The UIDAI website now has a page for generating VID numbers. According to the announcement of Virtual IDs, made hastily in the wake of The Tribune data breach report, the Virtual ID is a randomly generated 16-digit number that can be used for authentication in place of an individual’s actual Aadhaar number. The number is, in reality, a 15-digit number followed by a check digit computed with the Verhoeff algorithm, which is a checksum formula for error detection.
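The check-digit scheme mentioned above, as an added example that is not UIDAI code or part of the original article: a Verhoeff implementation that computes and validates the last digit of a 16-digit number and counts how many single-digit typos or adjacent swaps slip through. The sample value is constructed, not a real VID, and the function names are this example's own.

```python
# Multiplication table of the dihedral group D5 (row j, column k).
D = [[int(c) for c in row] for row in (
    "0123456789", "1234067895", "2340178956", "3401289567", "4012395678",
    "5987604321", "6598710432", "7659821043", "8765932104", "9876543210")]

# Permutation table: row i is the base permutation applied i times (period 8).
BASE = [1, 5, 7, 6, 2, 8, 3, 0, 9, 4]
P = [list(range(10))]
for _ in range(7):
    P.append([P[-1][BASE[j]] for j in range(10)])

# INV[j] is the digit k for which D[j][k] == 0.
INV = [row.index(0) for row in D]

def _fold(digits, offset):
    """Fold digits right to left; offset is the position of the rightmost one."""
    c = 0
    for i, ch in enumerate(reversed(digits)):
        c = D[c][P[(i + offset) % 8][int(ch)]]
    return c

def _is_digits(s):
    return s.isascii() and s.isdigit()

def check_digit(body):
    """Return the Verhoeff check digit to append to `body`."""
    if not _is_digits(body):
        raise ValueError("body must be ASCII digits")
    return str(INV[_fold(body, 1)])

def is_valid(number):
    """True if the number, check digit included, folds to zero."""
    return _is_digits(number) and _fold(number, 0) == 0

def is_well_formed_vid(vid):
    """Format check only: 16 digits with a correct check digit."""
    return len(vid) == 16 and is_valid(vid)

def undetected_typos(number):
    """Count single-digit substitutions and adjacent swaps that still validate."""
    subs = [number[:i] + d + number[i + 1:] for i in range(len(number))
            for d in "0123456789" if d != number[i]]
    swaps = [number[:i] + number[i + 1] + number[i] + number[i + 2:]
             for i in range(len(number) - 1) if number[i] != number[i + 1]]
    return sum(is_valid(n) for n in subs + swaps)

SAMPLE_BODY = "123456789012345"  # constructed 15-digit body, not a real VID
SAMPLE_VID = SAMPLE_BODY + check_digit(SAMPLE_BODY)
```

The check digit only catches transcription errors: the algorithm is public, so a well-formed number says nothing about whether it was actually issued.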
According to the original announcement, an Aadhaar holder can generate a Virtual ID for themselves to use or revoke it (after a UIDAI specified minimum period) at any time they wish. However, only one Virtual ID can be used per Aadhaar number at any given time.
According to the announcement, the VID was to be launched on the 1st of March, 2018, and APIs were to be provided to integrate the VID. The government remained vague on the implementation and its details long past the due date.
At the moment, the VID generator page on the UIDAI website appears to provide options to generate or retrieve a VID after OTP authentication of the Aadhaar. However, it is still unclear where the VID numbers can be used and where they cannot be used.
There does not appear to be an official announcement to this effect, though according to Dr. Ajay Bhushan Pandey’s statements in court, it appears that Income Tax would be one purpose that would require the real Aadhaar, while telecom operators are not considered to be entities that require the real Aadhaar numbers. Dr. Pandey had also said at that time that the use of Virtual ID would prevent aggregation of data across databases using Aadhaar.
The Virtual ID appears to be a lot like shutting the stable door after the horse has bolted. Or, to use a more “internet” metaphor, storing your real credit card on a shopping site profile, but using a “one time use” virtual card to make purchases and calling it “security”. The Aadhaar number has been proliferated across databases already, and the use of a Virtual ID cannot undo this. Everything linked with the real Aadhaar number so far will remain vulnerable to exploitation, and by the UIDAI’s own admission and the government and service providers’ relentless coercion, the Aadhaar is mostly already linked for the majority of citizens.
Justice Sikri’s question to Dr. Pandey from the Supreme Court hearing also becomes important here. In a country where Aadhaar-based money transfers are being promoted because debit cards are too difficult for the masses, how can the masses be expected to manage a Virtual ID securely? Those who cannot will permanently remain at risk from the deleterious effects of Aadhaar on privacy, and the Virtual ID cannot be considered to mitigate this risk for those whose Aadhaar numbers are already on record in various places.
Additionally, the implementation of the Virtual ID is unclear. When services are allowed to store the Aadhaar number – and now Virtual ID – of individuals, what happens when the Virtual ID is revoked by the individual? Does this mean that revocation will require repeated authentication with all services linked with the Aadhaar using the Virtual ID? Does this mean that the revoked Virtual IDs will remain as incorrect data on the servers of services (in which case, what is the purpose of allowing them to be stored at all?) Will they be automatically updated (which would defeat the purpose of revocation)? Something else?
At this stage, it is unknown where a Virtual ID can be used, even though the UIDAI has provided a generator to generate one.