Header image alt text

Naavi.org

Building a Responsible Cyber Society…Since 1998

MHA advisory on Cyber Crime Prevention and Control

Posted by Vijayashankar Na on January 31, 2018
Posted in Cyber Law  | Tagged With: , , , , | No Comments yet, please leave one

The Ministry of Home Affairs released a circular on 13th January 2018 to all the State Governments and UT Administrators recommending some measures towards better Cyber Crime prevention in the respective Sstates and UTs.

Copy of the Advisory

The Circular took forward a couple of recommendations which the T. K. Vishwanathan Committee on amendment to ITA 2008  was supposed to have proposed.

In particular, it has now proposed that the States should act on the setting up of

a) State Cyber Crime Coordination Cell and

b) District Cyber Crime Cells

This was proposed as a suggested amendment to the Criminal Procedure Code. Instead of the Center attempting to make amendment to CrPc, it appears that the responsibility has now been cast on the respective State Governments.

We need to wait and watch which State Governments are more concerned about Cyber Crime prevention and take action.

In these suggestions, it is proposed that the State may set up a State level coordination cell headed by a senior police officer of the ADGP/IG rank and ensure a district level, station level facilitation of cyber crime prevention activities. This will ensure that a police officer with the right kind of orientation to Cyber issues can be assigned this responsibility and the legacy system which is burdened with physical security responsibilities is not burdened with Cyber Crime prevention management which is alien to their culture. It is a great opportunity for the Police system to bring about a seminal change in the way Cyber Crimes are presently handled in the States.

The second suggestion to form District level Cyber Crime cells is also a significant step in the direction of better Cyber Crime Prevention since it envisages a support system for the SPs in the districts in which at least three domain experts in Information Technology. Mobile Telephony, Digital Forensics and Cyber Laws hired from the market. This is an acknowledgement that it is not always possible to get the expertise from within the recruits to the Police system and there is a need for public-private partnership.

The procedure to be adopted for involving the external persons need to be properly conceived. It is preferable if these “Experts” are not on an employment contract. If so it will become another Government job and will be decided on the basis of money and influence. Instead the SP should be given powers to recruit the assistance of experts by creating an expert panel and pay consultancy fees on short term contract basis. Only then the services of real experts would be available. Otherwise the system would degrade over a system into yet another Government department and will not be of use.

The Advisory of the MHA highlights the need for inter-state cooperation in Cyber Crime investigations which should be facilitated to a large extent if the State level Coordination cell becomes operational in most of the State. Naavi.org had tried to convince TN and Karnataka Cyber Crime Police Stations to take an initiative in this direction more than a decade back to bring together all the four southern states into a monthly meeting. But the idea was not taken up formally to higher levels by the then officers though I had received a positive response from both TN and Karnataka officers.

The idea of “Mobile” Cyber Forensic labs proposed is also a recommendation that had been made to Karnataka Police long time back and it is good to see the idea being revived now. The Mobile units would assist in “Quick Response” to Cyber Crime complaints so that evidence should be secured at the earliest. It is needless to say that the evidence gathering team should be fully aware of the legal issues involved in maintaining the Chain of Custody and the Section 65B evidentiary certification requirements so that they donot accidentally render evidence un-usable.

The Advisory also suggests use of BPR&D resources for capacity building and release of funds for training of Police on Cyber Crime related skills. Hopefully it would be put to good use by the States.

Another important suggestion made by the advisory is to set up a “Cyber Intelligence” system to monitor the Internet including the “Deep Web”. This brings us back to another ancient suggestion made by Naavi to set up a “Friends of Cyber Police” system where voluntary members from the public would assist the Cyber Crime Police with information and assistance to track crimes.

We must however recall the recent incident where a hacking group had stated that when they had penetrated several sleeping terror cells and wanted to pass on the information to the Government, there was lack of interest . This was perhaps in Kerala where the State Government is known to be supportive of some communal forces and hence might not have shown interest. But I hope MHA must have by this time taken up the matter under their investigation and the Central Government should take steps to see that such complaints should not arise in future.

