In an exclusive interview to CNN-News18’s Sanket Upadhyay, UIDAI Chief Executive Ajay Bhushan Pandey says people who don’t feel comfortable sharing their Aadhaar number can now generate their own virtual ID. He said they can also change it as many times as they want. Pandey hailed it as the biggest innovation since Aadhaar was launched. An edited transcript of the interview:
UIDAI has introduced new safety features, has gone for an upgrade when it comes to safety. What is virtual ID?
Virtual ID is like a camouflage Aadhar number. If you're going somewhere and you have to prove your identity, you give your Aadhaar number. Even for online verification, you give Aadhaar number. Aadhaar is not secret information but has personally sensitive data like bank account number and mobile number. We have added another layer on Aadhaar; have been working on it for last one and half years. This is the biggest innovation since 2010, when we launched Aadhaar.
It’s like Aadhaar 2.0. Let's say you have Aadhaar number and you go to our portal and enter your number; what we'll do is, after entering the number, we will send an OTP on a linked mobile number. And you with the help of that can generate a 16-digit virtual ID number. That will then become your alias Aadhaar number.
Wherever you have to authenticate yourself, you can use your virtual ID instead of your Aadhaar number. For example, you've gone to a telecom company to get a SIM card or verifying mobile number or you've gone to a bank to verify your bank account, then you don’t have to give Aadhaar number, you can give your virtual ID and fingerprint. Aadhaar system will know that this virtual ID belongs to this system. The virtual ID can be changed any number of times.
How many times can I use one virtual ID?
Any number of times, till you change it.
What I understand is, I can use this virtual ID to mask my Aadhaar number and change it whenever I want.
Another important thing, when you use Aadhaar authentication or virtual ID, then the agency which is accepting your virtual ID gets your eKYC information. It has the same information as on your Aadhaar card. Basically, he gets your electronic Aadhaar card. On the other end, the agency will get a different series of numbers.
What if the company tries to trace it back to the person’s Aadhaar?
The companies won’t be able to trace this as they won’t get the Aadhaar number. They will have the 16-digit number. UIDAI will send a response to that company saying that this person has authenticated and here's the KYC information. Agencies will not get Aadhaar number apart from the ones that require it by law. If the agency is getting Aadhaar authentication, there's trust.
What if the agencies which don’t need Aadhar today, come out with an announcement saying that Aadhar is mandatory?
The law will take care of this. For example, telecom, by SC order, requires Aadhaar authentication to verify the mobile number. There you can give your virtual ID. But tomorrow, if the department of telecom says that telecom companies need to do Aadhaar authentication, then UIDAI won’t give them the Aadhaar number and neither will the mobile subscriber.
Subscriber will give them a virtual ID and UIDAI will give them a unique token, which will be a 72-character string which will be unique. But the company wouldn't be able to trace the Aadhaar number.
What all services are mandatory at this moment for me to give my Aadhaar number and where all can I give my virtual ID? is there ambiguity on this front?
We have given Aadhaar authentication facility to more than 300 agencies, each agency will have to come and explain why they need to collect Aadhaar number and do Aadhaar authentication.
By agencies you mean service providers, like banks and telecom agencies?
Yes. We'll take a review and ask them under which law do they require Aaadhaar authentication.
As of now, if I only want to give my virtual ID and not my Aadhaar, how do things work out?
We have a transition plan. From 1st March, you can use your virtual ID everywhere. Let’s say tomorrow, the government says that the bank should get the Aadhaar number, but you can still continue to give your virtual ID and we will give Aadhaar number to the bank. But if you go to a telecom company and the govt says that you don’t have to give your Aadhaar number then you can give your virtual ID and we will also not give the Aadhaar number.
Let me clarify that in our country there will always be someone who will say that they are not able to use the virtual ID. Then, in that case, the question is can they use their Aadhaar number? That is, of course, an option for you.
People are saying that this will add another layer of bureaucracy, as now it’ll give birth to another party which will say that we'll create a virtual ID card for you. What's your response?
It is a completely wrong conception. This is only an additional option. You can continue using Aadhaar, if you wish, forever. Some people may feel that they don’t want to give their Aadhaar number to anyone then they can generate their virtual ID. Some people might want to change virtual IDs every day, they can do that too. You can change your virtual ID as many times as you want.
Safety is a big concern. You’ve created a virtual ID, but will safety remain virtual or will that be real?
I have always maintained that we give maximum importance to safety and data because we have data of 1.2 billion people. We have their basic demographic information and their biometric details. We don’t discuss the security measures for many reasons.
There are various layers of security that we don’t want to discuss. We keep on improving security because it is not a static situation. Is your system secure? Can your system not be hacked? This can’t be answered in yes or no.
Can you elaborate?
If you ask this question to any IT system in the world, even they won’t be able to answer it in yes and no. Can you say that a fort can’t be breached or that a criminal breach is impossible? What we can say is that we've taken great security measures. In the past seven years, we've been constantly upgrading our system.
Upgradation also doesn't mean that our system was vulnerable earlier. We found there was room for improvement and that’s why we brought in virtual ID. It is not like people were living in insecurity before this, but we are trying to make things foolproof.
What's the philosophy behind virtual ID? Is it optional for you to share it or not? What’s the guarantee that you can give to people that no one will fraudulently save my data in their database?
Your Aadhaar number or KYC was used for one purpose and then they used it for some other purpose: this is the kind of complaint that we would get. This is not only a violation of Aadhaar Act but a criminal breach of trust. For example, you go and apply for a certain service and next day you start receiving calls then naturally your data have gone somewhere else. This raises a larger data protection issue and for that, there is a committee headed by Justice Srikrishna.
I am also a member of that committee. So we will look into all the security issues which will also cover Aadhaar. The data that you have given shouldn’t be used for any other propose and if that happens then certain legal actions can be taken. All these things can be looked into.
Sanket: Does the creation of virtual ID makes it difficult for someone to access my geographical data? Is that possible?
AB Pandey: See, first of all, Aadhaar doesn’t collect your geographical data. When we collect the data, we don’t mention the place from which the authentication was done. Aadhaar will, of course, know that this request of authentication has come from this agency. Now for this agency, it can come for what purpose, for example, you have gone to a bank and you are doing authentication through virtual ID or your own ID or it could be a bank employee doing Aadhaar-based attendance or doing some transaction of opening a bank account.
So we have no information regarding the purpose of the authentication or what bank account are you opening. One more thing, some people think if you link your bank accounts or phone numbers or your PAN card, the UIDAI gets all the info of your bank accounts and mutual funds which is completely untrue. UIDAI has only information of your Aadhaar that is your name. When we talk about your identity, it consists of your demographic information and biometric details.
This is the only data that we have. We don’t have details of bank accounts and mutual funds. So when people talk about the data breach and think that their account number, ATM pin or mutual fund information has been leaked and UIDAI has all this data, it’s untrue. So if UIDAI doesn’t have the information, then from where will the data breach happen?
Comments
0 comment