“How do you solve a problem like Aadhaar?”
Due apologies to ‘Sound of Music’ aside, that’s the question everyone seems to be asking currently in India. After Chandigarh’s The Tribune reported on how the entire Aadhaar demographic database in India can be bought for Rs 500, concerns over the security of the 12-digit authentication system have only grown louder.
To firewall the Aadhaar ecosystem and safeguard card-holders’ data, UIDAI announced a ‘Virtual ID’ (VID) on Wednesday. But will it be able to plug in the loopholes in Aadhaar’s security?
What is Virtual Aadhaar ID?
The VID is a 16-digit randomly generated number which can be used for authentication instead of the Aadhaar number. Every new transaction will generate a new ID which will override the previously-generated ID. The Aadhaar number is verified through a VID using the Verhoeff algorithm, which is an error detection formula developed by the Dutch mathematician Jacobus Verhoeff. According to UIDAI’s circular, there’ll be only one active VID for any Aadhaar number at any given moment.
Wait, What About the Aadhaar Numbers Already Leaked?
While the VID will add an extra layer of security when you give your Aadhaar number for authentication, it does nothing to prevent the misuse of Aadhaar numbers already leaked.
Speaking to The Quint, Kiran Jonnalagadda, a member of the Internet Freedom Foundation, an organisation working on ‘net neutrality, free expression, privacy and innovation’ said:
It will achieve nothing, not least because UIDAI will fail to implement it on time. The horse has already bolted out of the stable.
Apart from The Tribune’s report on Aadhaar database available for a paltry Rs 500, there have been other instances of breach in the Aadhaar database.
In May 2017, Centre for Internet Society (CIS) estimated in a study that Aadhaar numbers of ‘as many as 135 million Indians’ could have been leaked from government websites. And in November 2017, UIDAI admitted that more than 200 central and state government websites publicly displayed Aadhaar numbers, names and addresses of beneficiaries.
Even still, the VID does nothing to allay fears of potential misuse of the personal Aadhaar information which is easily available. Is this a case of too little, too late?
Still Vulnerable to Financial Fraud?
With the VID, UIDAI also introduced ‘Limited KYC’. This means that instead of all agencies storing Aadhaar numbers for authentication, UIDAI will give an agency-specific UID ‘token’ to some agencies for e-KYC authentication.
Now, in its circular UIDAI specifies that all Authentication User Agencies (AUA)s will be divided into two — global and local. Global AUAs will have full access to e-KYC and will be able to store Aadhaar numbers within their system, while Local AUAs will have limited access.
But the key question is what agencies will fall under ‘Local’, and which ones under ‘Global’?
Security researcher Srinivas Kodali told Medianama,
The virtual ID is to be used only for local AUAs. Global AUAs, potentially like banks, will still need Aadhaar for Direct Benefit Transfers. This does not remove the financial fraud risk that Aadhaar poses.
No Internet, No VID, No Extra Level of Security?
According to UIDAI’s circular, the VID is optional and will be generated on UIDAI’s portal, Aadhaar enrolment centres and the mAadhaar mobile application.
But what about the leakage of data when the Aadhaar-card holder is not connected to the Internet? How will UIDAI ensure that all assisted centres make virtual Aadhaar ID a viable option for Aadhaar card-holders in remote villages with negligible Internet penetration?
Virtual Aadhaar ID will be implemented from 1 March 2018, but whether UIDAI will be able to implement it comprehensively and ensure that no leakages occur with an extra layer of Aadhaar data, we’ll have to wait and see.
What UIDAI needs is a ‘reset’ button — the only way it can ensure everyone’s Aadhaar information is safe is by reissuing fresh Aadhaar numbers.
But that will entail an additional cost of Rs 8,000 to Rs 10,000 crore. Is that a cost we can afford?
(We Indians have much to talk about these days. But what would you tell India if you had the chance? Pick up the phone and write or record your Letter To India. Don’t be silent, tell her how you feel. Mail us your letter at lettertoindia@thequint.com. We’ll make sure India gets your message.)
(At The Quint, we are answerable only to our audience. Play an active role in shaping our journalism by becoming a member. Because the truth is worth it.)