As regards “Online Complaints”, it appeared that the website mentioned in the advisory is still not functioning. I had recently put out a detailed article How Do We Improve Cyber Crime Management System in India?.. and also suggested a procedure  to Relieve Cyber Police in India of needless burden and make them more focused.I wish the suggestion is taken up for immediate implementation at least by some of the States.

This suggestion was based on an actual experience where it was found that Mumbai Cyber Crime Cell was reluctant to initiate an investigation of a complaint by issuing an IP resolution request and the delay will ensure that the tracking trails vanish. The Mumbai Cyber Crime Police were therefore guilty of deliberately allowing the potential accused to get away and the top management of the Mumbai Police were unable to take preventive action. This will remain an example of how corruption in the Cyber Crime policing system affect the success of Cyber Crime investigations and Naavi.org will continue to talk about this though it may not be palatable to MHA both in the center and Maharashtra state.

The suggestion of the online complaint receiving system along with the suggested “Friends of Cyber Police” and “Raising of IP resolution request by designated NGOs” would go a long way in addressing the issues raised by Naavi in the Mumbai Cyber Crime investigation fiasco.

I hope the MHA takes up follow up action on the Advisory and push at least the BJP ruled states to start implementing the suggestions.

Naavi

Reference Articles

How Long Will Google take to resolve an IP Address?… Make all intermediaries pay for the delay
I was on 16 and Going on 17….I need everyone….to know me and comply…says ITA 2000/8 Proposed Amendments to ITA 2000 and Privacy Protection
Redefining the scope of ITA 2008.. in the amendments..
Suggestions on Modification of ITA 2008
Domain Name Regulation in ITA 2000..to be amended
Police, Prosecutors and Judiciary: Please Don’t Create Fake Laws out of your misinterpretation
How to Relieve Cyber Police in India of needless burden and make them more focused

Corporate Governance and GDPR risk

Posted by Vijayashankar Na on January 30, 2018
Posted in Cyber Law  | Tagged With: , , , | No Comments yet, please leave one

As the D-day  for GDPR (25th May 2018) approaches, many of the Indian companies are busy with their preparation for implementing GDPR in their processing activities. At the same time, there is also a question in the minds of most of the Indian companies about how the GDPR provisions would be made applicable to them by the respective EU authorities and whether the EU authorities are likely to pass any orders against the Indian company any time  in the future and impose liabilities.

GDPR essentially is a Data Protection law and has a penalty clause that if there is non compliance there could be a penalty which we all know is huge. But being a law of the EU it does not have direct enforcement jurisdiction on Indian Companies.

Article 3 of GDPR has created extra territorial jurisdiction as follows.

GDPR is applicable  “regardless of whether the processing takes place in the Union or Not” 

1. Provided the “processing activity” is related to the offering of goods or services to data subjects in the Union

2.Provided the “processing activity” is related to the monitoring of their behaviour as far as the behaviour takes place within the Union

This is similar to the ITA 2000/8 which also has an extra territorial jurisdiction (Section 75 of ITA 2000/8) and many other Cyber crime laws across the world. This provision provides a legal long arm jurisdiction but it is not feasible for EU authorities to extend enforcement jurisdiction or conduct direct audits of Indian Companies unless the Indian entity is a part of a EU Company.

However, the EU based Data Controllers will in their contracts with the Indian Data Processors have “implementation of Privacy and Security provisions as per GDPR” as a necessary condition and also have an “Indemnity Clause” to make the Indian company liable for “Any loss that may arise due to any act attributable to the Indian Company that may result in either a penalty imposed by GDPR or any other Judicial authorities”.

Hence more than the direct impact of the GDPR on Indian processors, it is the contractual liabilities that the Data Controller imposes on the Data Processor that will determine the liability of the Indian processor .

If there is a possibility of any liability arising on the Indian Company, there is a need for the Board of Directors to make an assessment and disclose the risks that may arise in the next Financial year 2018-2019.

GDPR also mandates a Data Protection Impact Assessment (DPIA) which is an obligation of the Data Controller. If there has been a DPIA conducted by the Data Controller, the Data Processor will be presumed to be aware of the DPIA. Hence the management needs to take note of the DPIA results and admit knowledge of the risk associated with the processing.

