Indian Government introduces Virtual ID to enhance data privacy in the use of national biometric ID

The Indian Government has announced significant changes to the way the
national ID, Aadhaar, is currently being used for authentication. Instead of
providing the actual ID number, citizens will be able to use a revocable
Virtual ID, and agencies are required to make the necessary changes in their
systems by June 1, 2018.

The Unique Identification Authority of India (UIDAI), a statutory body under
the Ministry of Electronics and Information Technology (MeitY), is responsible
for issuing the 12-digit unique identity number linked to a citizen’s basic
demographic and biometric information. Nearly 1.2 billion Aadhaar numbers have
been issued to date, with over 99% of adults having the number by 2017.

Within a relatively short period of time (the first number was issued in
September 2010), Aadhaar has become the primary identity proof used by Indian
citizens for accessing a range of services from government as well as
non-government entities. Banks, telecom companies, Public Distribution Systems
(India’s food security system), Income Tax, etc. have been mandated through
various laws to use Aadhaar for identity verification and de-duplication. A
wide range and number of private entities are using Aadhaar to verify the
identity of their customers.

In a new circular, UIDAI recognises that the collection and
storage of Aadhaar numbers by various entities has heightened privacy concerns [1]
and that, because the Aadhaar number is irrevocable and permanent for life, there
is a need to provide a mechanism that ensures its continued use by the Aadhaar
number holder while optimally protecting the collection and storage of the
Aadhaar number itself in many databases.

Virtual ID

To strengthen the privacy and security of Aadhaar number
holders, UIDAI has introduced a Virtual ID (VID), which an Aadhaar holder can use
in lieu of his/her Aadhaar number to avoid the need to share the Aadhaar number
at the time of authentication or KYC (Know Your Customer) processes.

The introduction of the Virtual ID will reduce the collection of
Aadhaar numbers by various agencies. Residents are currently required to share
their Aadhaar number to authenticate their identity to avail various services,
and the number is stored in the databases of banks, telcos and other private
sector organisations. The circular notes that the VID, by design being
temporary, cannot be used by agencies for de-duplication.

The VID will be a temporary, revocable 16-digit random
number mapped to the Aadhaar number. It is not possible to derive the Aadhaar
number from the VID.

There will be only one active and valid VID for an Aadhaar
number at any given time.

The VID is revocable and can be replaced with a new one by the
Aadhaar number holder after the minimum validity period set by UIDAI.

No entities such as AUAs (Authentication User Agencies) or KUAs (KYC User
Agencies) can generate a VID on behalf of the Aadhaar number holder.

(AUAs are entities engaged in providing Aadhaar Enabled Services to Aadhaar
number holders, using the authentication as facilitated by the Authentication
Service Agency (ASA). An AUA may be a government / public / private legal
agency registered in India that uses the Aadhaar authentication services of
UIDAI and sends authentication requests to enable its services / business
functions.)

The VID can be generated only by the Aadhaar number holder.
They can also replace (revoke and generate a new one) their VID from time to
time after the minimum validity period set by UIDAI. UIDAI will provide various
options to Aadhaar number holders to generate their VID, retrieve their VID in
case they forget it, and replace their VID with a new number. These options
will be made available via UIDAI’s resident portal, Aadhaar Enrolment Centres,
the mAadhaar mobile application, etc.

All agencies using Aadhaar Authentication and e-KYC services
will be required to ensure that Aadhaar number holders can provide the 16-digit
VID instead of Aadhaar number within their application. All agencies offering assisted
services shall inform their offices and operators to enable this option for
Aadhaar number holders.

Limited KYC service

UIDAI will categorize all AUAs into two categories:
"Global AUAs" and "Local AUAs". Only Global AUAs will have access to
e-KYC with Aadhaar number, while all other agencies will only have access to
"Limited KYC".

This Limited KYC service provides an agency-specific
unique UID Token to eliminate many agencies storing the Aadhaar number,
while still uniquely identifying their customers and enabling their own
paperless KYC.

This will also reduce the ability to merge databases across
agencies thus enhancing privacy substantially. The UID Token will be a 72-character
alphanumeric string meant only for system usage.
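
The properties listed above for the VID and the UID Token, as an added example that is not part of the original article and is not UIDAI's code. Deriving the token with an HMAC over the agency code and ID number, the class and function names, and the sample values are all assumptions; the circular as reported here does not say how tokens are computed, and the minimum validity period is not modelled.

```python
import hashlib
import hmac
import secrets

class ToyIdentityAuthority:
    """Constructed model of the issuing authority (hypothetical, for illustration)."""

    def __init__(self):
        self._token_key = secrets.token_bytes(32)  # secret that never leaves the authority
        self._vid_to_id = {}   # active VID -> ID number
        self._id_to_vid = {}   # ID number -> its single active VID

    def generate_vid(self, id_number):
        """Holder-initiated: revoke any previous VID, then issue a fresh random one."""
        old = self._id_to_vid.pop(id_number, None)
        if old is not None:
            del self._vid_to_id[old]
        while True:  # random, so nothing about the ID number can be derived from it
            vid = "".join(secrets.choice("0123456789") for _ in range(16))
            if vid not in self._vid_to_id:
                break
        self._vid_to_id[vid] = id_number
        self._id_to_vid[id_number] = vid
        return vid

    def limited_kyc(self, vid, agency_code):
        """Resolve a VID and return only an agency-specific token, never the ID number."""
        id_number = self._vid_to_id.get(vid)
        if id_number is None:
            raise KeyError("unknown or revoked VID")
        msg = f"{agency_code}|{id_number}".encode()
        digest = hmac.new(self._token_key, msg, hashlib.sha384).hexdigest()
        return digest[:72]  # 72 characters, the length the circular gives

def demo():
    authority = ToyIdentityAuthority()
    holder = "999900001111"  # constructed 12-digit sample, not a real number
    vid1 = authority.generate_vid(holder)
    bank = authority.limited_kyc(vid1, "BANK01")    # hypothetical agency codes
    telco = authority.limited_kyc(vid1, "TELCO7")
    vid2 = authority.generate_vid(holder)           # replaces and revokes vid1
    bank_again = authority.limited_kyc(vid2, "BANK01")
    try:
        authority.limited_kyc(vid1, "BANK01")
        revoked_rejected = False
    except KeyError:
        revoked_rejected = True
    return vid1, bank, telco, bank_again, revoked_rejected
```

In this model the bank and the telco hold different tokens for the same person, so their tables cannot be joined on the token, while the bank sees the same token again after the holder replaces the VID.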

UIDAI will from time to time evaluate AUAs/Sub-AUAs based on
the laws governing them and categorize them as "Global AUAs" only if
laws require them to use the Aadhaar number in their KYC. Only such agencies will
have access to Full e-KYC (with Aadhaar number) and the ability to store the
Aadhaar number within their systems.

All AUAs that are not categorized as "Global AUAs"
will automatically be categorized as "Local AUAs". Such entities will
only have access to "Limited KYC" and will not be allowed to store the
Aadhaar number within their systems. According to the circular, UIDAI reserves the
right to determine, in addition to the UID Token, what demographic fields need to
be shared with the Local AUAs depending upon their needs.

All AUAs required to migrate by June 1, 2018

Agencies using Aadhaar Authentication and e-KYC would need to
make suitable changes so that their systems can accept the VID in place of the
Aadhaar number, use the UID Token within their databases instead of the Aadhaar
number (if they are Local AUAs), and modify their applications to access Limited
or Full e-KYC based on their categorisation.

Local AUAs should make changes inside their systems to
replace the Aadhaar number within their databases with the UID Token.

Existing Aadhaar numbers can be replaced with the corresponding UID Token by
doing a demographic match using the authentication API.

Global AUAs should make changes in their systems to accept
UID token, in addition to Aadhaar number and use it in their processes.

UIDAI will share updated API/technical documents,
guidelines, and conduct workshops / training sessions for AUAs/KUAs to ensure
smooth and timely implementation. The necessary APIs are planned to be released
by March 1, 2018.

By June 1, 2018, all AUAs/KUAs shall have to fully migrate
to the new system, failing which their authentication services may be discontinued,
and financial disincentives may be imposed. Any non-compliance will invite
action in the form of financial disincentives and termination of the said
Agreement.

[1] To take up a couple of recent examples of concerns raised in the media,
there was a viral news report in The Tribune newspaper of reporters being able
to purchase, for Rs. 500 or around US$8, “a service being offered by anonymous
sellers over WhatsApp that provided unrestricted access to details for any of
the more than 1 billion Aadhaar numbers created in India thus far.” The
Economic Times reported that following the article, UIDAI restricted the access
of all designated officials, numbering about 5,000, to the said Aadhaar portal.
There were further news reports of police reports being filed against the
reporters, which were denied by UIDAI and MeitY. The complete statement from
UIDAI is available here.

A short while earlier, there had been allegations that leading Indian telco
Airtel had used Aadhaar details to establish e-KYC credentials of users and
open their accounts on Airtel Payments Bank without their consent.
Subsequently, UIDAI temporarily barred Airtel and its payments bank service
from using Aadhaar to verify users. On March 11, it was reported that UIDAI was
allowing Airtel to continue Aadhaar-based e-KYC verification of telecom
subscribers till March 31, but had not withdrawn the current eKYC licence
suspension order on its banking arm. That remains suspended till final enquiry
and audit (here and here).

Featured image: Kannanshanmugam,shanmugamstudio,Kollam/ CC BY-SA 3.0