The Unique Identification Authority of India (UIDAI) introducing a virtual ID and limited KYC to address privacy and security concerns is a case of too little, too late, say experts.

The UIDAI, the agency that administers Aadhaar, said on Wednesday it will now let Aadhaar number holders have a virtual ID, which will come with an expiration date, mapped to the Aadhaar number. It also said only some entities will be allowed to store a person's Aadhaar number.

"This is just an attempt at plugging the loopholes in the system," said Ramanjit Singh Chima, India Policy Director at Internet advocacy group Access Now. He called the proposal "complex and unworkable".

While the Aadhaar debate has many facets, the issue of citizen data leakage and privacy has been in the news for the past week after The Tribune reported that an anonymous seller was, through WhatsApp, offering access to the entire Aadhaar database for as little as Rs 500.

There have also been other reported instances of Aadhaar numbers being available publicly, but the UIDAI has always maintained that there is no threat to citizen data as long as their biometrics are safe and authorised agencies have access to their Aadhaar numbers.

While the UIDAI had been considering the use of virtual ID and tokens for some time, the new measures still do not completely eliminate the need to access the biometric database of citizen data for authentication, and would also require people to re-enroll for the measures to be effective, said Chima.

The new measures also do not specify what happens to Aadhaar numbers that have already been collected by different agencies and entities such as telecom companies, banks or educational institutions.

"What Aadhaar needs is an overhaul of its defective-by-design architecture and not stopgap measures. On January 9 another security researcher found issues in its Android app. It's not a constructive use of time and financial resources to force any inherently insecure system on the citizens," said technology lawyer Mishi Choudhary.

While the lack of a proper data protection and privacy framework has been a longstanding roadblock in deciding how stored data can be treated, there is currently a consultation underway to decide a data protection framework in India.

A large part of the Aadhaar debate is played out nearly every day on social media channels such as Twitter.

"#Aadhaar is here to stay! Happy that the @UIDAI has introduced virtual ID and limited KYC in the spirit of continuous innovation to enhance privacy and security," tweeted Aadhaar architect Nandan Nilekani after UIDAI's announcement.

There were also several contrarian views put out against the new features.

"We are all into this together as security breaches don't discriminate based on political affiliations. We need a nuanced discussion on law, policy, tech and impact on society for any project that has large-scale implications and not Twitter yelling," added Choudhary.