The usefulness of Aadhaar’s Virtual ID and limited KYC features will be far less than the UIDAI is letting on. The UIDAI said on Wednesday evening that people can use a Virtual ID to mask their Aadhaar number while sharing their information with third parties. Also implemented is a limited KYC feature, under which third parties get access only to the Aadhaar details they actually need. But there is a catch: the Aadhaar-issuing body plans to split the third-party authenticators (telecom providers, banks and so on) into two groups, and the Virtual ID and limited KYC will only be of use with one of them.

A notification sent out by the UIDAI goes into detail about how the two new features will be handled. The UIDAI will split the third parties, or Authentication User Agencies (AUAs) as it refers to them, into two groups. (For reference, here is a list of active AUAs as on 31.12.2017. It includes banks, mobile operators and government agencies, among others.)

The first, labelled Global AUAs, will be able to access full KYC details and the Aadhaar number of users, so a Virtual ID offers little protection here. Experts speculate that government agencies, banks and major telcos might get the classification of Global AUAs.

“The Virtual ID is to be used only for local AUAs. Global AUAs, potentially like banks, will still need Aadhaar for Direct Benefit Transfers. This does not remove the financial fraud risk that Aadhaar poses,” independent security researcher Srinivas Kodali told Medianama.

The second group of third parties will be classified as Local AUAs, and only they will accept a Virtual ID and limited KYC in lieu of full details. Kodali said he thinks start-ups and other small firms which need Aadhaar to verify specific details will get this classification.

The UIDAI’s circular is very thin on details of how this classification will be done. “UIDAI will from time to time evaluate AUAs based on the laws governing them and categorise them as ‘Global AUAs’ only if the laws require them to [use the] Aadhaar number in their KYC.” So if the law requires your bank to hold your full Aadhaar details, the UIDAI will label it a Global AUA.

The Aadhaar-issuing body will release the necessary Application Programming Interfaces (the software layer through which third parties integrate the new features) by March 1, and all agencies have been directed to update their systems for Virtual ID and limited KYC by June 1. The circular adds that those who fail to do so may face discontinuation of authentication services and financial disincentives.

On the mentioned deadlines Kodali said, “The spec has been brought in a hurry and their deadline of March 1st can’t be met.”

Another critical issue that the Virtual ID system fails to address is the use of paper-based Aadhaar copies, something that happens a lot in rural parts of the country. “This still doesn’t solve the issue of non-electronic or paper usage, which is something most people use. That is the primary source of abuse and leakages,” co-founder of Internet Freedom Foundation Kiran Jonnalagadda said. “Loopholes still exist, this does not solve anything.”

A Virtual ID can only be generated if an Aadhaar holder has access to the UIDAI’s website. Around two-thirds of the country’s population is not online, so the Virtual ID feature does nothing for them.

The core issue, that of details which have already been leaked, also remains unsolved. “At least 13 crore Aadhaar numbers were published by 210 government in the past, and the risk of people already having these numbers is very high. UIDAI needs to re-issue fresh Aadhaar numbers to solve the problem, which is highly unlikely,” says Kodali.

Previous Developments

Wednesday’s move follows a January 4 report in the Tribune that alleged a major security loophole in the Aadhaar database. A journalist from the paper was able to purchase unrestricted access to the database for as little as Rs 500. For that price, the journalist was made an Enrollment Agency Administrator for CSC SPV, apparently without any checks. Using the administrator login ID provided, the journalist could log into the UIDAI portal and get unrestricted access.

The Aadhaar portal through which this loophole was exploited has been offline since the day the report was published. The UIDAI also responded by restricting the access of about 5,000 officials to the Aadhaar portal.

“All the privileges given to designated officers for access have been immediately withdrawn,” an unnamed top government official told the Economic Times. The UIDAI reportedly overhauled its system so that a person’s details can be looked up only by entering that person’s biometrics.

(This copy has been updated to make it easier to read)