Is it the beginning of the Chinese domination of the Globe?.. Mr Modi to take note

It is known that China has made substantial progress in industry, which is threatening other countries including India and the US. Unfortunately, unlike Japan's, scientific progress in China is discomforting to the rest of the world, since China is not friendly with most countries and wants military domination over them. It is also too friendly with rogue nations like North Korea and Pakistan, which makes other countries nervous. It is for this reason that both the US and India are worried about Chinese domination on the trade front.

Reports are now emerging on the Internet that China has made outstanding progress in the field of Quantum Computing. On the face of it, this is a matter on which the Chinese scientists are to be congratulated. But seen in the context of the Chinese desire to dominate the world on the political front, the development appears ominous.

Quantum Computing is set to redefine the global economy, and whoever takes leadership in this sphere is likely to rule the world in future. Hence the recent developments reported here need to be taken note of by the scientific community in India, such as IISc, as well as by the intelligence agencies in the PMO and political pundits like Dr Subramanya Swamy.

The first report that came to my notice is the article “Chinese Scientists Set New Quantum Computing Record”.

The second report that comes to my notice is the article “China’s Quantum communication satellite achieves scientific goals”

Let’s briefly state in layman’s terms what these developments seem to indicate.

Quantum Computing differs from Classical Computing because of two properties of atomic and sub-atomic particles that have come to light under the domain of “Quantum Physics”. One is called “Superposition” and the other is called “Entanglement”. These properties make quantum computers vastly more powerful in terms of “Speed of Processing” for certain classes of problems, and give them a direct bearing on security: quantum algorithms can break some of the public key encryption systems in wide use today, while quantum communication offers new ways of building encryption systems.

Leadership in Quantum Computing is therefore a firm foothold for leading the globe economically, politically and militarily. Neither India nor the US nor Japan will be able to stand up to China if it establishes firm leadership in Quantum Computing.

I therefore request Mr Narendra Modi to take the lead in calling for a summit with the US and Japan solely on the aspect of Quantum Computing and its implications for global leadership, and to chart out a plan of action to ensure that China does not become a greater problem than what it already is for India today.

I will elaborate more on these developments within my limited understanding as a person who studied Quantum Physics when it was in its infancy and later turned to the field of Cyber Law and Cyber Security. I call upon other experts in Quantum Physics and Quantum Computing to put their heads together and deliberate on the concerns expressed in this series of articles.

PS: This is the first of a series of 3 articles which will be published here, and I request readers to read all three and give their comments.

Naavi


Links to all three parts:

1. Is it the beginning of the Chinese domination of the Globe?.. Mr Modi to take note

2. China Working on achieving Quantum Supremacy

3. China may be developing its own unbreakable encryption system through Quantum Computing

Posted in Cyber Law

Interpreting “Personal Data” and “Business Contact Data” under GDPR

Imagine you have constructed a house and let Mr X live there and use the address for the activities you have authorized him to carry out.

Does the house belong to you or Mr X?

When Mr X’s authorization to use the house ends, can he keep the house to himself? Can he ask you to demolish it? Can he take away the things in the house, both what he himself bought while he was in service and what you had given him for use, or what you and he created together?

This is precisely the status of a business e-mail address that an employer gives to its employee and which he uses for his employment-related communication: the “Business Contact Address”.

Now GDPR has a set of prescriptions that apply to Personal Information that is identifiable with a living person. It is interesting therefore to discuss if the “Business Contact Data” is “Personal Information” and is subject to GDPR compliance.

The discussion around GDPR uses certain terms a bit carelessly, creating confusion in interpretation. “PII, or Personally Identifiable Information” is one such term, which needs to be distinguished from “PI, or Personal Information”; GDPR’s own wording gives room to read the two as not much different, though they should be considered different.

There is no doubt that Business Contact data is “Personally Identifiable” and hence some interpret it as “Personal Information” to be subjected to the regulations.

But if we look at the basic objective of GDPR as defined in Article 1, it is clear that the regulation is meant to protect the personal data of an EU data subject, since this is considered important for the protection of the right to privacy.

But under Article 4(1), “Personal data” is defined as  “any information relating to an identified or identifiable natural person”.

If we read the basic objective of GDPR together with the example of the rented premises given above, it follows that GDPR should not treat Business Contact Data as “Personal Information”, since it is virtual property that belongs to the employer and not the employee. Being the property of a company, created and used for the company’s business, it does not make sense to treat Business Contact Data such as an employee’s e-mail address as Personal Data.

I hope this would be acceptable to a majority of the companies though some consultants may have  hesitation in accepting this interpretation.

Perhaps over time, this concept will get some clarity in the minds of the users and it would be accepted that Business Contact Data used by B2B business entities remain outside the GDPR.

Naavi

Posted in Cyber Law

Virtual Aadhaar ID: More breathing time for laggards

UIDAI announced the Virtual Aadhaar ID system in January and made it available from 1st March 2018, giving AUAs/KUAs time up to 1st June 2018 to tweak their systems. It then extended the time up to the end of June. (Refer: Is Private Sector ignoring Virtual Aadhaar ID?)

Now we understand that UIDAI has provided further breathing time to the user agencies which have so far made no attempt to introduce the new system. Under the UIDAI plan, the current e-KYC model, in which the e-KYC provider collects the Real Aadhaar ID (RID) and makes an API query that pulls all the demographic data attached to that ID into a form at the KUA’s end, will be restricted to the agencies designated as “Global AUAs”. Others will be allowed only “Limited KYC”.

The agencies who are presently AUAs and are not upgraded to Global AUAs would be called “Local AUAs” and would not be permitted to make queries based on RIDs. Instead, they need to implement a new API where a 16 digit input namely the “Virtual Aadhaar ID” (VID) would be taken from the Aadhaar user with or without biometric for KYC purpose. Before providing such a number, the user should have gone to the UIDAI website and generated this 16 digit VID by providing the RID and responding to the OTP.

For a Local AUA, UIDAI would resolve the VID against the CIDR at the back end and return a “Token number” for the authentication, which the Local AUA would store as its reference for the verification.

Implementing this required UIDAI to reclassify the registered AUAs, and the AUAs to implement the new API. The front end of every agency using Aadhaar had to be modified to accept the 16 digit VID instead of the 12 digit RID. (Refer: It is Y2K moment again in India, with Virtual Aadhaar ID).

However despite some prodding, no such change was visible in the industry. No warnings came forth from UIDAI and UIDAI did not even post noticeable warnings on its website.

Now, according to a TOI report which surfaced late last night, somebody in UIDAI has made a statement (not yet appearing among the press releases on the UIDAI website this morning) that the deadline for implementation of VID has been extended up to August 31st 2018. The report mentions a “Release”, so we can presume that UIDAI will post it on its website by tomorrow.

According to the report,

  1. Banks will be designated as Global AUAs but the telecom authorities and others including e-sign companies would be designated as Local AUAs.
  2. Time is provided upto August 31 for implementation. However from 1st July 2018, a charge of Rs 0.20 will be made on each authentication as a disincentive. This will be a provisional charge which may be waived if the migration is completed before August 1.
  3. If the VID system is not implemented by August 31, UIDAI will be free to terminate the AUA license or impose higher financial disincentives.

Let’s hope that, for whatever it is worth, the VID system will be in place after August 1, 2018. It will at least avoid further leakage of Aadhaar numbers along with the associated data from the user end, as has happened in the past.

UIDAI has also stated that there would be further improvements in the form of new authentication methods. The “Face Recognition” is also expected to be introduced by August 1, 2018 and could add more security to the system where Global AUAs undertake authentication based on RIDs.

The OTP insecurity will still remain but we need to think of alternatives to OTPs to overcome this problem.

Need for Awareness Creation

The CEO of UIDAI, Mr Ajay Bhushan Pandey, is quoted as stating that a number of AUAs have tested the new API in their usage environment, though no migration has happened. However this could just be a gracious statement meant to boost the morale of the AUAs, since it appeared that the industry just did not care and had no intention to adapt to the change. Most of them are perhaps waiting for the Supreme Court to scrap the Aadhaar system and hence do not want to make changes at this stage.

I recently had an encounter with a Bank and the officials had no clue of either the biometric lock system or the proposed VID system. If the Bank had sent a circular, perhaps they would have known. This vindicates our observation that even Banks have so far taken no steps to keep their employees aware of the changes that are occurring in the Aadhaar system.

There is a serious concern in some sections of the experts that the VID system will not be used by the users since it is too cumbersome for the less educated users.

The need for education of the masses on the use of Aadhaar is therefore indicated more than ever before since we need to not only tell people why Aadhaar authentication is used but also how to generate VIDs and keep changing the VIDs from time to time.

mAadhaar needs to be upgraded

I suppose the mAadhaar application should itself provide an option to generate a VID, which it has not done so far. Alternatively, mAadhaar download itself should be enabled on a VID basis, at least as an option. UIDAI has to show the way for others by implementing the 16 digit VID input option on mAadhaar immediately, along with a provision to change it. The resulting VID can then be shared by users with Local AUAs as and when necessary, without going to the web.

Technical Glitches to be corrected

In one of my recent encounters, I found that the UIDAI website could not complete biometric unlocking on the Chrome browser on my Android phone and I had to download the Mozilla mobile browser to complete it on the mobile at the Bank where the KYC was being done. The Bank’s system, which was rejecting the fingerprints, did not provide a proper error statement indicating that the error was because of the biometric lock, and it was only after repeated failures that I was able to figure out the cause and unlock it through the Mozilla browser.

These technical glitches need to be set right by UIDAI as otherwise there will be complaints on denial of basic rights of citizens due to denial of service at the Aadhaar end.

Looking forward to further developments and official information from UIDAI on the extension of time and the other issues mentioned above.

Naavi

Posted in Cyber Law

California Consumer Privacy Act of 2018 …to be effective from January 2020

After the EU GDPR followed by UK DPA and German DPA, we now have California Consumer Privacy Act of 2018 which has been passed to take effect from January 2020. (See the copy of the text here)

Under the new law, California consumers will have the right to:

— to know all the data collected by a business and be able to transfer it twice annually for free.

— to opt out of having their personal information sold (but companies will then be able to charge those consumers higher fees).

— to delete their data.

— to tell a business it can’t sell their data.

— to know why the data is being collected.

— to be informed of what categories of data will be collected before it’s collected and to be informed of any changes to that.

— to be told the categories of third parties with whom their data is shared and the categories of third parties from whom their data was acquired.

— to have businesses get permission before selling any information of children under the age of 16.

Remedies
According to the law,

Any consumer whose nonencrypted or nonredacted personal information is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following:

(A) To recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater.
(B) Injunctive or declaratory relief.
(C) Any other relief the court deems proper.
Exceptions

(a) The obligations imposed on businesses by this title shall not restrict a business’s ability to:

(1) Comply with federal, state, or local laws.
(2) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities.
(3) Cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law.
(4) Exercise or defend legal claims.
(5) Collect, use, retain, sell, or disclose consumer information that is deidentified or in the aggregate consumer information.
(6) Collect or sell a consumer’s personal information if every aspect of that commercial conduct takes place wholly outside of California.
For purposes of this title, commercial conduct takes place wholly outside of California if the business collected that information while the consumer was outside of California, no part of the sale of the consumer’s personal information occurred in California, and no personal information collected while the consumer was in California is sold.
This paragraph shall not permit a business from storing, including on a device, personal information about a consumer when the consumer is in California and then collecting that personal information when the consumer and stored personal information is outside of California.
(b) The obligations imposed on businesses  shall not apply
where compliance by the business with the title would violate an evidentiary privilege under California law and shall not prevent a business from providing the personal information of a consumer to a person covered by an evidentiary privilege under California law as part of a privileged communication.
(c) This act shall not apply to protected or health information that is collected by a covered entity governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56 of Division 1)) or governed by the privacy, security, and breach notification rules issued by the federal Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Availability Act of 1996. For purposes of this subdivision, the definition of “medical information” in Section 56.05 shall apply and the definitions of “protected health information” and “covered entity” from the federal privacy rule shall apply.
(d) This title shall not apply to the sale of personal information to or from a consumer reporting agency if that information is to be reported in, or used to generate, a consumer report as defined by subdivision (d) of Section 1681a of Title 15 of the United States Code, and use of that information is limited by the federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.).
(e) This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations, if it is in conflict with that law.
(f) This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the Driver’s Privacy Protection Act of 1994 (18 U.S.C. Sec. 2721 et seq.), if it is in conflict with that act.
The Act will be explored in greater details in due course through this column.
Naavi
Posted in Cyber Law

Is Private Sector ignoring Virtual Aadhaar ID ?


UIDAI Circular on Virtual Aadhaar ID

On 10th January 2018, UIDAI issued a circular outlining the details of its proposed Virtual Aadhaar ID system along with the introduction of the “Limited KYC” system that does not return the Aadhaar number and only provides an “agency specific” unique UID token to eliminate agencies storing Aadhaar number.

According to the system Aadhaar owners could go to UIDAI website and obtain a Virtual Aadhaar ID (VID) by providing the Real Aadhaar ID (RID) and responding to the OTP request. This would be a 16 digit random number which at the back end would be mapped to the real Aadhaar ID and its information. But this VID would be temporary and the user can use it once or for any limited time until he goes back to the UIDAI website and obtains a fresh VID. If the user wants to re-use the VID which he has earlier generated, he can “Retrieve” the VID.

The mobile number is of course the key to the security of the VID since the control is only through the OTP.

While we can debate the security of the OTP, there is also a concern that the real risk in Aadhaar usage is when the biometric is given for authentication. There is no doubt that OTP is less safe than biometric for authentication purpose but from the point of the user, loss of biometric is a permanent loss while loss of OTP is a temporary loss. Loss of money due to fraudulent use of OTP may perhaps be recovered but the loss of biometric would permanently disable a person from many other services where he can be impersonated with the stolen biometric. At this point of time, it is not clear if UIDAI has any security measures for loss of biometric but let us now stick to our discussion on the OTP based VID  system.

It was directed by UIDAI that all agencies using Aadhaar authentication and e-KYC services shall ensure that users can provide the 16 digit VID instead of the 12 digit real Aadhaar ID.

For the Limited KYC system, all AUAs were categorized into two categories namely “Global AUAs” and “Local AUAs”. Once the VID system was introduced, only Global AUAs would have access to e-KYC and all others would have access only to limited KYC.

Global AUAs alone will be eligible to access Real Aadhaar IDs, and Local AUAs will work only with VIDs. During the VID authentication process, UIDAI will return a unique number or “Token” which can be stored by the agency as its reference for the customer and his Aadhaar authentication. This token will be agency specific and will be the same for a given agency and a given Aadhaar number. It will be a 72 character alphanumeric string meant only for system usage.

Subsequent authentication would be allowed for the agency using the token, and hence, without storing the Real Aadhaar ID, the agency can store the token number and use it for authentication whenever required.

Only Global AUAs are allowed to securely store the Aadhaar number and may be subjected to greater information security oversight by UIDAI.
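The “Limited KYC” token mechanism described above, and in “Virtual Aadhaar ID: More breathing time for laggards” earlier on this page, is easier to reason about as a small simulation. The following Python is an added example written for this page; it is not UIDAI’s code or API. The Cidr class, the rule for generating a VID, the HMAC based token derivation, the sample Aadhaar number and the agency names are all hypothetical. Only the behaviour it mimics comes from the circular as summarised here: a 16 digit VID mapped at the back end to the Aadhaar number and replaced when the holder generates a new one, a 72 character agency specific token that stays the same for a given agency and Aadhaar number, Local AUAs limited to VIDs and tokens, and Global AUAs alone receiving e-KYC data.

```python
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass, field

AADHAAR_DIGITS = 12   # length of the real Aadhaar number
VID_DIGITS = 16       # length of the Virtual ID
TOKEN_CHARS = 72      # token length stated in the circular; the derivation below is an assumption


class AuthError(Exception):
    """Raised when the simulated CIDR refuses a request."""


@dataclass
class Cidr:
    """Hypothetical stand-in for the CIDR back end (not UIDAI's design)."""
    token_key: bytes                                 # server-side secret, never leaves the CIDR
    people: dict = field(default_factory=dict)       # Aadhaar number -> demographic record
    vids: dict = field(default_factory=dict)         # active VID -> Aadhaar number
    current_vid: dict = field(default_factory=dict)  # Aadhaar number -> its active VID
    global_auas: set = field(default_factory=set)    # agencies allowed to submit the Aadhaar number

    def enrol(self, aadhaar: str, record: dict) -> None:
        self.people[aadhaar] = record

    def generate_vid(self, aadhaar: str, otp_verified: bool) -> str:
        """Mint a fresh 16-digit VID after OTP; the holder's previous VID stops working."""
        if not otp_verified:
            raise AuthError("OTP check failed")
        if aadhaar not in self.people:
            raise AuthError("unknown Aadhaar number")
        old = self.current_vid.pop(aadhaar, None)
        if old is not None:
            del self.vids[old]
        while True:
            # first digit non-zero (assumption) so the VID always has 16 significant digits
            vid = secrets.choice("23456789") + "".join(
                secrets.choice(string.digits) for _ in range(VID_DIGITS - 1))
            if vid not in self.vids:
                break
        self.vids[vid] = aadhaar
        self.current_vid[aadhaar] = vid
        return vid

    def _token(self, agency: str, aadhaar: str) -> str:
        """Agency-specific token: stable for (agency, Aadhaar number), unlinkable across agencies.
        HMAC-SHA512 truncated to 72 hex characters is an assumption; only the length is from the circular."""
        mac = hmac.new(self.token_key, f"{agency}|{aadhaar}".encode(), hashlib.sha512)
        return mac.hexdigest()[:TOKEN_CHARS]

    def authenticate(self, agency: str, identifier: str, factor_verified: bool) -> dict:
        """Resolve a 12-digit Aadhaar number or 16-digit VID and answer per the agency's class."""
        if not factor_verified:
            raise AuthError("OTP/biometric check failed")
        is_global = agency in self.global_auas
        if len(identifier) == VID_DIGITS and identifier.isdigit():
            aadhaar = self.vids.get(identifier)
            if aadhaar is None:
                raise AuthError("VID is not active (rotated or never issued)")
        elif len(identifier) == AADHAAR_DIGITS and identifier.isdigit():
            if not is_global:
                raise AuthError("Local AUA may submit only a VID, not the Aadhaar number")
            if identifier not in self.people:
                raise AuthError("unknown Aadhaar number")
            aadhaar = identifier
        else:
            raise AuthError("identifier must be a 12-digit Aadhaar number or a 16-digit VID")
        response = {"token": self._token(agency, aadhaar)}   # Limited KYC: token only
        if is_global:
            response["ekyc"] = dict(self.people[aadhaar])    # e-KYC: demographic data as well
        return response


def run_demo() -> dict:
    """Walk one holder through VID rotation and both AUA classes; all sample data is constructed."""
    cidr = Cidr(token_key=b"constructed-server-secret")
    cidr.global_auas.add("BANK-A")          # a bank: Global AUA
    rid = "234567890123"                     # constructed sample Aadhaar number, not a real one
    cidr.enrol(rid, {"name": "Sample Person", "dob": "1980-01-01"})

    vid1 = cidr.generate_vid(rid, otp_verified=True)
    telco1 = cidr.authenticate("TELCO-X", vid1, factor_verified=True)   # Local AUA, Limited KYC
    bank = cidr.authenticate("BANK-A", rid, factor_verified=True)       # Global AUA, e-KYC
    vid2 = cidr.generate_vid(rid, otp_verified=True)                    # holder rotates the VID
    telco2 = cidr.authenticate("TELCO-X", vid2, factor_verified=True)

    def blocked(agency: str, ident: str) -> bool:
        try:
            cidr.authenticate(agency, ident, factor_verified=True)
        except AuthError:
            return True
        return False

    return {
        "vid1": vid1, "vid2": vid2,
        "telco_response": telco1, "bank_response": bank,
        "rid_blocked_for_local": blocked("TELCO-X", rid),
        "old_vid_blocked": blocked("TELCO-X", vid1),
        "token_stable_after_rotation": telco1["token"] == telco2["token"],
        "tokens_differ_across_agencies": telco1["token"] != bank["token"],
    }
```

Running run_demo() shows the two properties that matter for leakage: the telco’s token does not change when the holder rotates the VID, so the agency can still recognise a returning customer, but the bank’s and the telco’s tokens for the same person differ, and the telco cannot submit the 12 digit number at all. Because the token is an HMAC under a key that never leaves the CIDR, a breach at a Local AUA exposes tokens but not Aadhaar numbers, which is the point of the scheme; the OTP step that gates VID generation remains the weak link the posts above discuss.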

In this circular, it was stated that the new system would come into force from 1st June 2018. However, subsequent reports on the UIDAI website (RBI instructs Banks to tweak their systems by June 30; UIDAI extends deadline to deploy virtual ID system) indicate that the deadline for implementation was extended by one month, and this expires on June 30, 2018.

It would therefore be compulsory for all Aadhaar User agencies to be ready to use the VID system by 1st July 2018. It is reasonable to expect that UIDAI may stop authentication of Real Aadhaar IDs for “Local AUAs” from 1st July 2018.

To an independent observer like the undersigned, it appears that the private sector is not keen on introducing the system any time in the next few days or weeks, probably because they do not think UIDAI is serious in its efforts. Even Banks may not be ready and may ignore the RBI directions in this regard by giving some excuse or other.

UIDAI has also not yet updated list of Global AUAs nor given any public information on what is the criteria under which the existing AUAs will be reclassified. It can be presumed that all existing AUAs will be considered as Local AUAs unless they are reclassified as Global AUAs for which they may have to enter into a fresh contract with UIDAI.

At present it is not clear if UIDAI has moved in the direction of this documentation for re-classification. Also it is not clear if Banks are ready for the new system by 1st July 2018. Hence we need to wait and see if UIDAI will again extend the deadline or show some seriousness in the introduction of the scheme.

It may be reiterated that if UIDAI does not show seriousness in implementing the new system, Government’s case in Supreme Court to retain Aadhaar linking to vital services would become weaker.

Unless UIDAI itself wants to sabotage Mr Modi’s drive against black money and benami property, UIDAI should force user agencies to switch over to the VID system promptly by 1st of July 2018 or within a short term extension of say another 7 days.

Will UIDAI clarify?

Naavi

Related Articles:

Three days to go for mandatory use of Virtual Aadhaar ID… Who is ready?

How Aadhaar security reaches a new dimension with Virtual Aadhaar ID

It is Y2K moment again in India, with Virtual Aadhaar ID

Aadhaar Authentication: How To Use Virtual ID (VID)

Virtual ID is Aadhaar 2.0, It Can be Changed Any Number of Times: UIDAI Chairman

Aadhaar Virtual ID “Unworkable”, Will Oppose Tooth-And-Nail: Petitioners

There’s no consensus over Aadhaar number or 16-digit virtual ID

Old Articles of naavi

Reasonable Security Practices For UID Project..in India..A Draft for Debate

The Unique ID Project.. What should be Unique?

The National ID Card Challenge for Nandan Nilekani.. Part I

The National ID Card Challenge for Nandan Nilekani.. Part II

Posted in Cyber Law

Three days to go for mandatory use of Virtual Aadhaar ID… Who is ready?

In January this year, UIDAI had announced the introduction of the “Virtual Aadhaar ID” scheme to increase the security of the Aadhaar usage eco system.

The introduction stumped the anti-Aadhaar lobby, who were roaring before the Supreme Court when the hearing against Aadhaar’s linking to Bank accounts commenced. In our articles “It is Y2K moment again in India, with Virtual Aadhaar ID” and “How Aadhaar security reaches a new dimension with Virtual Aadhaar ID” we had highlighted the expected features of the system and why it was a master stroke by UIDAI which frustrated all the arguments against Aadhaar security mounted under “Privacy” considerations.

Now the Aadhaar hearing is over but the judgement is reserved. Also the Indian Privacy/Data Protection Act is yet to be finalized.

The UIDAI move of using the Virtual ID as the means of authentication, whereby the Aadhaar user needs to reveal only the Virtual ID to a service provider for KYC and not the original Aadhaar ID, ensured that there could be no leakage of Aadhaar linked information from the user side. At best the demographic data attached to a Virtual ID could be leaked. But since the Aadhaar user can change the Virtual ID at any time, the demographic data linked to a Virtual Aadhaar ID is delinked from the real Aadhaar ID.

UIDAI had in its January circular indicated that service providers should make arrangements for incorporating the 16 digit Virtual Aadhaar ID in place of the 12 digit real Aadhaar ID whenever a service request for authentication is sent by them to the CIDR. This was supposed to be tried out between March and June. UIDAI promptly started issuing Virtual Aadhaar IDs on its website.

The trial period for testing the Virtual Aadhaar ID is coming to an end on June 30, 2018 and according to the UIDAI’s original announcement, they should stop authentication on the basis of real Aadhaar Ids from 1st July 2018.

However, if we look around, I have not yet come across a single user institution that has implemented the acceptance of the Virtual Aadhaar ID instead of the real Aadhaar ID. When I broached this subject amongst many experts in a recent seminar and also checked with one of the Banks, I found that many of the experts were also unaware of the Virtual Aadhaar system and completely blind to the possibility that Aadhaar KYC can come to a grinding halt from 1st July 2018 if they are not ready with the changed authentication API.

It is unfortunate that UIDAI also has not made any efforts to remind the public or the service providers that from 1st July 2018, the AUA/KUAs and their sub agents should be asking only the Virtual Aadhaar ID from the public and not the real Aadhaar ID.

UIDAI has not even put up a prominent “What’s New” or a blurb on “Virtual Aadhaar ID” on its website. It is an effort to search for the link if anybody is interested.

As a result of this complete apathy shown by UIDAI, it is doubtful if any of the users are actually ready to switch over from the current 12 digit data field of the real Aadhaar ID to the 16 digit data field of the Virtual Aadhaar ID.

Even if in the next two days some can push in the new API into their websites and mobile Apps, it is not clear if they would have done enough testing to avoid glitches in the authentication.

We need to watch out how UIDAI reacts to the industry completely ignoring its fiat. Will it take it lying down? or extend the time and try to push the users  until they introduce the new system?

It appears that UIDAI has no alternative but to extend the date of mandatory implementation of the Virtual ID system. But if they do not show seriousness, the Supreme Court may consider that the system is only an eyewash and UIDAI is not serious. At least for this sake, UIDAI in the next 24 hours should come up with a warning that the authentication system may stop accepting the real Aadhaar ID from 1st July 2018.

As a via media, UIDAI may extend the time by charging a penal fees for the service user organizations (not the public) for every authentication based on real ID after 1st July 2018.

Looking forward to a response from UIDAI.

Naavi

Also view: moneycontrol.com

Posted in Cyber Law