Corporate Governance and GDPR risk

Posted on January 30, 2018 by Vijayashankar Na

As the D-day  for GDPR (25th May 2018) approaches, many of the Indian companies are busy with their preparation for implementing GDPR in their processing activities. At the same time, there is also a question in the minds of most of the Indian companies about how the GDPR provisions would be made applicable to them by the respective EU authorities and whether the EU authorities are likely to pass any orders against the Indian company any time  in the future and impose liabilities.

GDPR essentially is a Data Protection law and has a penalty clause that if there is non compliance there could be a penalty which we all know is huge. But being a law of the EU it does not have direct enforcement jurisdiction on Indian Companies.

Article 3 of GDPR has created extra territorial jurisdiction as follows.

GDPR is applicable  “regardless of whether the processing takes place in the Union or Not” 

1. Provided the “processing activity” is related to the offering of goods or services to data subjects in the Union

2.Provided the “processing activity” is related to the monitoring of their behaviour as far as the behaviour takes place within the Union

This is similar to the ITA 2000/8 which also has an extra territorial jurisdiction (Section 75 of ITA 2000/8) and many other Cyber crime laws across the world. This provision provides a legal long arm jurisdiction but it is not feasible for EU authorities to extend enforcement jurisdiction or conduct direct audits of Indian Companies unless the Indian entity is a part of a EU Company.

However, the EU based Data Controllers will in their contracts with the Indian Data Processors have “implementation of Privacy and Security provisions as per GDPR” as a necessary condition and also have an “Indemnity Clause” to make the Indian company liable for “Any loss that may arise due to any act attributable to the Indian Company that may result in either a penalty imposed by GDPR or any other Judicial authorities”.

Hence more than the direct impact of the GDPR on Indian processors, it is the contractual liabilities that the Data Controller imposes on the Data Processor that will determine the liability of the Indian processor .

If there is a possibility of any liability arising on the Indian Company, there is a need for the Board of Directors to make an assessment and disclose the risks that may arise in the next Financial year 2018-2019.

GDPR also mandates a Data Protection Impact Assessment (DPIA) which is an obligation of the Data Controller. If there has been a DPIA conducted by the Data Controller, the Data Processor will be presumed to be aware of the DPIA. Hence the management needs to take note of the DPIA results and admit knowledge of the risk associated with the processing.

From the point of view of an Indian Data Processing company therefore, the moment they accept a contract which has a GDPR stake, then the liability risk attached to it needs to be assessed and value assigned. The Company also needs to undertake Risk mitigation measures determine how much of risk has to be absorbed after mitigation, avoidance and insurance.

So far, Indian companies have never made an assessment of financial risks that may arise on account of legal risks.  If this was so, Companies would have estimated the risks even for non compliance of ITA 20008 and made adequate disclosures and provisions. In the case of GDPR however, the risks are high and is documented through the DPAI process. Hence  the potential liability cannot be swept under the carpet.

Whether the Absorbed risk is small or even zero, it would be obligatory from the point of view of Corporate Governance that Indian companies disclose their “GDPR Risk Liability” in their share holder disclosures from the immediate next financial year.

We need to wait and see whether these companies will be compliant to this requirement or not.

Naavi

Posted in Cyber Law | Tagged , , , | Leave a comment

How Aadhaar security reaches a new dimension with Virtual Aadhaar ID

Posted on January 29, 2018 by Vijayashankar Na

Aadhaar has been the center of Privacy debate for quite some time in India and has even attracted international attention. Amidst the criticisms that Aadhaar system is not properly secured and therefore it may lead to loss of privacy of the citizens, Supreme Court took up a petition on whether Aadhaar infringes Indian Constitution and should be discontinued. Initially, the Aadhaar baiters scored a victory as Supreme Court under the previous CJI hurriedly constituted a 9 member bench and passed a judgement stating “Aadhaar is a Fundamental Right”. It appeared as if the judgement was a tool given to the smaller bench which was hearing the Aadhaar constitutionality issue to scrap Aadhaar.

However things have changed in the last few weeks. First the new CJI shuffled the bench and case allocation rules so that politician advocates who wanted to get the Aadhaar case heard by a bench of their choice were frustrated in their design.

The case is now being heard in a more neutral bench than what the politicians intended.

At the same time, UIDAI came up with its own master stroke introducing the “Virtual Aadhaar ID ID (VAID) proposition which has changed the scenario of security in such a manner that one of the key argument against Aadhaar that it leads to breach of privacy has been put to rest.

