Aadhaar Judgement..3.. Data retention limit of 6 months..

Posted on October 5, 2018 by 98410spice

This is in continuation of the earlier articles on this topic

The First Issue answered by the first part of the majority judgement(signed by the three judges Dipak Mishra, A.K.Sikri and A W Khanwilkar here after referred to as the first part) was

(1) Whether the Aadhaar Project creates or has tendency to create surveillance state and is, thus, unconstitutional on this ground?
Incidental Issues:
(a) What is the magnitude of protection that need to be accorded to collection, storage and usage of biometric data?
(b) Whether the Aadhaar Act and Rules provide such protection, including in respect of data minimisation, purpose limitation, time period for data retention and data protection and security?

The answer to the above question provided by the judges took note that Aadhaar architecture does not tend to create a surveillance state. It also concluded that there were sufficient authentication security measures taken by UIDAI and adequate oversight. It recorded that use of Registered Devices prevented the risk of store and replay attack. It noted that the Authority does not get the transaction details of an authentication request or the IP address or GPS location of the authentication request.

Taking into account the above, the three judges held

After discussing the aforesaid aspect with reference to certain provisions of the Aadhaar Act, we are of the view that apprehensions of the petitioners stand assuaged with the striking down or reading down or clarification of some of the provisions, namely:

(i) Authentication records are not to be kept beyond a period of six months, as stipulated in Regulation 27(1) of the Authentication Regulations. This provision which permits records to be archived for a period of five years is held to be bad in law.
(ii) Metabase relating to transaction, as provided in Regulation 26 of the aforesaid Regulations in the present form, is held to be impermissible, which needs suitable amendment.
(iii) Section 33(1) of the Aadhaar Act is read down by clarifying that an individual, whose information is sought to be released, shall be afforded an opportunity of hearing.
(iv) Insofar as Section 33(2) of the Act in the present form is concerned, the same is struck down.
(v) That portion of Section 57 of the Aadhaar Act which enables body corporate and individual to seek authentication is held to be unconstitutional.
(vi) We have also impressed upon the respondents, to bring out a robust data protection regime in the form of an enactment on the basis of Justice B.N. Srikrishna (Retd.) Committee Report with necessary modifications thereto as may be deemed appropriate.

In expressing the above views, the Court actually descended to the level of drafting internal security guidelines for UIDAI. We cannot expect the Court to be an Information Security expert and hence some of these suggestions could have been avoided. In comparison the drafting of the Ashok Bhushan judgement was better as it avoided going into the details of how UIDAI has to manage the security.

Now coming to the exact recommendations in this Answer 1,

the first prescription is

(i) Authentication records are not to be kept beyond a period of six months, as stipulated in Regulation 27(1) of the Authentication Regulations. This provision which permits records to be archived for a period of five years is held to be bad in law.

By making this observation, the Court has limited the data retention period of the authentication record to 6 months unmindful of the actual requirement which may be dependent on the circumstances.

The Authentication guidelines indicated data retention under two regulations. First was under regulation 18 (1) about the maintenance of logs by requesting party. Second was regulation 27(1) .

This regulation under 27(1) stated:

(1) Authentication transaction data shall be retained by the Authority for a period of 6 months, and thereafter archived for a period of five years.
(2) Upon expiry of the period of five years specified in sub-regulation (1), the Authentication transaction data shall be deleted except when such authentication transaction data are required to be maintained by a court or in connection with any pending dispute.

The judgement has suggested that the 27(1) is modified to remove the words “and thereafter archived for a period of five years”.

Simultaneously 27(2) may need to be amended to say “Upon expiry of six months…”

The similar provision under regulation 18 (1) which is applicable to the user agencies is not touched by this answer.

The current judgement has not invalidated the possibility of  a law that requires the data to be retained beyond 6 months. One such law which is in existence is the “Evidence Law”. When a certain transaction data is required as  “Evidence” because a potential crime has come to the knowledge of the person holding the data, he has to preserve it until it is required. Otherwise it will be an offence under IPC (Section 204)  and ITA 20008 (Sec 65).

Even the PDPA 2018 can clarify this aspect.

If within 6 months no specific complaint arises, the data may be destroyed.

However, since it is the law of limitation which says that there is a time limit of 3 years for any civil action, the action of the Supreme Court to get the potential evidence forcefully removed after 6 months is snatching a legal right available to the citizens.

I would therefore consider it necessary for the Supreme Court to increase this data retention limit from 6 months to 3 years.

