Addressing privacy concerns after a news report claimed a breach in the Aadhaar database, the UIDAI on Wednesday announced a new two-layer system to strengthen security of Aadhaar number holders which would do away with the need to share the unique ID for verification purposes.
Under the new system, at the user-end, the Aadhaar holder will have the choice not to share their Aadhaar number at the time of authentication. Instead, a random 16-digit Virtual ID number would be generated and could be used in lieu of Aadhaar with the authorised agency like banks and telecom service providers.
“Virtual ID will be a temporary, revocable 16 digit random number mapped with the Aadhaar number. It is not possible to derive Aadhaar number from Virtual ID,” a circular issued by UIDAI said.
At the agency-end, the Unique Identification Authority of India (UIDAI) has introduced the concept of “Limited KYC” (Know Your Customer) which won’t return Aadhaar number but would only provide an “agency specific unique UID token to eliminate agencies storing Aadhaar numbers while still enabling their own paperless KYC”.
The move comes amid heightened concerns around the collection and storage of personal and demographic data of individuals after The Tribune reported it bought unrestricted access to details of over one billion Aadhaar numbers — for just Rs 500 and in 10 minutes.
However, people would have to wait till March 1 as the UIDAI would be releasing necessary applications for its implementation by that day, the circular said.
“And by June 1, all agencies would have to fully migrate to the new system.”
As per the circular, a virtual ID will be valid for a defined period of time and every time a new one gets generated by the user, the older one gets automatically cancelled.
“Aadhaar number being a permanent ID for life, there is a need to provide mechanism to ensure its continued use by the Aadhaar number holder while optimally protecting the collection and storage of Aadhaar number itself in many databases,” the UIDAI said.
It added that while it is important to ensure that Aadhaar number holders can use their identity information to avail products and services, the collection and storage of Aadhaar numbers by various entities had heightened privacy concerns.
Last week, the Tribune report, widely shared on social media, claimed that it had got access through an “agent” to every detail of any individual submitted to the UIDAI including name, address, postal code, photo, phone number and email and found in its investigation that unauthorised persons had gained access to people’s personal information.