Virtual ID: another Aadhaar eyewash?

The Unique Identity Authority of India's (UIDAI) move to build a firewall around Aadhaar with a virtual ID, or VID, may not solve the problems of misuse, leakage and theft of data which are increasingly associated with the identity marker. The move is a response to the persistent criticism of Aadhaar's technical vulnerability and proneness to misuse. There have been several cases of breach of privacy, with the data of people stored in the Aadhaar system coming into the public space or being misused for unauthorised purposes. The credibility of the system and the ability of the UIDAI to effectively address all security challenges came to be seriously questioned last week when a case was registered against a newspaper which exposed how easy it was to procure anyone's Aadhaar data for a meagre consideration. The authority now says virtual IDs, authentication tokens and the tiered KYC requirements will ensure fool-proof security.

Virtual ID is a 16-digit random number which the Aadhaar-holder can generate and use in place of his UID. The idea of this shadow ID has come too late, and may not ultimately amount to much. It adds another layer of complexity, an extra need for communication to generate the virtual ID every time it is needed, and generally confuses the user. About 120 crore people have been issued Aadhaar cards, and many millions have already shared their details with service providers. Since several databases have already been linked to Aadhaar, the possibility of misuse and the resulting vulnerability continues even now. And it will not go away with VID. Illiterate and barely literate people will not be able to get a VID produced easily. There is even a suggestion, though not from the government, that all the existing Aadhaar numbers should be replaced with new numbers which should be better protected with fail-safe measures. That shows the enormity of the problems we are faced with now.  

Even the best technical systems are not invulnerable, and the way they are used and managed can make them more vulnerable. There is no system that can withstand attacks by determined hackers. In the case of Aadhaar, the government's authoritarian approach, coercive tactics, use of deadlines and opaqueness of intentions has created serious doubts. The absence of a privacy and data protection law in the country has made it worse. The latest steps have come soon after the government told the Supreme Court in an affidavit that Aadhaar is completely safe. Was that affidavit wrong then? Are the steps now being taken merely another eyewash, only intended to convince the court, before this week's likely hearing on the matter, that the government is doing everything to secure Aadhaar data?