Aadhaar Judgement….2.. The Answers and Conclusions of the majority

This is a continuation of the earlier article “Aadhaar Judgement..1..Debate the Areas where Clarity is Required”

The Aadhaar judgement is said to be the second longest case in terms of continuous hearing next only to the Keshavananda Bharati case in 1973 and underscores the importance and urgency assigned to the case.

The petitioners tried to argue that Aadhaar was unconstitutional, constituted an instrument of state oppression through surveillance and had to be scrapped. The data leaks of Aadhaar were quoted to argue that the system could cause serious privacy breach issues since the biometrics of citizens could leak. They also argued that there was denial of basic services because of the failure of Aadhaar authentication. In particular, the mandatory linking of Aadhaar to PAN cards and to the opening of bank accounts was alleged to be an overreach of the powers of the Government.

The net demand was that Aadhaar had to be scrapped.

The Government argued that it was useful to ensure that Direct Benefits of the Government reach the right persons and to reduce or eliminate corruption. Even during the trial, UIDAI introduced the Virtual Aadhaar ID and made several moves to strengthen the system to allay the fears about lack of security. UIDAI also explained the security practices and tried to convince the Court that the system had a useful role in governance and did not violate privacy.

Unfortunately, the case became a battle between the Government which was using Aadhaar Unique ID to curb black money and those who were simply Anti-Modi. All other principled explanations were only excuses.

In the entire cacophony of the media, everybody forgot that there were two other stakeholders in the debate. First was the “Honest Tax Paying Citizen” whose legitimate income and wealth were being eroded because of corruption, black money and benami holding of properties, all of which were threatened by the Aadhaar linking. Second were the businesses which had adopted the use of Aadhaar for e-KYC and real time authentication of electronic documents through e-Sign. These stakeholders were not impleaded in the arguments.

The Supreme Court bench which heard the arguments should have realized at some point that there was a possibility of it taking a decision which could hurt the interests of these stakeholders, whose interests were not being represented either by the petitioners, who were Anti-Modi, or by the Government, which was anti-black money, and should have voluntarily called in the other stakeholders to explain their viewpoints.

Today we are debating the consequences of one interpretation of the judgement from the petitioner’s side which strongly believes that the judgement bans the use of Aadhaar in any form by the private sector and severely restricts the use even in the Government sector.

The Government may defend its position by drafting a suitable law to protect its interests, but the private sector and the citizens may not be able to voice their opinion adequately.

However, the PDPA 2018 (Personal Data Protection Act 2018), which is in draft stage before the Parliament, presents an opportunity for these stakeholders to express their thoughts either through the public comments to be submitted before 10th October 2018 or through the MPs during the Parliamentary discussions.

This series of articles is aimed at stimulating the thoughts of interested persons so that they do not lose this opportunity.

The Srikrishna Committee made detailed suggestions on changes to be made to Aadhaar, though they were not included in the PDPA 2018 draft. Now is the time to take a look at these recommendations, read them along with the Supreme Court judgement and incorporate them in the draft PDPA 2018.

Naavi.org therefore focusses in these discussions only on Aadhaar-related issues. Other than this, Naavi has only a few suggestions for amendment, such as

a) “Making Criminal Offences Bailable”,

b) “Removing the Caste from the definition of sensitive personal information” ,

c) “Clarifying that the basic purpose of the Act is to protect the Privacy of Indian Citizens from Privacy infringement through insecure data processing either in India or elsewhere”,

d) “Clarifying that the jurisdiction of any foreign law on data protection shall be exercised only through the Data Protection Authority in India”

I am not going into the details of the above now and will go directly into the Aadhaar-related discussions, which are the need of the hour.

For the purpose of this discussion, I am ignoring the part of the judgement attributed to the dissenting judge (D Y Chandrachud) contained in pages 568 to 1048 of the judgement. The judgement of the other four judges is recorded in two parts, the first part between Pages 1-567 (Dipak Misra, A.K. Sikri and A.M. Khanwilkar) and the second part between Pages 1049-1448 (Ashok Bhushan). Even within the two parts of the majority judgement, I am focussing on

a) Pages 540 to 567 containing the 9 Issues discussed and Answers provided by the first three judges

b) Pages 1442 to 1448 containing the 18 conclusions listed by the Judge

This reduces our span of reading from 1448 pages to 35 pages. But this is the relevant portion of the judgement. In writing any judgement, the judges do quote what the petitioner has said, what the respondent has argued, what another judge has said in a different judgement, what they considered relevant, etc. These discussions are important for academicians to understand why a Judge came to a specific conclusion, but the operative part of the judgement has to be taken only from the “Order”, “Summary” or “Conclusion”.

If there is any difference between what is expressed as a firm view of the judge in the body of the judgement and in the conclusions part, it could be due to the judge consciously taking the stand as given in the conclusions.

Even if it is a drafting error, the erroneous order stands unless clarified separately. We may recall that a High Court Judge in Karnataka made a totalling error in a judgement and declared that (late) J Jayalalitha was not guilty of corrupt practices, and this arithmetic error had to be challenged in the Supreme Court as an “Appeal”, which was kept pending until the lucky accused passed away.

We therefore continue our discussions in the next article with a discussion of the 35 pages relevant for our discussion.

Naavi

Disclaimer: The views expressed here and elsewhere on this site are the personal views of Naavi and not the views of any organization or group that he may be associated with.


Aadhaar Judgement…1… Debate the areas where clarity is required.

The 1448 page Aadhaar judgement has created some confusion in the industry circles about what exactly is the impact of the judgement on the industry.

In particular, the key industries which are concerned are the FinTech industry, the Telecom industry and Banks. They were using Aadhaar as the base for conducting e-KYC, which could be completed in real time and at a very nominal cost of around Rs 15-25, as against manual KYCs which may cost upwards of Rs 200/-. The e-Sign system, which is an “Electronic Signature” under ITA 2000/8, also depended on e-KYC.

After the judgement, there is a doubt on whether the private sector can continue to use Aadhaar as a basis for conducting KYCs. KYC is an important element of opening bank accounts and curbing benami accounts. It is not good for the Country if hurdles are placed on the KYC system and we fall back on the old practices where black money thrived through fake accounts all round.

Hence proper clarity is required on whether the judgement means a “Ban on use of Aadhaar for KYC” or requires only a modification in the current approach.

The honourable Supreme Court and those who swear by “Freedom for Everything” do not like the word “Ban”, whether it is for Crypto Currencies or for Sabarimala temple entry. But this “Ban on Aadhaar” is sweet news for many of these freedom lovers.

Unfortunately, the Supreme Court is often swayed by popular gallery opinion when such issues arise. The Aadhaar judgement has tried to avoid this to the extent possible, but still the pressures from the lobbies which control public opinion and try to manipulate the Supreme Court judgement have ensured the creation of so much confusion in the minds of the Judges that some parts of the judgement remain ambiguous and reflect the confusion of the judges.

Another aspect on which the Judgement is treading a dangerous path is in diluting the Information Security aspect of transactions where Aadhaar is used, by trying to make prescriptions on what elements of transaction data are to be collected and for what period they should be retained, etc.

It is our responsibility that the mistakes or ambiguities in the judgement are brought into public debate. This matter is of such importance that the debate would go on for a long time. But we need to set the direction for the discussions and contribute some thoughts before the Government freezes the public comments on the draft Personal Data Protection Act 2018 (PDPA 2018), which will close by 10th October 2018.

Within the short time available, a few thoughts of the undersigned would be shared through these columns so that they may be considered when the draft of PDPA 2018 is discussed in the Parliament.

It is possible that some may feel that these views are spectacularly wrong and have to be rejected outright. Nevertheless, it is essential that if Supreme Court has unfairly brought obstructions to the legitimate business, it has to be pointed out.

At the same time, the industry has to be also faulted for not understanding the direction in which the wind was blowing and remained adamant despite an attempt to make them realize that some changes were required in their current practices of using Aadhaar.

But we are not keen on telling the industry players “I told you so…you ignored…and now you suffer..”. Nor are we interested in criticising the Judiciary that they did not understand the technology issues and were swayed by the anti-Aadhaar sentiments in the ecosystem. What we are interested in is suggesting that we interpret the judgement in such a manner that the concerns of the Judiciary are addressed but at the same time the concerns of the industry are not brushed aside.

I hope that in the next few articles, we shall throw up some thoughts which the larger audience may start debating. I wish we had more time to have a series of public interactions explaining some of these thoughts and eliciting an informed response from experts. But the time available before October 10th is too short. Hence I am placing my views here and leaving it to the experts to debate elsewhere.

Let us go ahead in trying to drill through the 1448 page judgement and see how it is likely to affect the industry.

…..To be Continued

Naavi

Reference: The Copy of the Judgement


Facebook data breach, punctures the argument against Data Localization

Leading up to the discussion on PDPA 2018 in the Parliament, there is an orchestrated opposition to the Data Localization aspect recommended in the PDPA 2018. However, the Facebook data breach, which has reportedly compromised over 50 million accounts including about 5.6 lakh accounts of Indian customers of Facebook, has punctured the argument placed by those who are opposing Data Localization.

One of the strong arguments that was placed against Data Localization was that Indian Data Centers are not secure enough and that it will increase the attack surface, etc.

Now it is proved that Data Centers in the US can be as vulnerable as, if not more vulnerable than, those in India. The truth is that whether the data center is in India or in the US, the security threats are the same. The security devices used, the strategies used and even the hardware used are all the same whether the data center is in India or in the USA.

What is different is the service aspect, such as continuity of service, the power cost, etc., which needs to be addressed. But this is not presently considered an issue. The manpower costs as well as the land cost in India can be much lower than for setting up a Data Center in the US or other foreign centers. Hence the cost factor is in favour of India.

What is critical for Data Security, however, is the “Manpower”. In terms of skill levels, Indians are on par with the rest of the world. Where Indians may score over the rest is that Indian culture still respects “Ethics” much more than in the west.

Though there are elements in India which continue to corrupt individuals, the inherent nature of Indians makes it possible for Indians to rise above corruption, rather than in the west where there may be a rationalization of corruption as a legitimate business practice. We have perhaps seen how in the last 4 years the Government of India has taken steps to curb corruption in India and slowly a generation of young persons is coming up with a commitment to the national ideals, which include honesty and integrity. If this is nursed properly, then the quality of Data Security Professionals in India would improve.

Thus the argument that if Data Localization is imposed through law we will hurt the interests of the Industry is incorrect and has to be rejected outright.

We also need to recognize that what the PDPA 2018 wants is that “Sensitive Personal Data” collected in India needs to be kept in India and that, in the case of other Personal Data, only one active serving copy needs to be maintained in India.

If we want the Government of India to protect our personal data, it is necessary for us to entrust it with the ability to put fences around it, and this would be possible only if law enforcement in India has access, when needed, to conduct investigations when breaches occur.

On the occurrence of a data breach, a large part of the data repository becomes a “Potential Evidence” and is required to be retained. We cannot allow such data to be outside the control of the law enforcement and we cannot allow the Data Fiduciaries to remove them from access.

Now taking the Facebook incident,

a) We do not know how many Indian citizens have been affected adversely, since we need to depend on Facebook for this purpose.

b) We believe, as per the statement of Facebook, that what has been breached is only “Access Token” related data and not other data.

c) Such data could normally be expected to be in hashed form. But we are not sure whether any plain text data has been lost.

d) We also need to know whether the Access Tokens lost included those which can be used in a “Store and Replay attack” on a “Facebook Banking Account” or similar critical use case scenario.

For all these questions to be answered, today we are dependent on Facebook and cannot conduct an independent investigation, though CERT IN may have the necessary powers under law.

There is definitely the Indian law which makes Facebook an intermediary and imposes due diligence and reasonable security obligations on Facebook, and the remedies under Sections 43, 43A, 66, 72A, etc. of ITA 2000/8, which can be read with Section 79 and Section 85 to elicit cooperation from Facebook.

But in practice, Indian agencies will not be able to force Facebook except through a prolonged judicial grind through the High Courts and the Supreme Court, where the balance of favour is always with the Privacy Activists, who will ensure that Law Enforcement does not get access even to legitimate crime-related evidence.

The reason that data is not so easily accessible to Law Enforcement is that it lies elsewhere. This makes a strong case for “Data Localization”, so that if there is a data breach event, the local law enforcement authorities, which in future will include the Data Protection Authority, will be able to do their duty.

Now there is an opportunity for Facebook to prove that the ideal situation, where “Data Access” is sufficient and “Data Localization is irrelevant”, does exist here, by providing CERT IN access to the Facebook servers to conduct whatever investigations need to be done.

I believe that CERT IN should demand such access and ensure that the interests of the 5.6 lakh users who are reported to have been affected in the incident are protected. I also believe that the details of who all were affected and by how much is “Potential Evidence” which may surface at some point in future, and CERT IN may be called in to submit such evidence to Courts in India.

Already, Facebook has temporarily de-activated the “View As” feature and would perhaps delete evidence that may be present in their systems about the damage that has occurred. CERT IN has to take steps to secure the evidence in the form of which Access Tokens were lost and what they contained, etc.

We look forward to further developments in this regard.

Naavi


Corporation Bank net Banking System goes for a toss?


It is not clear what is happening at Corporation Bank and its online Banking system. Earlier, the Internet Banking system was borrowed from the old ICICI Bank and it was working in the SB (savings bank) environment though not in the Current account environment.

In between, the Bank made changes in the account numbering system, which itself caused problems for the customers, who had to keep reminding the Bank of the old number and the new number when NEFT payments were requested from their clients from elsewhere.

Now Corporation Bank is migrating to the Finacle system and has disabled the old system completely. The Bank requires every one of the earlier customers to re-activate their accounts in the new system instead of migrating the accounts automatically into the new system.

Additionally, the migration is not working: if the old credentials are used, the system still throws an error.

Attempts to contact the helplines on the 1800 number as well as the landlines have failed. The website does not give e-mails of the corporate departments and the landlines are unattended.

There is therefore a concern that Corporation Bank is presently under some sort of an IT freeze arising out of the change in the CBS system. This is actually a “Denial of Access” to the customers arising out of bad management of IT.

We can recall that once in the past the Bank had a similar problem which required an automatic Internet holiday because of system problems.

I have called for clarification from the Bank and when it is received I will share it with the public. In the meantime, if other customers of the Bank have similar problems, please do write to me over e-mail through the contact page.

Naavi


Data Protection Professionals in India… here is your organization..for you to build…

Data Protection as an activity is in the news. Ever since GDPR opened the floodgates of discussion on the role of Data Protection, the entire IT industry has been continually discussing the pros and cons of the emerging laws.

The recent Aadhaar judgement has placed a question mark on the business processes of many companies including the whole group of Fintech Start ups who are wondering what is the future for them.

The PDPA 2018 draft is still open for public comments for 12 more days, up to 10th October 2018, so that public comments, including on how the Aadhaar-related issues can be accommodated in the draft bill, can be submitted. With the Aadhaar judgement heavily dependent on the passage of this bill, the Government is likely to push it for advanced discussion in the Parliament during the winter session and probably its passage before the change of this Government.

At this momentous time, India needs a body that empowers Data Protection Professionals with the necessary knowledge and skills and ensures that they apply them with an ethical mindset.

With this objective in mind, a new Section 8 Company has been established by Naavi along with some of his associates in Bengaluru, by the name of “Foundation of Data Protection Professionals in India” (FDPPI).

Full details of this organization are available at www.fdppi.in

FDPPI also has as its objective bringing together different organizations, both formal and informal, working on similar objectives, to emerge as a “Federation of Data Protection Organizations”.

FDPPI will also develop appropriate Codes and Practices for different organizations on Data Protection and also develop “Trust Scores” for Data Protection Practices. It will also provide support in the form of Data Audits as envisaged under PDPA 2018.

FDPPI will also offer several other services relevant to the industry.

FDPPI envisages that under its banner, all stakeholders in Data Protection, starting from Data Processors, Software Developers, Information Security, Compliance and Privacy professionals, Advocates in related areas, Law Enforcement agencies, Academic Institutions and Government bodies, will work together to build a Data Secure Nation.

An informal meeting of the provisional members of the organization is scheduled to take place in Bengaluru at 4.00 pm today in which the membership registers will also be open.

We invite interested persons to join either physically or through remote log-in to the conferencing room. (Please see details at www.fdppi.in)

FDPPI will be an organization of the people who have direct stake in Data Protection and I invite all to join in this movement.

Naavi


Don’t Ask Aadhaar Number. Ask Virtual ID. It is permitted

After the 1448 page judgement on Aadhaar, it appears that some of the Private Sector companies are worried about the e-KYC process they were using for their business and whether they need to go back to the manual KYC process, which is more expensive and as prone to fraud as, if not more than, the e-KYC.

The Judgement has held that Aadhaar is basically valid, its security systems are secure enough and it can be used by the Government for its Direct Benefit Transfer projects.

At the same time, it has held that Aadhaar number should not be used by the private sector under certain circumstances.

The Private sector has been worried about the part of the judgement that relates to Section 57 of the Aadhaar Act, which states as follows:

Section 57:

Nothing contained in this Act shall prevent the use of Aadhaar number for establishing the identity of an individual for any purpose, whether by the State or any body corporate or person, pursuant to any law, for the time being in force, or any contract to this effect:

Provided that the use of Aadhaar number under this section shall be subject to the procedure and obligations under section 8 and Chapter VI.

Section 8 of Aadhaar Act states as under:

8. (1) The Authority shall perform authentication of the Aadhaar number of an Aadhaar number holder submitted by any requesting entity, in relation to his biometric information or demographic information, subject to such conditions and on payment of such fees and in such manner as may be specified by regulations.

(2) A requesting entity shall—

(a) unless otherwise provided in this Act, obtain the consent of an individual before collecting his identity information for the purposes of authentication in such manner as may be specified by regulations; and

(b) ensure that the identity information of an individual is only used for submission to the Central Identities Data Repository for authentication

(3) A requesting entity shall inform, in such manner as may be specified by regulations, the individual submitting his identity information for authentication, the following details with respect to authentication, namely:—

(a) the nature of information that may be shared upon authentication;

(b) the uses to which the information received during authentication may be put by the requesting entity; and

(c) alternatives to submission of identity information to the requesting entity.

(4) The Authority shall respond to an authentication query with a positive, negative or any other appropriate response sharing such identity information excluding any core biometric information.

Chapter VI of the Aadhaar Act relates to the “Protection of Information” and prescribes that the authority shall ensure the security of identity information and authentication records of the individuals etc.

According to the judgement of Justice Ashok Bhushan,

Section 57, to the extent, which permits use of Aadhaar by the State or any body corporate or person, in pursuant to any contract to this effect is unconstitutional and void. Thus, the last phrase in main provision of Section 57, i.e. “or any contract to this effect” is struck down.

According to the judgement of the three other Judges namely Justices Dipak Mishra, A.M.Khanwilkar and A.K.Sikri,

“Insofar as Section 57 in the present form is concerned, it is susceptible to misuse inasmuch as:

(a) It can be used for establishing the identity of an individual ‘for any purpose’. We read down this provision to mean that such a purpose has to be backed by law. Further, whenever any such “law” is made, it would be subject to judicial scrutiny.

(b) Such purpose is not limited pursuant to any law alone but can be done pursuant to ‘any contract to this effect’ as well. This is clearly impermissible as a contractual provision is not backed by a law and, therefore, first requirement of proportionality test is not met.

(c) Apart from authorising the State, even ‘any body corporate or person’ is authorised to avail authentication services which can be on the basis of purported agreement between an individual and such body corporate or person. Even if we presume that legislature did not intend so, the impact of the aforesaid features would be to enable commercial exploitation of an individual biometric and demographic information by the private entities.

Thus, this part of the provision which enables body corporate and individuals also to seek authentication, that too on the basis of a contract between the individual and such body corporate or person, would impinge upon the right to privacy of such individuals. This part of the section, thus, is declared unconstitutional.”

There appears to be some confusion prevailing in the market about the impact of this judgement on the companies using e-KYC if we go by the following reports.

1. Telcos stare at long KYC process after Aadhaar is hit: DNA

This report states

“The road ahead for telecom players especially new player Reliance Jio for addition of new subscribers might become tedious with the Supreme Court ruling that Aadhaar is not mandatory for new mobile connections….The Supreme Court on Wednesday struck down Section 57 of the Aadhaar Act, which allowed private entities to use Aadhaar number to verify new subscribers.”

It also states:

“Aruna Sundarajan, secretary, department of telecommunications, on Thursday confirmed that e-KYC system to register mobile users using Aadhaar have been stopped…It is learnt that DoT plans to soon come out with alternative for digital verification e-KYC if it is not to be done through Aadhaar”

2. DOT to consult UIDAI, law Ministry on road ahead post Aadhaar order-ET

This report states:

“Mobile phone companies said the court verdict would lead to delays in getting phone connections and increase the cost of customer acquisition, in some cases by as much as 10 times. These operators had adopted the Aadhaar-based real-time electronic KYC (know your customer) process to issue mobile connections, compared with physical verification that used to take five to seven days.”

It appears that the above apprehensions are misplaced.

The Judgement clearly states that “only a part of Section 57” is considered unconstitutional, and that part is that “Private Companies may use Aadhaar authentication on the basis of a contract and in the absence of a law”.

The judgement does not affect cases where

a) the authentication does not use the Aadhaar number or demographic information on the basis of biometrics, or

b) the authentication is on the basis of a law and not contractual consent alone (i.e. not backed by law).

It is therefore feasible for the private sector to use the Aadhaar Virtual ID instead of the Aadhaar number for authentication purposes, without using biometrics but using the OTP system.

In fact, UIDAI had already mandated that use of the Aadhaar number was restricted only to “Global AUA users” and not “Local AUA users”. Only the Banks in the private sector were therefore able to use Aadhaar numbers, and all others, including the Telcos, were required to use the Virtual ID (VID); the Banks too may now have to switch over to VID use.

VID is not Aadhaar

The VID is not the Aadhaar number. It is one of the services offered by UIDAI whereby Aadhaar users are provided, at their request, with an additional ID, a 16 digit number which can be changed any number of times.

I repeat: the VID is not the Aadhaar number but a separate ID, not affected by the current judgement.

It is another matter that the private sector, including the Telcos and the Fintech companies, ignored the repeated directions of UIDAI and the compliance suggestions of Naavi.org and refused to implement the 16 digit identity as an alternative e-KYC process.

Even the Certifying Authorities licensed under ITA 2000/8 by the Controller of Certifying Authorities, who are required to use e-KYC for e-Sign, failed to adopt the use of the 16 digit number, though in this case the fault lies with the CCA more than the Certifying Authorities for not amending the e-Sign regulations.

The road ahead for the private sector now is:

Switch over to the use of VID immediately. If the customers do not know what a VID is and how to use it, educate them as part of the authentication process and guide them on how to generate a VID and how to use it.

In the meantime, it would be necessary for the CCA to issue additional guidelines to the CAs and also tweak its own API for e-Sign to be able to receive e-Sign related e-KYC requests with the VID as the input.

Retention of Aadhaar Authentication Data

There is one issue which remains to be sorted out, and that relates to the “Retention of Aadhaar authentication data” and whether such data can be retained for more than 6 months.

Since the private party using authentication based on VID only retains the VID number and the VID authentication data, there will be no restriction on its retention of the VID authentication data beyond the period of 6 months.

At the back end, UIDAI has records of VID issue and also the VID authentication data. The VID authentication data sent to the authentication requester can be retained as the replica of what is retained by the requesting party.

The VID issue data is a server log record that maps the issue of VID with an Aadhaar ID. It includes the request received from the customer for generation of VID and the meta data associated with it. The question now is whether UIDAI can retain this VID generation data beyond 6 months.

It is to be noted that there would be a conflict with the law of evidence under the IPC and ITA 2000/8 if the metadata associated with the VID issue is indiscriminately deleted.

Normally this data is transaction data and there may not be any dispute associated with it. In such an instance it is not “Evidentiary Data”. However, the authentication data becomes evidence when the authentication is part of a suspected offence.

In other words when there is a suspected misuse, then the authentication data becomes “evidence” and has to be retained as long as required. This is similar to the retention needs of CCTV footages.

If there is no suspected offence, the authentication data need not be retained beyond a reasonable period. At present, according to the judgement, this reasonable period is 6 months. But where there is a suspected offence associated with the data, it has to be treated as “Evidence” and needs to be retained as long as required.

It is open for the Government to use a notification under Section 67C of Information Technology Act 2000/8 to prescribe that the e-Sign authentication information available with the CA or the UIDAI shall be retained for at least 5 years even when the data is not identified as a “potential evidence”.

In my opinion this is required to be done by MEITY immediately, or at least before the next 6 months.
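The retention rule described above (a default purge window, an evidence hold that overrides it, and a longer notified period) can be enforced mechanically by the party holding authentication records. The following is an added illustration written for this article, not code of UIDAI, any CA or the judgement; the 183-day and 5-year figures are assumed approximations of the “6 months” and “5 years” mentioned in the text, and the record fields are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed day counts standing in for the 6-month period the judgement sets and
# the 5-year period suggested for a Section 67C notification.
DEFAULT_RETENTION = timedelta(days=183)
NOTIFIED_RETENTION = timedelta(days=5 * 365)


@dataclass
class AuthRecord:
    """One authentication transaction as retained by the requesting entity.

    Only the VID is stored; the underlying Aadhaar number is never held here.
    """
    txn_id: str
    vid: str
    created: datetime
    result: str                  # "Y" or "N" as returned by the authority
    evidence_hold: bool = False  # set when the transaction is part of a suspected offence
    hold_reason: str = ""


def place_evidence_hold(records, txn_ids, reason):
    """Mark the given transactions as potential evidence so that no purge
    removes them, however old they become.  Returns the ids actually held."""
    wanted = set(txn_ids)
    held = []
    for rec in records:
        if rec.txn_id in wanted:
            rec.evidence_hold = True
            rec.hold_reason = reason
            held.append(rec.txn_id)
    return held


def release_evidence_hold(records, txn_ids):
    """Lift a hold once the matter is closed; the record then falls back
    under the ordinary retention period on the next purge."""
    wanted = set(txn_ids)
    released = []
    for rec in records:
        if rec.txn_id in wanted and rec.evidence_hold:
            rec.evidence_hold = False
            rec.hold_reason = ""
            released.append(rec.txn_id)
    return released


def classify(rec, now, retention):
    """Explain the retention decision for one record."""
    if rec.evidence_hold:
        return "held"
    if now - rec.created > retention:
        return "expired"
    return "within retention"


def purge(records, now, retention=DEFAULT_RETENTION):
    """Return (records to keep, ids to delete).  The input list is not
    modified, so the caller can log the decision before deleting anything."""
    keep, deleted = [], []
    for rec in records:
        if classify(rec, now, retention) == "expired":
            deleted.append(rec.txn_id)
        else:
            keep.append(rec)
    return keep, deleted


if __name__ == "__main__":
    # Constructed sample data: VIDs are made-up 16-digit strings.
    now = datetime(2018, 10, 1)
    recs = [
        AuthRecord("t1", "1111222233334444", now - timedelta(days=200), "Y"),
        AuthRecord("t2", "5555666677778888", now - timedelta(days=200), "Y"),
        AuthRecord("t3", "9999000011112222", now - timedelta(days=30), "N"),
    ]
    place_evidence_hold(recs, ["t2"], "case reference placeholder")
    kept, gone = purge(recs, now)
    print("deleted:", gone, "kept:", [r.txn_id for r in kept])
```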

It is clear that the petitioners in this case did not bring the requirements related to VID to the attention of the Court, maybe because they felt that it would be detrimental to their interests. (Refer this article for more details.) The advocates on behalf of the respondents also failed to bring it to the notice of the Court.

It would have been prudent if the Court had on its own commented on the VID and clarified that it is not Aadhaar, but there was technically no reason for it to do so, and therefore it made no reference to it.

The concern of the Court that runs through the current judgement was mainly about the use of “Biometrics” by the Private sector companies and also the “Exploitation” of demographic data by the private sector.

Use of OTP eliminates the concern on Biometrics, and use of VID for e-KYC and e-Sign can hardly be called “Exploitation”.

Hence use of VID with OTP for e-Sign and other authentication purpose by private sector companies is not affected by this judgement.

Naavi has always held that UIDAI should stick to Yes or No answers to each of the fields queried under an authentication request and has not been in favour of an API that populates the user-end form with the demographic data drawn from UIDAI. The judgement corroborates this view.

The CCA should therefore take a re-look at the API used for e-Sign and ensure that the details of each field are filled in by the applicant of an e-Sign and UIDAI only ticks each field queried with a “Yes” for completing the authentication. We have no reason to believe that this is not done now, and if not, it can be done immediately.
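The two points made above, that a VID is a revocable stand-in for the Aadhaar number, and that the authority should answer each queried field with only Yes or No rather than returning demographic data, are combined in this added simulation. It is illustrative code written for this article, not UIDAI's API or any CA's e-Sign integration; the record store, the 12-digit number and the OTP delivery by return value are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta

# Constructed sample record store keyed by a made-up 12-digit number.
# Nothing here comes from UIDAI; values are invented for the simulation.
_RECORDS = {
    "123412341234": {"name": "ASHA RAO", "dob": "1985-04-12",
                     "gender": "F", "pincode": "560001"},
}

OTP_VALIDITY = timedelta(minutes=5)   # assumed validity window


class VirtualIdService:
    """Holds the VID -> Aadhaar number mapping on the authority's side.

    A VID is a 16-digit number the holder can regenerate at will; when a
    new one is issued the previous one stops resolving.  Requesting
    entities only ever see the VID, never the mapping.
    """

    def __init__(self):
        self._vid_to_uid = {}
        self._uid_to_vid = {}

    def generate_vid(self, uid):
        if uid not in _RECORDS:
            raise KeyError("unknown number")
        old = self._uid_to_vid.get(uid)
        if old is not None:
            del self._vid_to_uid[old]        # previous VID is revoked
        vid = "".join(str(secrets.randbelow(10)) for _ in range(16))
        self._vid_to_uid[vid] = uid
        self._uid_to_vid[uid] = vid
        return vid

    def resolve(self, vid):
        return self._vid_to_uid.get(vid)


class YesNoAuthenticator:
    """Simulated authority: answers a VID + OTP request with per-field
    Y/N matches only, never with the stored demographic values."""

    def __init__(self, vid_service):
        self._vids = vid_service
        self._otps = {}   # vid -> (sha256 of otp, expiry)

    def request_otp(self, vid, now=None):
        # A real deployment sends the OTP to the holder's registered mobile;
        # the simulation returns it so the caller can complete the flow.
        if self._vids.resolve(vid) is None:
            return None
        otp = "%06d" % secrets.randbelow(1_000_000)
        expiry = (now or datetime.now()) + OTP_VALIDITY
        self._otps[vid] = (hashlib.sha256(otp.encode()).hexdigest(), expiry)
        return otp

    def _otp_ok(self, vid, otp, now):
        entry = self._otps.pop(vid, None)   # one-time use: replay fails
        if entry is None:
            return False
        digest, expiry = entry
        if now > expiry:
            return False
        candidate = hashlib.sha256(otp.encode()).hexdigest()
        return hmac.compare_digest(digest, candidate)

    def authenticate(self, vid, otp, claimed, now=None):
        """`claimed` holds the values the applicant typed in; the response
        says only whether each one matches the record behind the VID."""
        now = now or datetime.now()
        uid = self._vids.resolve(vid)
        if uid is None:
            return {"status": "N", "reason": "unknown or revoked VID", "fields": {}}
        if not self._otp_ok(vid, otp, now):
            return {"status": "N", "reason": "otp failed", "fields": {}}
        record = _RECORDS[uid]
        fields = {k: ("Y" if record.get(k) == v else "N") for k, v in claimed.items()}
        status = "Y" if fields and all(v == "Y" for v in fields.values()) else "N"
        return {"status": status, "reason": "", "fields": fields}
```

The requesting entity keeps only the VID and the Y/N response, so nothing it retains is the Aadhaar number or UIDAI's copy of the demographic data.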

Naavi

Also Refer:

It is Y2K Moment again in India with Virtual Aadhaar ID

How Aadhaar Security reaches a new dimension with Virtual Aadhaar ID

Three days to go for mandatory use of Virtual Aadhaar ID. Who is ready?

Is Private Sector ignoring Virtual Aadhaar ID?

Virtual Aadhaar ID; More breathing time for laggards

Supreme Court cannot ignore the Virtual ID development regarding Aadhaar
