UIDAI takes the right step
Virtual IDs will ensure data security
The Unique Identification Authority of India (UIDAI) has taken a firm step in support of data security and privacy by introducing disposable IDs, authentication tokens and tiered KYC requirements to reduce the exposure of Aadhaar numbers. These are logical measures, since providers only need to have the number authenticated against a person. There is no need for them to store it even for a second thereafter. It is surprising that this pervasive principle, which is followed by almost all services requiring a login, was not applied to UIDAI earlier.
Apart from disastrous denials of the very services it was designed to assure — withdrawal of food and shelter entitlements to the poorest have been noted — the security of the world’s biggest repository of biometric data has been questioned following leaks. The first problem is being examined by the courts. And the virtual ID is the UIDAI’s first attempt to address the second. All systems are vulnerable to a capable, imaginative and determined attacker, no matter how diligently they are secured. Their holdings must be shared on a need-to-know basis, and the recent blanket requirements for Aadhaar data to be shared with service providers, from mutual fund managers to telecom companies, flies in the face of that principle.
The Indian Express, January 12