date 2018-01-15

Unique Identification Authority of India or UIDAI, the agency that administers Aadhaar, last week introduced two new measures, virtual ID and limited KYC, to address security and privacy concerns around leakage of Aadhaar numbers and data.

In conversation with Moneycontrol News, UIDAI CEO Ajay Bhushan Pandey discussed what this means for citizens, how virtual ID will help create a sense of security, and what happens to the Aadhaar numbers already stored by different entities. He also spoke about the measures UIDAI has taken to accept feedback and fix flaws in the code, and vouched for the safety of the database.

Edited excerpts:

Q: What will citizens have to do for virtual ID?

A: A citizen will have an option to use virtual ID wherever he is required under the law to authenticate himself. For example, if he is required to disclose his Aadhaar number, or give his Aadhaar number for opening a bank account or to a telecom company, there he can use his virtual ID. If he can authenticate himself, then UIDAI will be able to understand this virtual ID belongs to this person.

Based on their own need for privacy, people can decide whether they want to use the Aadhaar number or the virtual ID number.

Q: Is it right to say this is like a debit card number linked to your account?

A: This debit card is a good analogy. Let’s say you have the same bank account number and you can get five debit cards issued, each will have a different number and can be held by different persons…but this (virtual ID) is much better than that.

Virtual ID is like a debit card you can change every day. Here the expiration date is only till the time you change it.

Q: So can I create a virtual ID for every transaction?

A: Yes.

Q: UIDAI said global authentication user agency (AUA) will be allowed to store a citizen's Aadhaar number, while others, known as local AUAs will not be allowed to store Aadhaar numbers. Who qualifies as a global AUA and who as local AUA?

A: Global AUA will be one, which by law, is required to get your real Aadhaar number, not the virtual Aadhaar ID.

But in so far as the resident is concerned, he can give the AUA virtual ID itself. The real Aadhaar number will be sent to that agency by the UIDAI.

Q: But these global AUAs can be private or government entities?

A: Supposing the government says that for opening a bank account… Aadhaar number is required. So a bank, even if it is a private bank, will get the (actual) Aadhaar number. But if there is no requirement of the law, and a person only wants to authenticate, then you can give the virtual ID, that will be a local AUA.

Q: What happens to the people or agencies who have already stored your Aadhaar number?

A: We will have a plan, we will tell them that you need to purge this (stored Aadhaar numbers). Because anyway when they are storing Aadhaar number, they are storing it as per our Act and are supposed to do so in a certain manner. We will tell them to please replace this Aadhaar number with their local UID token.

Q: Is there a possibility of causing re-enrolment for some people?

A: Why will there be a re-enrolment? Identity is fixed, the Aadhaar number is not changing. If your debit card is lost, you get another debit card. Your bank account has not changed.

Q: What about the SMS service (*99*99*1#) that lets you see what all bank accounts your Aadhaar number is connected to?

A: That is not our service. It is provided by the National Payments Corporation of India and Reserve Bank of India.

Q: Would you engage with the RBI on this?

A: According to me this is a good service because you send Aadhaar number to a certain place and you get to see which particular bank accounts are linked to Aadhaar. Supposing if you have ten bank accounts and you yourself want to find out which bank account your government payments will come in. Normally, you must have given the approval. But if you have not given, and you have forgotten, then this is the one way of finding out.

Q: Does it not increase the chance of identity theft?

A: I don’t understand how it will lead to identity theft. I don’t see there is any cause for worry on that account.

Q: Would you talk to RBI regarding the use of virtual ID instead of Aadhaar number for the service?

A: We are in charge of Aadhaar. Supposing if there is misuse of identity, not Aadhaar identity, someone's bank account or something gets compromised, that’s the job of the RBI right?

They need to figure out what will be the misuse potential. We cannot take care of the problem of concerns of other agencies.

The response that is being sent by RBI is not something that UIDAI should be concerned with.

Q: Is it mandatory for private organisations to ask for Aadhaar number for salary credit?

A: I am not aware of (such a rule). In the private organisation and private employees, they have their own contract and under their contract, if they mutually decide, then they can do this. From the government side there is nothing. Suppose if you want to appoint a driver, now if you want to check his identity, he will give you a driver's licence, but you may have some doubt whether the driver's licence is valid or not. Today Aadhaar has more credibility, so you may like to ask him to provide his Aadhaar number. So this is between you and the driver. UIDAI does not come into this.

Q: What about NRIs who are applying and getting Aadhaar numbers?

A: NRIs who have not lived in India for at least 182 days, they are not entitled to get an Aadhaar. Therefore, they are not required to provide Aadhaar number to the various places where the government has asked for Aadhaar numbers, for example banks, telecom companies and other places.

Q: Some NRIs with valid Aadhaar numbers are also using Aadhaar for property transactions and some such…

A: As per the law they are not entitled to an Aadhaar number if they have not lived in India for 182 days. But if they have a valid Aadhaar number and later on become non resident, then they can continue using their Aadhaar number.

Q: Virtual ID will be generated online?

A: Yes.

Q: Will it be generated through the Aadhaar portal?

A: Yes, and later on through the mAadhaar app.

Q: A French researcher has been talking about flaws in the mAadhaar app...

A: That is not a vulnerability. Not at all. What he says is that in the software, certain more rigorous things should have been put.

There is a term called Common Vulnerability Scoring System, which every organisation in the world has. They identify all vulnerabilities which they rank from a score of 0 to 10, and low, medium and high based on the severity.

The researcher is saying if someone accesses your phone, they will be able to access some settings of the mAadhaar app. He was saying those settings also should not be seen.

It is a low severity vulnerability, and we have replied to him.

Q: What if a phone with mAadhaar app gets stolen?

A: If it gets stolen, then in that case also, the person will be able to see the settings. And if it gets stolen, you have to immediately block the number and the usual problem of misuse of mobile phone will arise. But because Aadhaar is only for proof of identity and not for the authorisation of the transaction, that will not cause any damage to you.

Q: Is there any sort of bug bounty programme already in place for Aadhaar?

A: We have a very, very strong internal and an accredited external audit system. There is a multi-layer internal and external audit system. And therefore, this particular system we follow very rigorously.

In addition to that whenever we get to know of any vulnerability reported from any other sources, we take them very seriously.

Q: Is there a mechanism to report errors?

A: Of course. The people keep reporting to me and we have channels available, we have our website, we have our people there, so in our own manner, we do that (error reporting) and these channels also we keep expanding.

Only thing is that we don't talk openly about the security issues because tomorrow if I say here is an equivalent of a bug bounty programme, it will be done in a manner that does not threaten the security.

Q: Aadhaar is an open source project...

A: Though it is based on open source, and open platform we have our own system of penetration testing and other things. And we also operate under the strict provisions of the law where any attack on Aadhaar from an unknown source is taken very seriously and many times it constitutes a criminal offence.