From the point of view of an Indian Data Processing company therefore, the moment they accept a contract which has a GDPR stake, then the liability risk attached to it needs to be assessed and value assigned. The Company also needs to undertake Risk mitigation measures determine how much of risk has to be absorbed after mitigation, avoidance and insurance.

So far, Indian companies have never made an assessment of financial risks that may arise on account of legal risks.  If this was so, Companies would have estimated the risks even for non compliance of ITA 20008 and made adequate disclosures and provisions. In the case of GDPR however, the risks are high and is documented through the DPAI process. Hence  the potential liability cannot be swept under the carpet.

Whether the Absorbed risk is small or even zero, it would be obligatory from the point of view of Corporate Governance that Indian companies disclose their “GDPR Risk Liability” in their share holder disclosures from the immediate next financial year.

We need to wait and see whether these companies will be compliant to this requirement or not.

Naavi

Aadhaar has been the center of Privacy debate for quite some time in India and has even attracted international attention. Amidst the criticisms that Aadhaar system is not properly secured and therefore it may lead to loss of privacy of the citizens, Supreme Court took up a petition on whether Aadhaar infringes Indian Constitution and should be discontinued. Initially, the Aadhaar baiters scored a victory as Supreme Court under the previous CJI hurriedly constituted a 9 member bench and passed a judgement stating “Aadhaar is a Fundamental Right”. It appeared as if the judgement was a tool given to the smaller bench which was hearing the Aadhaar constitutionality issue to scrap Aadhaar.

However things have changed in the last few weeks. First the new CJI shuffled the bench and case allocation rules so that politician advocates who wanted to get the Aadhaar case heard by a bench of their choice were frustrated in their design.

The case is now being heard in a more neutral bench than what the politicians intended.

At the same time, UIDAI came up with its own master stroke introducing the “Virtual Aadhaar ID ID (VAID) proposition which has changed the scenario of security in such a manner that one of the key argument against Aadhaar that it leads to breach of privacy has been put to rest.

Naavi had been suggesting for a long time that the principle of “Regulated Anonymity” should be applied to secure Aadhaar and actually hoped that this would be a good commercial business proposition to be used by an enterprising private business entity. Now Aadhaar by introducing the system of VAID has come up with its own version of “Pseudonomization”   which would perhaps take the Privacy protection up by several notches.

The VAID system is expected to be in operation by March 2018 on trial basis and mandatorily by June 2018 unless some extension is given. Once the system comes into use, all KYC agencies will have to be prepared to use the VAID which may be a 12 digit randomly generated number which is mapped to the real Aadhar ID of an individual for all their KYC enquiries.

In other words, the KYC authority will not receive the real Aadhaar ID  for its KYC purpose but receive only a randomly generated, changeable VAID number. This may perhaps be forced  by UIDAI by mandating that the AUA/KUAs donot shall stop using the real Aadhaar ID for any KYC queries.

As for the users, they will have the option of generating a VAID against their real Aadhaar ID and ascribe it a date of expiry or designate a specific one time purpose. Such number would meet the requirement of SIM card verification or even Bank account verification.

How Virtual ID secures the system

The exact architecture that UIDAI may use for the purpose is not known and need not be made public. However, it may consider the following features.

(P.S: This diagram is only an illustrative representation of a suggested architecture. This is not what UIDAI may implement)

The first change could be that access to CIDR will be only through an internal system and access by AUA/KUA would be stopped at an intermediary server.

Public will access a Virtual ID generator (S-1) service as and when they want. They will provide the real Aadhaar ID to this server and obtain a Virtual ID. This ID will be randomly generated and will have an expiry tag and stored in another system. S-1 will then deposit the information to S-2 where a map of Real Aadhaar ID and Virtual Aadhaar ID is maintained and updated with a history of VAIDs associated with a given Real Aadhaar ID.

When a user requires a service, he will provide only his VAID to the AUA/KUA who will send their request to another exclusive server of UIDAI where the request will be processed (S-3). This server will push a request to S-2 which will re-identify the VAID and forward the KYC request to CIDR,(Central Identities Data Repository).  CIDR will push the required information back to S-3 for onward transmission to the AUA/KUA.

