India January 12(IM): The most recent development in the Aadhaar issue is the UIDAIs announcement of new Virtual IDs, a temporary, virtual ID to be used and shared, in place of the actual Aadhaar number. This move is, on the one hand, a welcome acknowledgment of the privacy and security issues with Aadhaar, as opposed to the UIDAIs characteristic denial of privacy allegations. The removal of access granted to officials and the link of database access to biometrics are other good steps. On the other hand, this move can only partially resolve a single privacy issue that of securing the Aadhaar number.Details of the Virtual ID and the tokenization system have been shared via a UIDAI Circular. In brief, the Circular states that, after March 2018, Aadhaar holders will have the option of generating and sharing a virtual ID instead of sharing the Aadhaar number itself. This will be a temporary ID, which can be replaced from time to time by the Aadhaar holder himself only.
Further, agencies using Aadhaar-based authentication or KYC are to be classified into global and local agencies the former will be allowed access to full KYC details, and the latter Limited KYC details.The limited KYC will be paperless KYC, and details will be shared with the local agencies on a needs-only basis. Lastly, agency-specific UID tokens are to be given to the local agencies to uniquely identify the individual, instead of the Aadhaar number. Agencies must store these UID tokens in their databases instead of the actual Aadhaar number. UID tokens for an individual will vary from one agency to another. Reaction to the Tribune's report?Looking at the Tribune breach, once unauthorized access was gained, the risk was due to the ability to enter any Aadhaar number into the system, and a Virtual ID can reduce the number of Aadhaar numbers put into circulation. Though this move is being described as a knee-jerk reaction to the Tribune report on the Aadhaar breach, it isnt clear if it is in fact such a reaction. Tokenization, in fact, had been under consideration by the UIDAI for a while, and some initial steps towards tokenization at the agency level had been introduced by the UIDAI in July, 2017.UIDAI needs to broaden its approach to privacy Hopefully, this move isnt such a reaction, since masking the Aadhaar number solves only a very small part of the issues brought to light with the Tribune story. The UIDAI has, in the past, taken a very narrow approach to privacy, focusing on securing the CIDR (Central Identities Data Repository), protecting biometric data, and, possibly, now protecting the Aadhaar number. Statements by the UIDAI, like undervaluing the importance of disclosure of demographic data, indicate either a lack of understanding or a lack of concern with the larger privacy and security issues involved in the ecosystem created by Aadhaar. For truly securing privacy, the UIDAI needs to fully address the several issues that have arisen over the years.What about the Aadhaar numbers already shared?Despite the introduction of the VID system, there are several privacy issues which remain unresolved. One is that this system neither addresses nor takes into account the sheer volume of Aadhaar numbers that have already been shared. The mandatory linkages of Aadhaar with various services, and the increasingly common use of Aadhaar for KYC has led to Aadhaar numbers already entering into the possession of several entities. The deadlines for many linkages, in fact, is March 31st, the very date from which the Virtual ID system will be made available. As the website database leaks since the last year showed, several Aadhaar numbers have already been compromised. The virtual ID system in no way addresses any of these problems.Virtual ID system is optional, not mandatory
Another issue is that the virtual ID system is optional, and not mandatory. This, again, will limit the impact of this system to reduce Aadhaar number disclosures. It is questionable how many people will actually adopt the Virtual ID system or understand its significance. People have in no way been impressed with the need to keep their Aadhaar number a secret. The UIDAI itself has not taken a clear stand on the secrecy of the Aadhaar number, with its statements made earlier that the Aadhaar number is not a secret number.Sharing the Aadhaar number through a xerox of the Aadhaar card has become one of the most common steps taken by people for KYC and other purposes today. The Virtual ID system would be a lot more effective if all Aadhaar holders received new Aadhaar numbers which are masked on the Aadhaar card, and then mandated to use Virtual IDs. Such a large scale overhaul of the Aadhaar system is, however, unlikely. Risks of sharing biometric data unaddressed Another significant issue with this system is that it does not in any way address the risks involved with the collection and use of biometric data in the Aadhaar ecosystem. That data will continue to be collected and used by the same agencies, even if Virtual IDs or limited KYC were to be implemented. This is a bigger risk than that of sharing the Aadhaar number.The extent of services linked with Aadhaar, with biometric data as the only bar, will make biometric data the biggest target of cybercriminals. It is a huge mistake to think that securing the CIDR alone will resolve problems since people are also giving out biometric data everywhere, everytime they touch something, or even if they just upload a picture of themselves online. Even a high-end camera could easily be used to obtain iris scans of a person.There have also been many reports on the abuse of the Aadhaar system. For instance, the UIDAI itself discovered and acted against fake apps being introduced to extract Aadhaar numbers. It is perfectly conceivable to have fake payment apps which extract not just Aadhaar and account numbers, but biometric data as well. Reports have also come out on replay attacks, which allowed malicious players to save and reuse biometric data for fraudulent transactions.Consider payment technologies using biometric authentication, such as Apple Pay, where the fingerprint is stored on the phone, and this is not shared with anyone. To make the payment, the receiving entity receives just a one-time token, and not the account number, the fingerprint, the OTP (One-Time Password) or any other critical data. Surely, introducing a virtual fingerprint would better preserve peoples privacy than a virtual Aadhaar number. Smart cards have, in fact, been suggested previously for the Aadhaar system. The UIDAI needs to reconsider the use of biometrics as authentication, instead of a replaceable smart card or OTP.Hopefully, a good first step If this move of introducing Virtual IDs is the first of a much larger, holistic movement towards better security/privacy in the Aadhaar ecosystem, then it is very welcome. As a stand-alone step, however, it resolves very little. To fully deal with the issues with Aadhaar, a lot more needs to be done. To look at it positively, at the very least, this move is a sign of an acknowledgement of and is a step towards resolving the security and privacy issues with Aadhaar.
SOURCE: FIRST POST