Naavi.org

This move on Amazon and Flipkart is a regressive taxation policy and Anti Consumer

Posted on January 22, 2018 by Vijayashankar Na

A report in Economic Times today suggests that the IT Department of Bangalore has issued a notice to the E Commerce players Amazon and Flipkart that the customer discounts given by them should be considered as “Capital Expenditure” and not a revenue expenditure.

The move is highly disappointing and will affect Consumer interests adversely besides hitting on Start ups and innovation.

It is a common accounting practice to consider some expenditure as “Revenue Expenditure” and some as “Capital Expenditure” based on the accountant’s perspective of the period in which the benefit would accrue to an entity.

Accounting is always done on a “Going Concern Basis” where it is expected that any expenditure made today is an investment for the long term benefit of the company as an ongoing business. In a “Gone Concern” approach, expenditure is written off immediately since the company is not expected to survive over the long run. Even as a “Going Concern”, certain expenditure particularly of small value is always written off as a revenue expenditure.

In most other expenditure, it is the discretion of the accountant to consider whether the expenditure should be recognized immediately or deferred.

Similarly even an income may be recognized immediately or deferred. Conservative accountancy recognizes expenditures ahead of time and spreads out the income over a longer period.

Deferment of income reduces the current profit in the P&L account while deferment of expenditure increases the current profit.

Taxation authorities are not concerned about the survival of business in the long run and try to maximize their revenue collection by squeezing out as much tax as possible from an entity. In the process, they often “kill the Goose that lays Golden eggs.”. History of many business failures in India can be traced to such irrational action by the taxation authorities in the past.

While certain assesses escape tax liability when they should not, many innocent and honest businesses often end up paying tax when there is no income. (P.S: This is not related directly to either Flipkart of Amazon but is quoted only as a general observation).

The E Commerce Companies are now caught in this battle between the Taxation official’s need to maximize the tax collections and the needs of business to grow.

By asking the E Commerce companies to treat the “Customer Discounts” as a “Capital Expenditure”, the tax authorities are forcing the companies to reduce their write offs during the current year and spread it over 4-10 years. This will increase the profits for the current year and increased tax liabilities.

As a result, the E Commerce companies may reduce the discounts and this will increase the prices to the detriment of the consumers.

The “Discounts” are real reduction of cash profits of the E Commerce companies and not merely a matter of “Discretion”. Hence, the current move is a move to disallow cash expenses and collect tax on profits which are not there.

The argument that the “Discounts” build “Brand” is untenable since the value addition to the “Brand” is only notional and does not convert into revenue unless the business is valued on a “Gone Concern” basis.

In the “Going Concern” basis, the “Brand Value” is only a means of raising capital in the form of equity at higher levels from investors or for better negotiation during mergers and acquisitions.

If “Notional Brand Value” is taxed, then every other expenditure including salaries paid, advertisements etc can also be deferred and current profits inflated.

If the decision to defer is taken by the management to increase the current profits and declare it in their balance sheets, it would be appropriate for the tax authorities to collect tax. But Tax authorities should not become “Accountants” who determine whether an expenditure has to be written off in one year or in 10 years. This is a gross abuse of the powers available to the tax authorities.

By increasing the immediate profit for taxation purpose and penalizing the companies, the cash availability in business will be reduced and this will hurt many start ups and make their business unviable.

We need to remember that E Commerce is not like the old brick and mortar business where there is land and building which keep appreciating over a period though valued only at costs and keep adding secret reserves to the companies. The E Commerce business lasts only for a few years and hence it is not possible to write off expenditure over a long period. Most companies donot exist for 10 years since the business model would become redundant within 3 to 5 years.

The society has migrated in social values and replaced “life long marriage” commitments with “marriage until divorce” concept. Similarly, business has also re-defined its principles from building an “Institution” to “Creating innovative idea houses”. These idea houses do spend as much as possible now to acquire customers and make hay while the sun shines.

Government anyway earns indirect taxes by way of all the E Commerce sales and the GST ensures that all transactions are accounted and taxed. Hence the Government should not be mean in looking at direct taxation to further squeeze the industry.

There is no doubt a pressure from Offline traders that E Commerce players are providing unreasonable discounts. These offline traders often conduct part of their business in cash and evade on the taxes. But the E Commerce players account every transactions since not only the sales but also the payments are all made through digital means and Government will get full revenue on the sales without any tax evasion.

Of course, because E Commerce cannot generate black money, they cannot also pay black money to get their liabilities reduced during assessments or bribe the politicians to get favourable policy formulations.