In this structure, S-2 which holds the map of the real Aadhaar ID with the Virtual Aadhaar ID will be accessed only by internal servers one accessible to Aadhaar users and the other accessible to the AUA/KUAs.

S-1 will only generate VAID and does not store any data after the process is over. CIDR is accessible only from S-2. S-2 will not hold any data other than the mapping of the real ID and Virtual ID. S-3 will allow passing through of  Virtual ID and the KYC information but will never access the real ID.

S-1 and S-3 will be only transaction servers and need not store any data except in transit. Firewalls will manage the access to different servers and ensure that Aadhaar demographic or Biometric data is not accessed by any outsiders except through queries passed through S-2.

How Biometric Security Can be fortified

Presently, the Aadhaar has a record of 10 finger prints and iris scan for biometric identity purpose. To this multiple face parameters may get added with the new addition of the Face recognition feature. Face recognition in intended to be used as an alternative biometric in cases where finger print recognition fail so that false rejections can be reduced.

Additionally, we can consider that one or more Face parameters would be an add on to the many biometric identification parameters (10 finger prints+Iris scan). Totally therefore there may be around 11 plus biometric parameters which can be used for authentication.

Considering the possibility that as of now some biometric data might have been compromised, or biometric devices may be manipulated for a store and replay attack, UIDAI may consider a “Double/Multiple biometric authentication” on an “Adaptive Authentication Principle”.

Under this system, biometric of one finger is first obtained. When this is successful, the server may randomly chose another biometric feature to be provided with or without mobile OTP as well. With such a system there would be simultaneously three parameters that are verified for authentication and the second authentication would be a random variable and provide a defense against most of the normal attacks.

Assuming that UIDAI has other security features already installed for preventing the store and replay attack, the addition of a random additional biometric parameter based authentication will fortify the current system and make an enormous improvement in the system.

Since it is possible to get the biometric device ID and its location as a transaction input, the adaptive authentication can be configured with the known behavioural pattern of the user as is done in credit card transactions.

One issue that needs to be tackled in the suggested system is the latency of the transaction and connectivity. But this is a challenge that can be handled and should be handled in the interest of security.

(P.S: I presume that the current team of UIDAI consists of more accomplished information security experts than the author and hence what is discussed above may be steps which are already in place. They are however discussed here to inform  public  that security of aadhaar is feasible.)

Naavi

 

In the on-going petition in Supreme Court, Aadhaar faces a tough battle against multiple opponents.

The background under which the Aadhaar case has come up for hearing itself suggests that there are some undercurrents of opposition to Aadhaar even within the judiciary. The recent attack by a few Judges on the CJI citing “Threat to Democracy” also looked like having it’s roots in the Aadhaar controversy.

The main reason why Aadhaar is being opposed by a section of the society, is that the way it is being implemented by the Modi Government is choking the people who want to hold black money in benami bank accounts and properties and this is considered an existential threat for them. Such Black money holders are there in all walks of life.

Black Money out of Tax Evasion

There are professionals like doctors and others who have made money from their hard work but has for reasons of their own not accounted it for taxation purpose and therefore accumulated benami wealth. Many businessmen also accumulate black money from their hard work because they have not paid taxes properly. They all have a logic that taxation system is badly structured, it is a disincentive for honest hard work. Politicians applying most of the tax collections for bribing the voters for the next election makes it worse since citizens have no respect for tax and tax avoidance is considered not as bad as other crimes.

If tax compliance is to be ensured Government must lower the incidence of direct income tax or better abolish it all together though the communists will cry on the obsolete principle of “Taxing the Rich”.  Consumption Tax is the best form of taxation and Income Tax at least on individuals can be done away with.

Black Money out of Corruption

On the other hand there are another kind of Black money wealth owners who have accumulated their wealth out of corruption. This includes  corrupt individuals in different walks of life including bureaucrats and Politicians. Compared to the black money owners who have earned honestly but accumulated black money through tax evasion, the corrupt set of people actually generate black money and they should be treated with an iron hand.

