It looks like UIDAI has taken the concerns of privacy activists seriously, as the Supreme Court begins its hearing on whether the Aadhaar number should be made mandatory for consumers acquiring services such as banking, financial, telecom, etc. in their day-to-day lives.
There are 2 key privacy concerns related to Aadhaar:
- Is the Aadhaar database secure? The Aadhaar database contains sensitive information about individuals, so any breach of the database can result in identity theft and fraud.
- Profiling of individuals: with the Aadhaar number now stored in multiple databases of different service providers, it can become a common link for connecting that data to profile an individual and his/her behaviour without the individual's knowledge or permission. Such profiling and behavioural analysis can then be used to exploit the individual commercially or criminally.
Virtual ID is intended to address the 2nd point above and also, to an extent, to pre-empt the arguments of privacy activists in the Supreme Court. Here is how the Virtual ID shall work:
- A Virtual ID (VID), a 16-digit number, shall be a temporary ID that can be generated by Aadhaar number holders. It will be mapped to the Aadhaar number of the holder.
- It will not be possible to obtain or derive the Aadhaar number from the VID.
- Only the Aadhaar number holder will be able to generate the VID.
- Being a temporary ID, it will remain in existence for a temporary period, and can be retired, retrieved and replaced by the Aadhaar number holder at any time.
- Multiple new VIDs can be generated by the Aadhaar number holder; however, at any point, only one VID for the corresponding Aadhaar number shall be in existence.
- The VID, instead of the Aadhaar number, shall be used for authentication or eKYC purposes.
- All consumers of Aadhaar authentication and eKYC shall have to comply with VID from Jun 1, 2018.
Now, if the Aadhaar number holder is smart, he/she can generate a new number every time he/she acquires a new service or is required to fulfil KYC requirements for the continued consumption of existing services. This would mean that enterprises shall not be able to use the Aadhaar number for either de-duplication or mining purposes.
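A small model of the VID rules listed above and of the per-service regeneration just described, added here as an illustration; it is not UIDAI's implementation. The `VidVault` class, the random generation of the VID, the yes/no `authenticate` answer and the holder and customer values are assumptions constructed for the example.

```python
import secrets


class VidVault:
    """Toy model of the VID rules above (an assumption, not UIDAI code)."""

    def __init__(self):
        self._active = {}   # Aadhaar number -> the holder's current VID
        self._lookup = {}   # current VID -> Aadhaar number (vault-only map)

    def generate(self, aadhaar):
        """Issue a fresh 16-digit VID and retire the previous one, if any."""
        old = self._active.pop(aadhaar, None)
        if old is not None:
            del self._lookup[old]      # only one VID exists per holder
        while True:
            # Assumption: the VID is random, so it encodes nothing of the number.
            vid = f"{secrets.randbelow(10**16):016d}"
            if vid not in self._lookup and vid != old:
                break
        self._active[aadhaar] = vid
        self._lookup[vid] = aadhaar
        return vid

    def authenticate(self, vid):
        """Assumption: a relying party learns only whether the VID is live."""
        return vid in self._lookup


def linkable(db_a, db_b):
    """Identifiers that two providers could join on to profile a customer."""
    return set(db_a.values()) & set(db_b.values())


def demo():
    vault = VidVault()
    holder = "CONSTRUCTED-HOLDER-1"   # placeholder, not a real Aadhaar number
    bank = {"cust-17": vault.generate(holder)}       # fresh VID for the bank
    telecom = {"sub-902": vault.generate(holder)}    # fresh VID for the telecom
    return {
        "bank_vid_still_valid": vault.authenticate(bank["cust-17"]),
        "telecom_vid_valid": vault.authenticate(telecom["sub-902"]),
        "shared_identifiers": linkable(bank, telecom),
        "shared_if_raw_number": linkable({"cust-17": holder}, {"sub-902": holder}),
    }


if __name__ == "__main__":
    print(demo())
```

The two providers end up holding different identifiers with nothing to join on, whereas storing the raw number gives them a common key. Because only one VID exists at a time, the value the bank stored stops authenticating once the holder regenerates.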
I hope that, going forward, UIDAI bans submission of the physical copy of the Aadhaar card for KYC purposes. The Aadhaar card carries sensitive information, and when its photocopy is submitted at the organisations' points of customer service, it first passes through many individuals and then remains within the database of the organisations. Nothing prevents individuals or organisations from extracting sensitive information on the Aadhaar card and making use of the information for purposes to which the Aadhaar number holders may not have consented.