Indian Government introduces Virtual ID to enhance data privacy in the use of national biometric ID

The Indian Government has announced significant changes to the way the national ID, Aadhaar, is currently being
used for authentication. Instead of providing the actual ID number, citizens
will be able to use a revocable Virtual ID, and agencies are required to
make the necessary changes in their systems by June 1, 2018.

The Unique Identification Authority of India (UIDAI), a statutory
body under the Ministry of Electronics and Information Technology (MeitY), is responsible
for issuing the 12-digit unique identity number linked to a citizen’s basic demographic and biometric
information. Nearly 1.2 billion Aadhaar numbers have been issued to
date, with over 99% of adults having the number by 2017.

Within a relatively short period of time (the first number was issued in September
2010), Aadhaar has become the primary identity proof used by Indian
citizens for accessing a range of services from government as well as
non-government entities. Banks, telecom companies, Public Distribution Systems
(India’s food security system), Income Tax, etc. have been mandated through
various laws to use Aadhaar for identity verification and de-duplication. A
wide range of private entities also use Aadhaar to verify the identity
of their customers.

In a new circular, UIDAI recognises that the collection and
storage of Aadhaar numbers by various entities has heightened privacy concerns [1]
and that, the Aadhaar number being irrevocable and permanent for life, there is
a need for a mechanism that ensures its continued use by the Aadhaar number
holder while optimally protecting the collection and storage of the Aadhaar number
itself in many databases.

Virtual ID

To strengthen the privacy and security of Aadhaar number
holders, UIDAI has introduced a Virtual ID (VID), which an Aadhaar holder can use
in lieu of his/her Aadhaar number to avoid sharing the Aadhaar number
at the time of authentication or KYC (Know Your Customer) processes.

The introduction of Virtual ID will reduce collection of
Aadhaar numbers by various agencies. Residents are currently required to share
Aadhaar number to authenticate their identity to avail various services and the
number is stored in the databases of banks, telcos and other private sector
organisations. The circular notes that VID, by design being temporary, cannot
be used by agencies for de-duplication.

The VID will be a temporary, revocable 16-digit random
number mapped with the Aadhaar number. It is not possible to derive Aadhaar
number from VID.

There will be only one active and valid VID for an Aadhaar
number at any given time.

The VID is revocable and can be replaced by a new one by
Aadhaar number holder after the minimum validity period set by UIDAI.

No entities like AUAs (Authentication User Agency) / KUAs (KYC User Agency) can generate a VID on
behalf of the Aadhaar number holder.

(AUAs are entities engaged in providing Aadhaar Enabled Services to Aadhaar number holders, using
the authentication as facilitated by the Authentication Service Agency (ASA).
An AUA may be a government / public / private legal agency registered in India
that uses Aadhaar authentication services of UIDAI and sends authentication
requests to enable its services / business functions.)

The VID can be generated only by the Aadhaar number holder.
They can also replace (revoke and generate a new one) their VID from time to time
after the minimum validity period set by UIDAI. UIDAI will provide various options to
Aadhaar number holders to generate their VID, retrieve their VID in case they
forget it, and replace their VID with a new number. These options will be made
available via UIDAI’s resident portal, Aadhaar Enrolment Centres, the mAadhaar
mobile application, etc.

All agencies using Aadhaar Authentication and e-KYC services
will be required to ensure that Aadhaar number holders can provide the 16-digit
VID instead of Aadhaar number within their application. All agencies offering assisted
services shall inform their offices and operators to enable this option for
Aadhaar number holders.

Limited KYC service

UIDAI will categorize all AUAs into two categories:
"Global AUAs" and "Local AUAs". Only Global AUAs will have access to
e-KYC with Aadhaar number, while all other agencies will only have access to
"Limited KYC".

This Limited KYC service provides an agency-specific
unique UID token to eliminate many agencies storing the Aadhaar number,
while still uniquely identifying their customers and enabling their own
paperless KYC.

This will also reduce the ability to merge databases across
agencies thus enhancing privacy substantially. The UID Token will be a 72-character
alphanumeric string meant only for system usage.
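
The VID and UID token properties described above (random 16-digit VID, one active VID per holder, replacement only after a minimum validity period, a 72-character token that differs per agency) can be modelled as follows. This is an added Python example, not UIDAI's implementation or API: the class and method names, the HMAC-SHA512 token derivation, the agency codes and the 24-hour validity period are all assumptions.

```python
import hashlib
import hmac
import secrets

MIN_VALIDITY = 24 * 3600  # seconds; assumed, the page only says UIDAI sets it


class VidRegistry:
    """Issuer-side model: one active random 16-digit VID per ID number."""

    def __init__(self, token_key):
        self._key = token_key   # issuer-held secret, never given to agencies
        self._by_vid = {}       # active VID -> ID number
        self._active = {}       # ID number -> (VID, time issued)

    def generate_vid(self, id_number, now):
        """Issue a VID, or replace the active one once MIN_VALIDITY has passed."""
        current = self._active.get(id_number)
        if current is not None:
            vid, issued = current
            if now - issued < MIN_VALIDITY:
                return vid              # too early to replace
            del self._by_vid[vid]       # revoke: the old VID stops resolving
        while True:
            # Drawn at random, so nothing about the ID number is encoded in it.
            vid = "".join(secrets.choice("0123456789") for _ in range(16))
            if vid not in self._by_vid:
                break
        self._by_vid[vid] = id_number
        self._active[id_number] = (vid, now)
        return vid

    def authenticate(self, vid, agency_code):
        """Return the agency-specific token for a live VID, else None."""
        id_number = self._by_vid.get(vid)
        if id_number is None:
            return None
        msg = f"{agency_code}|{id_number}".encode()
        # Assumed derivation: keyed hash over (agency, ID), cut to 72 hex chars.
        return hmac.new(self._key, msg, hashlib.sha512).hexdigest()[:72]


def demo():
    reg = VidRegistry(b"constructed-demo-key")
    holder = "999900001111"             # constructed sample, not a real number
    vid1 = reg.generate_vid(holder, now=0)
    bank, telco = reg.authenticate(vid1, "BANK01"), reg.authenticate(vid1, "TELCO7")
    vid2 = reg.generate_vid(holder, now=MIN_VALIDITY + 1)
    return vid1, vid2, bank, telco, reg.authenticate(vid1, "BANK01"), reg.authenticate(vid2, "BANK01")
```

Because the two agencies' tokens differ, a join on the token column across their databases matches nothing, while each agency still receives the same token for a returning customer after the VID has been replaced.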

UIDAI will from time to time evaluate AUAs/Sub-AUAs based on
the laws governing them and categorize them as "Global AUAs" only if
laws require them to use the Aadhaar number in their KYC. Only such agencies will
have access to Full e-KYC (with Aadhaar number) and the ability to store
the Aadhaar number within their system.

All AUAs who are not categorized as "Global AUAs"
will automatically be categorized as "Local AUAs". Such entities will
only have access to "Limited KYC" and will not be allowed to store
the Aadhaar number within their systems. According to the circular, UIDAI reserves the
right to determine, in addition to the UID Token, what demographic fields need to
be shared with the Local AUAs depending upon their needs.

All AUAs required to migrate by June 1, 2018

Agencies using Aadhaar Authentication and e-KYC would need to
make suitable changes so that their systems can accept the VID in place of the Aadhaar
number, use the UID Token within their database instead of the Aadhaar number (if they
are Local AUAs), and modify their applications to access Limited or Full e-KYC based
on their categorisation.

Local AUAs should make changes inside their systems to
replace Aadhaar number within the databases with UID Token. 

Existing Aadhaar numbers can be replaced with the corresponding UID token by doing a demographic match using
the authentication API.

Global AUAs should make changes in their systems to accept
UID token, in addition to Aadhaar number and use it in their processes.

UIDAI will share updated API/technical documents,
guidelines, and conduct workshops / training sessions for AUAs/KUAs to ensure
smooth and timely implementation. The necessary APIs are planned to be released
by March 1, 2018.

By June 1, 2018, all AUAs/KUAs shall have to fully migrate
to the new system, failing which their authentication services may be discontinued,
and financial disincentives may be imposed. Any non-compliance will invite
action in the form of financial disincentives and termination of the said
Agreement.

[1] To take up a couple of recent examples of concerns raised in the media, there was a viral news
report in The Tribune newspaper of reporters being able to purchase “a
service being offered by anonymous sellers over WhatsApp that provided
unrestricted access to details for any of the more than 1 billion Aadhaar
numbers created in India thus far” for Rs. 500, or around US$8. The Economic Times
reported that following the article, UIDAI restricted the access of all designated
officials, numbering about 5,000, to the said Aadhaar portal. There were further
news reports of police reports being filed against the reporters, which were
denied by UIDAI and MeitY. The complete statement from UIDAI is available here.

A short while earlier, there had been allegations that leading Indian telco Airtel had used Aadhaar
details to establish e-KYC credentials of users and open their accounts on
Airtel Payments Bank without their consent. Subsequently, UIDAI temporarily
barred Airtel and its payments bank service from using Aadhaar to verify users.
On March 11, it was reported that UIDAI was allowing Airtel to continue
Aadhaar-based e-KYC verification of telecom subscribers till March 31, but has
not withdrawn the current eKYC licence suspension order on its banking arm. That
remains suspended till final enquiry and audit (here and here).

Featured image: Kannanshanmugam,shanmugamstudio,Kollam/ CC BY-SA 3.0