Unfortunately our tax system does not distinguish between these two categories of black money holders.

Now, the proposal to link Aadhaar with the Bank accounts and other properties hurt both these categories of black money owners equally and both of them are now up against the Aadhaar.

Current Aadhaar Debate

The current debate in the Supreme Court is on the grounds that Aadhaar violates the Indian Constitution and creates a “Police State”.

The Anti Aadhaar lobby is on a fishing expedition to  find reasons to hold Aadhaar as “Anti Constitutional”. One route they are trying is to say that “Aadhaar violates Privacy” which the Supreme Court has recently held as a “Fundamental Right”. In fact the Puttaswamy judgement is the foundation under which the present Aadhaar trial is being conducted and there is a view that the Puttaswamy judgement was preparatory to scrapping of Aadhaar by the current bench. One explanation for the revolt of the 4 judges is that the CJI frustrated the conspiracy to scrap Aadhaar by changing the bench composition. This allegation cannot be dismissed easily since political parties, Anti Government Advocates and Modi haters were prominently associated with the revolting judges.

Aadhaar Security Critics

While this group of Anti Aadhaar advocates are motivated only by a desire to prevent Aadhaar being used to fight Black money, there are another set of Aadhaar critics who have been unhappy with the security aspects of Aadhaar. This lobby has been criticising Aadhaar because the lack of security could lead to security risks for the users including loss of money in the Banking transactions and loss of identity of biometric is compromised. It is this lobby which opposed the UIDAI contracts being given out to foreign agencies, UIDAI using a foreign Digital Certifying Agency to secure its server etc.  Part of this Security lobby also is concerned with the black money money fight both for or against it.

Some of the security arguments that have been held out by professionals like the undersigned to criticize Aadhaar has been now used by the Pro Black Money lobby to justify their arguments demanding scrapping of Aadhaar.

Just like the undersigned, there are many security professionals who are against Black Money but have been critical of Aadhaar from the security perspective. Some of them have been peeved by the arrogance of the UIDAI authorities in not listening to the security warnings and some times even initiating legal action against ethical reporters of security vulnerabilities. On the one hand UIDAI has been soft on agencies like Airtel who have misused the system and also those who were caught storing bio-metrics and reusing them, they went hard against other non malicious technology specialists who ignorantly violated law out of their “Technology Intoxication”. As a result today there are many security professionals who are in favour of the Government in its black money initiative but are angry against UIDAI authorities and are silently enjoying its predicament.

It is only a few of these people which includes the undersigned who have decided to keep our security differences aside for the time being and join hands for the cause of removing black money and corruption with the efficient use of Aadhaar.

Creating a Bridge of Trust

Unfortunately, UIDAI has no channel of communication with such supporters of Aadhaar. Had UIDAI introduced a “Bug Bounty” program as we had suggested some time back, a lot of security professionals who are critics today would have been friendly and come up with many useful suggestions. Today there is complete lack of trust between security professionals and UIDAI and they are not ready to share their security thoughts with UIDAI. Some of them are afraid that if they admit that they have found vulnerabilities, UIDAI may hoist cases against them and some of them are themselves as egoistic if not more than UIDAI and would not volunteer their suggestions.

The need of the hour for UIDAI is therefore to construct a bridge of trust between itself and the security specialists so that there is a flow of positive security ideas from the good intentioned critics to UIDAI.

Recently Justice B N Srikrishna conducted a series of public consultation programs through out India to gather public opinion on the proposed Data Protection Act. During these discussions he had to face lot of brickbats only because of Aadhaar. There were many citizens and security professionals who were commenting on the Data Protection law citing  Aadhaar related issues. It was heartening to note how Justice Srikrishna was humble and patient in listening to all critics and trying to take the essence of the suggestions made out during the interactions. He was not only able to extract valuable suggestions but also create a bridge of trust with the public that he is doing his best to come up with reasonable suggestions for the drafting of the complicated data protection law which people expect to protect “Privacy” which no body is willing to define.

UIDAI must take a leaf out of Justice Srikrishna and learn some PR lessons of how to bridge a friendly relationship with the community.

