Today’s Deccan Herald reports that the Abhinav Srivastava case may result only in a fine and not in imprisonment as per sources inside the Police. It says “IITian may walk free as he only developed ‘innocuous app'” making everyone sit up and wonder what is happening.

If this is true, then did all the media make a hue and cry about nothing? Or is it possible that there is some confusion within Police circles themselves about how to proceed with the case?

For the time being I rule out the possibility of the media being used by the Police to plant stories so that some information can be elicited from the public which would make it possible for them to correct the mistakes in the way the complaint is being handled at present. This is a strategy often used by the Police in other criminal investigations.

Probably the media is also confused about the nature of the incident: whether it is a crime at all; if so, whether it is a civil wrong or a criminal offence; and whether it should be the Adjudicator or the Police who leads the investigation, etc.

Yesterday, we accessed a copy of the FIR filed by the High Grounds Police Station. This was dated 26/07/2017 and records crime number 0130/2017. It is based on a complaint filed by one Mr Ashok Lenin, whose address is given as the address of UIDAI at Khanija Bhavan, Race Course Road, Bangalore.

The details given of the complaint in the FIR are sketchy and indicate in summary that

“one Mr Abhinav Srivastava using a company by name Qarth Technologies Private Limited created a Playstore App and through it misused the information in Adhaar website and was giving it out as e-kyc in association with some unknown person and thereby is creating leakage of Adhaar data.”

The FIR was registered under Sec 65/66 of ITA 2000 and Sections 34, 120B, 471 and 468 of IPC. While the complainant seems to have indicated that Sections 37 and 38 of the Aadhaar Act have been contravened, the FIR itself does not include these sections. The FIR has been submitted at the 8th Addl CMM Court, Nrupathunga Road, Bangalore.

However, after this was published on the website of naavi.org, information was received that this FIR is no longer valid, since a new FIR has been filed by the Cyber Crime PS after the case was transferred to them. Since the ksp.gov.in website does not list the Cyber Crime Police Station and its FIRs, the new FIR filed by the Cyber Crime PS is presently not available with us. We can neither confirm nor deny whether the new FIR exists and, if so, whether any change has been made to the sections in the High Grounds PS FIR or will be made in future after another round of investigation.

While investigations will be continued by the Cyber Crime PS and appropriate action will be initiated, from an academic perspective some points come up for discussion.

The complaint was filed by a person who is an official of UIDAI. According to the Aadhaar Act, complaints under the Act can only be taken note of if filed by UIDAI or by an official under its authority. The FIR does not indicate that the complaint was made by Mr Lenin along with a letter of authority signed by the CEO of UIDAI. So whether it was a personal complaint or a complaint under the Aadhaar Act needs to be ascertained. Probably a letter from UIDAI, either from the CEO or through a resolution of the Board, is required to be filed by whosoever signs the complaint and submits it to the Police. Without this, the FIR/Chargesheet could be considered invalid.

Further, the CEO of UIDAI, Ajay Bhushan Pandey, has himself made a public statement saying:

“No one could get data of any other person through this app. Even though residents were downloading their own demographic data such as name, address etc., yet legal actions were initiated against the owner of the app since it was not authorised to provide such services to people and such acts are criminal offence punishable action as per Aadhaar Act, 2016. It is further reiterated that data of not even a single non-consenting resident has been given by UIDAI through this app.”

Once UIDAI confirmed that there was “no unauthorized data access”, it was clear that the foundation of the complaint itself had become hollow. From the revelations made by Mr Abhinav Srivastava, it was clear that the App would access other websites where there was no restriction on accessing the “Appointment Request through e-hospital app” and place a request along with the Aadhaar number. This would generate an OTP to the Aadhaar owner and, once it was provided, some demographic data would get displayed on the website, which could then be parsed, filtered and presented in a user-friendly format.

The App was actually being used by the Aadhaar owner himself, and hence it was an authorized Aadhaar user who was using a tool developed by Mr Abhinav to download his own data, instead of going to the Aadhaar website himself and downloading the information.

(P.S.: This is based on the information now available, unless the Police unearth any other way in which Mr Abhinav was collecting the data for use at his end.)

In this process, it was clear that the very basis of the complaint, namely that there was “Unauthorized Access”, was perhaps incorrect. Hence the complaint was filed on a wrong understanding of what had happened. Because the complaint had been made by UIDAI, it was immediately acted upon by the Police. While registration of the complaint was fine, the need for an immediate arrest and for including IPC clauses such as 468 and 471 was perhaps unwarranted. An FIR under Section 66 of ITA 2000/8, with bail granted at the station, would have been a reasonable response from the Police had they not been pushed by some panic-stricken UIDAI official into believing that some national calamity had happened.