In the “Congress Culture” which Mr Modi wants to get rid off, the policy is to assist more dishonesty in the system because that generates money to the politicians. We suppose that the present Government wants a “Congress Mukta Bharath”. If that is so, the current move on the E Commerce players is considered regressive.

I request Mr ArunJaitely to look into the matter and set the priorities right.

Naavi

Posted in Cyber Law | Tagged amazon, congress mukt bharath, e commerce, flipkart, tax | Leave a comment

Misleading Article in Times of India on Mobile Pictures and CCTV footage as Evidence

Posted on January 20, 2018 by Vijayashankar Na

Today, there was a misleading article published in Times of India titled “Mobile pics, videos may be allowed as evidence”. By implication it meant that so far it is not accepted as evidence.

The article says that there is a proposal to amend Indian Evidence Act or Criminal Procedure code to enable Video Recording, CCTV Footages and images captured through Cellular phones as evidence as if the current provisions donot have such a provision.

I hope there is no ignorant Government official who would believe this and jump to get an amendment done.

The article was credited to one Mr Rohn Dual, quotes a UP Police officer and a criminal lawyer Mr Tanvir Mir.

From the body of the article it appears that the lawyer has given the correct opinion that such evidence is acceptable under Section 65B of Indian Evidence Act. But in his bid to make the headline attractive, an ignorant journalist and/or a sub editor has implied that currently such video evidence is not acceptable and a change of law is required to make it acceptable. Apart from the ignorance of the journalist, I am surprised that a UP Police officer who is quoted also may not have the proper appreciation of the current provisions unless he has been misquoted.

This could be a mischievous article planted by some body who wants such an impression to be gobbled up by some ignorant Judge.

It is therefore necessary to strongly refute the article and provide a clarification so that no Court is mislead into thinking that mobile data or CCTV footage is not currently acceptable as evidence.

It is sad that people write such articles without understanding that Information Technology Act 2000 was drafted as applicable to “Electronic Documents” in general and not with reference to any hardware called “Computer” so that it could be excluded for another device called “Mobile”.

It is possible that there could be some misunderstanding about mobile documents as to who should certify.

Without going into another detailed discussion, I would like to briefly state as follows:

1.Section 65B of Indian Evidence Act recognizes that a “Computer Output” as described in the section may be presented as “Also a document” representing the “Original” and is admissible as evidence without the production of the “Original” provided the certificate as required under the section is produced.

2. The “Computer Output” can be a print out or another soft copy.

3. The “Original” is the “first recording” of the “String of zeros and ones” which together constitute “evidence” which is sought to be produced as a statement under Section 17 of Indian Evidence Act and as per the special provision of Section 65A.

4. The “Original” “string of zeros and ones” does not have any meaning to a human being unless they are processed through a computing device which consists of an application riding on a software platform which itself runs on a hardware running on a “BIOS” like embedded software. The string of zeros and ones have meaning only to such a compatible computer system and not to a human being directly.

5. In view of this dependency of the “Original” on the computer systems before it is experienced as a Text” or “Audio” or a “Video” by a human being, Section 65B envisages that some human being should take the responsibility for first “Viewing” the “Original String of zeros and ones” and put it in a form in which the Judge can admit it as evidence. That certificate has to say that a certain process was used to view/experience the electronic data and that is the essence of Section 65B.

6. Current provisions of Section 65B is therefore essential and cannot be diluted. Mobile data whether it is an SMS or audio or video, can be therefore presented with an appropriate Sec 65B certificate.

7. The Certificate under Section 65B refers to the generation of the “Computer Output” and not to the generation of the “Original stream of zeros and ones” which constitute the “Original electronic record”.

8. It is not necessary for the mobile operator such as Jio or Airtel or Vodofone or Idea to provide the certificate. Any other contractually capable person who understands how to convert the electronic document residing inside the mobile (earlier referred to as the string of zeros and ones) to a print out or another softcopy can provide the certified copy.

9. If the person providing the certificate is a “Trusted Third Party”, it is better. But this is not a pre-condition. But the credibility and reliability of the Certifier is an important consideration for the Court to admit the evidence without further confirmation from another expert on which the Court has confidence.

10. Section 65B is for “Admissibility” of the document and it does not bar the defense to question the “Genuinity” of the evidence. Genuinity of the “Original” is whether such a document ever came into being or not in the first place. The Section 65B certification is simply that the document as is present in electronic form in its original state is now available in the form of a certified Computer output.

CCTV footages

The above clarifications also apply for CCTV footages.

In the CCTV, there is a continuous stream of video which is stored in the form of a media file. Just as a hard disk contains thousands of documents of which one or two is picked up as relevant evidence, in the CCTV footage also only relevant portions can be picked up and presented as separate electronic documents.