Naavi had been suggesting for a long time that the principle of “Regulated Anonymity” should be applied to secure Aadhaar and actually hoped that this would be a good commercial business proposition to be used by an enterprising private business entity. Now Aadhaar by introducing the system of VAID has come up with its own version of “Pseudonomization”   which would perhaps take the Privacy protection up by several notches.

The VAID system is expected to be in operation by March 2018 on trial basis and mandatorily by June 2018 unless some extension is given. Once the system comes into use, all KYC agencies will have to be prepared to use the VAID which may be a 12 digit randomly generated number which is mapped to the real Aadhar ID of an individual for all their KYC enquiries.

In other words, the KYC authority will not receive the real Aadhaar ID  for its KYC purpose but receive only a randomly generated, changeable VAID number. This may perhaps be forced  by UIDAI by mandating that the AUA/KUAs donot shall stop using the real Aadhaar ID for any KYC queries.

As for the users, they will have the option of generating a VAID against their real Aadhaar ID and ascribe it a date of expiry or designate a specific one time purpose. Such number would meet the requirement of SIM card verification or even Bank account verification.

How Virtual ID secures the system

The exact architecture that UIDAI may use for the purpose is not known and need not be made public. However, it may consider the following features.

(P.S: This diagram is only an illustrative representation of a suggested architecture. This is not what UIDAI may implement)

The first change could be that access to CIDR will be only through an internal system and access by AUA/KUA would be stopped at an intermediary server.

Public will access a Virtual ID generator (S-1) service as and when they want. They will provide the real Aadhaar ID to this server and obtain a Virtual ID. This ID will be randomly generated and will have an expiry tag and stored in another system. S-1 will then deposit the information to S-2 where a map of Real Aadhaar ID and Virtual Aadhaar ID is maintained and updated with a history of VAIDs associated with a given Real Aadhaar ID.

When a user requires a service, he will provide only his VAID to the AUA/KUA who will send their request to another exclusive server of UIDAI where the request will be processed (S-3). This server will push a request to S-2 which will re-identify the VAID and forward the KYC request to CIDR,(Central Identities Data Repository).  CIDR will push the required information back to S-3 for onward transmission to the AUA/KUA.

In this structure, S-2 which holds the map of the real Aadhaar ID with the Virtual Aadhaar ID will be accessed only by internal servers one accessible to Aadhaar users and the other accessible to the AUA/KUAs.

S-1 will only generate VAID and does not store any data after the process is over. CIDR is accessible only from S-2. S-2 will not hold any data other than the mapping of the real ID and Virtual ID. S-3 will allow passing through of  Virtual ID and the KYC information but will never access the real ID.

S-1 and S-3 will be only transaction servers and need not store any data except in transit. Firewalls will manage the access to different servers and ensure that Aadhaar demographic or Biometric data is not accessed by any outsiders except through queries passed through S-2.

How Biometric Security Can be fortified

Presently, the Aadhaar has a record of 10 finger prints and iris scan for biometric identity purpose. To this multiple face parameters may get added with the new addition of the Face recognition feature. Face recognition in intended to be used as an alternative biometric in cases where finger print recognition fail so that false rejections can be reduced.

Additionally, we can consider that one or more Face parameters would be an add on to the many biometric identification parameters (10 finger prints+Iris scan). Totally therefore there may be around 11 plus biometric parameters which can be used for authentication.

Considering the possibility that as of now some biometric data might have been compromised, or biometric devices may be manipulated for a store and replay attack, UIDAI may consider a “Double/Multiple biometric authentication” on an “Adaptive Authentication Principle”.

Under this system, biometric of one finger is first obtained. When this is successful, the server may randomly chose another biometric feature to be provided with or without mobile OTP as well. With such a system there would be simultaneously three parameters that are verified for authentication and the second authentication would be a random variable and provide a defense against most of the normal attacks.

Assuming that UIDAI has other security features already installed for preventing the store and replay attack, the addition of a random additional biometric parameter based authentication will fortify the current system and make an enormous improvement in the system.

Since it is possible to get the biometric device ID and its location as a transaction input, the adaptive authentication can be configured with the known behavioural pattern of the user as is done in credit card transactions.

One issue that needs to be tackled in the suggested system is the latency of the transaction and connectivity. But this is a challenge that can be handled and should be handled in the interest of security.