Alternatively, the PDPA 2018 must state that

” System log records and other data which are relevant for the protection of the Privacy of a person shall be retained for a period as required under the law of limitation for a minimum period of 3 years and as otherwise may be required if the data is considered as a potential “Evidence” for a cognizable offence of which the data fiduciary is aware of.”

….To Be continued

Naavi

Disclaimer: The views expressed here and elsewhere on this site are the personal views of Naavi and not the views of any organization or group that he may be associated with.

 

Posted in Cyber Law | 2 Comments

Aadhaar Judgement….2.. The Answers and Conclusions of the majority

Posted on October 5, 2018 by 98410spice

This is a continuation of the earlier article “Aadhaar Judgement..1..Debate the Areas where Clarity is Required”

The Aadhaar judgement is said to be the second longest case in terms of continuous hearing next only to the Keshavananda Bharati case in 1973 and underscores the importance and urgency assigned to the case.

The petitioners tried to argue that Aadhaar was unconstitutional, constituted an instrument of state oppression through surveillance and had to be scrapped. The data leaks of Aadhaar was quoted to argue that the system could cause serious privacy breach issues since the biometric of citizens could leak. They also argued that there was denial of basic services because of the failure of Aaadhaar authentication. In particular, the mandatory linking of Aadhaar to PAN cards, opening of Bank accounts were alleged to be an over reach of powers of the Government.

The net demand was that Aadhaar had to be scrapped.

The Government argued that it was useful to ensure that Direct Benefits of the Government reach the right persons, reduce/eliminate corruption. Even during the trial, Aadhaar introduced the Virtual Aadhaar ID and made several moves to strengthen the system to ally the fears of lack of security. UIDAI also explained the security practices and tried to convince that the system had a useful role in the Governance and did not violate Privacy.

Unfortunately, the case became a battle between the Government which was using Aadhaar Unique ID to curb black money and those who were simply Anti-Modi. All other principled explanations were only excuses.

In the entire cacophony of the media, every body forgot that there were two other stake holders to the debate. First was  the “Honest Tax Paying Citizen” whose legitimate income and wealth were being eroded because of the corruption, black money and benami holding of properties all of which were threatened by the Aadhaar linking. Second was the business which adopted the use of Aadhaar for e-KYC and real time authentication of electronic documents through e-Sign. These stake holders were not impleaded into the arguments.

The Supreme Court bench which heard the arguments should have realized at some point of time that there was a possibility of them taking a decision which could hurt the interest of these stake holders and their interests were not being represented either by the petitioners who were Anti Modi and the Government which was Anti-black money, and voluntarily called in the other stake holders to explain their view points.

Today we are debating the consequences of one interpretation of the judgement from the petitioner’s side which strongly believes that the judgement bans the use of Aadhaar in any form by the private sector and severely restricts the use even in the Government sector.

The Government may defend its position by drafting suitable law to protect it’s interests but the private sector and the citizens may not be able to voice their opinion adequately.

However the PDPA 2018 (Personal data protection act 2018) which is in draft stage with the Parliament presents an opportunity for these stake holders to express their thoughts either through the public comments to be submitted before 10th October 2018 or through the MPs during the Parliamentary discussions.

This series of articles are aimed at stimulating the thoughts of interested persons so that they donot lose this opportunity.

The Srikrishna Committee made a detailed suggestion on changes to be made to Aadhaar though they were not included in the PDPA2018 draft. Now is the time to take a look at these recommendations and read it along with the Supreme Court judgement and incorporate it in the draft PDPA 2018.

Naavi.org therefore focusses in these discussions only on Aadhaar related discussions. Other than this, Naavi has only a few suggestions for amendment such as

a) “Making Criminal Offences Bailable”,

b) “Removing the Caste from the definition of sensitive personal information” ,

c) “Clarifying that the basic purpose of the Act is to protect the Privacy of Indian Citizens from Privacy infringement through insecure data processing either in India or elsewhere”,

d) “Clarifying that the jurisdiction of any foreign law on data protection shall be exercised only through the Data Protection Authority in India”

I am not going into the details of the above now and go directly into the Aadhaar related discussions which is the need of the hour.

