Virtual ID, limited KYC for Aadhaar cardholders
UIDAI seeks to address privacy and security concerns over sharing of Aadhaar details
As it looks to address concerns regarding the privacy of Aadhaar data, the Unique Identification Authority of India (UIDAI) has introduced a concept of ‘virtual ID’, which is a temporary number that can be generated by users for the purpose of verification and authentication.
The UIDAI has taken a slew of measures to safeguard the privacy of citizens, primarily after reports emerged that Aadhaar data can be accessed by unauthorised means.
The virtual ID, which will be mapped with the Aadhaar number, can be shared with authorities to authenticate identity for availing various services and it will provide users an option of not sharing their Aadhaar number.
The ID will be a temporary, revocable 16-digit number that can be shared with agencies like a telecom operator, for verification of identity. The virtual ID along with biometrics will furnish limited details like names, addresses, and photographs to the agency concerned for verification.
However, experts feel that though the intention of the government is good, it has to be seen what security parameters are put in place to safeguard the virtual ID.
According to senior cyber lawyer Pavan Duggal, cybersecurity was not introduced at the start by the UIDAI and that is why there have been so many cases regarding data breach.
Also, he said people were become increasingly concerned about privacy and consequently, the UIDAI had come up with the concept of a virtual ID.
“However, the UIDAI needs to define the security parameters and how it will ensure privacy. As the virtual ID is not covered by the Aadhaar Act and the Information Technology Act, the government needs to amend the law. Technical cybersecurity parameters also need to be defined in detail,” he added.
Duggal also highlighted that the virtual ID could be misused by cybercriminals as they could create fake IDs based on the Aadhaar number, therefore, a holistic approach was required to be adopted by the government. “The concept is nice but the devil is in the detail,” he added.
The UIDAI has to define the technical details as well as the time frame for which the virtual ID can remain active. The authority has only said a user can generate as many virtual IDs as he or she wants but it is yet to define the time frame. The UIDAI has also
introduced the concept of ‘limited knowyour-customer (KYC)’ under which it will only provide need-based or limited details of a user to an authorised agency that is providing a particular service.
The UIDAI said it would start accepting the virtual ID from March 1 and from June 1, 2018, it would be compulsory for all agencies that undertake authentication to accept the virtual ID from users. Agencies that do not migrate to the new system to offer this additional option to their users by the stipulated deadline will face financial disincentives.
“An Aadhaar number-holder can use the virtual ID in lieu of the Aadhaar number whenever authentication or KYC services are performed. Authentication may be performed using the virtual ID in a manner similar to using the Aadhaar number,” a UIDAI notification said. According to the UIDAI, agencies that undertake authentication will not be allowed to generate the virtual ID on behalf of the Aadhaar holder.
As many as 1.19 billion biometric identifiers have been issued so far and Aadhaar is required as identity proof by various government and non-government entities.