(P.S: I presume that the current team of UIDAI consists of more accomplished information security experts than the author and hence what is discussed above may be steps which are already in place. They are however discussed here to inform  public  that security of aadhaar is feasible.)

Naavi

 

Posted in Cyber Law | Tagged , , | 3 Comments

We need to build a “Bridge of Trust” between UIDAI and Security specialists

Posted on January 28, 2018 by Vijayashankar Na

In the on-going petition in Supreme Court, Aadhaar faces a tough battle against multiple opponents.

The background under which the Aadhaar case has come up for hearing itself suggests that there are some undercurrents of opposition to Aadhaar even within the judiciary. The recent attack by a few Judges on the CJI citing “Threat to Democracy” also looked like having it’s roots in the Aadhaar controversy.

The main reason why Aadhaar is being opposed by a section of the society, is that the way it is being implemented by the Modi Government is choking the people who want to hold black money in benami bank accounts and properties and this is considered an existential threat for them. Such Black money holders are there in all walks of life.

Black Money out of Tax Evasion

There are professionals like doctors and others who have made money from their hard work but has for reasons of their own not accounted it for taxation purpose and therefore accumulated benami wealth. Many businessmen also accumulate black money from their hard work because they have not paid taxes properly. They all have a logic that taxation system is badly structured, it is a disincentive for honest hard work. Politicians applying most of the tax collections for bribing the voters for the next election makes it worse since citizens have no respect for tax and tax avoidance is considered not as bad as other crimes.

If tax compliance is to be ensured Government must lower the incidence of direct income tax or better abolish it all together though the communists will cry on the obsolete principle of “Taxing the Rich”.  Consumption Tax is the best form of taxation and Income Tax at least on individuals can be done away with.

Black Money out of Corruption

On the other hand there are another kind of Black money wealth owners who have accumulated their wealth out of corruption. This includes  corrupt individuals in different walks of life including bureaucrats and Politicians. Compared to the black money owners who have earned honestly but accumulated black money through tax evasion, the corrupt set of people actually generate black money and they should be treated with an iron hand.

Unfortunately our tax system does not distinguish between these two categories of black money holders.

Now, the proposal to link Aadhaar with the Bank accounts and other properties hurt both these categories of black money owners equally and both of them are now up against the Aadhaar.

Current Aadhaar Debate

The current debate in the Supreme Court is on the grounds that Aadhaar violates the Indian Constitution and creates a “Police State”.

The Anti Aadhaar lobby is on a fishing expedition to  find reasons to hold Aadhaar as “Anti Constitutional”. One route they are trying is to say that “Aadhaar violates Privacy” which the Supreme Court has recently held as a “Fundamental Right”. In fact the Puttaswamy judgement is the foundation under which the present Aadhaar trial is being conducted and there is a view that the Puttaswamy judgement was preparatory to scrapping of Aadhaar by the current bench. One explanation for the revolt of the 4 judges is that the CJI frustrated the conspiracy to scrap Aadhaar by changing the bench composition. This allegation cannot be dismissed easily since political parties, Anti Government Advocates and Modi haters were prominently associated with the revolting judges.

Aadhaar Security Critics

While this group of Anti Aadhaar advocates are motivated only by a desire to prevent Aadhaar being used to fight Black money, there are another set of Aadhaar critics who have been unhappy with the security aspects of Aadhaar. This lobby has been criticising Aadhaar because the lack of security could lead to security risks for the users including loss of money in the Banking transactions and loss of identity of biometric is compromised. It is this lobby which opposed the UIDAI contracts being given out to foreign agencies, UIDAI using a foreign Digital Certifying Agency to secure its server etc.  Part of this Security lobby also is concerned with the black money money fight both for or against it.

Some of the security arguments that have been held out by professionals like the undersigned to criticize Aadhaar has been now used by the Pro Black Money lobby to justify their arguments demanding scrapping of Aadhaar.

Just like the undersigned, there are many security professionals who are against Black Money but have been critical of Aadhaar from the security perspective. Some of them have been peeved by the arrogance of the UIDAI authorities in not listening to the security warnings and some times even initiating legal action against ethical reporters of security vulnerabilities. On the one hand UIDAI has been soft on agencies like Airtel who have misused the system and also those who were caught storing bio-metrics and reusing them, they went hard against other non malicious technology specialists who ignorantly violated law out of their “Technology Intoxication”. As a result today there are many security professionals who are in favour of the Government in its black money initiative but are angry against UIDAI authorities and are silently enjoying its predicament.

