In an attempt to address security and privacy concerns around leakage of Aadhaar numbers and data, the Unique Identification Authority of India on 10 January 2018 introduced two new measures – virtual ID and limited KYC.
The VID will not be duplicable by agencies performing authentication of Aadhaar number, and hence will ensure safety of the Aadhaar number. UIDAI, which administers Aadhaar, the VID can be generated and revoked only by the Aadhaar number holder through channels such as the Aadhaar portal and the mAadhaar mobile app. The older VID gets canceled each time the Aadhaar number holder issues a new one.
The VID will not be duplicable by agencies performing authentication of Aadhaar number, and hence will ensure safety of the Aadhaar number. These agencies will be given a UIDAI token specific to them, to enable them to uniquely identify their customers. The UID token, a unique character for system usage, will be unique to every authentication request made by a global or local AUA.
In the absence of strong data protection and privacy laws, the issue of what can be done with stored citizen information is a grey area. The new measures do not specify what happens to the Aadhaar numbers that have already been stored by public or private entities. It also does not mention which AUAs would qualify as global or local.