Don’t Ask Aadhaar Number. Ask Virtual ID. It is permitted

After the 1448 page judgement on Aadhaar, it appears that some of the Private Sector companies are worried about the e-KYC process they were using for their business and whether they need to go back to the manual KYC process which is more expensive and as much prone to fraud if not more than the e-KYC.

The Judgement has held that Aadhaar is basically valid, its security systems are secure enough and it can be used by the Government for it Direct Benefit Transfer projects.

At the same time, it has held that Aadhaar number should not be used by the private sector under certain circumstances.

The Private sector has been worried about the part of the judgement that relates to the Section 57 of the Aadhaar Act which states as follows:

Section 57:

Nothing contained in this Act shall prevent the use of Aadhaar number for establishing the identity of an individual for any purpose, whether by the State or any body corporate or person, pursuant to any law, for the time being in force, or any contract to this effect:

Provided that the use of Aadhaar number under this section shall be subject to the procedure and obligations under section 8 and Chapter VI.

Section 8 of Aadhaar Act states as under:

8. (1) The Authority shall perform authentication of the Aadhaar number of an Aadhaar number holder submitted by any requesting entity, in relation to his biometric information or demographic information, subject to such conditions and on payment of such fees and in such manner as may be specified by regulations.

(2) A requesting entity shall—

(a) unless otherwise provided in this Act, obtain the consent of an individual before collecting his identity information for the purposes of authentication in such manner as may be specified by regulations; and

(b) ensure that the identity information of an individual is only used for submission to the Central Identities Data Repository for authentication

(3) A requesting entity shall inform, in such manner as may be specified by regulations, the individual submitting his identity information for authentication, the following details with respect to authentication, namely:—

(a) the nature of information that may be shared upon authentication;

(b) the uses to which the information received during authentication may be put by the requesting entity; and

(c) alternatives to submission of identity information to the requesting entity.

(4) The Authority shall respond to an authentication query with a positive, negative
or any other appropriate response sharing such identity information excluding any core biometric information.

Chapter VI of the Aadhaar Act relates to the “Protection of Information” and prescribes that the authority shall ensure the security of identity information and authentication records of the individuals etc.

According to the judgement of Justice Ashok Bhushan,

Section 57, to the extent, which permits use of Aadhaar by the State or any body corporate or person, in pursuant to any contract to this effect is unconstitutional and void. Thus, the last phrase in main provision of Section 57, i.e. “or any contract to this effect” is struck down.

According to the judgement of the three other Judges namely Justices Dipak Mishra, A.M.Khanwilkar and A.K.Sikri,

“Insofar as Section 57 in the present form is concerned, it is susceptible to misuse inasmuch as:

(a) It can be used for establishing the identity of an individual ‘for any purpose’. We read down this provision to mean that such a purpose has to be backed by law. Further, whenever any such “law” is made, it would be subject to judicial scrutiny.

(b) Such purpose is not limited pursuant to any law alone but can be done pursuant to ‘any contract to this effect’ as well. This is clearly impermissible as a contractual provision is not backed by a law and, therefore, first requirement of proportionality test is not met.

(c) Apart from authorising the State, even ‘any body corporate or person’ is authorised to avail authentication services which can be on the basis of purported agreement between an individual and such body corporate or person. Even if we presume that legislature did not intend so, the impact of the aforesaid features would be to enable commercial exploitation of an individual biometric and demographic information by the private entities.

Thus, this part of the provision which enables body corporate and individuals also to seek authentication, that too on the basis of a contract between the individual and such body corporate or person, would impinge upon the right to privacy of such individuals. This part of the section, thus, is declared unconstitutional.”

There appears to be some confusion prevailing in the market about the impact of this judgement on the companies using e-KYC if we go by the following reports.

  1. Telcos State at long KYC process after Aadhaar is hit.: DNA

This report states

The road ahead for telecom players especially new player Reliance Jio for addition of new subscribers might become become tedious with the Supreme Court ruling that Aadhaar is not mandatory for new mobile connections….The Supreme Court on Wednesday struck down Section 57 of the Aadhaar Act, which allowed private entities to use Aadhaar number to verify new subscribers.”

It also states:

Aruna Sundarajan, secretary, department of telecommunications, on Thursday confirmed that e-KYC system to register mobile users using Aadhaar have been stopped…It is learnt that DoT plans to soon come out with alternative for digital verification e-KYC if it has not to done through Aadhaar”

2. DOT to consult UIDAI, law Ministry on road ahead post Aadhaar order-ET

This report states:

Mobile phone companies said the court verdict would lead to delays in getting phone connections and increase the cost of customer acquisition, in some cases by as much as 10 times. These operators had adopted the Aadhaar-based real-time electronic KYC (know your customer) process to issue mobile connections, compared with physical verification that used to take five to seven days. 

It appears that the above apprehensions are misplaced.

The Judgement clearly states that “Only a part of Section 57” is considered not constitutional and that part is that “Private Companies may use Aadhaar authentication on the basis of a contract and in the absence of a law”.

The judgement does not affect

a) If the authentication is not using Aadhaar number or demographic information on the basis of biometric

b) If the authentication is on the basis of a law and not contractual consent alone. (not backed by law)

It is therefore feasible for the private sector to use Aadhaar Virtual ID instead of the Aadhaar ID for authentication purpose without using the biometric but using the OTP system.