It is only a few of these people which includes the undersigned who have decided to keep our security differences aside for the time being and join hands for the cause of removing black money and corruption with the efficient use of Aadhaar.

Creating a Bridge of Trust

Unfortunately, UIDAI has no channel of communication with such supporters of Aadhaar. Had UIDAI introduced a “Bug Bounty” program as we had suggested some time back, a lot of security professionals who are critics today would have been friendly and come up with many useful suggestions. Today there is complete lack of trust between security professionals and UIDAI and they are not ready to share their security thoughts with UIDAI. Some of them are afraid that if they admit that they have found vulnerabilities, UIDAI may hoist cases against them and some of them are themselves as egoistic if not more than UIDAI and would not volunteer their suggestions.

The need of the hour for UIDAI is therefore to construct a bridge of trust between itself and the security specialists so that there is a flow of positive security ideas from the good intentioned critics to UIDAI.

Recently Justice B N Srikrishna conducted a series of public consultation programs through out India to gather public opinion on the proposed Data Protection Act. During these discussions he had to face lot of brickbats only because of Aadhaar. There were many citizens and security professionals who were commenting on the Data Protection law citing  Aadhaar related issues. It was heartening to note how Justice Srikrishna was humble and patient in listening to all critics and trying to take the essence of the suggestions made out during the interactions. He was not only able to extract valuable suggestions but also create a bridge of trust with the public that he is doing his best to come up with reasonable suggestions for the drafting of the complicated data protection law which people expect to protect “Privacy” which no body is willing to define.

UIDAI must take a leaf out of Justice Srikrishna and learn some PR lessons of how to bridge a friendly relationship with the community.

In this direction I suggest that Aadhaar authorities need to hold open house discussions in different cities of India on a regular basis and listen to the criticisms and suggestions from the community of academicians and security professionals. At the same time, they should open up a channel of communication with the public to hear out their grievances and suggest amicable resolution. This public interaction could be through the web and include a Bug Bounty program as well so that whistle blowers who have valid suggestions.

In the recent days, I have found many respectable security professionals express a view in private discussions that “Let the Government suffer, they will learn a lesson” and recommending that no vulnerability should be reported and Government will learn the lesson when hackers exploit them.

I feel that this indicates a dangerous turn of events when honest persons turn away from their duties to the nation to report vulnerabilities to the Government.

Today’s news report that  a hacker’s group in Kerala has generated a valuable counter terrorism cyber operation in which they have identified a number of “Sleeping Terrorist Cells” promoting terrorism in India. It is also reported that when these hackers (ethical hackers) tried to draw the attention of the security agencies, they did not get the response that they anticipated.

This is a very sad state of affairs where honest citizens who want to help the Government are left to feel that they are unwanted by the authorities.

This feeling is not new and most of us have experienced it in the past. Some journalists often complain about the Lutyen’s lobby operating in Delhi and often acting against the interests of the country. There is a similar lobby of Security experts in Delhi who are close to the decision makers in the current Government also who ensure that Government is not provided the right kind of advise on security matters.

Mr Modi needs to ensure that this “Lutyen’s Lobby of Cyber Security” is recognized and disbanded and in its place encourage development of a voluntary group of  “All India Cyber Security Advisory committee” whose suggestions reach the right ears in the Government. I suppose the Government would be intelligent to distinguish “Vested Interests” from “national Interests” and ensure that the right flow of valid Cyber security suggestions reach the Government.

This “All India Cyber Security Advisory Committee” which can operate as a virtual committee should be part of the Cyber Security Infrastructure of the Government. One off shoot of this suggestion that can be tried in this direction is for UIDAI to invite suggestions from the public on how to secure Aadhaar both through a virtual committee as well as through open houses.

Time is now ripe since UIDAI is now considering revamping the system with the introduction of

a) Virtual Aadhaar ID

b) Use of face recognition

as additional parameters of use. Both have important security implications and any system which is introduced now should be made as robust as possible. We consider that presently most of the Aadhaar data base has already been compromised and there is no way the compromise can be rectified. However, if some thing can be salvaged it is necessary that we use the two new parameters of Virtual ID and Face recognition in such a manner that at least in future compromises does not happen.

I am sure that UIDAI would not like to discuss the security issues in the public and it is not recommended also. But there is no problem in inviting suggestions from the public and use as much of it as possible so that the system would be secure.