In this direction I suggest that Aadhaar authorities need to hold open house discussions in different cities of India on a regular basis and listen to the criticisms and suggestions from the community of academicians and security professionals. At the same time, they should open up a channel of communication with the public to hear out their grievances and suggest amicable resolution. This public interaction could be through the web and include a Bug Bounty program as well so that whistle blowers who have valid suggestions.

In the recent days, I have found many respectable security professionals express a view in private discussions that “Let the Government suffer, they will learn a lesson” and recommending that no vulnerability should be reported and Government will learn the lesson when hackers exploit them.

I feel that this indicates a dangerous turn of events when honest persons turn away from their duties to the nation to report vulnerabilities to the Government.

Today’s news report that  a hacker’s group in Kerala has generated a valuable counter terrorism cyber operation in which they have identified a number of “Sleeping Terrorist Cells” promoting terrorism in India. It is also reported that when these hackers (ethical hackers) tried to draw the attention of the security agencies, they did not get the response that they anticipated.

This is a very sad state of affairs where honest citizens who want to help the Government are left to feel that they are unwanted by the authorities.

This feeling is not new and most of us have experienced it in the past. Some journalists often complain about the Lutyen’s lobby operating in Delhi and often acting against the interests of the country. There is a similar lobby of Security experts in Delhi who are close to the decision makers in the current Government also who ensure that Government is not provided the right kind of advise on security matters.

Mr Modi needs to ensure that this “Lutyen’s Lobby of Cyber Security” is recognized and disbanded and in its place encourage development of a voluntary group of  “All India Cyber Security Advisory committee” whose suggestions reach the right ears in the Government. I suppose the Government would be intelligent to distinguish “Vested Interests” from “national Interests” and ensure that the right flow of valid Cyber security suggestions reach the Government.

This “All India Cyber Security Advisory Committee” which can operate as a virtual committee should be part of the Cyber Security Infrastructure of the Government. One off shoot of this suggestion that can be tried in this direction is for UIDAI to invite suggestions from the public on how to secure Aadhaar both through a virtual committee as well as through open houses.

Time is now ripe since UIDAI is now considering revamping the system with the introduction of

a) Virtual Aadhaar ID

b) Use of face recognition

as additional parameters of use. Both have important security implications and any system which is introduced now should be made as robust as possible. We consider that presently most of the Aadhaar data base has already been compromised and there is no way the compromise can be rectified. However, if some thing can be salvaged it is necessary that we use the two new parameters of Virtual ID and Face recognition in such a manner that at least in future compromises does not happen.

I am sure that UIDAI would not like to discuss the security issues in the public and it is not recommended also. But there is no problem in inviting suggestions from the public and use as much of it as possible so that the system would be secure.

It is for this reason that the “Bridge of Trust” has to be built between UIDAI and the information security community.

Will UIDAI authorities come down from their pedestal, take a cue from Justice Srikrishna and start talking to their critics?

Naavi

It is reported that a group of Private Companies have indicated their desire to implead themselves in the Aadhaar suit in the Supreme Court and the Supreme Court is yet to approve their request.

Article in Economic times

According to the report, the petition has been filed by the Digital Lenders Association of India (DLAI), which includes startups such as CapitalFloat and Lenoding-Kart, is also backed by others such as early-stage investment firm Khosla Labs, bike-sharing startup Yulu Bikes, Transaction Analysts, which provides authentication services, and Handy Online Services which provides background verification of blue-collar workers.

It is clear that Aadhaar case is a fight between those who think Aadhaar is beneficial to the society and those who think it is a violation of their right to remain anonymous in financial and other transactions.

In this fight the honest citizens of the country have as much right as those who are opposing Aadhaar either for political reasons or for their vested interests of keeping their black wealth from being identified.

Supreme Court cannot ignore the voice of those who support Aadhaar and there is no reason that they should delay the acceptance of the impleading suit from non Government companies or individuals.

I hope the Supreme Court will see reason and act in a fair and equitable manner.