In fact the UIDAI had already mandated that use of Aadhaar number was restricted only for the “Global AUA users” and not “Local AUA users”. Only the Banks in the private sector were therefore able to use Aadhaar numbers and all others including the Telcos were required to use the Virtual ID (VID) and they also may have to now switch over to VID use.

VID is not Aadhaar

The VID is not Aadhaar number. It is one of the services offered by UIDAI where by the Aadhaar users at their request is provided an additional ID which is a 16 digit number which can be changed any number of times.

I repeat VID is not Aadhaar number but a separate ID not affected by the current judgement.

It is another aspect that the private sector including the Telcos and the Fintech companies ignored the repeated d of UIDAI and the compliance  suggestions of Naavi.org and refused to implement the 16 number identity as an alternative e-KYC process.

Even the Certifying Authorities licensed under the ITA 2000/8 by the Controller of Certifying Authorities  who are required to use e-KYC for e-Sign failed to adopt to the use the 16 digit number though in this case the fault lies with CCA more than the Certifying Authority for not amending the e-Sign regulations.

The road ahead for the private sector now is

Switch over to the use of VID immediately. If the customers donot know what is VID and how to use it, educate them as part of the authentication process and guide them how to generate a VID and how to use it.

In the mean time, it would be necessary for the CCA to issue additional guidelines to the CAs and also tweak its own API for e-Sign to be able to receive e-Sign related e-KYC requests with the VID as the input.

Retention of Aadhaar Authentication Data

There is one issue which remains to be sorted out and that relates to the “Retention of Aadhaar authentication data” and whether such data cannot be retained for more than 6 months .

Since the private party using authentication based on VID, only retains the VID number and VID authentication data, there will be no restrictions on its retention of the VID authentication data beyond the period of 6 months.

At the back end, UIDAI has records of VID issue and also the VID authentication data. The VID authentication data sent to the authentication requester can be retained as the replica of what is retained by the requesting party.

The VID issue data is a server log record that maps the issue of VID with an Aadhaar ID. It includes the request received from the customer for generation of VID and the meta data associated with it. The question now is whether UIDAI can retain this VID generation data beyond 6 months.

It is to be noted that there  would be a conflict with the law of evidence  under IPC and ITA 2000/8 if the meta data associated with the VID issue is indiscriminately deleted.

Normally this data is transaction data and there may not be any dispute associated with it. In such instance it is not an “Evidentiary Data”.  However, the authentication data becomes an evidence when the authentication is part of a suspected offence.

In other words when there is a suspected misuse, then the authentication data becomes “evidence” and has to be retained as long as required. This is similar to the retention needs of CCTV footages.

If there is no suspected offence,  the authentication data may not be deleted after a reasonable period. At present according to the judgement this reasonable period is 6 months. But where there is a suspected offence associated with the data, it has to be treated as “Evidence” and needs to be retained as long as required.

It is open for the Government to use a notification under Section 67C of Information Technology Act 2000/8 to prescribe that the e-Sign authentication information available with the CA or the UIDAI shall be retained for at least 5 years even when the data is not identified as a “potential evidence”.

In my opinion this is required to be done by the MEITY immediately or atleast before the next 6 months.

It is clear that the petitioners of this case did not bring the requirements related to VID  to the attention of the Court may be because they felt that  it would be detrimental to their interests. (Refer this article for more details).The  advocates on behalf of the respondents also failed to bring it to the notice of the Court.

It would have been prudent if the Court had on its own commented on the VID and clarified that it is not Aadhaar but there was technically no reason for it to do so and therefore did not make any reference to it.

The concern of the Court that runs through the current judgement was mainly to the use of “Biometric” by the Private sector companies and also “Exploitation” of the demographic data by the private sector.

Use of OTP eliminates the concern on Biometric and use of VID  for e-KYC and e-Sign can hardly be called “Exploitation”.

Hence use of VID with OTP for e-Sign and other authentication purpose by private sector companies is not affected by this judgement.

Naavi has always held that UIDAI should stick to yes or No answers to each of the fields queried under an authentication request and has not been in favour of an API that populates the user end form with the demographic data drawn from the UIDAI. The judgement corroborates this view.

The CCA should therefore take a re-look at the API used for e-Sign and ensure that the details of each field is filled up by the applicant of an e-Sign and the UIDAI only ticks each field queried with an “Yes” for completing the authentication. We have no reason to believe that this is not done now and if not can be done immediately.

Naavi

Also Refer:

It is Y2K Momeent again in India with Virtual Aadhaar ID

How Aadhaar Security reaches a new dimesion with Virtual Aadhaar ID

Three days to go for mandatory use of Virtual Aadhaar ID Who is ready?

Is Private Sector ignoring Virtual Aadhaar ID?

Virtual Aadhaar ID; More breathing time for laggards

Supreme Court cannot ignore the Virtual ID development regarding Aadhaar

This entry was posted in Cyber Law and tagged , . Bookmark the permalink.

1 Response to Don’t Ask Aadhaar Number. Ask Virtual ID. It is permitted

  1. Pingback: Recent Developments in PrivacyProtection in India – Privacy Knowledge Center

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.