The Unique Identification Authority of India (UIDAI), which is facing criticism in the light of alleged data breaches, Wednesday announced a new method of identification called Virtual Identity — or VID in short. It also introduced what it described as a system of “Limited KYC” (Know Your Customer) to reduce the storage of Aadhaar numbers with the Authentication User Agencies (AUAs), while still letting them do paperless authentications. Essentially, the new VID system will hide the Aadhaar number from the authenticating agency, while still confirming the identity of the user.
The statutory body, which is mandated to collect personal data of residents of India and to issue them a unique identification number called Aadhaar, says these steps will ensure greater privacy, and limit access to its database. On Thursday, the government pushed back against the critics of Aadhaar, asking them not to “overblow this issue of privacy”. While advocates leading the ongoing legal challenge to Aadhaar in the Supreme Court declined to issue a detailed statement, answers to several questions on the implementation and the impact of the proposed VIDs and Limited KYCs remained unclear.
What is VID? How will it be different from the Aadhaar number itself?
UIDAI has said VID will be a 16-digit number, which will be temporary in nature. So, unlike the 12-digit Aadhaar number that is permanent, the VID will have a certain period of validity, at the end of which it will expire, and the user will have to generate a new one. UIDAI is yet to say what the minimum validity period for the VID will be. A VID will automatically expire when a user generates a new one, as there can only be one valid VID number against a particular Aadhaar number at any given point in time.
While it is not compulsory to use or generate a VID, the UIDAI is pitching it as another option for authenticating identity, which it claims is more secure. Think of the VID as a 16-digit OTP that can be used to validate your identity without actually giving out your Aadhaar number. The VID can only be generated by the user in question and, according to UIDAI’s circular, it is not possible to “derive Aadhaar number from the VID”. The VID cannot be used by agencies for duplication, and it cannot be generated by the Authentication User Agency (AUA) either.
The UIDAI has said that VID “is only mapped with the Aadhaar number”. So, while the VID will help confirm your identity to the AUA (for example, a bank), it will not necessarily share your Aadhaar number and other data with the AUA. But more on this in the answer to a later question.
How will the public generate the VID? Do we have to submit documents for this all over again?
No documents or proof will be needed to generate a VID. But an Aadhaar number will be essential. UIDAI has said users will be able to generate the VID from the Aadhaar resident portal, Aadhaar Enrolment Centres, and the mAadhaar app on Android. The circular says that once the new system comes into effect, all agencies will have to provide this as an option, instead of just relying on the Aadhaar number. However, UIDAI has not so far listed the detailed steps to generate the VID, and how users can complete the process to mask their Aadhaar number from the agencies that demand it.
So can we generate a VID right away?
UIDAI will implement the VID service only from March 1, so you cannot generate one now. UIDAI expects all authentication bodies to move to the new VID system latest by June 1, 2018. But the deadline to link Aadhaar with services such as banks, mobile phone numbers, etc., remains March 31, 2018 — so while VID might be in place from March 1, it is unclear whether most of these places, too, will start accepting this option from that date. Most agencies will have to upgrade their entire computer systems in order to accept VID, which could take time.
UIDAI says it will start sharing updated technical documents/Application Programming Interfaces, and will also conduct workshops and training sessions for all AUAs soon. But again, it has given no timelines for
The circular says that AUAs need to be on the new system by June 1, 2018, or face discontinuation of their authentication services, and also a fine. But then, AUAs have until June 1 to implement this system, well after the March 31 deadline for Aadhaar-linking, which many customers will have to follow without a choice.
And given that the VID is a long number, what happens if one forgets their VID after they have generated it?
The VID is not permanent, and there is the option of generating another one. UIDAI has said it will be possible to generate this from the mAadhaar app. But there is no clarity yet on the process for doing so. Also, the app is so far limited only to Google’s Android platform, and users of Apple iOS will have to rely on the web site to get the VID every single time they need it.
How will VID help with Aadhaar-linking? Does this mean most agencies will no longer store your Aadhaar data?
Here’s where matters get complicated and confusing. UIDAI has also introduced a Limited KYC, which is supposed to allow “paperless” authentication, while ensuring at the same time that the Aadhaar database is not accessed. But it appears that AUAs will be divided into two separate categories: “Global AUAs” and “Local AUAs”.
The Global AUAs will have complete access to the full eKYC (Aadhaar number), and will also be able to store Aadhaar numbers in their systems. This is something privacy activists have been cautioning against, because the number can used to reveal various other signifiers about an individual.
According to the circular, the Global AUAs will be decided on the basis of “laws governing”, and whether “laws require them to use Aadhaar number”. As of now, it is unclear which agencies will be chosen to be Global AUAs. So, a public sector bank could be a Global AUA, and so could a private player like Paytm, which has its own Payments Bank and expects customers to do an eKYC in order to use it.
Not all customers may be keen to share their Aadhaar data with every single player that demands it. And if this player is a Global AUA, even using a VID will not do much, because that player will still have the option of doing a complete eKYC and storing Aadhaar data. It also remains to be seen whether telecom players will be declared Global AUAs, and allowed to access and store Aadhaar data.
Local AUAs, on the other hand, will have “Limited KYC”, and will only get a UID token which they can use to identify customers. This UID will be unique for each Aadhaar number — a 72-character alphanumeric string, which the circular says will be meant only for system usage. Each Aadhaar will have a unique UID for each particular AUA entity. So, the UID token for your Aadhaar number at one agency will be different from the one at another agency. Every time a Local AUA sends an authentication request, it will rely on this UID token, not the Aadhaar number, to verify identity.
According to the UIDAI, all agencies will need to set up the UID token system. However, Global AUAs will have the freedom to use the UID token as “per their need for authentication and database usage”, according to the circular.
UIDAI also says it will decide what other “demographic fields” will be shared with the Local AUAs other than this UID token — which adds to the confusion. While Local AUAs will not be allowed to store Aadhaar numbers in their systems, it is still unclear who will be designated as a Local AUA.
But what happens to an Aadhaar that has already been shared with several agencies? What if some of these agencies are now declared Local AUAs?
UIDAI’s circular says Local AUAs will have to change their systems to “replace Aadhaar number within the databases with this UID token”. But again, it is unclear by when this change is supposed to take place. And to begin with, UIDAI has to specify who will be a Global AUA and who will be a Local AUA.