India announced it was adding an extra layer of privacy to its virtual identification system following allegations of a major privacy breach in the world’s largest biometric database.
The move to allow all citizens to use a virtual ID to avoid sharing their unique identity numbers when using government and other services comes after a news report said personal details of up to a billion citizens enrolled in the program could be illegally accessed for just $8 paid through a digital wallet. Its operator, the Unique Identification Authority of India, said there was no breach. Still, it’s the biggest overhaul of the system—known as Aadhaar—since it was introduced in 2010.
Citizens will be able to to generate a 16-digit virtual identity in lieu of their Aadhaar number with banks and state departments at the time of authenticating their identity, the government said in a statement. Banks and companies will be given “agency specific” unique tokens to avoid storing customers’ Aadhaar data, it said.
The update marks an “important evolution” of the Aadhaar system but comes too late to mitigate the risk of the misuse of any information that’s already been publicly disclosed, said Saksham Khosla, a research analyst at Carnegie India.
At the same time, “the process of generating a virtual ID introduces more transaction costs into an authentication system already beset by exclusion,” Khosla said. “The Indian state’s record of last-mile communication, especially of tasks requiring a fair amount of digital literacy, is not encouraging.”
The Aadhaar authority will release the application software needed by banks to change their systems by March 1. Companies have until June 1 to fully migrate to the new system.
Meanwhile, India’s Supreme Court is scheduled to start a final hearing on the legality of Aadhaar on January 17.