According to the Caravan report about the proposed new Data Protection Act/Privacy Protection Act which the Srikrishna Panel has tabled, a suggestion has been made to amend the Aadhaar Act to introduce what is called “Offline Authentication”.
A discussion has already ensued in professional circles about how “Offline” authentication can be done without a copy of the Aadhaar data being kept outside the CIDR, and whether it will introduce new data breach risks.
However, I feel that, just like the introduction of the Virtual Aadhaar ID, which stepped up the security of the Aadhaar data by several notches and took the wind out of the anti-Aadhaar lobby, this “Offline Authentication” system may also turn out to be a good practical suggestion that can ensure that the Aadhaar system survives the critical scrutiny of the Supreme Court.
As one of the measures by which this system could be introduced, we can envisage that UIDAI may authorize “Identity Certification Agencies”.
This could be part of the DigiLocker scheme and the Digital Certificate Scheme run under the CCA. In such a scheme, certain agencies may be licensed to perform verification based on the “Virtual Aadhaar ID” submitted by the Aadhaar user (Global KYC agents can perhaps use the real Aadhaar ID itself) and to maintain a mirror identification database of “Members of its service”.
These agencies could be similar to the “Data Trusts” which Naavi had proposed earlier. Individuals could deposit their ID information with these agencies, which may be private sector agencies with access to technology which they claim is better than that of UIDAI. Their database may be maintained on the basis of their membership and the linked Virtual Aadhaar ID.
If there is any data breach at these “Trusted Intermediaries”, then UIDAI cannot be blamed. Also, the loss can be recouped by changing the Virtual Aadhaar ID.
Hence this move will both insulate the CIDR from too much access by the public and silence the critics by challenging them to be the secure repositories of the data, if they are capable, rather than blaming the Government all the time.
For the positively minded, this is an additional opportunity to create a business out of the need to secure personal data.
It is therefore time for the critics of Aadhaar to accept the challenge thrown at them by the Srikrishna panel and find solutions to make offline Aadhaar authentication feasible without the fear of personal data breach.