Explained: Securing your Aadhaar data

The UIDAI, the statutory body mandated to collect Aadhaar data, issued the first press release on May 27, warning the “general public not to share photocopy of one’s Aadhaar with any organisation, because it can be misused”. Instead, it recommended that “a masked Aadhaar, which displays only the last four digits of your Aadhaar number,” be used for such purposes.

It also asked the public to avoid using public computers to download their e-Aadhaar. If they did so, it reminded them that they should ensure that any downloaded copies of the same are “permanently deleted from that computer.”

The press release said “only those organisations that have obtained a User License from the UIDAI can use Aadhaar to establish the identity of a person.” It added that “hotels or film halls are not permitted to collect or keep copies of Aadhaar card,” stating that “it is an offence under the Aadhaar Act 2016.”

It asked users to verify that any private entity demanding to see the Aadhaar card should have a valid User License from the UIDAI.

What led to the withdrawal?

After the press release, many started pointing out that this statement was needed, given concerns over the misuse of Aadhaar data. Many private entities in the country insist on an Aadhaar card, and users often share the details. There’s no clarity on how these entities keep these data private and secure. In the past, there have been reports of Aadhaar databases being sold.

More recently with Covid-19 testing, many would have noticed that most labs insist on Aadhaar card data, including a photocopy. It should be noted that it is not mandatory to share this for getting a Covid-19 test done.

On May 29, the UIDAI withdrew the May 27 press release, on the ground that it could be open to misinterpretation. The updated statement said, “However, in view of the possibility of the misinterpretation of the Press Release, the same stands withdrawn with immediate effect.”

It said “Aadhaar card holders are only advised to exercise normal prudence in using and sharing their UIDAI Aadhaar numbers”, and that there are enough security features to keep it safe.

So, how does one keep one’s Aadhaar data safe?

While a regular user cannot control data breaches, there are some steps to ensure that one’s Aadhaar card number is not used by anyone else. Some of these steps include using a two-factor authentication on the Aadhaar card, turning on the biometric lock, and using Virtual Identity or VID for authentication. A look at the steps to keep in mind:

Two-factor authentication: It is imperative that your Aadhaar is linked to your primary mobile number and email ID. This is where UIDAI will send the one-time password (OTP) if someone tries to access your Aadhaar account or using it for any verification. If you’ve changed your mobile phone number for any reason, it is best to go to an Aadhaar enrolment centre and update this information as soon as possible. Aadhaar verification can only happen with this OTP.

Masked Aadhaar copy: You can download a ‘Masked Aadhaar’ copy from the official UIDAI website. You can then share a photocopy or version of this, instead of your full Aadhaar id. This version only has the last four digits of your Aadhaar number, instead of the full number. To download, go to https://myaadhaar.uidai.gov.in. Select the option “Do you want a masked Aadhaar” and proceed to download a version with only the last four digits.

Locking biometrics: If you are worried about misuse of your Aadhaar biometric data, you can also lock it from the UIDAI website. Logging into MyAadhaar shows this as one of the options on the dashboard. According to the website, “When you lock your biometrics (fingerprint, iris, and face), they can no longer be used for authentication. However, OTP-based authentication would continue to be available as needed.”

Users can lock this data temporarily or permanently, depending on preference, and it can be unlocked in both cases. Since it may be necessary to submit your biometric data for certain purposes such as opening a bank account, this would entail temporarily unlocking the data. Locking the data again means it cannot be misused by anyone in the organisation you submitted your biometrics to.

The UIDAI website says locking biometric data “prevents possible misuse of the Resident’s Biometrics Data”. There’s no specification on what this misuse could entail.

Use VID: The Virtual Identity, or VID, is a system of “Limited KYC” (Know Your Customer). This hides the Aadhaar number from the authenticating agency, while still confirming the identity of the user. This is a 16-digit number, but temporary in nature. So, unlike the permanent 12-digit Aadhaar number, the VID is valid only for some time.

The old VID expires when a new one is generated, and only one valid VID number can be there against a particular Aadhaar number at any given point in time. VID confirms your identity to the authenticating entity, say your bank. The VID can be generated from the Aadhaar resident portal or the mAdhaar app on iOS and Android.

Users can also go to the Aadhaar website or app to see authentication history to know if the data has been used without their knowledge. However, this history was limited to the year 2021 when we used the feature.

Newsletter | Click to get the day’s best explainers in your inbox