It is for this reason that the “Bridge of Trust” has to be built between UIDAI and the information security community.

Will UIDAI authorities come down from their pedestal, take a cue from Justice Srikrishna and start talking to their critics?

Naavi

Posted in Cyber Law | Tagged , , | 1 Comment

Supreme Court has to hear the voice of Aadhaar supporters also

Posted on January 25, 2018 by Vijayashankar Na

It is reported that a group of Private Companies have indicated their desire to implead themselves in the Aadhaar suit in the Supreme Court and the Supreme Court is yet to approve their request.

Article in Economic times

According to the report, the petition has been filed by the Digital Lenders Association of India (DLAI), which includes startups such as CapitalFloat and Lenoding-Kart, is also backed by others such as early-stage investment firm Khosla Labs, bike-sharing startup Yulu Bikes, Transaction Analysts, which provides authentication services, and Handy Online Services which provides background verification of blue-collar workers.

It is clear that Aadhaar case is a fight between those who think Aadhaar is beneficial to the society and those who think it is a violation of their right to remain anonymous in financial and other transactions.

In this fight the honest citizens of the country have as much right as those who are opposing Aadhaar either for political reasons or for their vested interests of keeping their black wealth from being identified.

Supreme Court cannot ignore the voice of those who support Aadhaar and there is no reason that they should delay the acceptance of the impleading suit from non Government companies or individuals.

I hope the Supreme Court will see reason and act in a fair and equitable manner.

Naavi

Posted in Cyber Law | Leave a comment

Aadhaar case is a fight between honest citizens of India and the Benami property and Black Money owners

Posted on January 24, 2018 by Vijayashankar Na

In the case of Justice Loya’s death due to heart attack, many senior advocates like Mr Dushyant Dave and Indira Jaisingh as well as politicians like Mr Rahul Gandhi are complaining that an enquiry needs to be ordered under the supervision of the Supreme Court. Common Citizens perceive that there is a political conspiracy in this complaint so that they can then hold their gun at the head of Mr Amit Shah and say that he is a suspect and therefore should not be MP etc.

Similarly the Aadhaar case is another case before the Supreme Court where there appears to be a conspiracy to some how derail the intention of the Government to use Aadhaar identity to prevent Black Money Transactions and benami Property holdings. It is very clear to common citizens that the intense opposition to Aadhaar linking to financial information is because it will make it difficult for Black Money holders to keep Benami Bank accounts and Properties.

To sustain their argument, people are complaining that “Aadhaar infringes the fundamental right of Privacy”, “Aadhaar creates a Sureveillance State” etc.

There is no doubt that the Privacy Judgement under the Puttaswamy judgement was expected to help the Anti Aadhaar lobby and hence there was a fight within the Judiciary to fix the bench. Now that the CJI has not allowed it to happen, the politicians are trying to impeach the CJI himself.

All these developments confirm my doubt that there is a serious conspiracy behind this “Aadhaar is un-constitutional” petition led by the Black Money supporters and this is a fight between the honest citizen of India and the Benami property holders. The Privacy arguments are only a cover for ensuring that the Benami property and Black Money owners can enjoy their ill gotten wealth as they were used to in the pre-Modi days.

There was a strange argument presented today as indicated in an affidavit now in the public domain.

According to the afidavit,

1.the  project poses a constitutionally impermissible danger to citizens’ basic civil liberties including their privacy”.

2. “this project is highly imprudent, as it throws open the clear possibility of compromising basic privacy by facilitating real-time and non-real-time surveillance of UID holders by the UID authority and other actors that may gain access to the authentication records held with the said authority or authentication data traffic as the case may be.”

3. it is quite easy to know the location and type of transaction every time such authentication takes place using a scanner for fingerprints or iris and the records of these in the UID / “Aadhaar” database.

4.  it is not dissimilar to knowing the place from where a person made a call using his / her mobile phone. Just as the mobile phone connects to a tower from where the phone signals are sent to other towers and the servers of the mobile phone companies, biometric scanners also have SIMs and IP Addresses to locate the place from the transaction took place and its nature. Any administrator of the UIDAI server or any employee or other person with access
to transaction data, with a little help from the servers (Authentication User Agents and Authentication Server Agents, as they are called in UIDAI literature), through which authentication request is sent to the UIDAI, will be able to track the transaction and the person carrying out the same.

