Chennai: With the introduction of the 16-digit virtual ID, UIDAI must ask all service providers to delete the Aadhaar numbers they have stored till date on their servers, say activists, lawyers and cybersecurity experts.In the case of telecom companies, banks and other financial institutions, cybersecurity experts warn that there should be an audit to ensure that all ‘financially sensitive information that could be vulnerable to fraud, including the Aadhaar number are erased.’ To prevent instances like that of Airtel storing customer information, cybersecurity experts say that the 16-digit virtual ID should be modelled along the lines of UPI to ensure financial safety. “Its a case of fire-fighting and disaster management. Apart from the recent Tribune report, which highlights vulnerabilities, remember there were 2 crore Aadhaar card details exposed in May 2017. Was the government, UIDAI or any of the service providers held liable? Were we citizens able to sue, ask for damages for the loss of data, identity theft? Even today, the introduction of the 16-digit virtual PIN is an admission of compromised security,” says Gopal Krishnan, activist, Citizens Forum for Civil Liberties, New Delhi.With regard to effective implementation, cybersecurity expert Nitin Bhatnagar says, “The implementation process requires guidance from security specialists who understand tokenization process and need adequate time. All the AUA/KUA will have to start afresh to follow this tokenization process to improve security.”But what happens to the information already stored by these agencies, banks and telecom providers. “Nothing. So far there is no legal liability. Aadhaar card details, which are currently stored in their servers might continue to remain with them. And the sad thing is — law-abiding citizens, who decided to give their Aadhaar numbers everywhere to everyone, much before the deadline of March 31, 2018 —will now be at risk. They have already given their Aadhaar information everywhere and there is no law mandating that storage of such information is illegal - so at any time their details can be compromised. Even the new system of virtual ID works no different from a ATM PIN or M-PIN, it is vulnerable to hacking,” says Ramesh Kumar, cyber law expert. Lawyers say there is no legal recourse currently available for citizens whose Aadhaar numbers are being stored by banks or telecom companies/insurers. “So far none. In fact their defence will be that rules required them to ask for Aadhar numbers and link them. The virtual ID is a new format introduced by UIADI only now and could not obviously be retrospectively imposed,” said Sanjay Hegde, lawyer, Supreme Court. Banks say that they have not received any information from RBI or UIDAI on deleting the Aadhaar numbers currently in their database. “What has already been collected still remains in our system. We have not received any fresh instructions from any of the authorities on deletion of the Aadhaar numbers from our database. nothing to my knowledge. Going forward, we will be collecting the 16 digit virtual ID from customers,” said Parthasarathi Mukherjee, MD, Lakshmi Vilas Bank. DCB Bank MD Murali Natrajan said that it “remains to be seen what needs to be done with the Aadhaar information already collected.”