Indian Government introduces Virtual ID to enhance data privacy in the use of national biometric ID
The Indian Government has announced significant changes to the way the national ID, Aadhaar, is currently being used for authentication. Instead of providing the actual ID number, citizens will be able to use a revocable Virtual ID and the agencies are required to make the necessary changes in their systems by June 1, 2018.
The Unique Identification Authority of India (UIDAI), a statutory body under the Ministry of Electronics and Information Technology (MeitY), is responsible for issuing the 12-digit unique identity number linked to a citizen’s basic demographic and biometric information. Nearly 1.2 billion Aadhaar numbers have been issued to date, with over 99% of adults having the number by 2017.
Within a relatively short period of time (the first number was issued in September 2010), Aadhaar has become the primary identity proof used by Indian citizens for accessing a range of services from government as well as non-government entities. Banks, telecom companies, Public Distribution Systems (India’s food security system), Income Tax, etc. have been mandated through various laws to use Aadhaar for identity verification and de-duplication. A wide range of private entities also use Aadhaar to verify the identity of their customers.
In a new circular, UIDAI recognises that the collection and storage of Aadhaar numbers by various entities has heightened privacy concerns and that, the Aadhaar number being irrevocable and permanent for life, there is a need to provide a mechanism to ensure its continued use by the Aadhaar number holder while optimally protecting the collection and storage of the Aadhaar number itself in many databases.
To strengthen the privacy and security of Aadhaar number holders, UIDAI has introduced a Virtual ID (VID), which an Aadhaar holder can use in lieu of his/her Aadhaar number to avoid the need to share the Aadhaar number at the time of authentication or KYC (Know Your Customer) processes.
The introduction of Virtual ID will reduce collection of Aadhaar numbers by various agencies. Residents are currently required to share Aadhaar number to authenticate their identity to avail various services and the number is stored in the databases of banks, telcos and other private sector organisations. The circular notes that VID, by design being temporary, cannot be used by agencies for de-duplication.
The VID will be a temporary, revocable 16-digit random number mapped with the Aadhaar number. It is not possible to derive Aadhaar number from VID.
There will be only one active and valid VID for an Aadhaar number at any given time.
The VID is revocable and can be replaced by a new one by Aadhaar number holder after the minimum validity period set by UIDAI.
No entities like AUAs (Authentication User Agencies) / KUAs (KYC User Agencies) can generate a VID on behalf of the Aadhaar number holder.
(AUAs are entities engaged in providing Aadhaar Enabled Services to Aadhaar number Holder, using the authentication as facilitated by the Authentication Service Agency (ASA). An AUA may be government / public / private legal agency registered in India, that uses Aadhaar authentication services of UIDAI and sends authentication requests to enable its services / business functions.)
The VID can be generated only by the Aadhaar number holder. They can also replace (revoke and generate a new one) their VID from time to time, after the minimum validity period set by UIDAI. UIDAI will provide various options to Aadhaar number holders to generate their VID, retrieve their VID in case they forget it, and replace their VID with a new number. These options will be made available via UIDAI’s resident portal, Aadhaar Enrolment Centres, the mAadhaar mobile application, etc.
All agencies using Aadhaar Authentication and e-KYC services will be required to ensure that Aadhaar number holders can provide the 16-digit VID instead of Aadhaar number within their application. All agencies offering assisted services shall inform their offices and operators to enable this option for Aadhaar number holders.
Limited KYC service
UIDAI will categorize all AUAs into two categories - "Global AUAs" and “Local AUAs”. Only Global AUAs will have access to e-KYC with Aadhaar number, while all other agencies will only have access to "Limited KYC".
This Limited KYC service provides an "agency specific unique UID token" to eliminate many agencies storing the Aadhaar number, while still uniquely identifying their customers and enabling their own paperless KYC.
This will also reduce the ability to merge databases across agencies thus enhancing privacy substantially. The UID Token will be a 72-character alphanumeric string meant only for system usage.
UIDAI from time to time will evaluate AUAs/Sub-AUAs based on the laws governing them and categorize them as "Global AUAs" only if laws require them to use the Aadhaar number in their KYC. Only such agencies will have access to Full e-KYC (with Aadhaar number) and the ability to store the Aadhaar number within their systems.
All AUAs who are not categorized under "Global AUAs" will automatically be categorized as "Local AUAs". Such entities will only have access to "Limited KYC" and will not be allowed to store the Aadhaar number within their systems. According to the circular, UIDAI reserves the right to determine, in addition to the UID Token, what demographic fields need to be shared with the Local AUAs depending upon their needs.
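The VID and agency-specific token behaviour described above, as an added sketch that is not taken from the circular or from UIDAI: a random, replaceable 16-digit VID with one active value per holder, and a 72-character token that differs per agency. The HMAC derivation, the issuer key, the agency codes, the sample ID and the token staying constant across VID replacement are assumptions; the circular does not say how tokens are derived, and the minimum validity period is not modelled.

```python
import hashlib
import hmac
import secrets


class VidRegistry:
    """Toy issuer-side registry (constructed; not UIDAI's implementation)."""

    def __init__(self):
        self._key = secrets.token_bytes(32)   # issuer-held secret (assumption)
        self._active = {}                     # holder id -> current VID
        self._by_vid = {}                     # VID -> holder id

    def generate_vid(self, holder_id):
        """Issue a fresh random 16-digit VID, revoking any previous one."""
        old = self._active.pop(holder_id, None)
        if old is not None:
            del self._by_vid[old]             # a revoked VID stops resolving
        while True:
            # Random digits: nothing about the holder id is encoded in the VID.
            vid = "".join(secrets.choice("0123456789") for _ in range(16))
            if vid not in self._by_vid:
                break
        self._active[holder_id] = vid
        self._by_vid[vid] = holder_id
        return vid

    def authenticate(self, vid, agency_code):
        """Resolve a VID and return the agency-specific token, or None."""
        holder_id = self._by_vid.get(vid)
        if holder_id is None:
            return None
        # Keyed on agency + holder, so two agencies cannot join on the token.
        msg = f"{agency_code}|{holder_id}".encode()
        digest = hmac.new(self._key, msg, hashlib.sha512).hexdigest()
        return digest[:72]                    # 72-character alphanumeric string


def demo():
    reg = VidRegistry()
    holder = "999900001111"                   # constructed 12-digit sample id
    vid1 = reg.generate_vid(holder)
    bank = reg.authenticate(vid1, "BANK-A")   # hypothetical agency codes
    telco = reg.authenticate(vid1, "TELCO-B")
    vid2 = reg.generate_vid(holder)           # holder replaces the VID
    return {
        "vid1": vid1, "vid2": vid2, "bank": bank, "telco": telco,
        "old_vid": reg.authenticate(vid1, "BANK-A"),
        "bank_after_rotation": reg.authenticate(vid2, "BANK-A"),
    }
```

A Local AUA in this model stores only the value returned by `authenticate`, never the VID or the holder's number.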
All AUAs required to migrate by June 1, 2018
Agencies using Aadhaar Authentication and e-KYC would need to make suitable changes so that their systems can accept the VID in place of the Aadhaar number, use the UID Token within their database instead of the Aadhaar number (if they are Local AUAs), and modify their applications to access Limited or Full e-KYC based on their categorisation.
Local AUAs should make changes inside their systems to replace Aadhaar number within the databases with UID Token.
Existing Aadhaar numbers can be replaced with corresponding UID token by doing demographic match using authentication API.
Global AUAs should make changes in their systems to accept UID token, in addition to Aadhaar number and use it in their processes.
UIDAI will share updated API/technical documents, guidelines, and conduct workshops / training sessions for AUAs/KUAs to ensure smooth and timely implementation. The necessary APIs are planned to be released by March 1, 2018.
By June 1, 2018, all AUAs/KUAs shall have to fully migrate to the new system, failing which their authentication services may be discontinued, and financial disincentives may be imposed. Any non-compliance will invite action in the form of financial disincentives and termination of the said Agreement.
To take up a couple of recent examples of concerns raised in the media, there was a viral news report in The Tribune newspaper of reporters being able to purchase “a service being offered by anonymous sellers over WhatsApp that provided unrestricted access to details for any of the more than 1 billion Aadhaar numbers created in India thus far” for Rs. 500, or around US$8. The Economic Times reported that, following the article, UIDAI restricted the access of all designated officials, numbering about 5,000, to the said Aadhaar portal. There were further news reports of police reports being filed against the reporters, which were denied by UIDAI and MeitY. The complete statement from UIDAI is available here.
A short while earlier, there had been allegations that a leading Indian telco, Airtel, had used Aadhaar details to establish e-KYC credentials of users and open their accounts on Airtel Payments Bank without their consent. Subsequently, UIDAI temporarily barred Airtel and its payments bank service from using Aadhaar to verify users. On March 11, it was reported that UIDAI was allowing Airtel to continue Aadhaar-based e-KYC verification of telecom subscribers till March 31, but had not withdrawn the current e-KYC licence suspension order on its banking arm. That remains suspended till final enquiry and audit (here and here).