Recently UIDAI filed a criminal case against three entities, namely Axis Bank, Suvidhaa Infoserve and e-Mudhra, and temporarily barred them from using Aadhaar authentication services.

The allegation was that these agencies had indulged in “Unauthorized Access” to the UIDAI server and committed “Impersonation” with “Forged Digital Identities”.

What these entities are alleged to have done can be called a “Stored Biometric Attack”, in effect a replay attack: the biometric captured from a genuine user for one legitimate transaction is copied and stored without authorization and then resubmitted for other transactions, without the user being present.

UIDAI deserves credit for having identified the unauthorized nature of the transactions through a statistical evaluation of the biometric parameters: a live capture varies slightly from one presentation of the finger to the next, so the same biometric data recurring unchanged across many transactions is a telling anomaly.
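The detection idea behind the two preceding paragraphs, as an added illustration that is not part of the original post and not UIDAI's actual analysis (which has not been published): over a set of constructed authentication records, a byte-identical biometric template recurring across transactions is flagged as a replay candidate, and each submitting agency (AUA) is scored by the fraction of its transactions that reuse an earlier template. The record layout, agency names, masked identity references and template bytes are all assumptions made up for the example.

```python
"""Replay ("stored biometric") detection over constructed authentication records."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
import hashlib


@dataclass(frozen=True)
class AuthRecord:
    txn_id: str
    aua: str            # authentication user agency that submitted the request (assumed field)
    uid_ref: str        # masked identity reference, constructed for the example
    timestamp: datetime
    template: bytes     # biometric template exactly as received by the server


def template_fingerprint(template: bytes) -> str:
    # Compare hashes so the raw biometric is never retained for the comparison.
    return hashlib.sha256(template).hexdigest()


def find_replays(records):
    """Group transactions by exact template hash.

    Two live captures of the same finger differ in sensor noise, so a hash that
    appears in more than one transaction indicates a stored template being resubmitted.
    Returns {template_hash: [txn_ids in time order]} for hashes seen more than once.
    """
    seen = defaultdict(list)
    for rec in sorted(records, key=lambda r: r.timestamp):
        seen[template_fingerprint(rec.template)].append(rec.txn_id)
    return {h: txns for h, txns in seen.items() if len(txns) > 1}


def aua_repeat_rate(records):
    """Fraction of each AUA's transactions that reuse a template already seen earlier.

    A legitimate AUA submitting fresh captures stays at 0.0; an AUA replaying stored
    templates climbs towards 1.0. This is the simple statistic the example flags on.
    """
    first_seen = {}
    total = defaultdict(int)
    repeats = defaultdict(int)
    for rec in sorted(records, key=lambda r: r.timestamp):
        h = template_fingerprint(rec.template)
        total[rec.aua] += 1
        if h in first_seen:
            repeats[rec.aua] += 1
        else:
            first_seen[h] = rec.txn_id
    return {aua: repeats[aua] / total[aua] for aua in total}


def suspicious_auas(records, threshold=0.2):
    """AUAs whose repeat rate exceeds the threshold (threshold is an assumed tuning value)."""
    return sorted(aua for aua, rate in aua_repeat_rate(records).items() if rate > threshold)


# Constructed sample records. "aua-good" submits a fresh capture each time (note the
# slightly different bytes); "aua-bad" resubmits one stored template on three days.
SAMPLE_RECORDS = [
    AuthRecord("T1", "aua-good", "XXXX-XXXX-1234", datetime(2017, 2, 1, 9, 0), b"\x11\x42\x73\xa4\xd5"),
    AuthRecord("T2", "aua-good", "XXXX-XXXX-1234", datetime(2017, 2, 2, 9, 5), b"\x11\x43\x73\xa2\xd5"),
    AuthRecord("T3", "aua-bad", "XXXX-XXXX-5678", datetime(2017, 2, 1, 10, 0), b"\x22\x81\x9c\x3e\x07"),
    AuthRecord("T4", "aua-bad", "XXXX-XXXX-5678", datetime(2017, 2, 3, 11, 0), b"\x22\x81\x9c\x3e\x07"),
    AuthRecord("T5", "aua-bad", "XXXX-XXXX-5678", datetime(2017, 2, 4, 12, 0), b"\x22\x81\x9c\x3e\x07"),
    AuthRecord("T6", "aua-bad", "XXXX-XXXX-9012", datetime(2017, 2, 4, 13, 0), b"\x33\x10\x55\x66\x77"),
]

if __name__ == "__main__":
    for h, txns in find_replays(SAMPLE_RECORDS).items():
        print(f"template {h[:12]}... replayed in {txns}")
    print("repeat rate per AUA:", aua_repeat_rate(SAMPLE_RECORDS))
    print("suspicious AUAs:", suspicious_auas(SAMPLE_RECORDS))
```

Exact-hash matching is deliberately the simplest test: it catches a stored template resubmitted verbatim, which is what a copied capture looks like, while never flagging genuine users, whose captures differ every time. A production check would also look at per-identity and per-device reuse and at timing, but the hash test alone already separates the two agencies in the sample.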

It was obviously a violation of the contractual arrangement between UIDAI and the authenticating agencies, and UIDAI can take both civil and criminal action.

Under Section 34 of the Aadhaar Act, the offence is punishable with imprisonment of up to 3 years and a fine.

At the same time, under ITA 2000/8 the offence could be charged under Sections 66, 66C and 66D, each carrying imprisonment of up to 3 years.

Though the accused defended themselves by stating that they were only testing the process and hence had no fraudulent intention, a prima facie offence was established.

Under any due diligence process, therefore, the regulators, namely RBI for Axis Bank and CCA for e-Mudhra, had to take some action showing that they too had taken note of what could potentially be called a “Criminal Breach of Trust” and a “Contravention of multiple statutes”.

Since the UIDAI server is also a “Protected System” under Section 70 of ITA 2000/8, even an attempt to access it other than in an authorized manner is an offence which may attract imprisonment of up to 10 years, and which is non-bailable.

We, however, do not know whether UIDAI, RBI and CCA have all agreed to ignore the serious nature of the offence and condone it. Since a complaint has already been filed, the Police would also have to agree to look the other way, and probably a competent Court would need to approve any compromise as a compounding under Section 77A of ITA 2000/8 and/or other provisions of law. It should be noted that Section 77A does not permit compounding of offences punishable with imprisonment exceeding three years, which would rule out compounding of any Section 70 charge.

In the meantime, the e-Mudhra website indicates that CCA has initiated some punitive action against the Certifying Authority by disallowing renewal of digital signature certificates earlier issued by the company, while not yet barring the issue of new digital signature certificates.

The note on the website states: “As per the latest CCA Identity Verification Guidelines, renewal of digital signatures is no more permitted. It is required to carry Fresh identity proofing for each DSC to be issued till further orders.”

It is not clear whether this is a fallout of the UIDAI case or whether it stems from some other irregularity in e-Mudhra’s KYC process observed by CCA.

However, this opens up a debate on what the order could mean, now and in the immediate future, for e-Mudhra customers and for holders of digital certificates issued by e-Mudhra in the past.

Firstly, if any current holder of a valid digital certificate issued by e-Mudhra approaches them for renewal, they are advised to submit physical documents of identity and address proof duly attested by a Bank Manager, a Gazetted Officer, etc. In other words, the earlier digital certificates issued by e-Mudhra under CCA’s licence are not accepted as proof of the identity parameters represented in them; those parameters are, in effect, presumed to be “Untrustworthy”.

If so, this comes close to treating the digital certificate as void or “revoked”, which would cast doubt on any contracts, tenders, etc. signed using these certificates in the past. Strictly speaking, a certificate that is merely not renewed is not revoked: a certificate is revoked only when the Certifying Authority lists it in its Certificate Revocation List, and a signature made while the certificate was valid (and, where it is later revoked, before the revocation date) remains verifiable. But certificate holders have been given no such clarity by CCA or e-Mudhra, and until the position is clarified, parties relying on these signatures may feel compelled to re-sign their contracts to protect their contractual interests.
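To make the distinction between non-renewal and revocation concrete, here is an added illustration (not code from the original post, CCA or e-Mudhra) of how a relying party classifies a past signature against the signer's certificate lifecycle. The certificate, its serial, the signing dates and the two sample CRLs are constructed; the signing time is assumed to come from a trusted time-stamp rather than the signer's own clock, which is the assumption real long-term signature validation rests on as well.

```python
"""Does a past digital signature survive expiry, non-renewal or revocation of the
signer's certificate? Constructed example; serials and dates are made up."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Optional


@dataclass(frozen=True)
class Certificate:
    serial: str
    subject: str
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class Signature:
    cert_serial: str
    signing_time: datetime   # assumed to be a trusted time-stamp, not the signer's clock
    document: str


def signature_status(sig: Signature, cert: Certificate, crl: Dict[str, datetime]) -> str:
    """Classify a past signature against the certificate lifecycle.

    `crl` maps a certificate serial to its revocation date, as a Certifying
    Authority's Certificate Revocation List does. A serial absent from the CRL
    is not revoked, however long ago the certificate expired and whether or not
    it was ever renewed; only the signing time relative to the validity window
    and to any revocation date matters.
    """
    if sig.cert_serial != cert.serial:
        return "wrong-certificate"
    if not (cert.not_before <= sig.signing_time <= cert.not_after):
        return "signed-outside-validity"
    revoked_at: Optional[datetime] = crl.get(cert.serial)
    if revoked_at is not None and sig.signing_time >= revoked_at:
        return "signed-after-revocation"
    return "valid"


# Constructed sample: a two-year certificate that has since lapsed without renewal.
OLD_CERT = Certificate("0A1B2C", "CN=Example Signatory", datetime(2015, 3, 1), datetime(2017, 3, 1))
CONTRACT_SIG = Signature("0A1B2C", datetime(2016, 6, 15), "supply-agreement-2016.pdf")
LATE_SIG = Signature("0A1B2C", datetime(2017, 6, 1), "late-addendum.pdf")

EMPTY_CRL: Dict[str, datetime] = {}                       # never revoked, merely not renewed
CRL_REVOKED_EARLY = {"0A1B2C": datetime(2016, 1, 1)}      # revoked before the contract was signed
CRL_REVOKED_LATE = {"0A1B2C": datetime(2016, 12, 1)}      # revoked after the contract was signed


def demo() -> Dict[str, str]:
    """Run the four scenarios the surrounding text distinguishes."""
    return {
        "lapsed-not-renewed": signature_status(CONTRACT_SIG, OLD_CERT, EMPTY_CRL),
        "revoked-before-signing": signature_status(CONTRACT_SIG, OLD_CERT, CRL_REVOKED_EARLY),
        "revoked-after-signing": signature_status(CONTRACT_SIG, OLD_CERT, CRL_REVOKED_LATE),
        "signed-after-expiry": signature_status(LATE_SIG, OLD_CERT, EMPTY_CRL),
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:24s} -> {status}")
```

The first and third cases are the ones that matter for the debate above: a certificate that simply expired unrenewed, or that was revoked only after the contract was signed, still leaves the 2016 signature valid. Only a revocation dated before the signing time, or a signature made outside the validity window, undermines it. Whether e-Mudhra's certificates have actually been entered on a CRL is exactly what CCA has not said.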

Secondly, e-Mudhra has the responsibility for KYC, but it is refusing either to do its own KYC or to accept the past KYC represented by the current digital certificate, and is instead pushing applicants to Bank Managers, who charge the customers a commission for attestation. In other words, the cost of KYC is being pushed on to the customers, besides making the Bank Manager responsible for the validity of a digital certificate issued by the Certifying Authority.

This is an anti-consumer practice which CCA should not allow.

Also, if the Certifying Authority wants to rely on the attestation of a Bank Manager, it needs to enter into a contractual arrangement with the Bank, treat the Bank as its “Agent for KYC” and bear the expenditure directly. This was the system when digital signature certificates were first issued in India, around 2002.

Since e-Mudhra does not hold the specimen signature of any Bank Manager, it has no way to verify the attestation; the KYC therefore has no legal footing, and it would be easy for fraudsters to forge a Bank Manager’s signature and obtain digital certificates, completely eroding the sanctity of the digital signature system in India.

This is a serious fraud risk to the digital signature system in India.

Companies like e-Mudhra do not have an adequate Grievance Redressal process as required under Section 79 of ITA 2000/8 and the rules made thereunder, and CCA has not so far asserted its authority and ensured ITA 2000/8 compliance by these agencies. Hence I have not been able to get official clarification directly from the company in this regard.

If CCA considers e-Mudhra’s past certificates to be tainted in any way, CCA needs to disclose the circumstances under which e-Mudhra has been directed not to renew old digital certificates except against a fresh set of physical KYC documents.

If, however, the irregularity, if any, is not serious, and CCA took the extreme step of disallowing renewal without recognizing the legal effect of casting doubt on e-Mudhra’s reputation as a “Trusted” party and as custodian of the identity of all its existing digital certificate holders, it should admit its mistake and immediately withdraw its order so that e-Mudhra can resume renewing current digital certificates online.

At the same time, e-Mudhra also needs to disclose on its website the status of the UIDAI complaint and its implications for criminal liability, which under Section 85 of ITA 2000/8 extends to every Director and official in charge of the business.

It should also be disclosed under corporate governance norms, both at e-Mudhra and at its holding company, failing which it may attract the attention of SEBI.

I have tried to obtain clarification on this matter from both e-Mudhra and CCA over the last one week, but it is clear that the seriousness of the issue has not been recognized. My queries have not gone beyond the customer service executives to the senior management.

I hope that at least now both e-Mudhra and CCA will move fast and try to resolve the issues raised here. In the meantime, I have raised a formal adjudication complaint against e-Mudhra with CCA and am awaiting the response. I suppose this will perhaps be the first adjudication application filed with CCA, and hence some procedural precedent needs to be established for future guidance.

I regret the inconvenience/embarrassment this may cause to e-Mudhra, which in the past was actually better than some other Certifying Authorities in following good practices. But in the interest of the digital certificate environment in general, and of the adoption of the right practices in the interest of Indian consumers, we cannot brush the current issues under the carpet, and hence I am bringing this to public knowledge.

Naavi