For the purpose of this discussion, I am ignoring the part of the judgement attributed to the dissenting judge (D Y Chandrachud) contained in pages 568 to 1048 of the judgement. The judgement of the other four judges is recorded in two parts, the first part between Pages 1-567 (Dipak Misra,A.K.Sikri , A.M.Khanwilkar and the second part between 1049-1448 (Ashok Bushan). Even within the two parts of the majority judgement, I am focussing on

a) Pages 540 to 567 containing the 9  Issues discussed and Answers provided by the first three judges

b) Pages 1442 to 1448 containing the 18 conclusions listed by the Judge

This reduces our span of reading from 1448 pages to 35 pages. But this is the relevant portion of the judgement. In writing any judgement, the judges do quote what the petitioner has said, what the respondent has argued, what another judge has said in a different judgement, what did he consider relevant etc. These discussions are important for academicians to understand why a Judge came to a specific conclusion  but the operative part of the judgement has to be taken only from the “order”, “Summary” or “Conclusion”.

If there is any difference between what is expressed as a firm view of the judge in the body of the judgement and in the conclusions part, it could be due to the judge consciously taking the stand as given in the conclusions.

Even if it is a drafting error the erroneous order stands unless clarified separately. We may recall that a High Court Judge in Karnataka made a totalling error in a judgement and declared that (late) J Jayalalitha was not guilty of corrupt practices and this arithmetic error had to be challenged in Supreme Court as an “Appeal” which was kept pending until the lucky accused passed away.

We therefore continue our discussions in the next article with a discussion of the 35 pages relevant for our discussion.

Naavi

Disclaimer: The views expressed here and elsewhere on this site are the personal views of Naavi and not the views of any organization or group that he may be associated with.

Posted in Cyber Law | 3 Comments

Aadhaar Judgement…1… Debate the areas where clarity is required.

Posted on October 4, 2018 by 98410spice

The 1448 page Aadhaar judgement has created some confusion in the industry circles about what exactly is the impact of the judgement on the industry.

In particular, key industries which are concerned are the FinTech industry, Telecom industry and Banks. They were using Aadhaar as the base for conducting e-KYC which could be completed in realtime and at a very nominal cost such as around Rs 15-25 as against manual KYCs which may cost upwards of Rs 200/-. The e-Sign system which was “Electronic Signature” under ITA 2000/8 also depended on e-KYC.

After the judgement, there is a doubt on whether private sector can continue to use Aadhaar as a basis of conducting KYCs. KYC is an important element of opening of Bank accounts and curbing of benami accounts. It is not good for the Country if hurdles are placed on the KYC system and we fall back on the old practices where black money thrived through fake accounts all round.

Hence proper clarity is required on whether the judgement means a “Ban on use of Aadhaar for KYC” or requires only a modification in the current approach.

The honourable Supreme Court and those who swear by “Freedom for Everything” donot like the word “Ban” whether it is for Crypto Currencies or for Sabarimala temple entry. But this “Ban on Aadhaar” is  sweet news for many of these freedom lovers.

Unfortunately, the Supreme Court often is swayed by the popular gallery opinion when such issues arise. Aadhaar judgement has tried to avoid it to the extent possible but still the pressures from the lobbies which control public opinion and trying to manipulate the Supreme Court judgement has ensured creation of so much confusion in the minds of the Judges that some parts of the judgement remain ambiguous and reflect the confusion of the judges.

Another aspect on which the Judgement is treading on a dangerous path is in diluting the Information Security aspect of transactions where Aadhaar is used by trying to make prescriptions on what elements of transaction data are to be collected and what period they should be retained etc.

It is our responsibility that the mistakes or ambiguities in the judgement have to brought into public debate. This matter is of such importance that the debate would go on for a long time. But we need to set the direction for the discussions and contribute some thoughts before the Government freezes on the public comments to the draft Personal Data Protection Act 2018 (PDPA 2018) which will close by 10th of October 2018.

Within the short time available, a few thoughts of the undersigned would be shared through these columns so that they may be considered when the draft of PDPA 2018 is discussed in the Parliament.

It is possible that some may feel that these views are spectacularly wrong and have to be rejected outright. Nevertheless, it is essential that if Supreme Court has unfairly brought obstructions to the legitimate business, it has to be pointed out.

At the same time, the industry has to be also faulted for not understanding the direction in which the wind was blowing and remained adamant despite an attempt to make them realize that some changes were required in their current practices of using Aadhaar.

But we are not keen on telling the indusry players “I told you so…you ignored…and now you suffer..”. Nor  are we interested in criticising the Judiciary that they did not understand the technology issues and were swayed by the anti Aadhaar sentiments in the eco system. What we are interested is in suggesting that we interpret the judgement in such a manner that the concerns of the Judiciary are addressed but at the same time concerns of the industry are not brushed aside.

