With Virtual ID, UIDAI admits what it has been denying: Leaked Aadhaar numbers are a problem

The new process will allow people to be authenticated without sharing their Aadhaar number.

Every time news emerged that official websites were giving away registered Aadhaar numbers to anyone looking for them, the government insisted it was not a problem, even though the 12-digit Unique ID is supposed to be confidential. On Wednesday, the authority that oversees Aadhaar introduced a new system through which one can be authenticated without sharing the UID. In doing so, the body admitted what it has been denying until now: Leaks of Aadhaar numbers are a massive concern.

In a circular released on Wednesday, the Unique Identification Authority of India announced the implementation of a number of new processes aimed at making Aadhaar more secure. As far as most citizens are concerned, the most relevant part of these changes is what is being called the Virtual ID. According to the circular, Virtual ID or VID, will be a temporary, revocable 16-digit random number that is mapped to your Aadhaar number. The circular claims it will be generated in a manner such that if you gave your VID to someone, they will not be able to derive your Aadhaar number from it.

Virtual ID

According to UIDAI, someone who has Aadhaar can give their VID wherever authentication or Know Your Customer verification. This means that, once the VID system is in place, you do not have to give your Aadhaar number out to institutions, whether private or governmental, so that you can be authenticated.

The rest of the circular details how exactly this will work. UIDAI will allow Aadhaar-holders to generate their VID from a number of places, including its website, Aadhaar Enrolment Centres and the mAadhaar mobile app. There will be a set validity period for the VID, after which holders have to generate a new one.

On the back end, only certain institutions, essentially the core government ones, will be able to access people’s Aadhaar numbers themselves. Other agencies will only be able to do what UIDAI is calling “limited KYC” in which they will only get access to a few demographic details and a UID token authenticating the VID, instead of the Aadhaar number of the user itself. This is aimed at ensuring they cannot store the Aadhaar number.

Aadhaar number leaks

All these changes point to one thing: The sharing of Aadhaar numbers is a dangerous thing, and can be misused.

This should have been obvious, since the Aadhaar Act says it is a confidential detail and even says that those displaying or storing Aadhaar numbers should be punished with up to three years in prison. Yet, over the last few years, the government has insisted that there is no major issue if your Aadhaar number is available to others, even as they have been turning up all over the internet, particularly on government websites.

Aadhaar numbers have been readily available to anyone who would like to find them. A Google search could turn up Aadhaar numbers that had been hosted on government websites. A large number of state websites were found to be publicly displaying Aadhaar numbers along with names and other demographic data.

In a response to a question in Parliament last week, Minister of State for Electronics and Information Technology Alphons Kannanthanam admitted that “approximately 210 websites of Central Government, State Government departments and some educational institutes were displaying the list of beneficiaries along with their name, address, other details and Aadhaar numbers for information of general public.” He added that they have been asked to remove these, without saying whether criminal cases – as mentioned in the Aadhaar Act – had been initiated against these institutions.

UIDAI u-turn

Throughout all of this, the government insisted that there was no major danger if your Aadhaar number has become public. In an interview to Scroll last March, UIDAI Chief Executive Officer Ajay Bhushan Pandey said “in case of Aadhaar, let us say the 12 digits are leaked. The question is, by merely knowing your Aadhaar number, will someone be able to harm you? My answer is no.”

Yet, the new circular from UIDAI says exactly that.

“While it is important to ensure that Aadhaar number holders can use their identity information to avail many products and services, the collection and storage of Aadhaar numbers by various entities has heightened privacy concerns,” the circular said. “Aadhaar number being the permanent ID for life, there is need to provide mechanism to ensure its continued use by the Aadhaar number holder while optimally protecting the collection and storage of Aadhaar number itself in many databases.”

It goes on to explain exactly the point of the Virtual ID.

 “Introduction of Virtual ID for an Aadhaar holder to use it in lieu of his/her Aadhaar number to avoid need of sharing of the Aadhaar number at the time of authentication.”

Constitution bench

That is about as clear an admission of UIDAI admitting that it was either lying or simply got it wrong when saying earlier that there was no danger in the leaking of Aadhaar numbers. Moreover, the new system will not be implemented until March 1, 2018 and will not be mandatory until June 1, 2018. Meanwhile, there are genuine concerns, following many of these cases over the last few months, that practically the entire Aadhaar database including demographic data has already been copied by people who are now monetising that information. UIDAI has insisted all along that biometric data has not been breached, and so there is nothing to fear. Now it has changed tack to make Aadhaar numbers themselves private.