5. that UIDAI recommends that each point of service device i.e. the device from which an authentication request emanates, register itself with the UIDAI and acquire for itself a unique device id, which shall then be passed to the UIDAI along with the request for every authentication transaction. I state herein that the said method of uniquely identifying every device and being able to map every authentication transaction to be emanating from a unique registered device, further makes the task of tracking down the exact location and place from which an authentication request emanates easier.

6. a centralized database has the problem that once hacked all data can be lost. Specifically, consider if the Army personnel use this as an authentication mechanism before getting their salaries. The location from which they authenticate can be found as it will be done via a scanner which has an IP address / is on a mobile internet. From the tower to which the scanner connects via its SIM card, its location can be found. This data will be available in the
logs of the Aadhaar system. Any compromise of the Aadhaar system means that the hackers can know the exact location of each army personnel of the country at the time when they take their salary. This can be a big risk to national security, and this is just one example as to why it is, in my opinion, imprudent to use such a system.

I am sorry to say that the above arguments are contrived and cannot be considered as valid arguments to oppose Aadhaar.

My doubts arise from the following.

  1. “Privacy” is a loosely used fig leaf to cover the need for “Secrecy” by the anti-Aadhaar lobby. Just as we say “Your freedom to extend arms ends at the tip if the nose of the neighbor”, the “Right to Privacy” of one person ends with the “Right to Security” of the other person. Though the Supreme Court says that Right to Privacy is a “Fundamental Right”, it can only be a right with a lower priority to “Right to Security”.

If Security is not available to a nation, it cannot sustain democracy and protect the Right to Privacy where it is required. Aadhaar is only an identity that holds certain information of the citizens so that the State can know who its citizens are and whether they pose any threat to the security of the nation. (which includes prevention of looting of public money with duplicate employment records or ration card records). National security is therefore paramount and even the “Right of Privacy” has to voluntarily yield to the “Right to Security”.

It is therefore wrong to call Aadhaar as posing a “Constitutionally impermissible danger” to citizens”. As a citizen of India I abhor those who hide their identity and hold benami properties, black money, Bitcoins etc. The Supreme Court has to uphold my “Right to Know exercised through the Government” as much as the “Right to remain secret” which others want the Court to protect.

It would be a challenge for the Supreme Court to demonstrate if it is with the honest citizens of India or it sides with the dishonest citizens of India under some technicalities of protecting the Right to Privacy.

2. The charge that “Other actors” may gain access to the authentication records or data traffic to facilitate “Surveillance” is a speculation. In fact this is true of any activity of a Citizen. If some body is reading this article on the web, it is possible for the ISP to track the activity along with the location from which the person is accessing the web. What is special therefore to blame Aadhaar except to mislead the Court because the petitioner may think the Judge does not know technology so that any claim even if false can be pressed.

3.  If the records of the  finger print scanners can be accessed, it is possible to trace the location of the transaction is no rocket science.

4. As the petitioner himself agrees, this is not dissimilar to the Tower data of a mobile call which if properly analyzed, can trace a person within say 3-5 meters. This does not require Aadhaar at all.

Google earth can have a high resolution image which can identify a person moving around on the street from far above the sky. A person with a google glass can scan the credentials of a passer by instantly. An RFID scanner can scan your credit card even when it is inside your pocket.

While all these are acceptable to the Anti Aadhaar lobby, Aadhaar alone seems to be unacceptable because it is the Modi Government which can take the data if it wants.

This is a purely political opposition to the current Government and not based on any logical consideration. If one is concerned about privacy, we need to stop using mobile and live in a cocoon.

Why do such persons want any benefits of being a Citizen?. Let them not have a Bank account. Let them not have ration cards. Let them live as a hermit lives.

It is dishonest of these persons to ask for all the privileges of being a citizen of India including being protected from a terrorist attack or a Cyber crime attack but they themselves should be out of gaze of any law enforcement authority.

Supreme Court should recognize the inherent dishonesty of these anti-Aadhaar lobby and call the bluff.

5. The registration of the Access devices involved in Aadhaar authentication is a critical security requirement and I donot know how security specialists can oppose this feature. In fact, I am of the opinion that these devices should be made in India by an authority like BEL which manufactures EVMs and made as a tamper proof hardware that will self destruct if any attempt to tamper them is made.  Registration per-se is not some thing that can be objected to.