The defence however may question the “selection” from the point of view of whether it was meant to suppress information or mislead as to the meaning of the entire evidence. For example, in a recording of CCTV footage in say a shop where 100 customers have transacted, picking up the portion indicating the 45th customer walking in , transacting and going out and excluding everything else in the evidentiary copy is acceptable. But within a conversation which consists of 10 sentences, picking some sentences and deleting the rest should be avoided.

If however there is a conversation for 1 hour and some body would like to present only 5 minutes of the same, it can be admitted with the proviso that the defence may demand the presentation of the entire conversation and allege that some thing contrary to what is presented happened earlier or subsequently.

CCTV owners must remember that as soon as they come to know that a particular piece of information captured is a “Potential Evidence”, whatever is reasonably suspected to be associated with it such as the immediate earlier and immediate later recording with reference to an incident should be considered as plausible evidence and the entire stream/s should be securely archived. If they are deleted with the knowledge that they are “evidence” then the CCTV owner may be liable to be charged with Section 65 of ITA 2000/8 or other IPC.204.

If any of the readers have any further doubt as to the above, I request them to contact me for further clarification.

Naavi

Posted in Cyber Law | Tagged 65B, CCTV, mobile, Times of India | 1 Comment

Section 65B and its relation to the Theory of Soul and Body, rebirth and past life memory

Posted on January 19, 2018 by Vijayashankar Na

I recently received a query about whether there is any case law which supports my view that even when a original memory card or CD is presented to the Court, a section 65B certificate is required.

I would like to elaborate on this query and submit my views.

Case Law and its limitations in an emerging area of technology

I understand that most practicing advocates consider that “Law Becomes a Law only when a Judge says so”. Hence the arguments in most cases except when it reaches the higher courts, is always on the case laws and not on interpretation of the law.

The Judicial interpretations are important in assigning meaning to the words contained in the written law but it can always be re-interpreted. A lower court’s interpretation can be re-interpreted by a higher court and a smaller bench interpretation can be re-interpreted by a larger bench.

Hence when we base our legal view only on the strength of some case law, we are on a temporary time period when a particular judgement is considered as a precedent.

True Experts on the other hand will/should ignore interpretations based solely on case law and will/should always argue with a fundamental interpretation with relation to the legislative intent and what is necessary to meet the objectives of the legislation.

Yes, this would be an “opinion” of a ” Deemed Expert” who may be not anybody who is “Certified by any government or judicial authority” or by passing an “Examination” in a University. But nevertheless, it cannot be ignored as our experience in the past under Sec 65B interpretation has proved.

It takes years for the Courts at higher levels to consider a legal issue, mull it over under different circumstances and contexts, hearing arguments of all hue and description and arrive at a near consensus view on a matter of legal interpretation of a law text, when it can be considered as a “Case Law”. In the meantime we should not curb our creative interpretation of the law and fail to challenge the decisions of the Court even if it comes from the highest Court.

In the domain of Information Technology Act 2000 as amended to the current date, which includes the Section 65B of Indian Evidence Act , I have always followed this principle that we need to dig up the truth from the current law until it is changed and all of us including the Courts at the highest level are in the process of understanding the law and interpreting them.

Some may consider it as not respecting the tradition where the arguments of practicing advocates start and end with

” In so and so vs so and so, the honourable Supreme Court said so and so and there rests my case, my lord”.

Fortunately, not being a practicing advocate gives me the creative freedom to think differently and let the Judges accept my view if they can hear me out fully and with an open mind. No disrespect is meant here for any judicial authority nor any arrogance is intended.

It is a belief that “God sees the Truth but waits”.

I consider that Cyber Jurisprudence in Information Technology Law and Section 65B is still developing and hence what I say is an input which needs to be considered as a “School of Thought”. I may differ in certain respects with other seemingly logical views of other practicing advocates more vocal than me and more active in the Judicial Academies or Legal seminars. But I would not budge from my considered view.

My Considered view in respect of

“whether a Section 65B certification is required for an electronic document when a original memory card or hard disk is presented before the Court”

is an emphatic yes.

In such cases, the Court has to invite a person of its choice and ask him to view the electronic document and produce a Section 65B copy for the Court to appreciate.

Indian Philosophy shows us the way

The key to appreciate the above point is that an “Electronic Document that is a piece of evidence is not the memory card per se but the stream of binary data, the zeros and ones that are some where inside the memory card in the form of electric charge positive or negative”.

The memory card is the container or a box that contains the zeros and ones that when viewed in a special looking glass called a computer with appropriate hardware and software, provides some human experience such as a text, a sound or a video.

