Every time news emerged that official websites were giving away registered Aadhaar numbers to anyone looking for them, the government insisted it was not a problem, even though the 12-digit Unique ID is supposed to be confidential. On Wednesday, the authority that oversees Aadhaar introduced a new system through which one can be authenticated without sharing the UID. In doing so, the body admitted what it has been denying until now: Leaks of Aadhaar numbers are a massive concern.
In a circular released on Wednesday, the Unique Identification Authority of India announced the implementation of a number of new processes aimed at making Aadhaar more secure. As far as most citizens are concerned, the most relevant part of these changes is what is being called the Virtual ID. According to the circular, Virtual ID or VID, will be a temporary, revocable 16-digit random number that is mapped to your Aadhaar number. The circular claims it will be generated in a manner such that if you gave your VID to someone, they will not be able to derive your Aadhaar number from it.
According to UIDAI, someone who has Aadhaar can give their VID wherever authentication or Know Your Customer verification. This means that, once the VID system is in place, you do not have to give your Aadhaar number out to institutions, whether private or governmental, so that you can be authenticated.
The rest of the circular details how exactly this will work. UIDAI will allow Aadhaar-holders to generate their VID from a number of places, including its website, Aadhaar Enrolment Centres and the mAadhaar mobile app. There will be a set validity period for the VID, after which holders have to generate a new one.
On the back end, only certain institutions, essentially the core government ones, will be able to access people’s Aadhaar numbers themselves. Other agencies will only be able to do what UIDAI is calling “limited KYC” in which they will only get access to a few demographic details and a UID token authenticating the VID, instead of the Aadhaar number of the user itself. This is aimed at ensuring they cannot store the Aadhaar number.
Aadhaar number leaks
All these changes point to one thing: The sharing of Aadhaar numbers is a dangerous thing, and can be misused.
This should have been obvious, since the Aadhaar Act says it is a confidential detail and even says that those displaying or storing Aadhaar numbers should be punished with up to three years in prison. Yet, over the last few years, the government has insisted that there is no major issue if your Aadhaar number is available to others, even as they have been turning up all over the internet, particularly on government websites.
Aadhaar numbers have been readily available to anyone who would like to find them. A Google search could turn up Aadhaar numbers that had been hosted on government websites. A large number of state websites were found to be publicly displaying Aadhaar numbers along with names and other demographic data.
In a response to a question in Parliament last week, Minister of State for Electronics and Information Technology Alphons Kannanthanam admitted that “approximately 210 websites of Central Government, State Government departments and some educational institutes were displaying the list of beneficiaries along with their name, address, other details and Aadhaar numbers for information of general public.” He added that they have been asked to remove these, without saying whether criminal cases – as mentioned in the Aadhaar Act – had been initiated against these institutions.
Throughout all of this, the government insisted that there was no major danger if your Aadhaar number has become public. In an interview to Scroll last March, UIDAI Chief Executive Officer Ajay Bhushan Pandey said “in case of Aadhaar, let us say the 12 digits are leaked. The question is, by merely knowing your Aadhaar number, will someone be able to harm you? My answer is no.”
Yet, the new circular from UIDAI says exactly that.
“While it is important to ensure that Aadhaar number holders can use their identity information to avail many products and services, the collection and storage of Aadhaar numbers by various entities has heightened privacy concerns,” the circular said. “Aadhaar number being the permanent ID for life, there is need to provide mechanism to ensure its continued use by the Aadhaar number holder while optimally protecting the collection and storage of Aadhaar number itself in many databases.”
It goes on to explain exactly the point of the Virtual ID.
“Introduction of Virtual ID for an Aadhaar holder to use it in lieu of his/her Aadhaar number to avoid need of sharing of the Aadhaar number at the time of authentication.”
That is about as clear an admission of UIDAI admitting that it was either lying or simply got it wrong when saying earlier that there was no danger in the leaking of Aadhaar numbers. Moreover, the new system will not be implemented until March 1, 2018 and will not be mandatory until June 1, 2018. Meanwhile, there are genuine concerns, following many of these cases over the last few months, that practically the entire Aadhaar database including demographic data has already been copied by people who are now monetising that information. UIDAI has insisted all along that biometric data has not been breached, and so there is nothing to fear. Now it has changed tack to make Aadhaar numbers themselves private.
Activists critical of Aadhaar have been crying hoarse about problems like this for years now, and questions will be raised about why UIDAI took until now to recognise this problem. One natural presumption might be that the authority is scrambling to protect its systems ahead of a hearing in the Supreme Court, where the Aadhaar project has been challenged on the grounds of it violating a fundamental privacy.
That case is set to come up before a Constitution bench on January 17.