The petitioner repeatedly qualifies that the security can be compromised with “little help” from insiders. Yes every system can be compromised if an insider provides the “little help”.  What we need is to design the security systems with the knowledge of this possibility.

6. The reference to the army personnel being at risk because he draws his salary with aadhaar authentication is funny. Will the enemy target a specific soldier who is in the administrative office drawing salary?. If he has to be tracked, is it not better to intercept the radio messages or personal mobiles than looking for Aadhaar data?

Overall the petition and the affidavit to my mind appear a weak attempt to mislead the Supreme Court. If we follow the questions made by the judges during the proceedings, it appears that they are more aware than what the petitioners think about the ulterior motive of Aadhaar baiters and would not fall for their tricks.

The above argument does not mean that we are not advocating better security for Aadhaar. Yes better security is required. There has to be checks and balances for preventing misuse. But the security specialists are not helping the Government to fortify the security and at the same time UIDAI is not able to win over a large part of security professionals so that they provide positive suggestions.

There could be many reasons why security professionals are not on the side of UIDAI and we have highlighted it several times in this site. But now it is like war time.

All good intentioned citizens need to fight the anti-Aadhaar lobby which is trying to get Aadhaar being rendered impotent. We can forget the arrogance of UIDAI and defeat the nefarious designs of the Black Market community of India. We can then continue to argue with UIDAI about how the security can be improved.

Naavi

 

Posted in Cyber Law | Tagged , , , | Leave a comment

Aadhaar must be preserved with safeguards…. The root cause for Privacy breach is elsewhere

Posted on January 23, 2018 by Vijayashankar Na

An interesting debate is happening in the Supreme Court on whether “Aadhaar is Constitutional” and whether it should be scrapped. We are informed that the Anti Aadhaar advocates have started putting through their view points to convince the Court that Aadhaar is a violation of “Privacy” and it creates a “Surveillance State” and hence it should be scrapped.

I donot see the same commitment of these advocates when it comes to issues like banning Crypto Coins but on Aadhaar they feel that a great injustice is being done to the Indian citizens.

The essence of the anti Aadhaar arguments can be two fold.

First objection to Aadhaar could be that it is being linked to many activities and becoming a universal ID and therefore it will enable creation of a “Surveillance State”.

The second objection to Aadhaar is that the UIDAI has failed to secure the system and hence the system poses a Cyber Crime risk.

The two aspects may have some common link since “Lack of Security” leads to “Leakage of Information relevant for Privacy”.

But the objection so far presented is not because of the security risks but mostly on the ground that it enables the Modi Government to exercise a tight control on information flow particularly related to the financial activities of an individual. So far Black money owners had a field day in having “Benami” holdings of assets and the proposal to link Bank accounts and PAN to Aadhaar as a first step and now to link immovable properties to Aadhaar has really sent shivers down the spine of all the Benamis in India. The opposition to Aadhaar today is vocal because this population of Benamis of India is huge and encompasses politicians, bureaucrats and businessmen.

It is precisely for this reason, I support Aadhaar at present though I have serious reservations on the security aspects of Aadhaar. I believe that security aspects can be addressed if UIDAI is humble enough to admit the security challenges and seek help from appropriate experts, which UIDAI is at present avoiding.

The opposition to Aadhaar from the angle of the recent Supreme Court judgement in which Privacy is held as a “Fundamental Right” is not sustainable if properly countered. Mr Shyam Divan who presented the initial arguments seem to have heavily relied upon this angle and quoted extensively from the Justice Puttaswamy judgement to impress the bench.

We must remember that the Justice Puttaswamy judgement was a one page judgement and just held Privacy as a fundamental Right. It also contained hundreds of pages of reminiscences which did not form part of the order and hence has little value in defining how Aadhaar hurts the Privacy Right of an Indian citizen.

The essence of the Puttaswamy judgment was that “Privacy” cannot be defined and therefore there cannot be a direction on protecting Privacy. However, “Information Privacy” is one aspect of Privacy which can be protected and the Government should work on this.

“Information Privacy Protection” is nothing different from “Data Protection” related to “Personally identifiable information” and more particularly some of the “personally identifiable information” which can be classified as “Sensitive”.

Aadhaar system collects and stores “Individually identifiable Personal Information” and it also collects “Biometrics” which is a sensitive personal information. Aadhaar however does not collect and retain information which is “Health related”, Finance Related” or information related to sexual orientation, racial view points etc. Even before  Aadhaar, Banks have been collecting personal information and generating sensitive personal information. Similarly, health care operators have been collecting sensitive health information and storing them. The Privacy concerns can therefore be expressed even if Aadhaar link is not there to such information.

