- After years of criticism about the weakness of Aadhaar systems and the dangers they pose to privacy, the Unique Identification Authority of India introduced a new process that it hopes will be more secure.
- The “Virtual ID” is supposed to replace your 12-digit biometric-based Aadhaar number, allowing you to use it for authentication without giving away the Unique ID itself.
But what is Virtual ID?
- According to a circular issued by the Unique Identification Authority of India on Wednesday, Virtual ID will be a 16-digit random number that is mapped to your Aadhaar number.
- Once you have generated a Virtual ID, you can provide that 16-digit number, instead of your Aadhaar number, to any agency seeking to use Aadhaar to authenticate you.
- For most people, the key takeaway is that, starting March 1, they will have to generate a Virtual ID and will have to use that instead of Aadhaar for any sort of authentication.
How does it work?
- According to the circular, the Virtual ID will be mapped with the Aadhaar number, but is otherwise a random-generated number just like the Unique ID.
- This means that someone who only has access to your Virtual ID should not be able to use that to derive your Aadhaar number.
- When you give your Virtual ID to an authentication agency, say a telecom company or a local government body, they will enter it into the system and then receive a UID token that authenticates it, and provides a limited set of demographic details, such as your name, phone number, address and so on. Simply put, these agencies will now be able to authenticate you without ever actually seeing your Aadhaar number.
How is it different from Aadhaar/how is it more secure?
- A major concern regarding Aadhaar is how easily companies or government bodies that have access to it can store those numbers.
- Though the Unique Identification Authority of India has spent years insisting that the Aadhaar number itself is not dangerous if leaked, when coupled with demographic data, it lends itself to either profiling or financial fraud, which has taken place in the past.
- The new system attempts to add a layer of security over this, by making it more difficult for agencies to get access to your Aadhaar number.
- Until now, wherever authentication was necessary, you simply gave them your Aadhaar number or biometrics.
- Though the Aadhaar Act made it illegal to store that data unless authorised, it was impossible to say what agencies or individuals were doing it.
- The new system avoids that potential loophole altogether, by making sure agencies do not have access to your Aadhaar number in the first place. Instead, they are only shown your Virtual ID and receive a UID token that confirms it is mapped to your Aadhaar number.
- The Unique Identification Authority of India claims it will not be possible to derive the Aadhaar number from the Virtual ID. Moreover, different agencies will be given different UID tokens to authenticate the same Aadhaar – meaning they will not simply be able to merge their information and build a picture of the Virtual ID holder.
- A key aspect of the security is that the Virtual ID is temporary and revocable.
- This means that it matters less if an agency stores your Virtual ID in the hope of profiling you, since Virtual IDs are not permanent and can change.
- The Unique Identification Authority of India has indicated that it will have an upper time limit for Virtual IDs.
Is it really more secure?
- On paper, the process is more secure. But the question it prompts is, why was this not in place all along? The idea of the Virtual ID is to prevent agencies from collecting and storing individual Aadhaar numbers with demographic data. But government agencies have themselves been leaking Aadhaar numbers and it is entirely possible, given the way the internet works, that the entire Aadhaar database – with the UIDs and demographic data – has already been copied, either piecemeal or altogether. The process will be more secure from here on, but the cat may already be out of the bag.
I have Aadhaar. What do I need to do?
- The new system will not be in place until March 1, and the Unique Identification Authority of India has made it mandatory for agencies to start using Virtual ID by June 1. Assuming it sticks to these deadlines, every Aadhaar holder will have to generate their Virtual IDs between March 1 and June 1. This can be done on the Unique Identification Authority of India’s website, at Aadhaar Enrolment Centres and on the mAadhaar mobile app. From June 1, you will need to use this Virtual ID instead of Aadhaar in most authentication circumstances.