Now we understand that the total commercial benefit the person gained was around Rs 40000/-, from advertisements running on the App and not from selling data accessed without authorization. This too is insignificant for any serious commercial-gain case to be made out.

The Complaint said “Some unknown person” collaborated with Mr Abhinav. But who was this “Unknown person”? Is it the Hospital? Is it the NIC? Is it the Google Ad supplier? Is it the persons who downloaded the App? Or is it the company Qarth Technologies, which is a subsidiary of Ola Cabs (ANI Technologies Ltd)? It appeared that this “Unknown Person” was added only to ensure that Section 120B could be included and a “Conspiracy” could be brought in.

When the case was transferred to the Cyber Crime Police Station, we can expect that they identified that the FIR was not properly filed, and that without the case also being filed against the e-Hospital website and/or NIC as the e-Hospital platform owner, a complaint only against Abhinav would be difficult to sustain. They would also have pointed out that if UIDAI maintains that “There is no data loss, No data Breach” etc., then the Courts may frown at the Police for registering a case over a “Zero Loss” incident.

It is also relevant that information was available in the public domain through an article on www.naavi.org, which was reasonable notice of such an incident occurring several months earlier. This article was titled “Online Registration System for Indian Hospitals.. No Privacy Policy?” and was published on 4th November 2016. On the same day, I had sent an e-mail to info@nimhans.kar.nic.in and ms@nimhans.ac.in drawing their attention to the article and expecting them to check with their Information Security department on the issues raised. The article focussed on the lack of a “Privacy Policy”, but any Information Security professional in, say, NIC would have understood that the application enables dispensation of Aadhaar information without the information seeker committing himself to any terms of use, and without NIMHANS protecting itself with a privacy policy/privacy statement.

Though everybody in the information security loop had notice through this published article nearly 9 months ago, nobody seems to have had the intelligence to recognize that there was a vulnerability in the system which could create a risk.

If the Police now try to pursue the case, there will definitely be a question about the role of “Lack of Due Diligence” by the Hospital site(s) which were accessed by the Abhinav App, and, in the absence of any “Terms of use”, how it can be considered a criminal offence that Mr Abhinav created an app to help Aadhaar owners access their own personal data through the use of these websites.

It can be argued that Mr Abhinav was also not aware of Cyber Law compliance, as otherwise he should have sensed that he needed to seek some kind of permission to use the hospital app for a purpose other than seeking an appointment, for which it was primarily meant.

But if the hospitals as organizations, NIC as an institution and UIDAI as National Critical Infrastructure, with the nation’s best security officials in their roles, did not recognize any threat, nor had a system to monitor such articles (which can be picked up simply with a Google Alert on the names UIDAI, e-Hospital, NIMHANS, etc.), then how can an individual like Abhinav be expected to be more resourceful? That could be his defense.

If the Police pursue their case against intermediaries such as the hospitals and NIC and ask them questions about “Lack of Due Diligence” or “Negligence”, there will be embarrassment for these organizations. At the same time, without UIDAI admitting that there was some kind of a breach, it is difficult to question any downstream user, including NIC, the Hospitals or Abhinav.

If the Police try to pursue the case only against Abhinav and do not open the Pandora’s box of “Due Diligence by Intermediaries”, then obviously there will be a charge of unfair and discriminatory targeting of the individual, which would be an embarrassment for the Police itself.

If the case is to be pursued, therefore, UIDAI should first admit that there has been a “Security Breach”, with or without a “Data Breach”.

If not, they should withdraw their complaint, and a fresh complaint would have to be filed by all the hospitals whose platforms were used by the Abhinav App on different occasions, stating that their platform was not meant for the public to use as an Aadhaar information extraction device, even for their own data. But then they will have to answer why they could not say so on their website in the form of a terms of use or privacy policy document. Will they admit that all these organizations do not know the basics of the Section 79 requirement of ITA 2000? Their pride will not allow them to admit it.

Hence they may not be interested in filing a complaint.

If UIDAI withdraws its complaint and nobody else is prepared to register a complaint, what action can the Police take? They also would perhaps not be interested in inventing some reason to keep the case going, since at some point in future it may anyway be dismissed by some Court, perhaps with strictures.

In the light of the above, I am not surprised at the indication in the Deccan Herald report that the complaint would be reduced to a non-criminal violation. Maybe it will be diluted further and even dropped altogether.

We need to wait and watch.

Naavi