The outcry over Aadhaar in Google Wallet misreads what verifiable credentials actually do: let us prove who we are in a privacy-protecting way. India built this capability long before the rest of the world; the real risk now is that we use it too timidly.


Last month, when Google announced that Indian residents can now store their Aadhaar verifiable credentials in their Google Wallet, the reaction was shrill. Since then, much ink has been spilt about the implications of this announcement and what it means for our personal data and digital sovereignty. Reading these pieces, it seems that much of the concern stems from an imperfect understanding of what has been implemented and the benefits it can bring.

The Physical Route

To understand what this is all about, refer to Section 4(3) of the Aadhaar Act, which states that holders of an Aadhaar number can voluntarily use it to establish their identity. They can do so physically—by presenting their Aadhaar card to whoever asks for it—or electronically, through authentication processes or offline verification.

The most common use of Aadhaar is physical. When someone asks for proof of my identity, I pull out my Aadhaar card and show it. Truth be told, even though Aadhaar was designed to be an identity number, it is primarily used as an identity card. This is unfortunate because the physical Aadhaar card was never designed for this and lacks tamper-resistant features that would have made it hard to duplicate. Today, anyone with working knowledge of Photoshop can produce a fake Aadhaar card that is indistinguishable from the original.

There is another problem with the physical card. Once you hand it over, a photocopy captures all the information on it, regardless of what exactly the verifier needs to know or whether you intended it. There is no mechanism for selectively disclosing information in a way that protects our privacy.

Authentication and Verification

Online authentication is a far more reliable way to prove your identity. It allows a requesting entity to confirm that the details claimed by someone presenting an Aadhaar number match those associated with the Aadhaar number in the Central Identities Data Repository (CIDR). This is the process that banks and telecom companies use to onboard new customers for their services, and it has been approved under the Prevention of Money Laundering Act as a valid method of KYC verification.

However, online authentication can only be carried out by entities specifically registered with the Unique Identification Authority of India (UIDAI) as Authentication User Agencies (AUA)—and not everyone is allowed to become one. What’s more, since each authentication is performed in real time against the Aadhaar database, it comes at a cost that not everyone is willing to bear.

Offline verification yields the same results without connecting to the CIDR. The user presents a digitally signed credential issued by the UIDAI; the verifier checks this locally and obtains the same assurance of the holder’s identity as online authentication would have provided. The UIDAI itself is never in the loop.

Just as with online authentication, not everyone is permitted to conduct offline verification. That privilege is reserved for registered Offline Verification Seeking Entities (OVSEs)—the only entities legally permitted to verify an Aadhaar number holder under the provisions of Section 8A of the Aadhaar Act. They can do so only with the consent of the Aadhaar number holder for the specified purpose and are not allowed to share this information with any other entity. As a result, they operate, for all intents and purposes, under similar constraints as AUAs who conduct online authentication.

Untapped Potential

Why then is there a furore over Google being appointed an OVSE? All that Google is allowed to do is provide users with a digital store for an identity credential issued by the UIDAI. Functionally, this is no different from downloading a digital copy of your Aadhaar from the UIDAI website and storing it on your laptop, mobile phone or a cloud provider of your choice. By law, Google and all the other 100 or so OVSEs that have been appointed operate under strict data security obligations and legal restrictions against the unauthorized use or sharing of this information.

Around the world, verifiable credentials are fast becoming a reliable identity solution. If anything, India is playing catch-up in a field it once dominated. The EU enabled verifiable credentials under its revised eIDAS regulation, and every member state is now obliged to offer its citizens a digital identity wallet that supports verifiable credentials by the end of this year; and by December 2027, every private-sector provider in the EU is required to accept them. In the US, mobile driver’s licences in the form of verifiable credentials are now accepted at TSA checkpoints across 20 states.

If anything, I worry that we are not doing enough. Section 4(3) allows us to share our Aadhaar with whomever we choose. If that is the case, why can I not share my Aadhaar verifiable credential with any hotel I want, regardless of whether it has been designated as an OVSE or not? I would rather do this than allow them to take a photocopy of my physical card and worry that the copy they just made will one day end up in the trash. If I ever need to prove I am an adult, why can I not just generate a verifiable credential that selectively masks all identifying information and just confirms that I am above 18, so that I don’t have to share any more information than I have to?
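
To make the offline check and the "above 18" case concrete, here is an added sketch (not part of the original article and not UIDAI's or Google's code) of an issuer-signed credential that a verifier checks locally, with the holder revealing a single claim. Assumptions: the Ed25519 signature, the salted-hash disclosure scheme, the function names `issue`, `present` and `verify`, and the sample record are all chosen for illustration and do not describe the actual Aadhaar credential format.

```javascript
const crypto = require('crypto');

const sha256 = (s) => crypto.createHash('sha256').update(s).digest('hex');
// A disclosure is a [salt, name, value] triple; only its digest is ever signed.
const digestOf = (d) => sha256(JSON.stringify(d));

// Issuer: salt every claim and sign the sorted digests, never the raw values.
// The random salt stops a verifier from guessing hidden values by hashing candidates.
function issue(claims, privateKey) {
  const disclosures = Object.entries(claims).map(([name, value]) =>
    [crypto.randomBytes(16).toString('hex'), name, value]);
  const payload = JSON.stringify({ digests: disclosures.map(digestOf).sort() });
  const signature = crypto.sign(null, Buffer.from(payload), privateKey).toString('base64');
  return { payload, signature, disclosures };
}

// Holder: forward the signed payload plus only the disclosures being revealed.
function present(credential, names) {
  return {
    payload: credential.payload,
    signature: credential.signature,
    disclosures: credential.disclosures.filter(([, name]) => names.includes(name)),
  };
}

// Verifier: a purely local check against the issuer's public key; the issuer is not contacted.
function verify(presentation, issuerPublicKey) {
  const ok = crypto.verify(null, Buffer.from(presentation.payload), issuerPublicKey,
    Buffer.from(presentation.signature, 'base64'));
  if (!ok) return { valid: false, claims: {} };
  const signed = new Set(JSON.parse(presentation.payload).digests);
  const claims = {};
  for (const d of presentation.disclosures) {
    if (!signed.has(digestOf(d))) return { valid: false, claims: {} }; // altered or unsigned claim
    claims[d[1]] = d[2];
  }
  return { valid: true, claims };
}

// Constructed sample data, not a real record.
const issuerKeys = crypto.generateKeyPairSync('ed25519');
const credential = issue(
  { name: 'Asha Example', dob: '1990-01-01', address: 'Constructed Street 1', age_over_18: true },
  issuerKeys.privateKey);
const shown = present(credential, ['age_over_18']);
const result = verify(shown, issuerKeys.publicKey);
console.log(result);
```

The verifier learns only that the issuer vouched for `age_over_18`; the name, date of birth and address never leave the holder's device, which is exactly what a photocopy cannot offer.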

India built a world-class digital identity system long before other countries started to think about it. It’s high time we allowed our citizens to unlock the full potential of what we built.