Indian Govt to Introduce New Measures For Increased Aadhaar Security
UIDAI to put in place two-tier protection with virtual 16-digit ID number to enhance Aadhaar security.
Following the controversy surrounding a reported security breach of Aadhaar, the Unique Identification Authority of India (UIDAI) said on Jan. 10 that it will bring in two-layer security to reinforce privacy protection for users.
The proposed measures give ID holders a virtual identification, so that they need not share their actual Aadhaar numbers to authenticate their identity. A 16-digit temporary number will be used instead of the Aadhaar number. The UIDAI said the Virtual ID software would be released by March 1.
The virtual identification can be generated, retrieved, revoked or replaced through UIDAI’s portal, mobile app, enrollment centers, etc. For any kind of verification with virtual ID, only name, address and photograph will be shared. This is an effort to curb the number of people who will have access to the Aadhaar number. The UIDAI will also set a minimum validity period for Virtual ID and the users would be able to replace their ID from time to time.
The authority has regulated the storage of Aadhaar numbers within various databases. In response to an authentication request from an agency, UIDAI will send a UID Token, a number that stays the same for a given agency but differs from one entity to another.
The measures seek to address concerns about privacy and potential misuse of identity, which have resulted in a legal challenge to Aadhaar in the Supreme Court. The virtual ID will be a 16-digit random number mapped to the Aadhaar number, and it can only be generated, replaced or revoked by the Aadhaar number holder from time to time.
“It will not be possible to derive the Aadhaar number from the virtual ID,” a circular issued by UIDAI said.
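The scheme described above can be sketched as a small tokenization vault. This is an added example, not UIDAI code: the class `VidVault`, its method names, the agency labels, and the use of a keyed hash (HMAC-SHA256, hex-encoded) for the UID Token are all assumptions made for illustration, and the 12-digit holder number is a constructed value.

```python
import hashlib
import hmac
import secrets

class VidVault:
    """Hypothetical issuer-side vault; the VID-to-Aadhaar mapping exists only here."""

    def __init__(self):
        self._token_key = secrets.token_bytes(32)  # issuer-held secret (assumption)
        self._vid_to_id = {}
        self._id_to_vid = {}

    def issue_vid(self, aadhaar):
        """Generate a VID, or replace the holder's current one (revoking it)."""
        self.revoke_vid(aadhaar)
        while True:
            # Random digits: nothing in the VID is computed from the Aadhaar number.
            vid = "".join(secrets.choice("0123456789") for _ in range(16))
            if vid not in self._vid_to_id:
                break
        self._vid_to_id[vid] = aadhaar
        self._id_to_vid[aadhaar] = vid
        return vid

    def revoke_vid(self, aadhaar):
        old = self._id_to_vid.pop(aadhaar, None)
        if old is not None:
            del self._vid_to_id[old]

    def authenticate(self, vid, agency_id):
        """Return the agency-specific token for a live VID, else None."""
        aadhaar = self._vid_to_id.get(vid)
        if aadhaar is None:
            return None  # unknown, revoked or replaced VID
        # Keyed hash over (agency, holder): stable per agency, unlinkable across agencies.
        msg = f"{agency_id}|{aadhaar}".encode()
        return hmac.new(self._token_key, msg, hashlib.sha256).hexdigest()

if __name__ == "__main__":
    vault = VidVault()
    holder = "000000000001"  # constructed 12-digit value, not a real Aadhaar number
    vid = vault.issue_vid(holder)
    print(vid, vault.authenticate(vid, "agency-A")[:16])
    vault.issue_vid(holder)  # holder replaces the VID
    print(vault.authenticate(vid, "agency-A"))  # None: old VID no longer works
```

An agency that stores only the VID and its own token holds nothing that can be matched against another agency's records, and a leaked VID stops working once the holder replaces it.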
Until now, a person had to give their 12-digit identity number, along with demographic and biometric data or a one-time password, during authentication or e-KYC (know your customer) to access various benefits and services from service providers. UIDAI also introduced the concept of a limited KYC category, which does not have access to the Aadhaar number.
The authority has now introduced two categories of Authentication User Agency (AUA), an entity (government, public or private legal agency) engaged in providing Aadhaar-enabled services. Under the limited KYC category, an authorized agency would be provided only need-based details of the user.
The changes have drawn mixed reactions, with critics calling them unworkable.
“The new virtual ID is untested and unworkable. The UIDAI is trying to rectify technical breach by its untested technology,” said one of the petitioners who are fighting a case against Aadhaar in the Supreme Court, NDTV reported. “In the hearing next week, we will oppose it tooth and nail,” the petitioner added.
Some, however, welcomed the move.
“If someone authenticates you, they will only have the virtual number, and even if their database gets hacked, all that gets lost is the virtual ID number which doesn’t put you at risk because you can always change this number,” Rahul Matthan, partner at law firm Trilegal, was quoted as saying by the Mint.
“Aadhaar is here to stay! Happy that the @UIDAI has introduced virtual ID and limited KYC in the spirit of continuous innovation to enhance privacy and security,” former UIDAI chairman Nandan Nilekani tweeted.
— Nandan Nilekani (@NandanNilekani) January 10, 2018
NSA whistleblower Edward Snowden tweeted again about the issue earlier this week, referring to a UIDAI FIR that is said to name, for investigation, the Tribune journalist who reported on the security threat:
The journalists exposing the #Aadhaar breach deserve an award, not an investigation. If the government were truly concerned for justice, they would be reforming the policies that destroyed the privacy of a billion Indians. Want to arrest those responsible? They are called @UIDAI. https://t.co/xyewbK2WO2
— Edward Snowden (@Snowden) January 8, 2018
Information Technology Minister Ravi Shankar Prasad said on Jan. 8 that the government had asked the UIDAI to request the Tribune and its journalist to assist the police in the investigation.
UIDAI will also be releasing the necessary APIs (application programming interfaces) by Mar. 1. All agencies have been directed to make the necessary changes for the use of virtual ID, UID token and limited KYC and to operationalize them by June 1.