Naavi

In the case of Justice Loya’s death due to heart attack, many senior advocates like Mr Dushyant Dave and Indira Jaisingh as well as politicians like Mr Rahul Gandhi are complaining that an enquiry needs to be ordered under the supervision of the Supreme Court. Common Citizens perceive that there is a political conspiracy in this complaint so that they can then hold their gun at the head of Mr Amit Shah and say that he is a suspect and therefore should not be MP etc.

Similarly the Aadhaar case is another case before the Supreme Court where there appears to be a conspiracy to some how derail the intention of the Government to use Aadhaar identity to prevent Black Money Transactions and benami Property holdings. It is very clear to common citizens that the intense opposition to Aadhaar linking to financial information is because it will make it difficult for Black Money holders to keep Benami Bank accounts and Properties.

To sustain their argument, people are complaining that “Aadhaar infringes the fundamental right of Privacy”, “Aadhaar creates a Sureveillance State” etc.

There is no doubt that the Privacy Judgement under the Puttaswamy judgement was expected to help the Anti Aadhaar lobby and hence there was a fight within the Judiciary to fix the bench. Now that the CJI has not allowed it to happen, the politicians are trying to impeach the CJI himself.

All these developments confirm my doubt that there is a serious conspiracy behind this “Aadhaar is un-constitutional” petition led by the Black Money supporters and this is a fight between the honest citizen of India and the Benami property holders. The Privacy arguments are only a cover for ensuring that the Benami property and Black Money owners can enjoy their ill gotten wealth as they were used to in the pre-Modi days.

There was a strange argument presented today as indicated in an affidavit now in the public domain.

According to the afidavit,

1.the  project poses a constitutionally impermissible danger to citizens’ basic civil liberties including their privacy”.

2. “this project is highly imprudent, as it throws open the clear possibility of compromising basic privacy by facilitating real-time and non-real-time surveillance of UID holders by the UID authority and other actors that may gain access to the authentication records held with the said authority or authentication data traffic as the case may be.”

3. it is quite easy to know the location and type of transaction every time such authentication takes place using a scanner for fingerprints or iris and the records of these in the UID / “Aadhaar” database.

4.  it is not dissimilar to knowing the place from where a person made a call using his / her mobile phone. Just as the mobile phone connects to a tower from where the phone signals are sent to other towers and the servers of the mobile phone companies, biometric scanners also have SIMs and IP Addresses to locate the place from the transaction took place and its nature. Any administrator of the UIDAI server or any employee or other person with access
to transaction data, with a little help from the servers (Authentication User Agents and Authentication Server Agents, as they are called in UIDAI literature), through which authentication request is sent to the UIDAI, will be able to track the transaction and the person carrying out the same.

5. that UIDAI recommends that each point of service device i.e. the device from which an authentication request emanates, register itself with the UIDAI and acquire for itself a unique device id, which shall then be passed to the UIDAI along with the request for every authentication transaction. I state herein that the said method of uniquely identifying every device and being able to map every authentication transaction to be emanating from a unique registered device, further makes the task of tracking down the exact location and place from which an authentication request emanates easier.

6. a centralized database has the problem that once hacked all data can be lost. Specifically, consider if the Army personnel use this as an authentication mechanism before getting their salaries. The location from which they authenticate can be found as it will be done via a scanner which has an IP address / is on a mobile internet. From the tower to which the scanner connects via its SIM card, its location can be found. This data will be available in the
logs of the Aadhaar system. Any compromise of the Aadhaar system means that the hackers can know the exact location of each army personnel of the country at the time when they take their salary. This can be a big risk to national security, and this is just one example as to why it is, in my opinion, imprudent to use such a system.

I am sorry to say that the above arguments are contrived and cannot be considered as valid arguments to oppose Aadhaar.

My doubts arise from the following.

  1. “Privacy” is a loosely used fig leaf to cover the need for “Secrecy” by the anti-Aadhaar lobby. Just as we say “Your freedom to extend arms ends at the tip if the nose of the neighbor”, the “Right to Privacy” of one person ends with the “Right to Security” of the other person. Though the Supreme Court says that Right to Privacy is a “Fundamental Right”, it can only be a right with a lower priority to “Right to Security”.

