Virtual Aadhaar ID: Does it Solve Aadhaar’s Security Problem?
To firewall the Aadhaar ecosystem and safeguard Aadhaar card-holders’ data, UIDAI announced a ‘Virtual ID’ (VID) on Wednesday, 10 January.

“How do you solve a problem like Aadhaar?”

Due apologies to ‘Sound of Music’ aside, that’s the question everyone seems to be asking currently in India. After Chandigarh’s The Tribune reported on how the entire Aadhaar demographic database in India can be bought for Rs 500, concerns over the security of the 12-digit authentication system have only grown louder.

To firewall the Aadhaar ecosystem and safeguard card-holders’ data, UIDAI announced a ‘Virtual ID’ (VID) on Wednesday. But will it be able to plug the loopholes in Aadhaar’s security?

What is Virtual Aadhaar ID?

The VID is a 16-digit randomly generated number which can be used for authentication instead of the Aadhaar number. Every new transaction will generate a new ID which will override the previously generated ID. The Aadhaar number is verified through a VID using the Verhoeff algorithm, which is an error-detection formula developed by the Dutch mathematician Jacobus Verhoeff. According to UIDAI’s circular, there’ll be only one active VID for any Aadhaar number at any given moment.
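
As an added illustration (not from UIDAI or the original article), here is the Verhoeff check-digit computation in Python, assuming the last digit of a 16-digit ID is the check digit over the first 15; the sample number is constructed. It shows what the checksum does and does not provide: every single-digit typo and adjacent swap is caught, but anyone can compute a valid check digit for any payload, so it is error detection, not authentication.

```python
# Verhoeff check digit over the dihedral group D5 (added example).
D = [[int(ch) for ch in row] for row in (
    "0123456789", "1234067895", "2340178956", "3401289567", "4012395678",
    "5987604321", "6598710432", "7659821043", "8765932104", "9876543210")]
P = [list(range(10)), [1, 5, 7, 6, 2, 8, 3, 0, 9, 4]]
while len(P) < 8:                      # P[i+1] = P[i] composed with P[1]
    P.append([P[-1][P[1][j]] for j in range(10)])
INV = [row.index(0) for row in D]      # inverse of each group element


def _fold(digits: str, offset: int) -> int:
    """Combine digits right-to-left; offset=1 leaves room for the check digit."""
    c = 0
    for i, ch in enumerate(reversed(digits)):
        c = D[c][P[(i + offset) % 8][int(ch)]]
    return c


def check_digit(payload: str) -> int:
    return INV[_fold(payload, 1)]


def is_valid(number: str) -> bool:
    return number.isascii() and number.isdigit() and _fold(number, 0) == 0


def undetected_typos(number: str) -> int:
    """Count single-digit substitutions and adjacent swaps that still validate."""
    missed = 0
    for i, ch in enumerate(number):
        for alt in "0123456789":
            if alt != ch and is_valid(number[:i] + alt + number[i + 1:]):
                missed += 1
        if i + 1 < len(number) and number[i + 1] != ch:
            swapped = number[:i] + number[i + 1] + ch + number[i + 2:]
            missed += is_valid(swapped)
    return missed


# Constructed 15-digit payload, not a real VID or Aadhaar number.
SAMPLE_PAYLOAD = "912345678901234"
SAMPLE_ID = SAMPLE_PAYLOAD + str(check_digit(SAMPLE_PAYLOAD))

if __name__ == "__main__":
    print(SAMPLE_ID, is_valid(SAMPLE_ID), undetected_typos(SAMPLE_ID))
    # The check digit is not a secret: any payload can be made to validate.
    arbitrary = "0" * 15
    print(is_valid(arbitrary + str(check_digit(arbitrary))))
```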

Wait, What About the Aadhaar Numbers Already Leaked?

While the VID will add an extra layer of security when you give your Aadhaar number for authentication, it does nothing to prevent the misuse of Aadhaar numbers already leaked.

Speaking to The Quint, Kiran Jonnalagadda, a member of the Internet Freedom Foundation, an organisation working on ‘net neutrality, free expression, privacy and innovation’ said:

“It will achieve nothing, not least because UIDAI will fail to implement it on time. The horse has already bolted out of the stable.”

Apart from The Tribune’s report on the Aadhaar database being available for a paltry Rs 500, there have been other instances of breaches of the Aadhaar database.

In May 2017, the Centre for Internet and Society (CIS) estimated in a study that Aadhaar numbers of ‘as many as 135 million Indians’ could have been leaked from government websites. And in November 2017, UIDAI admitted that more than 200 central and state government websites publicly displayed Aadhaar numbers, names and addresses of beneficiaries.

Even so, the VID does nothing to allay fears of potential misuse of the personal Aadhaar information which is easily available. Is this a case of too little, too late?

Still Vulnerable to Financial Fraud?

With the VID, UIDAI also introduced ‘Limited KYC’. This means that instead of all agencies storing Aadhaar numbers for authentication, UIDAI will give an agency-specific UID ‘token’ to some agencies for e-KYC authentication.

In its circular, UIDAI specifies that all Authentication User Agencies (AUAs) will be divided into two categories: global and local. Global AUAs will have full access to e-KYC and will be able to store Aadhaar numbers within their systems, while Local AUAs will have limited access.

But the key question is which agencies will fall under ‘Local’, and which ones under ‘Global’?

Security researcher Srinivas Kodali told Medianama:

“The virtual ID is to be used only for local AUAs. Global AUAs, potentially like banks, will still need Aadhaar for Direct Benefit Transfers. This does not remove the financial fraud risk that Aadhaar poses.”

No Internet, No VID, No Extra Level of Security?

According to UIDAI’s circular, the VID is optional and will be generated on UIDAI’s portal, at Aadhaar enrolment centres and through the mAadhaar mobile application.

But what about the leakage of data when the Aadhaar-card holder is not connected to the Internet? How will UIDAI ensure that all assisted centres make virtual Aadhaar ID a viable option for Aadhaar card-holders in remote villages with negligible Internet penetration?

Virtual Aadhaar ID will be implemented from 1 March 2018. Whether UIDAI will be able to implement it comprehensively, and ensure that no leakages occur with an extra layer of Aadhaar data, we’ll have to wait and see.

What UIDAI needs is a ‘reset’ button — the only way it can ensure everyone’s Aadhaar information is safe is by reissuing fresh Aadhaar numbers.

But that will entail an additional cost of Rs 8,000 to Rs 10,000 crore. Is that a cost we can afford?
