Don’t Ask Aadhaar Number. Ask Virtual ID. It is permitted

After the 1448 page judgement on Aadhaar, it appears that some private sector companies are worried about the e-KYC process they were using for their business, and whether they need to go back to the manual KYC process, which is more expensive and at least as prone to fraud as e-KYC, if not more so.

The Judgement has held that Aadhaar is basically valid, that its security systems are secure enough, and that it can be used by the Government for its Direct Benefit Transfer projects.

At the same time, it has held that Aadhaar number should not be used by the private sector under certain circumstances.

The Private sector has been worried about the part of the judgement that relates to the Section 57 of the Aadhaar Act which states as follows:

Section 57:

Nothing contained in this Act shall prevent the use of Aadhaar number for establishing the identity of an individual for any purpose, whether by the State or any body corporate or person, pursuant to any law, for the time being in force, or any contract to this effect:

Provided that the use of Aadhaar number under this section shall be subject to the procedure and obligations under section 8 and Chapter VI.

Section 8 of Aadhaar Act states as under:

8. (1) The Authority shall perform authentication of the Aadhaar number of an Aadhaar number holder submitted by any requesting entity, in relation to his biometric information or demographic information, subject to such conditions and on payment of such fees and in such manner as may be specified by regulations.

(2) A requesting entity shall—

(a) unless otherwise provided in this Act, obtain the consent of an individual before collecting his identity information for the purposes of authentication in such manner as may be specified by regulations; and

(b) ensure that the identity information of an individual is only used for submission to the Central Identities Data Repository for authentication

(3) A requesting entity shall inform, in such manner as may be specified by regulations, the individual submitting his identity information for authentication, the following details with respect to authentication, namely:—

(a) the nature of information that may be shared upon authentication;

(b) the uses to which the information received during authentication may be put by the requesting entity; and

(c) alternatives to submission of identity information to the requesting entity.

(4) The Authority shall respond to an authentication query with a positive, negative
or any other appropriate response sharing such identity information excluding any core biometric information.

Chapter VI of the Aadhaar Act relates to the “Protection of Information” and prescribes that the authority shall ensure the security of identity information and authentication records of the individuals etc.

According to the judgement of Justice Ashok Bhushan,

Section 57, to the extent, which permits use of Aadhaar by the State or any body corporate or person, in pursuant to any contract to this effect is unconstitutional and void. Thus, the last phrase in main provision of Section 57, i.e. “or any contract to this effect” is struck down.

According to the judgement of the three other Judges namely Justices Dipak Mishra, A.M.Khanwilkar and A.K.Sikri,

“Insofar as Section 57 in the present form is concerned, it is susceptible to misuse inasmuch as:

(a) It can be used for establishing the identity of an individual ‘for any purpose’. We read down this provision to mean that such a purpose has to be backed by law. Further, whenever any such “law” is made, it would be subject to judicial scrutiny.

(b) Such purpose is not limited pursuant to any law alone but can be done pursuant to ‘any contract to this effect’ as well. This is clearly impermissible as a contractual provision is not backed by a law and, therefore, first requirement of proportionality test is not met.

(c) Apart from authorising the State, even ‘any body corporate or person’ is authorised to avail authentication services which can be on the basis of purported agreement between an individual and such body corporate or person. Even if we presume that legislature did not intend so, the impact of the aforesaid features would be to enable commercial exploitation of an individual biometric and demographic information by the private entities.

Thus, this part of the provision which enables body corporate and individuals also to seek authentication, that too on the basis of a contract between the individual and such body corporate or person, would impinge upon the right to privacy of such individuals. This part of the section, thus, is declared unconstitutional.”

There appears to be some confusion prevailing in the market about the impact of this judgement on the companies using e-KYC if we go by the following reports.

1. Telcos stare at long KYC process after Aadhaar is hit: DNA

This report states

“The road ahead for telecom players, especially new player Reliance Jio, for addition of new subscribers might become tedious with the Supreme Court ruling that Aadhaar is not mandatory for new mobile connections….The Supreme Court on Wednesday struck down Section 57 of the Aadhaar Act, which allowed private entities to use Aadhaar number to verify new subscribers.”

It also states:

“Aruna Sundarajan, secretary, department of telecommunications, on Thursday confirmed that e-KYC system to register mobile users using Aadhaar have been stopped…It is learnt that DoT plans to soon come out with alternative for digital verification e-KYC if it has not to done through Aadhaar”

2. DOT to consult UIDAI, Law Ministry on road ahead post Aadhaar order: ET

This report states:

Mobile phone companies said the court verdict would lead to delays in getting phone connections and increase the cost of customer acquisition, in some cases by as much as 10 times. These operators had adopted the Aadhaar-based real-time electronic KYC (know your customer) process to issue mobile connections, compared with physical verification that used to take five to seven days. 

It appears that the above apprehensions are misplaced.

The Judgement clearly states that “Only a part of Section 57” is considered not constitutional and that part is that “Private Companies may use Aadhaar authentication on the basis of a contract and in the absence of a law”.

The judgement does not affect authentication in the following cases:

a) If the authentication does not use the Aadhaar number, or demographic information obtained on the basis of biometrics.

b) If the authentication is on the basis of a law and not on contractual consent alone (i.e. consent not backed by law).

It is therefore feasible for the private sector to use Aadhaar Virtual ID instead of the Aadhaar ID for authentication purpose without using the biometric but using the OTP system.

In fact the UIDAI had already mandated that use of Aadhaar number was restricted only for the “Global AUA users” and not “Local AUA users”. Only the Banks in the private sector were therefore able to use Aadhaar numbers and all others including the Telcos were required to use the Virtual ID (VID) and they also may have to now switch over to VID use.

VID is not Aadhaar

The VID is not the Aadhaar number. It is one of the services offered by UIDAI whereby Aadhaar users, at their request, are provided an additional ID, a 16 digit number which can be changed any number of times.

I repeat: VID is not the Aadhaar number but a separate ID, not affected by the current judgement.

It is another aspect that the private sector, including the Telcos and the Fintech companies, ignored the repeated d of UIDAI and the compliance suggestions of Naavi.org and refused to implement the 16 digit identity as an alternative e-KYC process.

Even the Certifying Authorities licensed under the ITA 2000/8 by the Controller of Certifying Authorities, who are required to use e-KYC for e-Sign, failed to adopt the use of the 16 digit number, though in this case the fault lies with the CCA more than with the Certifying Authorities, for not amending the e-Sign regulations.

The road ahead for the private sector now is:

Switch over to the use of VID immediately. If the customers do not know what a VID is and how to use it, educate them as part of the authentication process and guide them on how to generate a VID and how to use it.

In the mean time, it would be necessary for the CCA to issue additional guidelines to the CAs and also tweak its own API for e-Sign to be able to receive e-Sign related e-KYC requests with the VID as the input.

Retention of Aadhaar Authentication Data

There is one issue which remains to be sorted out, and that relates to the “Retention of Aadhaar authentication data” and whether such data can be retained for more than 6 months.

Since a private party using authentication based on VID retains only the VID number and the VID authentication data, there will be no restriction on its retention of the VID authentication data beyond the period of 6 months.

At the back end, UIDAI has records of VID issue and also the VID authentication data. The VID authentication data sent to the authentication requester can be retained as the replica of what is retained by the requesting party.

The VID issue data is a server log record that maps the issue of VID with an Aadhaar ID. It includes the request received from the customer for generation of VID and the meta data associated with it. The question now is whether UIDAI can retain this VID generation data beyond 6 months.

It is to be noted that there would be a conflict with the law of evidence under the IPC and ITA 2000/8 if the metadata associated with the VID issue is indiscriminately deleted.

Normally this data is transaction data and there may not be any dispute associated with it. In such instances it is not “Evidentiary Data”. However, the authentication data becomes evidence when the authentication is part of a suspected offence.

In other words, when there is a suspected misuse, the authentication data becomes “evidence” and has to be retained as long as required. This is similar to the retention needs of CCTV footage.

If there is no suspected offence, the authentication data may be deleted after a reasonable period. At present, according to the judgement, this reasonable period is 6 months. But where there is a suspected offence associated with the data, it has to be treated as “Evidence” and needs to be retained as long as required.

It is open for the Government to use a notification under Section 67C of Information Technology Act 2000/8 to prescribe that the e-Sign authentication information available with the CA or the UIDAI shall be retained for at least 5 years even when the data is not identified as a “potential evidence”.

In my opinion this is required to be done by MEITY immediately, or at least before the next 6 months.

It is clear that the petitioners in this case did not bring the requirements related to VID to the attention of the Court, maybe because they felt that it would be detrimental to their interests. (Refer this article for more details). The advocates on behalf of the respondents also failed to bring it to the notice of the Court.

It would have been prudent if the Court had on its own commented on the VID and clarified that it is not Aadhaar, but there was technically no reason for it to do so, and therefore it did not make any reference to it.

The concern of the Court that runs through the current judgement relates mainly to the use of “Biometrics” by private sector companies and to the “Exploitation” of demographic data by the private sector.

Use of OTP eliminates the concern on Biometrics, and use of VID for e-KYC and e-Sign can hardly be called “Exploitation”.

Hence use of VID with OTP for e-Sign and other authentication purpose by private sector companies is not affected by this judgement.

Naavi has always held that UIDAI should stick to Yes or No answers for each of the fields queried under an authentication request, and has not been in favour of an API that populates the user end form with demographic data drawn from the UIDAI. The judgement corroborates this view.

The CCA should therefore take a re-look at the API used for e-Sign and ensure that the details of each field are filled up by the applicant of an e-Sign, and that the UIDAI only ticks each queried field with a “Yes” to complete the authentication. We have no reason to believe that this is not done now, and if not, it can be done immediately.
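The confirm-only design argued for above, modelled as an added Python illustration (this is not UIDAI's API or code, and the VID, OTP, field names and the 183-day approximation of "6 months" are constructed assumptions): the applicant supplies the field values, the service answers only Yes or No per field, never returning the stored demographic values, and authentication records are deletable after the retention period unless flagged as evidence.

```python
"""Hypothetical confirm-only (Yes/No) VID + OTP authentication model.

Added illustration, not UIDAI's API. Assumptions: a VID is a 16-digit
string (as the post states), the OTP is pre-issued by issue_otp(), and
the 6-month retention period is approximated as 183 days.
"""
import hmac
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

VID_RE = re.compile(r"^\d{16}$")      # 16-digit VID format check only
RETENTION = timedelta(days=183)       # "reasonable period" of ~6 months

# Constructed sample holder record keyed by VID (values are never returned).
_STORE = {"1234567890123456": {"name": "ASHA RAO", "dob": "1985-04-12", "pin": "570001"}}
_OTP_ISSUED = {}                      # vid -> otp awaiting use (single use)


@dataclass
class AuthRecord:
    vid: str
    when: datetime
    result: dict            # per-field "Yes"/"No" only, no stored values
    evidence: bool = False  # set when the transaction is under suspicion


AUDIT = []                  # authentication records retained by the service


def _ts(s):
    return datetime.fromisoformat(s)


def issue_otp(vid, otp):
    """Stand-in for delivering an OTP to the holder's registered mobile."""
    _OTP_ISSUED[vid] = otp


def authenticate(vid, otp, fields, now):
    """Return {'status': 'YES'|'NO'|'INVALID_VID', 'fields': {name: 'Yes'|'No'}}.

    The response confirms applicant-supplied values; it never discloses
    stored data. Per-field answers are still a matching oracle, so a real
    deployment would rate-limit and log requests per VID.
    """
    if not VID_RE.match(vid):
        return {"status": "INVALID_VID", "fields": {}}
    record = _STORE.get(vid)
    expected = _OTP_ISSUED.pop(vid, None)          # OTP is consumed on any attempt
    if record is None or expected is None or not hmac.compare_digest(str(expected), str(otp)):
        return {"status": "NO", "fields": {}}
    result = {k: "Yes" if hmac.compare_digest(str(record.get(k, "")), str(v)) else "No"
              for k, v in fields.items()}
    status = "YES" if result and all(r == "Yes" for r in result.values()) else "NO"
    AUDIT.append(AuthRecord(vid, _ts(now), result))
    return {"status": status, "fields": result}


def mark_evidence(vid):
    """Flag every record for a VID as evidence so purge() keeps it indefinitely."""
    for r in AUDIT:
        if r.vid == vid:
            r.evidence = True


def purge(now):
    """Delete records older than RETENTION unless flagged as evidence; return count removed."""
    cutoff = _ts(now) - RETENTION
    keep = [r for r in AUDIT if r.evidence or r.when >= cutoff]
    removed = len(AUDIT) - len(keep)
    AUDIT[:] = keep
    return removed
```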

Naavi

Also Refer:

It is Y2K Moment again in India with Virtual Aadhaar ID

How Aadhaar Security reaches a new dimension with Virtual Aadhaar ID

Three days to go for mandatory use of Virtual Aadhaar ID: Who is ready?

Is Private Sector ignoring Virtual Aadhaar ID?

Virtual Aadhaar ID; More breathing time for laggards

Supreme Court cannot ignore the Virtual ID development regarding Aadhaar


Aadhaar Judgement is welcome

The much awaited Aadhaar judgement has finally been delivered. It was feared that there was a genuine possibility of Aadhaar being declared unconstitutional. Going by the way the Court reacted to Section 66A of ITA 2008, and the harsh views which Justice Chandrachud has been expressing in other cases, it was not unthinkable that the Court could have come to the drastic decision of scrapping the Aadhaar Act instead of “Reading Down” the portions that needed modification.

It is welcome that the Court has tried to work along with the Government in addressing the concerns of the Privacy activists by providing its suggestions through reading down of specific provisions, which should be the way the Court works in all cases rather than taking a confrontationist attitude. I therefore welcome the judgement.

The Privacy activists should be disappointed that they were not able to get Aadhaar struck down, though the political opponents and others are now taking a face saving position that they are happy that private companies cannot use the Aadhaar number.

The Government has already brought in regulation by which the use of Aadhaar by most of the Private sector had already been blocked, by introducing what is called the “Virtual Aadhaar ID”, which is technically not the Aadhaar ID but works for most of the requirements of the Private sector. Maybe, to avoid the confusion, this Virtual Aadhaar ID can be called by a different name from now on, such as “Temporary Identification Card”.

On the other hand, the Government should be happy that PAN cards, at least at the time of filing of tax returns, will have a link to Aadhaar. The Government should also be happy that it can use the Aadhaar ID for its social benefit schemes (perhaps with a rider that the scheme should be funded from the Consolidated Fund of India).

More on this can be commented only when the detailed judgement is available.

Naavi

The Aadhaar judgement (1448 pages) is here


Cyber Security & Privacy – Technical and Legal Compliance.. Seminar at Mysore on 27th Sept

CII Mysore has organized a one day seminar on “Cyber Security & Privacy – Technical and Legal Compliance”.

Venue: ILI Building, at the Infosys Campus (Entry through Gate 2)

Sri Shailendra Kumar Tyagi, Director, STPI, Dr Subramanyewara Rao, IPS, Commissioner of Police and several prominent industrialists from Mysore are expected to participate.

Naavi will be speaking on the “Indian Privacy Law” in the event.

Contact Mr T.U. Augistine, CII Mysore for more information.

Naavi


Privacy laws forcing “Blind Advertising” instead of Targeted advertising

The Privacy laws as they are emerging, led by GDPR, are conspicuous for the huge penalties that may be imposed as “Administrative Fines” even when the data subjects have not suffered measurable financial losses.

These laws in general prescribe that personal data of target subjects should be collected only on the basis of informed consent, where the data collector has disclosed all the purposes for which the data may be used, along with other information which may include the details of any downstream processing that may occur.

One of the uses of personal data collected is for the purpose of marketing products online. Since Advertising, whether online or offline, is a communication exercise in which the Advertiser uses his communication skills to design creative messages that will have the maximum impact, market segmentation based on the likely profile of the audience is an age-old practice.

The Advertising industry cannot do an effective job if it does not know the audience. If a chocolate advertisement is directed at an audience of senior citizens and diabetics, the advertiser would be wasting his client’s advertising spend. If a Banker tries to advertise his products meant for high net worth individuals to an audience which may consist of farmers and villagers, obviously he would be considered a fool.

But the Privacy laws are driving the advertisers to resort to “Blind Advertising” rather than “Targeted Advertising”.

The law makers will immediately say that if you want to collect personal data and use it for advertising, then say so in the consent form and it will be fine with the law. This would mean that every time any “Personal Data” is collected, the collector should be aware of all situations in which the data could be used in future and take an omnibus consent. Such consent has to also have legal validity as a “Written Consent”, and in countries where “Click Wrap” contracts are nothing more than an “Implied and Standard Form of Contract”, the consent will always be deficient.

The recent news report that the first notice under the UK Data Protection Law has been issued to a Canadian analytics firm named Aggregate IQ (AIQ), which worked for the “Vote Leave” campaign, has brought into focus the plight of the advertising industry in this regard.

It is reported that, though the firm had collected the data before 25th May 2018 when the GDPR came into force, the UK’s Information Commissioner was concerned with the continued retention and processing of the data after the said date.

The firm was used successfully for a “Pro Brexit” campaign, and therefore the political reasons behind the complaint are clearly visible.

Leaving the technicalities aside, there is a need for the public to debate whether the Privacy laws are being used unfairly to target genuine business needs and this has to be stopped forthwith for the industry to survive.

If the Advertising industry is not allowed to be creative with targeted advertising campaigns, the damage is to the “marketing” activity and indirectly to the productivity of the industry.

It is time for the Marketing and Advertising industry to justify their existence and relevance if the Privacy Laws are not to destroy each of the marketing and advertising firms one by one with litigation by all and sundry.

Naavi


Admissions open for Cyber Law Course from National Law School, Bangalore

National Law School of India University (NLSIU) has released the admission notice for admission to the PG Diploma Course in Cyber Law and Cyber Forensics (PGDCLCF).

This is a distance learning course with contact classes which will be held in Bangalore.

Details are available here:

The last date for admission is September 30, 2018. Extended date with late fee of Rs 500/- is October 15, 2018.

As the course is offered by a premier law education entity in the country, it attracts senior IT professionals, Lawyers, Administrators and Law Enforcement persons each year.

Persons interested may avail the opportunity.

Naavi


Data is the New Oil, Attempt to create Economic Colonies using Data Mining is a reality

I draw the attention of readers to an interesting article titled “American Data Miners are modern avatars of British East India Company”.

This article also has relevance to the lobbying that many International companies are presently attempting, to change some of the provisions of the PDPA 2018 (Proposed Personal Data Protection Act). Many vested interests have even been organizing seminars with the ulterior intention of mobilizing public opinion against the move of the Government, which only says “One Serving Copy of personal data collected from India should be held in India”.

It is however noted that there are many experts who are vocally opposing the moves of these companies, and we see heated debates in seminar halls and WhatsApp groups supporting the Government’s move.

Naavi.org considers that the provisions of PDPA 2018 have taken into consideration the views of the industry and accommodated the international players sufficiently. At the same time, they have tried to safeguard Indian interests, both from the national security perspective and from the need to give a boost to the Indian data storage ecosystem.

Just as the Y2K gave a boost to the Indian IT industry, the move of the Government has substantial economic significance and hence has to be pursued. It has the potential to create more data centers in India with associated activities including development of the professional work force with specialization in Data Protection.

Referring to the “East India Company” reference made in the article in mynation.com, we need to highlight that Naavi.org has several times in the past, during discussions on Copyright and IPR, indicated that the IPR regulatory regime is being used to create economic powers to ride over India. Now we see a similar attempt through the International Data Protection Regulations.

In our earlier article “Data Processors in India should avoid entering into unenforceable contracts which may be termed “Fraudulent”” we had highlighted how the “Standard Contractual Clauses” used in EU recommendations are an attempt to override Indian law. Sensing such attempts, we had recommended during the deliberations of the Srikrishna Committee that Indian Companies should be protected from international assault through data protection laws by creating an “Umbrella of Protection”, so that no penal action can be launched against Indian Companies under GDPR or similar laws except through the Indian Data Protection Authority. (Refer: “Data Protection Law in India… Three Big Ideas …. Data Trust, Jurisdictional Umbrella and Reciprocal Enforcement Rights“).

It is unfortunate that, as during the East India Company days, India has been exploited by foreign agencies through obliging locals who could be bribed by various means to support the long term exploitation goals of the foreign interests, ignoring the interests of the nation.

Even today, the same threat continues to haunt us and is also reflected in the commercial aspects related to data localization, or data protection in general.

Recognizing the need for Indian Data Protection Professionals to keep the interests of the nation at the top of their minds, the Foundation of Data Protection Professionals in India (FDPPI) has adopted as its objective the building of an empowered community of Data Protection Professionals who contribute to the development of a Secure Information Society in India, taking the national interests into consideration.

I hope the long term benefit of having an organization that focuses on Data Protection without neglecting the national interests will be appreciated by the community and will translate into active participation in the activities of the Foundation.

Naavi

Also refer:

India: The Debate – Data Localization And Its Efficacy

How localization of data will affect firms, consumers