If Security is not available to a nation, it cannot sustain democracy and protect the Right to Privacy where it is required. Aadhaar is only an identity that holds certain information of the citizens so that the State can know who its citizens are and whether they pose any threat to the security of the nation. (which includes prevention of looting of public money with duplicate employment records or ration card records). National security is therefore paramount and even the “Right of Privacy” has to voluntarily yield to the “Right to Security”.

It is therefore wrong to call Aadhaar as posing a “Constitutionally impermissible danger” to citizens”. As a citizen of India I abhor those who hide their identity and hold benami properties, black money, Bitcoins etc. The Supreme Court has to uphold my “Right to Know exercised through the Government” as much as the “Right to remain secret” which others want the Court to protect.

It would be a challenge for the Supreme Court to demonstrate if it is with the honest citizens of India or it sides with the dishonest citizens of India under some technicalities of protecting the Right to Privacy.

2. The charge that “Other actors” may gain access to the authentication records or data traffic to facilitate “Surveillance” is a speculation. In fact this is true of any activity of a Citizen. If some body is reading this article on the web, it is possible for the ISP to track the activity along with the location from which the person is accessing the web. What is special therefore to blame Aadhaar except to mislead the Court because the petitioner may think the Judge does not know technology so that any claim even if false can be pressed.

3.  If the records of the  finger print scanners can be accessed, it is possible to trace the location of the transaction is no rocket science.

4. As the petitioner himself agrees, this is not dissimilar to the Tower data of a mobile call which if properly analyzed, can trace a person within say 3-5 meters. This does not require Aadhaar at all.

Google earth can have a high resolution image which can identify a person moving around on the street from far above the sky. A person with a google glass can scan the credentials of a passer by instantly. An RFID scanner can scan your credit card even when it is inside your pocket.

While all these are acceptable to the Anti Aadhaar lobby, Aadhaar alone seems to be unacceptable because it is the Modi Government which can take the data if it wants.

This is a purely political opposition to the current Government and not based on any logical consideration. If one is concerned about privacy, we need to stop using mobile and live in a cocoon.

Why do such persons want any benefits of being a Citizen?. Let them not have a Bank account. Let them not have ration cards. Let them live as a hermit lives.

It is dishonest of these persons to ask for all the privileges of being a citizen of India including being protected from a terrorist attack or a Cyber crime attack but they themselves should be out of gaze of any law enforcement authority.

Supreme Court should recognize the inherent dishonesty of these anti-Aadhaar lobby and call the bluff.

5. The registration of the Access devices involved in Aadhaar authentication is a critical security requirement and I donot know how security specialists can oppose this feature. In fact, I am of the opinion that these devices should be made in India by an authority like BEL which manufactures EVMs and made as a tamper proof hardware that will self destruct if any attempt to tamper them is made.  Registration per-se is not some thing that can be objected to.

The petitioner repeatedly qualifies that the security can be compromised with “little help” from insiders. Yes every system can be compromised if an insider provides the “little help”.  What we need is to design the security systems with the knowledge of this possibility.

6. The reference to the army personnel being at risk because he draws his salary with aadhaar authentication is funny. Will the enemy target a specific soldier who is in the administrative office drawing salary?. If he has to be tracked, is it not better to intercept the radio messages or personal mobiles than looking for Aadhaar data?

Overall the petition and the affidavit to my mind appear a weak attempt to mislead the Supreme Court. If we follow the questions made by the judges during the proceedings, it appears that they are more aware than what the petitioners think about the ulterior motive of Aadhaar baiters and would not fall for their tricks.

The above argument does not mean that we are not advocating better security for Aadhaar. Yes better security is required. There has to be checks and balances for preventing misuse. But the security specialists are not helping the Government to fortify the security and at the same time UIDAI is not able to win over a large part of security professionals so that they provide positive suggestions.

There could be many reasons why security professionals are not on the side of UIDAI and we have highlighted it several times in this site. But now it is like war time.

All good intentioned citizens need to fight the anti-Aadhaar lobby which is trying to get Aadhaar being rendered impotent. We can forget the arrogance of UIDAI and defeat the nefarious designs of the Black Market community of India. We can then continue to argue with UIDAI about how the security can be improved.

Naavi