I hope that in the next few articles, we shall throw up some thoughts which the larger audience may start debating. I wish we had more time to have a series of public interactions explaining some of these thoughts and eliciting an informed response from experts. But the time available before October 10th is too short. Hence I am placing my views here and leaving it to the experts to debate elsewhere.

Let us go ahead in trying to drill through the 1448 page judgement and how it is likely to affect the industry.

…..To be Continued

Naavi

Reference: The Copy of the Judgement

Disclaimer: The views expressed here and elsewhere on this site are the personal views of Naavi and not the views of any organization or group that he may be associated with.

Posted in Cyber Law | Tagged | 1 Comment

Facebook data breach, punctures the argument against Data Localization

Posted on October 2, 2018 by 98410spice

Leading upto to the discussion on PDPA 2018 in the Parliament, there is an orchestrated opposition to the Data localisation aspect recommended in the PDPA 2018. However, the Face Book data breach which has reportedly compromised over 50 million accounts including about 5.6 lakh accounts of Indian customers of Face book has  punctured the argument placed by those who are opposing the Data localization.

One of the strong arguments that was placed against Data localization was that Indian Data Centers are not secure enough and it will increase the attack vector etc.

Now it is proved that Data Centers in US could be as much vulnerable if not more if they were in India. The truth is whether the data center is in India or in US, the security threats are same. The security devices used, strategies used and even the hardware used are all same whether the data center is in India or in USA.

What is different is the service aspect such as continuity of service, the power cost etc which needs to be addressed. But this is not presently considered as an issue. The Manpower costs as well as the Land cost in India can be much lower than setting up of a Data Center in US or other foreign centers. Hence the cost factor is in favour of India.

What is critical for Data Security is however the “Manpower” . From the skill levels, Indians are on par with the rest of the world. Where the Indians may score over the rest is that Indian culture still respects “Ethics” much more than in the west.

Though there are elements in India which continue to corrupt the individuals, the inherent nature of Indians make it possible for Indians to raise above corruption rather than in the west where there may be a rationalization of corruption as a legitimate business practice. We have perhaps seen how in the last 4 years, Government of India has  taken steps to curb corruption in India and slowly, a generation of young persons are coming up with a commitment to the national ideals which include honesty and integrity. If this is nursed properly, then the quality of Data Security Professionals in India would improve.

Thus the argument that if Data Localization is imposed through law, we will hurt the interests of the Industry is incorrect and has to be rejected outright.

We also need to recognize that what the PDPA 2018 wants is that “Sensitive Personal Data” collected in India need to be kept in India and in the case of other Personal data, only one active serving copy need to be maintained in India.

If we want the Government of India to protect our personal data, it is necessary for us to entrust it with the ability to put fences around it and this would be possible only if the law enforcement in India has an access when needed to conduct investigations when breaches occur.

On the occurrence of a data breach, a large part of the data repository becomes a “Potential Evidence” and is required to be retained. We cannot allow such data to be outside the control of the law enforcement and we cannot allow the Data Fiduciaries to remove them from access.

Now taking the Face Book incident,

a) We donot know how many Indian citizens have been affected adversely since we need to depend on Face Book for this purpose.

b) We believe as per the statement of Face Book that what has been breached is only “Access Token” related data and not other data.

c) Such data which could be normally expected to be in hashed form. But we are not sure if any plain text data has been lost.

d) We also need to know if the Access tokens lost included those which can be used in a “Store and Replay attack” on a “Face Book Banking Account” or similar critical use case scenario.

For all these questions to be answered today we are dependent on Face Book and cannot conduct an independent investigation, though CERT IN may have necessary powers under law.

There is definitely the Indian law which makes Face Book an intermediary and imposes due diligence and reasonable security obligations on Face Book and the remedies under Sections 43, 43A, 66, 72A etc of ITA 2000/8 which can be read with Section 79 and Section 85 to elicit cooperation from Face Book.

But in practice, Indian agencies will not be able to force Face Book except through a prolonged judicial grind through the High Courts and Supreme Court where the balance of favour is always with the Privacy Activists who will ensure that the Law Enforcement does not get access even to legitimate crime related evidence.

The reason  that Data is not so easily accessible for the Law Enforcement since it lies else where. This makes a strong case for “Data Localization” so that if there is a data breach event, the local law enforcement authorities which in future includes the Data Protection Authority will be able to do its duty.