The only reason why Aadhaar is being discussed is that instead of blaming the Bank account number Privacy for data leakage in Banks and some other IDs for other data leakages, we have a new whipping boy called Aadhaar which is now a common factor for all data breach possibilities.

There is no doubt that convergence of risks do occur when multiple types of data are linked to one central identity parameter like Aadhaar. But it is important to note that leakages occur not because there is a link between the sensitive data and a common number but because the data managers fail to de-identify the data or secure the access to data while in their custody.  If the access to data in Banks or Hospitals can be secured and properly de-identified (or pseudonomized), then even if data is leaked, it will be “Information not identifiable with a living individual” and therefore becomes “Non Sensitive and Non Personal”.

If therefore the security of Aadhaar usage at the intermediary usage points is fortified, then Aadhaar per-se does not pose threat to Privacy of individuals. It is for this reason that the recent measures introduced/suggested by UIDAI to use “Virtual Aadhaar IDs” and to “Fortify the finger prints with a face identity parameter” assumes importance. If these measures are properly implemented, one can argue that the “Privacy Risk arising from the Aadhaar data base” becomes minimal.

The real risk areas are the network links through which the authorized aadhaar users (AUA/KUA agents) access the CIDR and the use of Aadhaar in the AEPS (Aadhaar enabled payment systems), besides the stored data at the user end. Currently, ITA 2000/8 considers these intermediaries as liable for any loss to the citizens arising out of their lack of due diligence or lack of reasonable security practice. This will continue and needs to be made more robust in implementation so that any member of public who loses his data due to the negligence of the Aadhaar intermediaries would be adequately compensated.

The grievance redressal mechanism under ITA 2000/8 will be improved upon when the new data protection act becomes effective and this has to be taken into account by the Supreme Court now.

Blaming Aadhaar system for the negligence of  Aadhaar User agencies which leaks out Aadhaar number of different persons is not fair.

We can blame UIDAI for not having adequate monitoring mechanism to make these intermediaries implement strong security measures and push them for better implementation of security along with deterrance which should be effective. We can also question them for not suspending defaulters for a long time and impose heavy fines, (all of which will be now possible through the new Data protection Act).

But we cannot jump to the conclusion that Aadhaar must be scrapped because of the risks of data leakage.

Some time back the honourable Supreme Court made a huge mistake in scrapping Section 66A of ITA instead of reading down the section and removing the deemed conflict with the “Freedom of Expression”. They should not repeat the same mistake now and end up scrapping Aadhaar.

Scrapping of Section 66A of ITA 2000/8 gave a “License to Defame” and diluted the Act for offences such as Cyber Stalking, Spam, Cyber Extortion, Phishing etc. The Court in a bid to dish out a populist judgement ignored the beneficial aspects of Section 66A.

Similarly, the beneficial aspects of Aadhaar needs to be kept in mind by the Court now before being tempted to give out another populist judgement. If Aadhaar is scrapped, there will no doubt a huge sensation created in the country and the opposition political parties would rejoice. It would also make the judges well known. But it would also immediately assist all Benamis who want to hide their financial transactions from being monitored by the State.

What the Court needs to focus is in asking questions on what checks and balances are planned by the Government to prevent misuse of Aadhaar infrastructure. So far no body seems to have urged the Government in this direction nor this has been a point of debate in the Aadhaar discussions amongst NGOs and other Privacy Activists.

I invite the Privacy activists therefore to start suggesting the infrastructure required to prevent misuse of Aadhaar and in the event of misuse providing proper grievance redressal to the Citizens as also the checks and balances to punish those Government officials who may misuse the system for harassing honest citizens rather than pursue the sole objective of getting Aadhaar scrapped.

If Supreme Court proceeds to take another Sec 66A kind of populist decision, then we will be removing an effective instrument of Governance, defeating the fight against Black money and corruption.

Supreme Court may not be responsible for Governance and hence it may not be their problem if Black Money in India grows and Benamis thrive.

But the progeny may blame the Court for missing an opportunity to drive India on a path to a good economic future and blame them that under the cover of providing Privacy Protection, they provided a Cover of secrecy for criminals to exploit.

Naavi

Posted in Cyber Law | Tagged , , , | Leave a comment