Activists critical of Aadhaar have been crying hoarse about problems like this for years now, and questions will be raised about why UIDAI took until now to recognise this problem. One natural presumption might be that the authority is scrambling to protect its systems ahead of a hearing in the Supreme Court, where the Aadhaar project has been challenged on the grounds of it violating a fundamental privacy.

That case is set to come up before a Constitution bench on January 17.

We welcome your comments at letters@scroll.in.
Sponsored Content BY 

The ordeal of choosing the right data pack for your connectivity needs

"Your data has been activated." <10 seconds later> "You have crossed your data limit."

The internet is an amazing space where you can watch a donkey playing football while simultaneously looking up whether the mole on your elbow is a symptom of a terminal diseases. It’s as busy as it’s big with at least 2.96 billion pages in the indexed web and over 40,000 Google search queries processed every second. If you have access to this vast expanse of information through your mobile, then you’re probably on something known as a data plan.

However, data plans or data packs are a lot like prescription pills. You need to go through a barrage of perplexing words to understand what they really do. Not to mention the call from the telecom company rattling on at 400 words per minute about a life-changing data pack which is as undecipherable as reading a doctor’s handwriting on the prescription. On top of it all, most data packs expect you to solve complex algorithms on permutations to figure out which one is the right one.

Source: giphy.com
Source: giphy.com

Even the most sophisticated and evolved beings of the digital era would agree that choosing a data pack is a lot like getting stuck on a seesaw, struggling to find the right balance between getting the most out of your data and not paying for more than you need. Running out of data is frustrating, but losing the data that you paid for but couldn’t use during a busy month is outright infuriating. Shouldn’t your unused data be rolled over to the next month?

You peruse the advice available online on how to go about choosing the right data pack, most of which talks about understanding your own data usage. Armed with wisdom, you escape to your mind palace, Sherlock style, and review your access to Wifi zones, the size of the websites you regularly visit, the number of emails you send and receive, even the number of cat videos you watch. You somehow manage to figure out your daily usage which you multiply by 30 and there it is. All you need to do now is find the appropriate data pack.

Promptly ignoring the above calculations, you fall for unlimited data plans with an “all you can eat” buffet style data offering. You immediately text a code to the telecom company to activate this portal to unlimited video calls, selfies, instastories, snapchats – sky is the limit. You tell all your friends and colleagues about the genius new plan you have and how you’ve been watching funny sloth videos on YouTube all day, well, because you CAN!

Source: giphy.com
Source: giphy.com

Alas, after a day of reign, you realise that your phone has run out of data. Anyone who has suffered the terms and conditions of unlimited data packs knows the importance of reading the fine print before committing yourself to one. Some plans place limits on video quality to 480p on mobile phones, some limit the speed after reaching a mark mentioned in the fine print. Is it too much to ask for a plan that lets us binge on our favourite shows on Amazon Prime, unconditionally?

You find yourself stuck in an endless loop of estimating your data usage, figuring out how you crossed your data limit and arguing with customer care about your sky-high phone bill. Exasperated, you somehow muster up the strength to do it all over again and decide to browse for more data packs. Regrettably, the website wont load on your mobile because of expired data.

Source: giphy.com
Source: giphy.com

Getting the right data plan shouldn’t be this complicated a decision. Instead of getting confused by the numerous offers, focus on your usage and guide yourself out of the maze by having a clear idea of what you want. And if all you want is to enjoy unlimited calls with friends and uninterrupted Snapchat, then you know exactly what to look for in a plan.

Source: giphy.com
Source: giphy.com

The Airtel Postpaid at Rs. 499 comes closest to a plan that is up front with its offerings, making it easy to choose exactly what you need. One of the best-selling Airtel Postpaid plans, the Rs. 499 pack offers 40 GB 3G/4G data that you can carry forward to the next bill cycle if unused. The pack also offers a one year subscription to Amazon Prime on the Airtel TV app.

So, next time, don’t let your frustration get the better of you. Click here to find a plan that’s right for you.

Source: giphy.com
Source: giphy.com

This article was produced by the Scroll marketing team on behalf of Airtel and not by the Scroll editorial team.