Now there is an opportunity for Face Book to prove that the apprehensions of the ideal situation where “Data Access” is sufficient and “Data Localization is irrelevant” does exist here, by providing access to the CERT IN to the Face book servers to conduct whatever investigations are needed to be done.

I believe that CERT IN should demand such access and ensure that the interests of the 5.6 lakh users who are reported to have been affected in the incident are protected. I also believe that the details of who all were affected and by how much is a “Potential Evidence” which may surface at some point of time in future and CERT IN may be called in to submit such evidence to Courts in India.

Already, Face Book has temporarily de-activated the “View-As” service and would perhaps delete evidence that may be present in their systems about the damage that has occurred. CERT IN has to take steps to secure the evidence in the form of what all Access Tokens were lost and what they contained etc.

We look forward to further developments in this regard.

Naavi

Posted in Cyber Law | Tagged | 1 Comment

Corporation Bank net Banking System goes for a toss?

Posted on October 1, 2018 by 98410spice

 

It is not clear what is happening at Corporation Bank and its online Banking system. Earlier the Internet Banking system was borrowed from the old ICICI Bank and it was working in the SB environment though not in the Current account environment.

In between the Bank made changes in the account numbering system which itself caused problems for the customers who had to keep reminding the Bank the old number and the new number when NEFT payments were requested from their clients from elsewhere.

Now Corporation Bank is migrating to the Finacle System and has disabled the old system completely. The Bank requires every one of the earlier customers to re-activate their accounts in the new system instead of migrating the accounts automatically into the new system.

Additionally the migration is not working since if the old credentials are used, the system is still throwing an error.

Attempt to contact the help lines over 1800 as well as the land lines have failed. The website does not give e-mails of the corporate departments and the landlines are unattended.

There is therefore a concern if Corporation Bank is presently under some sort of an IT freeze arising out of the change in the CBS system. This is actually a “Denial of Access” to the customers arising out of bad management of IT.

We can recall that once in the past the Bank had a similar problem which required an automatic Internet holiday because of system problems.

I have called for clarification from the Bank and when received will share with the public. In the meantime if other customers of the Bank have similar problems, please do write to me over e-mail in the contact page.

Naavi

Posted in Cyber Law | 11 Comments

Data Protection Professionals in India… here is your organization..for you to build…

Posted on September 29, 2018 by 98410spice

Data Protection as an activity is in the news. Ever since GDPR opened the flood gates of discussion on the role of Data Protection, the entire IT industry has been continually discussing the pros and cons of the emerging laws.

The recent Aadhaar judgement has placed a question mark on the business processes of many companies including the whole group of Fintech Start ups who are wondering what is the future for them.

The PDPA 2018 draft is still open for public comments for 12 more days upto 10th October 2018, so that public comments including how the Aadhaar related issues can be accommodated in the draft bill. With the Aadhaar judgement heavily dependent on the passage of this bill, the Government is likely to push it for advanced discussion in the Parliament during the winter session and probably its passage before the change of this Government.

At this momentous time, India needs a body that should empower the Data Protection Professionals to ensure that they are empowered with the necessary knowledge and skills and apply it with an ethical mindset.

With this objective in mind, a new Section 8 Company, has been established by Naavi along with some of his associates in Bengaluru, by the name of “Foundation of Data Protection Professionals in India”. (FDPPI).

Full details of this organization is available at www.fdppi.in

FDPPI also has as its objective bringing together different organizations both formal and informal working on similar objectives and emerge as a “Federation of Data Protection Organizations”. 

FDPPI will also develop appropriate Codes and Practices for different organizations on Data Protections and also develop the “Trust Scores” for Data Protection Practices. It will also provide support in the form of Data Audits as envisaged under PDPA 2018.

FDPPI will also offer  several other services relevant to the industry.

FDPPI envisages that under its banner, all stake holders in Data Protection starting from Data Processors, Software Developers, Information Security, Compliance and Privacy professionals, Advocates in related areas, Law Enforcement agencies, Academic Institutions and Government bodies will work together to build a Data Secure Nation.

An informal meeting of the provisional members of the organization is scheduled to take place in Bengaluru at 4.00 pm today in which the membership registers will also be open.

We invite interested persons to join either physically or through remote log in to the conferencing room. (Please see details at www.fdppi.in)

FDPPI will be an organization of the people who have direct stake in Data Protection and I invite all to join in this movement.

Naavi

Posted in Cyber Law | 1 Comment