Aadhaar
Here’s a 9-point explainer on how Virtual ID is supposed to work - and if it addresses security concerns.

The UIDAI announced on Wednesday that Aadhaar card holders would now have a second layer of security – a 16-digit virtual ID (VID) which they could use to avail services instead of providing their 12-digit Aadhaar number.

This comes after news reports highlighted breaches in Aadhaar databases and that all you needed was Rs 500 and 10 minutes to get access to lakhs of Aadhaar IDs and corresponding information.

But how does the UIDAI claim that this VID would work?

1. A VID is a temporary 16-digit number which is mapped with the Aadhaar number. This means that another 16-digit VID can be generated after a minimum validity period.

2. There can be only one active VID for an Aadhaar number at a given point of time.

3. You can create this VID by logging on to the UIDAI website and inputting your Aadhaar number. You will get a temporary randomised 16-digit VID.

4. It isn’t possible to derive the Aadhaar number from the VID.

5. The VID can be used instead of the Aadhaar number wherever KYC or authentication is needed.

6. The government has also introduced the limited KYC category, where information is shared with a service provider on a need-to-know basis. For instance, only your name, photo and address will be shared with a telco.

7. There would be two categories of Authentication User Agencies (AUA) which will provide Aadhaar-enabled services. The limited KYC categories will be ‘local AUAs. But services of ‘global AUAs’ will not be accessible through VID – for instance, you will have to provide your Aadhaar ID for a passport.

8. The VID service will be activated from March 2018.

9. All service providers would have to update their systems to make them VID-compatible or face financial penalties.

But is the VID really addressing the concerns for safeguarding data?

Kiran Jonnalgadda, founder of HasGeek and trustee of Internet Freedom Foundation (IFF), says, “It would have been better had the government come up with this before the leaks. Now it’s just a whitewash.”

Sunil Abraham, Executive Director at Centre for Internet and Society says that while this is a move towards redressal, it is not enough.

“They should re-issue the compromised Aadhaar IDs and revoke the existing KYCs,” he says.

Kiran also points out that as long as local and global AUAs are not defined clearly, the usage of VIDs remains limited. “You may still have to give your Aadhaar ID to certain service providers, and that continues to put your data at risk,” he argues.

Sunil suggests that unless we switch to smart cards, adoptability of VIDs would continue to face hurdles. It is easier to read off a 12-digit number off a card than remember a 16-digit temporary code. So, unless the latter is stored in the smart card, people may continue to use their Aadhaar numbers, he explains.

Sunil also asserts that the most effective way to implement VID would be to ensure that no institution be allowed to store the Aadhaar number, unless absolutely necessary. He has previously argued that biometrics are not appropriate for authentication, but for surveillance – and that continues to remain a concern.