It appears as if the Anti Aadhaar lobby in India has just been outsmarted by the UIDAI with its proposition of the “Virtual Aadhaar ID” as a response to the many complaints about the leakage of Aadhaar information.
The Supreme Court is waiting to complete its hearing, which potentially could hold that the linking of Aadhaar to Bank and Mobile accounts was in violation of the Constitutional Right to Privacy of an individual. In the process, the entire Aadhaar scheme’s future hangs in the balance.
The ground had been well prepared for scrapping the Aadhaar with the hurriedly issued 9 member judgement in the Puttaswamy case declaring Privacy as a fundamental right giving a very strong weapon with which any action of the Modi Government related to Aadhaar could be struck down.
Since the Supreme Court cleverly avoided defining what Privacy is even while holding that it is a Fundamental right, it left the doors wide open to intervene on anything that Aadhaar was supposed to be linked with. The recent sting operation of Tribune, alleging that access to the entire Aadhaar database could be purchased for Rs 500/- in 10 minutes, had primed the argument for striking down the Aadhaar linkage. Aadhaar linkage appeared to be a lost cause after this Tribune revelation.
But suddenly the “Virtual ID” option floated by UIDAI has frustrated the anti Aadhaar lobby and given a strong argument for UIDAI that it is responding to the security vulnerabilities and taking mitigation steps.
The plight of the Anti Aadhaar lobby is like the plight of a batsman in a Cricket game who has happily jumped forward to a flighted delivery hoping to hit a six, only to find that he has missed the ball and is now praying that the Wicket Keeper does not stump him out.
We hope that the Wicket Keeper completes his expected duty and the Umpire does not call a no-ball.
There is no doubt that the Aadhaar authorities have in the past behaved with an air of arrogance that reminded me of the “Indira Gandhi of Emergency Days”. But the intention of the Government to use Aadhaar as a unique identifier to root out benami asset holding and black money cannot be faulted. All those who wanted to protect their black money were using the “Privacy” argument to oppose Aadhaar. The UIDAI was playing into their hands so far by its own negligence, ignorance and arrogance.
Hence there is a need to address the security concerns and meet them adequately rather than blaming the system itself and fighting for its scrapping.
The Virtual ID concept is something which should be appreciated as a step in the right direction. It is true that it has come late and should have been in place from the day Aadhaar was intended to be used widely for KYC purposes. We have repeatedly advocated what we have called “Regulated Anonymity”, and the Virtual Aadhaar ID is close in concept to one part of it, namely the principle of “De-Identification” or “Pseudonymization”.
Under the proposed system, UIDAI will stop allowing direct access to its core CIDR server system, which houses the data of the citizens collected for issue of Aadhaar. Instead there will be a gateway server which faces the downstream service providers and is linked at the back end with the core CIDR server. The public will be able to obtain, through the website, a “Virtual Aadhaar ID”, which is a 16 digit temporary random number mapped to the Aadhaar number of the user. This 16 digit number may be used as an ID to be provided to service providers like Banks and Mobile companies. When these service providers want to check the Aadhaar identity against either the OTP or the biometric of the Aadhaar holder, the query will be processed by the secondary server, which in turn will query the Core CIDR server and process the request.
The exact architecture that UIDAI may use is not known. It is however clear that the Core CIDR server has to be kept insulated from the public, including agencies such as AUA/KUA, with a strong Firewall that separates the Core CIDR system from any communication from outside. The mapping of the Virtual ID issued to the true ID has to be maintained somewhere, and that becomes a critical component of the process. How this is secured determines the security of the system as a whole.
If UIDAI again makes mistakes in managing the security of this “Mapping Server”, then the problem will continue.
The architecture should therefore include a “Virtual ID issuing server”, “Virtual ID-True ID mapping Server” in addition to the current “Core CIDR Server”. In the Regulated Anonymity system that we had discussed in the past, a system was discussed for such requirements and hopefully some of those principles would be used and improved upon in the UIDAI new system. (The Regulated Anonymity system is discussed here). The concept was discussed in 2013 and could be considered as raw and amenable to many improvements.
If UIDAI does not secure access to the “Mapping Server”, the data will be only marginally more secure, as the scheme introduces just one additional step for the hackers to break.
If UIDAI sheds its “I Know Everything” attitude and is humble in listening to the experts in the field, it may perhaps be able to secure the system at least in future. Whether it is too late?… is difficult to answer.
The Y2K Moment again
Keeping aside the arguments of how the security of the Virtual ID would be implemented, we can now address the industry issue that the proposed system has introduced. UIDAI has announced that it will start accepting VID from March 1, 2018. From June 1, 2018 it will be compulsory for all agencies that undertake authentication to accept Virtual ID from their users.
This means that all the agencies who are using Aadhaar now (there should be thousands of companies) will have to tweak their code to accommodate a 16 digit number in place of a 12 digit number for their services. For some time, they need to keep both systems working and later remove acceptance of the earlier 12 digit number.
Additionally it may be necessary for them to convert all existing storage of the True Aadhaar Id to a Pseudo Aadhaar Id, or at least remove the True Aadhaar Id from their systems.
This will be like implementing the “Right to Forget”, which is a tough task since most of these companies will not know all the places where they have stored the Aadhaar numbers in their systems. It could be on web servers, on cloud storage systems, on e-mail servers etc., and all of these have to be erased (if such a requirement is made).
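The cleanup described above starts with finding the stored numbers. The following is an added example, not code from UIDAI or from this article: a scanner that masks 12 digit Aadhaar numbers in free text while leaving 16 digit Virtual IDs and unrelated 12 digit values alone. It assumes the publicly documented Aadhaar format (first digit 2 to 9, last digit a Verhoeff check digit); the function names, the masking style and the sample data are constructed for illustration.

```python
import re
# Verhoeff tables: D is the dihedral-group D5 multiplication table,
# P the position permutations (each row is row 1 applied once more).
D = [[int(ch) for ch in row] for row in (
    "0123456789", "1234067895", "2340178956", "3401289567", "4012395678",
    "5987604321", "6598710432", "7659821043", "8765932104", "9876543210")]
P = [list(range(10)), [1, 5, 7, 6, 2, 8, 3, 0, 9, 4]]
for _ in range(6):
    P.append([P[1][x] for x in P[-1]])
INV = [0, 4, 3, 2, 1, 5, 6, 7, 8, 9]

def verhoeff_valid(digits):
    c = 0
    for i, ch in enumerate(reversed(digits)):
        c = D[c][P[i % 8][int(ch)]]
    return c == 0

def verhoeff_check_digit(payload):
    c = 0
    for i, ch in enumerate(reversed(payload)):
        c = D[c][P[(i + 1) % 8][int(ch)]]
    return str(INV[c])

# Assumed format: 12 digits, first digit 2-9, optionally grouped 4-4-4. The
# lookarounds skip longer digit runs, so a 16-digit Virtual ID is untouched.
CANDIDATE = re.compile(r"(?<!\d)(?<!\d[ -])[2-9]\d{3}[ -]?\d{4}[ -]?\d{4}(?![ -]?\d)")

def redact_aadhaar(text):
    """Mask checksum-valid 12-digit hits; return (redacted_text, hit_count)."""
    hits = 0
    def mask(m):
        nonlocal hits
        digits = re.sub(r"[ -]", "", m.group())
        if not verhoeff_valid(digits):
            return m.group()              # some other 12-digit value, keep it
        hits += 1
        return "XXXXXXXX" + digits[-4:]   # keep only the last four digits
    return CANDIDATE.sub(mask, text), hits

# Constructed sample data: FAKE_UID is synthetic (arbitrary payload plus its
# computed check digit); DECOY differs in the last digit, so it fails the check.
FAKE_UID = "23456789012" + verhoeff_check_digit("23456789012")
DECOY = FAKE_UID[:-1] + str((int(FAKE_UID[-1]) + 1) % 10)
SAMPLE = (f"kyc ok uid={FAKE_UID[:4]} {FAKE_UID[4:8]} {FAKE_UID[8:]}\n"
          f"order ref={DECOY}\n"
          "vid=2345 6789 0123 4567 accepted\n")

if __name__ == "__main__":
    print(*redact_aadhaar(SAMPLE), sep="\n")
```

The checksum test is what keeps the false-positive rate manageable when the same scan is run over mail spools, logs and database exports, where 12 digit order or account numbers are common.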
It is possible that the Supreme Court may impose the above condition for allowing the use of Virtual ID in future and not scrap the system. But it is not known when they will give their view on it. The user companies therefore have to keep their fingers crossed and wait to see whether the 16 digit field has to be used in future or whether they should keep both options in place for some time.
The software developers therefore have their hands full just implementing the changes as the Supreme Court may decide. In this respect we will be re-living the days of Y2K implementation, when code was changed globally to accommodate a four digit field for the year component of a date instead of the 2 digits which were provided.
Good for many… but costs for the companies… Perhaps it is the price to be paid for development amidst a hostile political environment.
Waiting to see what the Supreme Court will do now….