In 2009, I became extremely concerned with the concept of Unique Identity for various reasons. Connected with many like minded highly educated people who were all concerned.
On 18th May 2010, I started this Blog to capture anything and everything I came across on the topic. This blog with its million hits is a testament to my concerns about loss of privacy and fear of the ID being misused and possible Criminal activities it could lead to.
In 2017 the Supreme Court of India gave its verdict after one of the longest hearings on any issue. I did my bit and appealed to the Supreme Court Judges too through an On Line Petition.
In 2019 the Aadhaar Legislation has been revised and passed by the two houses of the Parliament of India making it Legal. I am no Legal Eagle so my Opinion carries no weight except with people opposed to the very concept.
In 2019, this Blog now just captures on a Daily Basis list of Articles Published on anything to do with Aadhaar as obtained from Daily Google Searches and nothing more. Cannot burn the midnight candle any longer.
"In Matters of Conscience, the Law of Majority has no place"- Mahatma Gandhi
Ram Krishnaswamy
Sydney, Australia.

Aadhaar

The UIDAI has taken two successive governments in India and the entire world for a ride. It identifies nothing. It is not unique. The entire UID data has never been verified and audited. The UID cannot be used for governance, financial databases or anything. Its use is the biggest threat to national security since independence. – Anupam Saraph 2018

When I opposed Aadhaar in 2010, I was called a BJP stooge. In 2016 I am still opposing Aadhaar for the same reasons and I am told I am a Congress die hard. No one wants to see why I oppose Aadhaar as it is too difficult. Plus Aadhaar is FREE so why not get one? - Ram Krishnaswamy

First they ignore you, then they laugh at you, then they fight you, then you win. - Mahatma Gandhi

In matters of conscience, the law of the majority has no place. - Mahatma Gandhi

“The invasion of privacy is of no consequence because privacy is not a fundamental right and has no meaning under Article 21. The right to privacy is not guaranteed under the constitution, because privacy is not a fundamental right.” Article 21 of the Indian constitution refers to the right to life and liberty - Attorney General Mukul Rohatgi

“There is merit in the complaints. You are unwittingly allowing snooping, harassment and commercial exploitation. The information about an individual obtained by the UIDAI while issuing an Aadhaar card shall not be used for any other purpose, save as above, except as may be directed by a court for the purpose of criminal investigation.”-A three judge bench headed by Justice J Chelameswar said in an interim order.

Legal scholar Usha Ramanathan describes UID as an inverse of sunshine laws like the Right to Information. While the RTI makes the state transparent to the citizen, the UID does the inverse: it makes the citizen transparent to the state, she says.

Good idea gone bad
I have written earlier that UID/Aadhaar was a poorly designed, unreliable and expensive solution to the really good idea of providing national identification for over a billion Indians. My petition contends that UID in its current form violates the right to privacy of a citizen, guaranteed under Article 21 of the Constitution. This is because sensitive biometric and demographic information of citizens are with enrolment agencies, registrars and sub-registrars who have no legal liability for any misuse of this data. This petition has opened up the larger discussion on privacy rights for Indians. The current Article 21 interpretation by the Supreme Court was done decades ago, before the advent of internet and today’s technology and all the new privacy challenges that have arisen as a consequence.

Rajeev Chandrasekhar, MP Rajya Sabha

“What is Aadhaar? There is enormous confusion. That Aadhaar will identify people who are entitled for subsidy. No. Aadhaar doesn’t determine who is eligible and who isn’t,” Jairam Ramesh

But Aadhaar has been mythologised during the previous government by its creators into some technology super force that will transform governance in a miraculous manner. I even read an article recently that compared Aadhaar to some revolution and quoted a 1930s historian, Will Durant. - Rajeev Chandrasekhar, Rajya Sabha MP

“I know you will say that it is not mandatory. But, it is compulsorily mandatorily voluntary,” Jairam Ramesh, Rajya Sabha April 2017.

August 24, 2017: The nine-judge Constitution Bench rules that right to privacy is “intrinsic to life and liberty” and is inherently protected under the various fundamental freedoms enshrined under Part III of the Indian Constitution

"Never doubt that a small group of thoughtful, committed citizens can change the World; indeed it's the only thing that ever has"

“Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.” -Edward Snowden

In the Supreme Court, Meenakshi Arora, one of the senior counsel in the case, compared it to living under a general, perpetual, nation-wide criminal warrant.

Had never thought of it that way, but living in the Aadhaar universe is like living in a prison. All of us are treated like criminals with barely any rights or recourse and gatekeepers have absolute power on you and your life.

Announcing the launch of the #BreakAadhaarChains campaign, culminating with events in multiple cities on 12th Jan. This is the last opportunity to make your voice heard before the Supreme Court hearings start on 17th Jan 2018. In collaboration with @no2uid and @rozi_roti.

UIDAI's security seems to be founded on four time tested pillars of security idiocy

1) Denial

2) Issue fiats and point finger

3) Shoot messenger

4) Bury head in sand.

God Save India


Thursday, June 28, 2018

13742 - Aadhaar Virtual ID to be accepted from July. Here’s how to generate - Live Mint


Aadhaar Virtual ID, a 16-digit random number mapped with the Aadhaar number, can only be generated, replaced or revoked by the Aadhaar card holder

Last Published: Tue, Jun 26 2018. 10 14 AM IST


New Delhi: With the Unique Identification Authority of India (UIDAI) mandating the implementation of Virtual ID from 1 July, the way financial institutions have been verifying information about customers is going to change. Virtual ID is a 16-digit random number mapped with the Aadhaar number. It can only be generated, replaced or revoked by the Aadhaar number holder. “It will not be possible to derive the Aadhaar number from the Virtual ID,” a circular issued by UIDAI in January said. There will only be one active and valid Virtual ID for an Aadhaar number at any given time.

How to generate Aadhaar Virtual ID?
Aadhaar number holders can generate Virtual ID from the UIDAI website, Aadhaar enrolment center or the mAadhaar app. All that the user needs to ensure is that their mobile phone number is linked with the Aadhaar database so that they can receive an OTP or one-time password to generate VID. The facility has been rolled out by UIDAI from 2 April.

Why has Aadhaar Virtual ID been introduced?
The move is part of UIDAI’s initiative to put in place multi-layered security to reinforce privacy protection for Aadhaar holders. Virtual IDs allow Aadhaar number holders to share VID instead of their Aadhaar number during authentication, thus reducing collection of Aadhaar numbers by various agencies, said a UIDAI circular.

How to use it?

The Virtual ID can be used for the purpose of authentication in the same way the Aadhaar number is used. As of now, when a customer has to authenticate himself/herself to avail financial services, he/she has to give the 12-digit Aadhaar number and an OTP that he/she receives on the mobile phone.
From 1 July, the customer will not be required to give the Aadhaar number, instead the 16-digit Virtual ID will be provided to the agency or company.

Where to use Aadhaar Virtual ID?

UIDAI has introduced two categories of Authentication User Agency (AUA), an entity engaged in providing Aadhaar-enabled services: the local AUA, which is the limited KYC category, and the global AUA, which will have access to e-KYC using the Aadhaar number.

An AUA may be a government, public or a private legal agency registered in India which uses Aadhaar authentication services provided by UIDAI.

All banks (commercial banks, payment banks, regional banks, rural banks, cooperative banks and small finance banks), life insurance companies and National Payments Corporation of India (NPCI) have been categorized as global AUAs, whereas prepaid payment instruments (PPIs), non-bank financial institutions (NBFCs), telecom operators and non-life insurance companies are amongst those classified as local AUAs.

This means that if you want to authenticate yourself to avail services of any of these local AUAs, you will have to use Aadhaar Virtual ID. However, the use of Virtual ID for availing services of global AUAs is optional for users.

However, the global AUAs too have been instructed to upgrade their systems to provide authentication services using Virtual ID, said UIDAI in a circular issued on 6 June.

According to an industry expert, who did not wish to be named, Aadhaar Virtual ID has been introduced as an alternate ID for protecting privacy of Aadhaar number, especially for online customers doing OTP based e-KYC and authentication.

“However, the distinction between local and global AUAs needs more clarity especially when KYC regulation and specific use cases are driving the classification among entities getting Global and Local AUA licenses,” added the person.


First Published: Tue, Jun 26 2018. 10 13 AM IST

Friday, June 22, 2018

13696 - Virtual IDs for new SIMs in place of Aadhaar from July 1 - TNN


Nisha Nambiar | TNN | Updated: Jun 16, 2018, 09:36 IST

PUNE: The department of telecommunications (DOT) has directed telecom service providers to change their systems and networks for enabling the use of virtual IDs instead of Aadhaar and opting for the limited KYC mechanism. 

This is a relief for cellphone users as they can provide the telecom service providers either the Aadhaar numbers or the virtual IDs (VIDs) generated by the Unique Identification Authority of India (UIDAI), which will authenticate their name and address details from July 1. 

The June 12 circular issued by the department of telecommunications (DOT) is, however, yet to reach most telecom service providers and retailers. 

The VID is a 16-digit number that is temporary and revocable at any time and is mapped to an individual’s Aadhaar number for authentication. In addition, the UIDAI will provide unique tokens to each agency against an Aadhaar number to establish the uniqueness of beneficiaries in their database. 

The circular mentions that the licensee shall display the Aadhaar numbers or VIDs in masked form at the point of sale terminals and ensure that they are not stored anywhere in its system, application or database. The licensee should follow the e-KYC process using the UID token to ascertain the uniqueness of the subscriber and store it along with other fields in the subscriber’s database. 

The circular added that replacement of Aadhaar number is permitted only with UID tokens for the existing subscribers and that too as a one-time measure. The telcos can’t alter other data in the database. 

“If any incident of alteration/manipulation of any other field comes to notice, such connection shall be treated as pre-activated and penal action shall be taken,” the circular read. 

The Cellular Operators Association of India (COAI) has described the telecom ministry’s move as a step towards the customers’ privacy.

“The telecom operators always ensure the subscribers’ privacy and comply with the telecom ministry’s regulations. They are trying their best to make necessary updates in the IT systems by July 1 and implement the suggested changes,” COAI director general Rajan Mathews said. 

Activist and e-governance expert Anupam Saraph said the virtual IDs have come in “very late” as the retailers already have Aadhaar details of most consumers. “Even as the circular mentions that information could not be stored, I feel this has already been done,” he told TOI.

A telecom service retailer here said he was yet to receive the circular. “We have already collected Aadhaar numbers of many customers. We are not sure what we should do with the collected we have already collected,” he said.


Wednesday, June 6, 2018

13646 - UIDAI Beefs Up Data Security, Limits Digital Payment Companies' Access To Aadhaar Data - INC42



The UIDAI Divides Authentication User Agencies Into Two Types — Local AUAs (Banks) And Global AUAs (Payment Companies)

June 4, 2018

After mobile wallet transactions fell 13% to 268.79 Mn in March 2018, it looks like wallet companies are ready to record further downfall in the first quarter of 2018, thanks to the UIDAI (Unique Identification Authority of India)’s attempt to ensure data security.

According to an ET report, the UIDAI has imposed restrictions on digital payment companies accessing its database by classifying them as local authentication user agencies and citing concerns over their security systems.

It is to be noted that an authentication user agency (AUA) captures Aadhaar information from a person and submits it to the Central Identities Data Repository for validation.
Now, the UIDAI has segregated this agency into two — local AUAs, which can access limited information, and global AUAs, which can access the complete information in the repository. Global AUAs cover banks while all payment companies and other entities in the authentication business fall under local AUAs.

According to the report, the UIDAI noted that “only global AUAs will be allowed access to full eKYC along with Aadhaar numbers, while local agencies will have restricted access.”
In simple terms, this means that payment companies can only accept virtual Aadhaar numbers from consumers, which are provided by the UIDAI for verification.

It essentially means the woo-woo magic that happened on devices with your Aadhaar number won’t happen anymore; rather you will have to source your virtual ID from the UIDAI website and provide it to the authentication agency. Just another process for KYC-lazy customers, who have stopped using mobile wallets because of these requirements.

The UIDAI also noted that “some entities required to verify clients with Aadhaar number may not have the requisite security systems needed to use or store these numbers and have been precluded from the list of global AUAs.”

The Unending Saga Of e-KYC, RBI, UIDAI, And Supreme Court

Ever since the RBI issued stricter KYC guidelines for digital payment users last October, the sector has seen some major upheaval. As reported earlier by Inc42, the Reserve Bank of India (RBI) had refused to extend the deadline for KYC (Know Your Customer) beyond February 28, 2018, stating that enough time has already been granted to adhere to the prescribed guidelines.

However, adding to the confusion, the country’s Supreme Court, on March 13, 2018, extended the deadline for mandatory linking of Aadhaar card to avail of various government services and welfare schemes. Reports claimed that more than 50% of the PPIs are still not KYC compliant.

Most recently, the RBI asked all payment system operators in the country to store data relating to their customers within India. The move is geared towards ensuring that user details remain secure against privacy breaches. According to the directive, payment companies have been given six months to comply with the newly released norms.

According to industry estimates, the fall, in terms of the number of digital wallet users, has been somewhere around 80% to 90% and is largely the result of most customers shying away from full KYC authentication.

Notably, the completion of the KYC involves linking of Aadhaar card and PAN card to e-wallet mobile applications. The RBI had earlier stated that customers who are not willing to follow the KYC process could close their PPI accounts and get the balance money transferred to their respective bank accounts.

What Is Aadhaar Virtual ID?
Inc42 had earlier reported that the UIDAI has introduced the beta version of the VID (virtual ID) feature. In January, the UIDAI launched a two-layered safety net feature to avoid data breaches. This consists of a 16 digit Virtual ID and limited know-your-customer (KYC) for Aadhaar number holders.


With the virtual ID, there will be no need to share the real Aadhaar number at the time of authentication. Instead, a randomly generated 16-digit code will be shared with the agency every time.

This ID, along with biometrics of the user, like the name, address, and photographs, can provide the necessary details to the concerned agency, without being able to track the actual Aadhaar number of the user.

A user can generate multiple virtual IDs as per the need. The older IDs will get cancelled once a fresh ID is issued to the user. Since the virtual ID gets mapped to the individual’s Aadhaar number, there will be no more need to share the original Aadhaar number.

The limited KYC feature, meanwhile, will provide the agencies with only the essential details, thus avoiding the chance to track and store a user’s Aadhaar number. Agencies can do their own KYC and identify users with ‘tokens’.

Also, as stated by the UIDAI in a media statement, “Agencies that undertake authentication won’t be allowed to generate the virtual ID on behalf of Aadhaar holder.”

The UIDAI has been in a full-drawn battle in the Supreme Court to defend the Aadhaar system, claiming that 13ft high and 5ft thick walls protect Aadhaar data, which continues to witness major leaks. The move to limit access of local AUAs, i.e. wallet companies, to UIDAI data in order to ensure data security might be counter-productive to the digital push of the government.




Saturday, January 27, 2018

12791 - Make Aadhaar simple for vulnerable sections - Asian Age


Vice Admiral Arun Kumar Singh retired as Commander-in-Chief of the Navy's Eastern Naval Command in 2007. A nuclear and missile specialist trained in the former Soviet Union, he was also DG Indian Coast Guard.

Published : Jan 27, 2018, 4:31 am IST




If information from the Internet is any proof then 111 crore of 125 crore Indians have been issued Aadhaar cards. Meanwhile, the media has reported unfortunate cases of starvation deaths of poor people after having been denied subsidised ration due to their failing biometrics or non-availability of Aadhaar cards. A Google search indicates that India has an estimated 78 million homeless (including 11 million street children) people, an estimated 276 million people living below the international poverty line $1.25 per day (in purchasing power parity terms) while over 104 million senior citizens (over 60 years) with fading biometrics face problems of living in Digital India. Also vulnerable are pensioners or the sick whose biometric authentication “fails” during the annual pension life certificate requirement.

This article delves into options available to make life simpler for about 450 million (assuming half of them have problems in getting Aadhaar due to having no address proof or with failed fingerprint biometric authentication) vulnerable people living in Digital India.

At the outset, I must admit that I do support the Aadhaar card (it does have a role to play in national security during this period of global transnational terror, counterfeit currency trickling in from Pakistan and for tackling the menace of black money) and am aware that the Supreme Court is examining the issue of “privacy and data leakage” while the Unique Identification Authority of India (UIDAI) has recently come out with an “additional layer of security” to prevent data leakage, i.e. “fusion facial recognition in conjunction with one time password (OTP) or with biometric functions (finger prints and or retina scan)” for authentication beginning July 1, 2018 so as to provide “major relief” to senior citizens who have problems of fading biometrics, and are particularly vulnerable as Aadhaar is (or may be, depending on the Supreme Court verdict) linked to pensions, hospital admissions-cum-discharge, bank accounts, mobile phones, fertiliser subsidy and ration cards.

Media reports have also indicated that some cremation grounds and cemeteries have asked for Aadhaar card of the deceased before carrying out the final rites.

Aadhaar is a biometric (finger print and retina scan) card system. Neither is it a smart card (with a chip) like our debit or credit cards nor is it a combination of the more versatile biometric (thumb print only)-cum-smart card with a chip like the Ex-Serviceman Contributory Health Scheme (ECHS) card being used by military veterans. After some discussions with people working at Aadhaar centres, I discovered that to make an Aadhaar card it requires, at least, 20 per cent “capture” of all 10 fingers of an individual along with retina scan of both eyes and the photograph. It is obvious that the quality of equipment used for this “biometric data capture” plays an important role as do data transmission by Internet, followed by data storage in a secure data bank and data retrieval when needed.

I further learnt that to get a “reliable authentication by finger print” all the time, the initial “fingerprint data capture” while making Aadhaar must be above 50 per cent. Thus, even though a person has an Aadhaar card (with 20 per cent data capture), his fingerprint authentication may fail when needed (due to fingerprint data capture being less than 50 per cent). Presently, banks, hospitals, ration shops, mobile phone shops, etc, only have “fingerprint” machines and not the expensive retina scan machines and certainly not the prohibitively expensive facial scan machines. A recent TV show discussion indicated that “facial recognition” machines have been installed at an airport in the UK and apparently one such machine costs Rs 2 crore and initial trials had shown failure rates of about 30 per cent, though with advancing technology this situation will definitely improve.

Assuming that the Supreme Court rules in favour of the continued usage of the Aadhaar card, what are the interim solutions to provide “relief” to the weaker sections of society till such time that Aadhaar can be made completely “safe and usable”? 

First, assuming that uninterrupted electricity and Internet is available, it is obvious that the equipment used for initial data capture, data transmission, data storage and retrieval must be urgently upgraded to the latest global standards. 

Second, free Aadhaar cards (along with bank accounts) need to be given to the poor and homeless using the nearest post office or bank as “address proof” till such time that all have a roof over their head, by 2022, as promised by Prime Minister Narendra Modi. For those living below poverty line (and unable to own a mobile phone for OTP, etc) and relying on subsidised food ration shops, the old system of book-keeping along with a digital photo of the individual taken along with his ration card (and Aadhaar card, if held).

For the ageing and increasing number of senior citizens who become more and more vulnerable due to failing health, fading biometrics and collapsing family support systems, the government (and hospitals, banks, pension disbursement authorities, insurance companies, etc) should, apart from “OTP”, consider the old “written forms for annual pension life certificates” or taking a digital photo of the individual with Aadhaar card. Another option would be to automatically issue an “Aadhaar smart card with chip” (easy authentication of identity by a special card reader with a screen display of the individual’s photo, date of birth, visible identification marks, height, colour of hair and eyes) to senior citizens and to those people whose finger prints get worn out due to hard manual labour.

To conclude, implementation of all the above proposals may not make Aadhaar “foolproof” in a diverse, over-populated country like India and there may be some “misuse” by a few, but it is still worth making life easier for the vulnerable sections of our society and should be given the same priority as needed for cyber security to prevent leakage of data.

Aadhaar is needed but it must be user-friendly and inclusive and given a higher priority than the proposal to make Bengaluru airport as India’s first “biometric recognition walk through airport”.



Friday, January 26, 2018

12781 - Aadhaar's new security measures are good, it is still work in progress - Business Standard


Here's a rundown of the three new features that the UIDAI will introduce to make Aadhaar seemingly more secure
Alnoor Peermohamed  |  Bengaluru 
Last Updated at January 25, 2018 00:33 IST



While public pressure over the security of Aadhaar might have forced the Unique Identification Authority of India (UIDAI) to introduce new features such as face authentication, virtual ID and limited KYC, experts who have worked on the system say such updates are incremental and need to keep happening.

Be it Google, Facebook or Aadhaar, a digital system serving billions of people needs to remain secure for which it continually has to evolve, sometimes adapting to issues that are found. The three new features will certainly help improve security, but many questions still remain over how the UIDAI will tackle the recently highlighted issue of rogue Aadhaar agents.

An article in the Tribune newspaper, which claimed that Aadhaar information of individuals was on sale for as little as Rs 500, sparked off the biggest security scare against the digital identity keeper in a while. Even though the UIDAI asserted that its systems had not been breached, proof that Aadhaar details of an individual could be bought had been delivered. The agency has also not inspired confidence among the public and security researchers with the way it has responded to Aadhaar data that has been put in public domain in violation of privacy of individuals.



"As an economy and an ecosystem, we have to understand that there is no such thing as a 100 percent secure system. When it was on paper it was not secure and now that it is digital, it is not a 100 percent secure. Security gaps may exist, but those should not cause large-scale theft of people's identity or cause significant damage. It's an arms race and this means that Aadhaar has to improve constantly," says Lalitesh Katragadda, former head of Google's product centre in India who has helped build Aadhaar.
Here's a rundown of the three new features that the UIDAI will introduce to make Aadhaar seemingly more secure:
Face Auth
Face Authentication or 'Face Auth' is an additional biometric that the UIDAI will roll out in order to cut down on the number of failed attempts which is increasingly being highlighted as an issue. By matching a user's face, captured through a camera at the time of authentication to the image of their face which was taken at the time of Aadhaar enrolment, the identity of an individual can be more accurately verified.
Facial recognition in the consumer landscape has once again been popularised by Apple's latest iPhone X device that uses an array of sensors and infrared light to map a person's face in three dimensions. The company claims this is more accurate than its previous fingerprint-based TouchID technology, but this isn't the case with UIDAI's facial recognition technology.
The UIDAI will utilise webcams and low-end hardware to enable Face Auth, and it has therefore taken the conscious decision to use a person's face in conjunction with another layer of authentication: fingerprint, iris scan or a one-time password sent to the user's registered mobile device.
How exactly applications built on Aadhaar will utilise this new Face Auth feature is not known yet, and neither are the technical specifications. Srikanth Nadhamuni, the former Chief Technology Officer of Aadhaar, envisions a scenario where a farmer using Aadhaar to get his PDS witnesses a failure to authenticate using his fingerprint, prompting the application to capture his photo and check whether it matches with the existing photo on the UIDAI's database.
Activists, however, point out that it's far easier to fake facial recognition software, which in some cases gets fooled into giving out positives by simply holding photos of the user in front of a camera. "At the end of the day your face is again biometric, and that comes with the same host of issues that are plaguing the other biometrics that has so far been used," says Sunil Abraham, Executive at Bengaluru-based think tank Centre for Internet and Society (CIS).
Virtual ID
As its name suggests, Virtual ID gives users a stand-in for their 12-digit Aadhaar number if they're worried that it will be stolen, leaked online or misused in any way. Any Aadhaar user will be able to log into an online portal, visit an Aadhaar enrollment centre or use the mAadhaar app to generate a 16-digit Virtual ID.
By design, the UIDAI has built the Virtual ID to be temporary, and a user can ask for any number of Virtual IDs: when a new one is generated, the old one is destroyed and can even be assigned to another user. The key here is that only the UIDAI, and no one else, will be able to link a Virtual ID to an Aadhaar number.
After years of arguing that leaking of the Aadhaar number itself wasn't an issue, the UIDAI is finally giving users a tool that allows them to keep their Aadhaar number private. While Abraham agrees that the feature will make Aadhaar safer, he says its effectiveness will only be valid if a user opts in as it has not been made a feature by design.
Nadhamuni argues on the contrary, that making Virtual ID a mandatory process would hurt more people than it helps. "A lot of people in rural India are using their Aadhaar for authentication of PDS and MNREGA and so on and it's working for them. You don't want to confuse all of them and ask them to create yet another number. You'd have to make a farmer understand the concept of Virtual ID when he's completely happy with the way things are today," he says.
Limited KYC
The process of KYC (Know Your Customer) through Aadhaar has all along given public bodies and private companies access to a user's details such as name, age, sex, address and photograph. With limited KYC, the UIDAI will categorise a body seeking Aadhaar details into two buckets: ones that get the full information and ones with whom only partial information is shared.
Realising that not all bodies or companies need all the Aadhaar details is the biggest change that Limited KYC will bring in. The idea is that the fewer places a person's Aadhaar details are stored, the fewer chances of it leaking. Moreover, by giving only critical services full Aadhaar details, the UIDAI is hoping it will eliminate its problem of having to share details with less secure systems.
Limited KYC will also bring in a tokenized system for agencies to ensure uniqueness while not storing a user's Aadhaar number on their databases. A 72-digit alphanumeric UID Token will be generated at the time of authentication, which only UIDAI will be able to map back to a particular Aadhaar number. However, there isn't clarity on who will be exempt from this, as there is word that banks and tax authorities will be allowed to store user Aadhaar numbers.
The UID Tokens will also be backdated, meaning all previous KYC attempts a user had made with a particular body or company will also be migrated to the new system, ensuring that if two databases leak, the perpetrators are not able to easily use Aadhaar numbers to match users and improve the quality of the data they've stolen. Some details on this are still missing though.
Security: Work in Progress
Experts who worked on building Aadhaar say that such features were discussed during the very inception of the national biometric database, but were not rolled out until now to avoid complexity. Katragadda, who has worked on building many large APIs at Google, agrees that all large systems avoid complexity during the kickoff and add it later based on the needs of users.
Like him, both Nadhamuni and Abraham agree that the new features will make Aadhaar more secure, though Abraham had reservations about how secure it would be, which only the fine print would reveal. The experts also agree that the public discourse around Aadhaar security is a good thing, since the digital security of over a billion people is now a matter of public discussion.
"Security breaches are like earthquakes. It's better to have many tiny tremors than be oblivious to gaps in our system and lose everything with that one massive earthquake. So it's better to have our ears close to the ground, have ethical hacking competitions where we ask people to hack the Aadhaar system, find gaps in security. The best APIs in the world do this," says Katragadda.
He adds that India should not be scared to build large digital systems for public good out of fear that there will be security breaches. Even the paper-based system before Aadhaar had several security lapses, but they were not visible. "Otherwise we need to have this holy grail of a system which is perfectly automated and we're at least 20 years away from full robotics," he adds.



First Published: Thu, January 25 2018. 00:32 IST

Sunday, January 21, 2018

12706 - Virtual Id, Limited KYC, face recognition: New security features to help strengthen Aadhaar - Business Today

BusinessToday.in | New Delhi | Last Updated: January 16, 2018 | 18:02 IST
In the past week UIDAI has introduced three new features to improve the security of the Aadhaar database amid concerns over the safety of the world's biggest online database. Both the government and the UIDAI, which administers the Aadhaar database, are confident about the safety of data. Some government officials have dismissed the criticisms over Aadhaar saying it's a foolproof system.
Trai (Telecom Regulatory Authority of India) chairman RS Sharma, in a recent interview with ET, said there's never been a breach of data, saying it's just "breach of trust". He went on to justify his claim, giving an example of how, out of a total of 15 billion biometrics, not a single piece of biometric information had been stolen since the Aadhaar service was launched seven years back.
UIDAI architect Nandan Nilekani also hailed the Aadhaar security structure recently saying the newly introduced security features like Virtual Ids and Limited KYC were significant to protect the Aadhaar system. About the recent incident of data breach, Nilekani said the incident was not a data leak but a "privileged leak", which the UIDAI was able to stop.
After a media report last month alleged a major data leak of Aadhaar Card holders' information on paying just Rs 500, UIDAI Chief Executive Ajay Bhushan Pandey strongly defended the system, rubbishing the claim before launching an inquiry into the incident.
A few days later, Virtual Id (VID) system and Limited KYC services were introduced as part of the added security measures. The VID is a 16-digit temporary random number that an Aadhaar holder can use for authentication or KYC services with fingerprint instead of the original Aadhaar number. Under limited KYC, authentication user agencies will neither get access to full KYC nor will they be able to store the Aadhaar number on their systems. Instead, they will get a tokenised number issued by UIDAI to identify their customers.
The UIDAI also came up with a face recognition feature for Aadhaar authentication on Monday. This is the second layer of verification to ensure that those having difficulty with their fingerprint/iris authentication are no longer excluded. Pandey tweeted on Tuesday, "UIDAI introduces yet another landmark technology for authentication - Face Authentication. #AadhaarFaceAuth will help all elderly or others facing issues with fingerprint authentication. Service to be launched by 1 July 2018."
The move will improve inclusion and benefit the people whose fingerprints no longer match their original biometrics due to age. Since residents are already photographed at the time of Aadhaar enrolment, this new measure does not require any additional effort from the existing Aadhaar holders. However, the circular specifies that this new measure will only be allowed in "fusion mode along with one more authentication factor", be it fingerprints, iris scan or OTP (one-time-password).

Saturday, January 20, 2018

12683 - How UIDAI beefed up Aadhaar security after alleged data breach - Money Control


The Unique Identification Authority of India (UIDAI) has beefed up Aadhaar's security to address privacy concerns around leakage of Aadhaar numbers and data.
Moneycontrol News



Earlier this month, The Tribune found in an investigation that details of any of the about a billion Aadhaar numbers issued in India can be accessed for as little as Rs 500 on WhatsApp. Following the allegations, the authority has announced several steps to secure Aadhaar data.

Here are some measures taken by the UIDAI to safeguard Aadhaar: 

Virtual ID
The virtual identity or virtual ID (VID) will be a random 16-digit number mapped to the Aadhaar number of a citizen.

The VID will not be duplicable by agencies performing authentication of Aadhaar number, and hence, will ensure safety of the Aadhaar number. The ID, similar to a debit card, will come with an expiration date.


According to a statement by UIDAI, which administers Aadhaar, the VID can be generated and revoked only by the Aadhaar number holder through channels such as the Aadhaar portal and the mAadhaar mobile app. If so required, a new VID can be generated by the Aadhaar holder for each new transaction, and the previous ID will automatically become redundant.
Last week, Nandan Nilekani, the man behind the Unique Identification Authority of India (UIDAI) also backed the virtual ID arrangement announced by the UIDAI.


Limited KYC 
The UIDAI has further introduced limited KYC (know your customer) process wherein only some entities, categorised as global authentication user agency (global AUA), will be allowed to store a citizen's Aadhaar number, while others, known as local AUAs will not be allowed to store Aadhaar numbers.
These agencies will be given a UIDAI token specific to them, to enable them to uniquely identify their customers.
The UID token, a unique character for system usage, will be unique to every authentication request made by a global or local AUA.
Currently, every agency that uses Aadhaar for KYC authenticates a user and often stores a person's Aadhaar number.
As of now, the new measures do not specify what happens to the Aadhaar numbers that have already been stored by public or private entities. They also do not mention which AUAs would qualify as global or local.

Facial recognition 
As another measure to tighten security, UIDAI has rolled out facial recognition for authentication of the Aadhaar number.
On Monday, the authority stated it will enable face authentication in conjunction with existing authentications such as biometric or iris scan or one-time password to be able to successfully authenticate an Aadhaar number holder on registered devices from July 1.



"This facility is going to help in inclusive authentication of those who are not able to biometrically authenticate due to their worn out fingerprints, old age or hard work conditions," UIDAI said in a statement. Several cases have been reported of people being unable to complete biometric authentication due to skin of the fingers being worn out on account of age or working conditions.

12680 - UIDAI will issue 16-digit virtual ID to secure Aadhaar privacy - New Burgh Gazette



While "global authentication user agencies" will get to access the entire KYC gamut and the Aadhaar number, smaller, local authentication agencies will be given the virtual IDs. 

210 government published at least 13 crore Aadhaar numbers in the past and the risk of people having these numbers already is very high. 

UIDAI has been under the scanner over the past few months over allegations of access of personal information by random entities without the consent of individual Aadhaar holders. 

It will not be possible to derive Aadhaar number from VID. The UIDAI on Wednesday introduced a new security layer to address the privacy concerns related to Aadhaar. 

A day after the Unique Identification Authority of India (UIDAI) introduced a new concept of 'Virtual ID' for Aadhaar card holders, former finance minister and Congress leader P Chidambaram hinted that it was too late an attempt. 

The flaw, according to a Hindustan Times report, is based on the USSD (Unstructured Supplementary Service Data) that was publicly shared by UIDAI in December and tells the user if their bank account has been linked with their Aadhaar number or not. VIDs being temporary cannot be de-duplicated and as an added precaution, agencies that undertake authentication will not be allowed to generate VIDs on behalf of Aadhaar holders. 

The VID will be a temporary, revocable 16-digit random number mapped with the Aadhaar number. "I think, everybody has to accept Aadhaar is here to stay," the former UIDAI chief said. However, the new system of KYC does not require the Aadhaar Number. The details of this new virtual ID that UIDAI is creating are still coming in so for now it is not clear how it will work. 

The first relates to the report by Buzzfeed News that the creator of Aadhaar, and the head of UIDAI from 2009 to 2014, Nandan Nilekani, himself had tweeted out his Aadhaar number, with the first 8 digits redacted. The Aadhaar-issuing body will offer means to generate the VID via the resident portal, at an Aadhaar Kendra (Aadhaar centre) or via mobile app mAadhaar. 

This will allow Aadhaar holders to generate a 16-digit temporary number that can be shared with a bank, insurance company and telecom service providers instead of the 12-digit Aadhaar number. UIDAI will categorize all AUAs into two categories - "Global AUAs" and "Local AUAs". Only name, photograph and address of the person can be accessed via this Virtual ID. This will also reduce the ability to merge databases across agencies thus enhancing privacy substantially. When will the limited KYC and UID Tokens be in place? The second kind, would get limited access as per requirement, therefore better safe-guarding the Aadhaar-card holders. The UIDAI's and the government's cavalier attitude towards security in Aadhaar has been exposed many times over. VID launch is on March 1, so you won't have to wait for long. All of these service providers will have to advance their systems to compulsorily allow for the new instrument from June. Any non-compliance will invite action in the form of financial disincentives and termination of the said Agreement. 

Newburgh Gazette http://newburghgazette.com/2018/01/14/uidai-will-issue-16-digit-virtual-id-to-secure-aadhaar/

Sunday, January 14, 2018

12742 - This is what happened when Nandan Nilekani accidentally tweeted his Aadhaar ID - Times Now News


Updated: Jan 11, 2018 | 17:31 IST | ET Now Digital


Mumbai: Would you believe it if we told you that the man who helped create India’s unique biometric identity program ‘Aadhaar’ had tweeted his ID three years ago? No, we are not joking.

According to a BuzzFeed news report, Nandan Nilekani exposed himself to identity theft by tweeting a picture of his own Aadhaar card on April 12, 2014. Though he blacked out the first 8 digits of his 12-digit Aadhaar number, he forgot to black out the QR code, which contains all his personal demographic details such as name and address and could be read by any freely available iOS or Android app used for scanning QR codes. Does that mean Nilekani’s private information remains online? The answer is YES.

BuzzFeed News reviewed at least half a dozen other web pages and found that images of Nilekani’s tweet with his Aadhaar card exist on at least one popular website, which they did not want to name.

Nilekani served as the head of the Unique Identification Authority of India (UIDAI) from 2009 to 2014. On January 10, Nilekani, in an exclusive interview with ET NOW, praised the UIDAI for introducing the new security features for Aadhaar card and lashed out against its critics for making baseless allegations.

Nilekani, 62, said the move to introduce 'Virtual IDs' for each Aadhaar card holder is a significant move and puts to rest the debate of privacy surrounding the unique identification number.
Despite several people on Twitter pointing out a potential breach of privacy, Nilekani’s tweet remained on Twitter at least through September 2016, when he finally deleted it.

In September 2016, India’s government passed the Aadhaar Act to govern the program, which made publishing an Aadhaar number publicly a criminal offense.


Aadhaar is a 12 digit unique-identity number issued to all Indian residents based on their biometric and demographic data.
According to experts, Nilekani’s leaked Aadhaar number leaves him vulnerable to identity fraud as the government has made the unique ID mandatory for carrying out a number of tasks.
These include linking bank accounts and mobile phone number. You are also required to link your 12-digit unique identification number Aadhaar to mutual fund holdings, insurance policy, PPF and small savings schemes such as Kisan Vikas Patra.

Recently, the government has made Aadhaar number mandatory for obtaining benefits under the Varishtha Pension Bima Yojana (VPBY) pension scheme. The move was made to bring in greater transparency and maintain digital records of financial products through the country. In addition to financial products mobile SIMs, PFs and other social schemes have also been urged to be linked to Aadhaar.

After The Tribune published an investigation revealing how it was able to buy unauthorized access to the demographic details of nearly 1.2 billion Indians in the Aadhaar database earlier this week at a mere Rs 500, the UIDAI took to Twitter and wrote that having someone’s Aadhaar number and demographic information was “not a security threat” without also having their biometric information. But a day later, the UIDAI sent out a tweet cautioning the general public about the importance of keeping Aadhaar numbers confidential.



Please ensure that you delete the local copy of Aadhaar downloaded in any cyber cafe or on any other public machine as it may lead to misuse. #AadhaarEssentials

In a major security upgrade, the UIDAI on January 10 introduced two measures to make Aadhaar cards more secure. With the introduction of virtual IDs, no Aadhaar cardholder will have to disclose their actual card number to third-party services.

In August 2017, the Supreme Court held that privacy is a fundamental right under the Constitution of India.

12739 - Aadhaar: Doubts linger - The Asian Age

Published : Jan 13, 2018, 12:14 am IST

It may be a Herculean task to reassign Aadhaar numbers to 119 crore people before bringing in Virtual ID.


The planned introduction of a 16-digit “Virtual ID” for Aadhaar may be a good security measure, but it may have been thought of a little too late. The Virtual ID is a clear response to the credibility hit the Aadhaar system and its database faced following the newspaper expose of how it could be breached with an electronic payment to agents selling a gateway for illegal access. Around 119 crore Indians have already shared a 12-digit number to establish their identity for various services, to claim government subsidies and for banking, etc. The Virtual ID may further confuse users and confound the system struggling to keep the sanctity of personal data already shared with several government departments, telecom providers, etc. The switch to need-based access to personal data now may help only prospectively.

The Aadhaar system’s progenitor seems to be nursing a grouse that the system’s credibility is being eroded by an “orchestrated campaign”. However, after several government websites published the data of welfare recipients and a serious media expose, the biometric identifier must reinvent more safeguards to convince the Supreme Court of its constitutional validity. It may be a Herculean task to reassign Aadhaar numbers to 119 crore people before bringing in Virtual ID, and also create data trusts to oversee the dissemination of information for authentication on a need-to-know basis. The government, as the sentinel of the information, has a huge task ahead — to guarantee the best possible safeguards even if it’s accepted that no databank in the world is safe from hacking as that’s just what hackers do.



12734 - UIDAI's Virtual ID, limited KYC does little to protect Aadhaar data already collected, say critics



BusinessToday.in | New Delhi | Last Updated: January 12, 2018 | 17:06 IST

Aadhaar-issuing body, Unique Identification Authority of India (UIDAI), had barely started patting itself on the back for introducing the Virtual ID concept, what CEO Ajay Bhushan Pandey called "one of biggest recent innovations in this field", when detractors came crawling out of the woodwork, all guns blazing.
"Under compulsion, millions of persons have already shared Aadhaar number with many service providers. New security layer is like locking the stable after horses have bolted," tweeted P. Chidambaram, Congress veteran and former finance minister. This is not just an opposition party member taking potshots at the government. As of last month, close to 14 crore out of about 30 crore Permanent Account Numbers (PANs) had already been linked to Aadhaar and 70% of the estimated 100 crore bank accounts had been seeded. This will be the case for insurance policies as well as all government-sponsored welfare schemes and services since the Supreme Court ruling to extend the deadline for mandatory Aadhaar linking came just a fortnight before the government's December 21 deadline. So how does the new two-tier security system protect all that Aadhaar data already collected by sundry agencies?

The short answer is that it does not. According to media reports, banks and other service providers have not been asked to delete stored Aadhaar data from their databases. The only directive is to enforce the new security system within the June 1 deadline. In the absence of a legal mandate, agencies can very well choose to retain any Aadhaar data previously collected on their servers, leaving it open to any number of security breaches in the future.  

So, it would appear that the new VID and limited KYC norms are good ideas, just too late in arriving. Only procrastinators putting off linking Aadhaar to essential services stand to gain, unless the government decides to revoke all existing Aadhaar cards and issue fresh 12-digit unique identification numbers post June 1.
Where the new security system definitely scores is on the privacy front. To remind you, VID is a temporary, 16-digit, randomly-generated number that an Aadhaar holder can use for authentication or KYC services along with his/her fingerprint in lieu of the Aadhaar number. The VID together with biometrics of the user would give any authorized agency, say, a mobile company, limited details like name, address and photograph, which are enough for any verification. You can generate/replace Virtual IDs on the UIDAI website, Aadhaar mobile app and at enrolment centres.

Since the system-generated VID will be mapped to an individual's Aadhaar number at the back end, it will do away with the need for the user to share Aadhaar number with sundry service agencies. This will, in turn, reduce the collection of Aadhaar numbers by various agencies. VIDs being temporary cannot be de-duplicated and as an added precaution, agencies that undertake authentication will not be allowed to generate VIDs on behalf of Aadhaar holders.

Furthermore, under limited KYC, UIDAI will evaluate all Authentication User Agencies (AUAs) and split them into two categories: Global AUAs and Local AUAs. Only agencies whose services, by law, require them to store the Aadhaar number (qualified as Global AUAs) will enjoy access to full demographic details of an individual. All the remaining AUAs will be branded as Local AUAs and will neither get access to full KYC, nor can they store the Aadhaar number on their systems. Instead, they will get a tokenised number issued by UIDAI to identify their customers. The 72 character alphanumeric 'UID Token' for your Aadhaar number will reportedly be different for every authentication body you approach, so agencies will no longer be able to merge databases, thus enhancing privacy substantially.
However, there's a problem here, too. As Pranesh Prakash, Policy Director of Bengaluru-based Centre for Internet and Society, told The Hindu, "unless all entities are required to use VIDs or UID tokens, and are barred from storing Aadhaar numbers, the new measures won't really help."
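The effect of per-agency tokens on database merging, and the gap Prakash points to, can be shown with a small model. This is an added example, not UIDAI's implementation: the article does not say how UID Tokens are derived, so the keyed-HMAC construction, the key, the agency codes `TELECOM` and `LENDER`, and the 12-digit sample numbers are all assumptions constructed for illustration.

```python
import hashlib
import hmac

# Constructed demo key; in this sketch only the issuer ever holds it.
ISSUER_KEY = b"constructed-demo-key-not-a-real-secret"

# Constructed 12-digit identity numbers (placeholders, not real Aadhaar numbers).
PEOPLE = ["999900000001", "999900000002", "999900000003"]

# Constructed customer attributes held by two hypothetical agencies.
TELECOM = {p: f"phone-{i}" for i, p in enumerate(PEOPLE, 1)}
LENDER = {p: f"loan-{i}" for i, p in enumerate(PEOPLE, 1)}


def uid_token(id_number, agency_code, key=ISSUER_KEY):
    """72-character token bound to one (agency, identity number) pair.

    Assumed construction: HMAC-SHA-512 over agency code and number, truncated.
    """
    message = agency_code.encode() + b"\x00" + id_number.encode()
    return hmac.new(key, message, hashlib.sha512).hexdigest()[:72]


def issuer_resolve(token, agency_code, enrolled, key=ISSUER_KEY):
    """Only the key holder can map a token back: recompute and compare."""
    for id_number in enrolled:
        if hmac.compare_digest(uid_token(id_number, agency_code, key), token):
            return id_number
    return None


def agency_table(agency_code, attributes, keep_number_for=()):
    """Rows as an agency would store them after migrating to tokens.

    keep_number_for lists customers whose raw number was never deleted.
    """
    rows = []
    for id_number, attribute in attributes.items():
        rows.append({
            "token": uid_token(id_number, agency_code),
            "number": id_number if id_number in keep_number_for else None,
            "attribute": attribute,
        })
    return rows


def linked_records(table_a, table_b):
    """Pairs of rows from two tables that share any stored identifier."""
    index = {}
    for row in table_a:
        for ident in (row["token"], row["number"]):
            if ident is not None:
                index[ident] = row["attribute"]
    pairs = []
    for row in table_b:
        for ident in (row["token"], row["number"]):
            if ident is not None and ident in index:
                pairs.append((index[ident], row["attribute"]))
                break
    return pairs


def scenario_counts():
    """Customers that can be matched across the two tables in each case."""
    tokens_only = linked_records(
        agency_table("TELECOM", TELECOM), agency_table("LENDER", LENDER))
    numbers_retained = linked_records(
        agency_table("TELECOM", TELECOM, keep_number_for=PEOPLE),
        agency_table("LENDER", LENDER, keep_number_for=PEOPLE))
    partly_cleaned = linked_records(
        agency_table("TELECOM", TELECOM, keep_number_for=PEOPLE[:1]),
        agency_table("LENDER", LENDER, keep_number_for=PEOPLE))
    return {
        "tokens_only": len(tokens_only),
        "numbers_retained": len(numbers_retained),
        "partly_cleaned": len(partly_cleaned),
    }


if __name__ == "__main__":
    print(scenario_counts())
```

Every row for which both agencies still hold the raw number remains a join key, which is why tokenisation without deletion of the numbers already collected leaves those records linkable.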

In a recent online survey, conducted by social engagement platform LocalCircles, 52% of 15,000 respondents said they feared that their Aadhaar data might not be safe from unauthorised access by hackers and information sellers. The UIDAI's latest move does little to allay this doubt.

with PTI inputs

12733 - Aadhaar Body Talked About Virtual ID 7 Years Ago, Put It Off: UIDAI Chief - NDTV




All India | Written by Sukirti Dwivedi | Updated: January 13, 2018 05:35 IST

NEW DELHI:  Virtual ID, the 16-digit temporary number, announced by UIDAI this week had been suggested way back in 2009-10 when its architects were still designing the system. But the Aadhaar authority, which has called Virtual ID a unique innovation to enhance privacy and security, decided against rolling it out at that time.

"And at that time, it was felt that let us first give Aadhaar number, let us see how it plays out and then, at an appropriate time, this will be introduced," Ajay Bhushan Pandey, the chief executive officer of UIDAI, or the Unique Identification Authority of India said in an interview to NDTV this week. He called it an "extra layer of security" for the 119 crore people issued Aadhaar numbers.

It may be a step forward. But not everyone is as convinced.

Cyber security expert Jiten Jain is one of them. Mr Jain told NDTV that UIDAI should first of all decide if the Aadhaar number was confidential information or not because it had changed its stance on this aspect on more than one occasion.

Like when government departments put out lakhs of Aadhaar numbers, the government agency had insisted that there was nothing really confidential about the number which could not be misused. Or when The Tribune earlier this month claimed to have found gaps in UIDAI's security system that let the newspaper access demographic details of an individual, UIDAI claimed that "the Aadhaar number is not a secret number" anyway.

Also, a point is being made that if hiding an Aadhaar number enhances privacy, then what about the crores of people who have been forced to share their Aadhaar numbers - and a copy of their Aadhaar cards - all these years.

Experts suggest the timing of the announcement may not have been a coincidence. The initiative came against the backdrop of mounting privacy concerns after the newspaper expose. 

The hearing by a five-judge Constitution Bench of the Supreme Court to decide if the Aadhaar project violates citizens' privacy is to start next week, on January 17.

Srinivas Kodali, cyber security expert and an Aadhaar researcher, said it was clear that the UIDAI had brought it hurriedly. "They said they will release the codes by March 1. So it clearly looks like they haven't planned this thoroughly," he said.

There are also concerns about the ability of people living in remote areas to generate the Virtual IDs, in terms of connectivity and literacy. That means a large proportion of people would not be able to generate the Virtual IDs.

UIDAI chief Mr Pandey said there was nothing to prevent them from continuing to use their Aadhaar number. It is an option, he stressed.

This, experts at the Bengaluru-based research group, Centre for Internet and Society, which has long advocated for a token system such as the Virtual ID, said was a problem area.


"Privacy can be protected by design and not by choice," said CIS executive director Sunil Abraham, who believes the biggest flaw with Aadhaar was its design.

"Since it is not mandatory most people will just use the Aadhaar number instead of getting into the hassle of generating a VID... This is privacy through hurdles instead of privacy by design. I suggest authorities should generate VIDs for people and ensure that third parties only use VID and not the Aadhaar number," Pranesh Prakash, the CIS' policy director, told NDTV.


12732 - Security questions - Indian Express

A legitimate authentication system must be universally trusted. With virtual IDs, UIDAI has taken a step in that direction


By: Editorials | Published: January 12, 2018 12:10 am


The Unique Identification Authority of India (UIDAI) has taken a firm step in support of data security and privacy by introducing disposable IDs, authentication tokens and tiered KYC requirements to reduce the exposure of Aadhaar numbers. 

These are logical measures, since providers only need to have the number authenticated against a person. There is no need for them to store it even for a second thereafter. This principle has been followed in other services for decades. For instance, email providers do not know their users’ passwords, since they are not stored on servers in plain text. They are stored as hexadecimal hashes, which are cryptographically compared against passwords during a login. It is surprising that this pervasive principle, which is followed by almost all services requiring a login, was not applied to UIDAI earlier.

While the objectives of Aadhaar are entirely reasonable, its implementation has not earned universal trust. Apart from disastrous denials of the very services it was designed to assure — withdrawal of food and shelter entitlements to the poorest have been noted — the security of the world’s biggest repository of biometric data has been questioned following leaks. 

The first problem is being examined by the courts. And the virtual ID is the UIDAI’s first attempt to address the second. 

From the time the project was launched by Nandan Nilekani, its promoters chose to stonewall criticism, instead of engaging with it, by arguing that Aadhaar is an impregnable data silo. The UIDAI’s reaction to a newspaper story which showed how easy it is to acquire Aadhaar numbers was to target the messenger. Just two months ago, the government claimed in an affidavit that Aadhaar is breach-proof.

There is an element of hubris here, and the technologists behind Aadhaar must know it. Systems are secured by multiple strategies, but there is no such thing as bulletproof security. All systems are vulnerable to a capable, imaginative and determined attacker, no matter how diligently they are secured. 

The only certain deterrent is legal, and fortunately privacy law has plugged the gap. However, it remains to be seen how many impugned parties have the stomach for private litigation. And the fact remains that large repositories of data, whether Equifax or Aadhaar, are targets in a world where data is the new gold. 

Their holdings must be shared on a need-to-know basis, and the recent blanket requirements for Aadhaar data to be shared with service providers, from mutual fund managers to telecom companies, fly in the face of that principle. Tiered exposure and virtual IDs would now reduce exposure of real Aadhaar numbers, though they must have already been shared in large quantities. Now, UIDAI has taken a step towards seeking universal trust, which is the bedrock of a legitimate authentication system.


Saturday, January 13, 2018

12724 - Govt launches Virtual ID to safeguard Aadhaar data: Here's how UIDAI's VID will work - First Post



New Delhi: The Unique Identification Authority of India (UIDAI) on Wednesday introduced 'Virtual ID' (VID) to safeguard Aadhaar cardholders' data.
VID will be a 16-digit, randomly-generated number which can be used for authentication instead of the original Aadhaar number, according to UIDAI.

This is how VID works:
VID will be a temporary, revocable 16-digit random number mapped with the Aadhaar number. It will not be possible to derive Aadhaar number from VID.
"Last digit of the VID is the checksum using 'Verhoeff' algorithm as in Aadhaar number. There will be only one active and valid VID for an Aadhaar number at any given time," the UIDAI said in a statement.
The "Verhoeff" algorithm is a checksum formula for error detection developed by the Dutch mathematician Jacobus Verhoeff and was first published in 1969.

Aadhaar number holder can use VID in lieu of Aadhaar number whenever authentication or KYC services are performed.
Authentication may be performed using VID in a manner similar to using Aadhaar number.

"VID, by design being temporary, cannot be used by agencies for de-duplication. VID is revocable and can be replaced by a new one by Aadhaar number holder after the minimum validity period set by UIDAI policy," the authority added.
VID can be generated only by the Aadhaar number holder.
They can also replace (revoke and generate a new one) their VID from time to time after the UIDAI-set minimum validity period.
"UIDAI will provide various options to Aadhaar number holders to generate their VID, retrieve their VID in case they forget, and replace their VID with a new number. These options will be made available via UIDAI's resident portal, Aadhaar Enrollment Center and mAadhaar mobile application, etc," the authority said.

Published Date: Jan 10, 2018 20:21 PM | Updated Date: Jan 10, 2018 20:21 PM

Friday, January 12, 2018

12719 - Virtual ID for Aadhaar - the Tribune

Posted at: Jan 12, 2018, 1:21 AM; last updated: Jan 12, 2018, 1:21 AM (IST)

A band-aid solution that does not assure

THE most welcome part of the new two-layer Aadhaar security system is the choice offered for the first time since the Modi government tried to gang press citizens into linking the card to every conceivable purpose and service. The government opted for this high-voltage digital exercise after its first reflex action of coercion against the reporter and The Tribune failed to quell apprehensions about breach of personal data and privacy. However, offering citizens the choice not to share their unique IDs for verification purposes is too little and too late. Too late because millions have already shared their personal details with service providers; and too little because the government is yet to figure out how to eliminate the vulnerability, if that is at all possible, from the linking of several databases to Aadhaar.

Virtual ID, therefore, will neither attack the root of the problem nor make it easier for the barely literate, now susceptible to the allure of the middlemen, to navigate the new rigmarole. Security and impregnability of digital systems can never be fully assured and, even if they are, humans will still form the weakest link. The government’s weak footing on the technical front has been compounded by its authoritarian approach that fortified suspicions about its actual intentions, right from the time the government opted to spurn political consensus by converting the legislation into a money bill to bypass the Rajya Sabha.

Before the expose about data vulnerability, the coercion-laden obsession to link Aadhaar had begun to grate on the nerves of citizens and consumers. Banks and mobile companies repeatedly held out deadlines which clearly militated against the grain of a Supreme Court order to preserve its voluntary nature until it took a view on its violation of privacy; information protection laws are in their infancy and no match to the rapacity and ingenuity of companies profiting from data commodification. As a nation, we are yet to achieve a closure on the right balance between the imperatives of national security and the right to privacy. This band-aid solution fails to address the technological and moral issues behind making it the single-source reference point.

12718 - Aadhaar: A lot of questions yet to be resolved - Deccan Chronicle


The writer is a Mumbai-based freelance journalist

Published Jan 12, 2018, 3:26 am IST


As the date approaches for the Supreme Court to hear several petitions challenging the Aadhaar project, the government’s Unique Identification Authority of India (UIDAI), which runs the intrusive scheme, is becoming even more bizarre in its responses. The latest move is to file a criminal case against a reporter from a national newspaper for filing a story showing that it is possible, for just Rs 500, to get access to the records of the billion-plus people pressured to enrol in the scheme.

The report revealed that “it took just Rs 500, paid through Paytm, and 10 minutes in which an ‘agent’ of the group running the racket created a ‘gateway’ for this correspondent and gave a login ID and password” for “any Aadhaar number in the portal, and instantly get all particulars that an individual may have submitted to the UIDAI, including name, address, postal code (PIN), photo, phone number and email. What is more, The Tribune team paid another Rs 300, for which the agent provided ‘software’ that could facilitate the printing of the Aadhaar card after entering the Aadhaar number of any individual”.

This is just the latest of several instances where major faultlines in the Aadhaar scheme — which demands everything from mobile phone numbers to bank accounts and tax payments, health records, college admissions, pension schemes, mutual funds — have been revealed. Some 210 government websites and those of educational institutions displayed personal information along with UID numbers as recently as November 2017. UIDAI admitted this had happened, but said “that was not us”, the database is safe.

This is just one of many instances. In Rajasthan, in the PDS, exclusion because of fingerprint failure has been close to 36 per cent — which means that not even one person from 36 per cent of households is able to authenticate using their fingerprints. Jharkhand has witnessed deaths because the poorest have had difficulty linking their UID number with their ration card. Documents in the UIDAI archive from between 2009 and 2012 show that biometrics was still in an experimental phase. Biometrics are not working as hoped because biometric authentication requires the availability of Internet service and high-quality machines capable of capturing biometric details, making it contingent on these working.

This is not all. The failures multiply. In Maharashtra, loan waivers hit a roadblock as lakhs of farmers with the same account and Aadhaar numbers are listed. Everyone in a village in Uttarakhand has the same birth date on their Aadhaar cards. Underage girls who were rescued from brothels were sent back because their Aadhaar card showed them to be adults. In all these cases, the people implementing the scheme are distorting the data to fill the number of cases they need. Yet there is no accountability. UIDAI merely reiterates that nothing is wrong.

However, in a supposed response to the rising public criticism, UIDAI this week introduced the concept of a “Virtual ID”, which would be a random 16-digit number, which together with the user’s biometrics would give any authorised agency like a mobile phone company limited details like name, address and photograph, which are enough for any verification. This clever ploy does not meet the main objection to the Aadhaar project — of its intrusiveness.

To get the data of over a billion people, more than a million enumerators should be needed, as happens for the census that is conducted once every 10 years. This would require trained workers visiting each household and noting the details of each member. They would necessarily have to be government employees if responsibility is to be fixed. Instead, what has happened is that the work is contracted out to private firms, who break all the norms to get as many people as possible on their list. They would be prone to invent things, including putting many people on the same Aadhaar number or giving them all the same birth date.

If UIDAI was at all serious, it would conduct an investigation into which contractor was responsible for fudging the data, haul him up and expose him publicly. The responsibility and the criminal intent would be fixed. Instead, we have no idea why or how the data was fudged and the action taken against them.

Many such contractors could also be foreign companies with shady links to foreign intelligence agencies. The government needs to give an assurance to the people that their confidential data are not being whisked away to be analysed on foreign shores. Just who the various contractors are and the parts of the Aadhaar project they were assigned must be made public, and certainly before the Supreme Court — since these are after all not state secrets.

There is a further danger. The Internet and all the things stored on it are inherently porous. Governments and private hackers (let alone small-time crooks) are known to break into these closely-guarded spaces. Luckily so far, the information is put onto different computer databases — whether of each bank, or the passport office or health records or government tax records.

Once all the information is in a single location, based on the Aadhaar number, it is possible for an intelligent hacker to collect the vital data of anyone of consequence in the country.

Foreign companies like Facebook or Google are another matter. They already provide the Narendra Modi government the backing that keeps it in power. A recent report by Bloomberg noted that “India is arguably Facebook’s most important market ... with the nation recently edging out the US as the company’s biggest... Since his election, Modi’s Facebook followers have risen to 43 million, almost twice Trump’s count.” “As Modi’s social media reach grew, his followers increasingly turned to Facebook and WhatsApp to target harassment campaigns against his political rivals. India has become a hotbed for fake news.” It is difficult to understand why the Narendra Modi government is pushing people into Aadhaar. Perhaps the backing of an organisation like Facebook is an important influence.