The process of conversion of the stream of zeros and ones which is the “Original” evidence into a readable document or a hearable sound or a viewable video is dependent on a hardware-software combination such as a card reader, computer, operating system, monitor, speaker, audio processor, video processor, besides the header information that precedes the binary representation of the evidentiary content.

Only when all these function properly in tandem the stream of zeros and ones become a humanly appreciable electronic document which the Judge considers as “Evidence”.

Therefore, while the original evidence such as a memory card can be presented as a physical artefact that is an “evidence” and also admitted as an artefact, the question of who will view the binary content contained there in and say that it contains a letter written by X to Y or a photograph or an audio etc., remains to be sorted out.

If the Judge himself views the electronic document which is dependent on the system used, software used etc, then he becomes the person responsible under Section 65B to state that the computer which rendered the binary stream contained in the memory card rendered in a particular manner and will do so in future also in similar circumstances.

We can then say that the onus of providing the Section 65B certificate shifts from the person producing the memory card to the Court itself.

The fact that an electronic document residing in Yahoo Group server could be accepted as evidence based on a certificate produced locally by a private person like me was established in the Suhas Katti case in 2004 itself. There was no need for the “hard disk of yahoo group” to be produced in the Court. I suppose this is a universally accepted fact as of now that where there is a Section 65B certificate of a computer output, there is no need for the production of the original electronic document.

In the Basheer case one part that I did not agree with was a reference to the CD in which the offending speech or song was contained as a “Original”. This term has to be correctly defined.

The terminology that should have been used here was the “First Container of the stream of electronic data elements that constitute the evidence in question” instead of the “Original CD”.

We should refrain from confusing between the “Stream of zeros and ones” which are “Binary impulses recorded for future reference and interpretation” in some form, and the container in which these are held together for the time being.

Imagine the situation where a laser computer screen is created in front of your eyes in free space where you see the information that you normally see on a computer monitor. The words are now floating in the air and there is no surface on which they seem to reside. But no such surface actually exists. This clearly establishes the fact that “binary stream” can exist and actually does exist independent of the “Container”.

Another easy way to understand this is in the concept of the “Soul” and the “Body” in Indian philosophy. Does soul exist independent of the body?.. Indian philosophy agrees that Soul exists independent of the body and that when a person dies, the soul leaves the body and ultimately finds another body in which its past life memories are in tact and if there is a right environment, the erased and reformatted memory of the soul in the past life can be rendered in the new body. (Hypnotic age regression). The soul perhaps exists in this transitory state until it merges itself with the “Paramatma” which we call “Attaining Moksha” in some forms of philosophy.

Without going deeper into philosophy, we should conclude that

a) “Electronic Document means a stream of binary data arranged in such a manner that under appropriate rendition of the stream through a computer device, it produces the human experience of a readable document or an audio or a video.”

b) A memory card or a hard disk is a device which holds the stream of binary data and makes it available to be used as a hardware which becomes part of the larger computer system that renders the human experience of a stream of binary data.

In an earlier article, I have referred to the Trisha Defamation Case in Chennai AMM Court where I was invited by the Magistrate in a similar circumstance when the CD was already in his hands and there was no need for an external party to certify it in ordinary prudence.

I appreciate the vision of the magistrate D. Arul Raj who correctly interpreted the law that he should not take the responsibility of writing in the judgement,

“I viewed the contents of the CD which contained so and so information… which contravenes such and such law…etc”.

He decided that he requires a third party to certify it and provide him a Section 65B certificate. In this case, I was the person called upon to do so.

Unfortunately This did not go into a judgement (as I understand) since the complainant later withdrew the complaint.

In my opinion, Cyber Jurisprudence does develop not only from the Judgements, but also from the views that emanate from the experts.

Remember that after Afsan Guru judgement in 2005, many were quoting that I was not correct in maintaining that Section 65B certificate was mandatory for admissibility. But it took 9 more years of erroneous reading of the law to be upturned by the Basheer judgement in 2014.

In between I continued to hold my view and also argued with experts particularly in the National Police Academy who were listening to me on the one hand and also looking at the Afsan Guru judgement and spotted the discrepancy. Most other experts had not even observed this discrepancy and hence not raised the issue in any forum for a larger debate until the Basheer judgement reflected what I was saying all along.

Similarly, any of the views that I have expressed here may not be today the popular view or a view that is necessarily supported by a judgement. But I am confident that judgements will eventually follow what I have stated here.

May be there will be occasions when I will revise my view or the law itself may change. But presently my view is that

“Even when the original binary stream is presented in the container to the Court, the container has to be opened and the binary stream has to be interpreted with the assistance of hardware and software and hence it is necessary for the Judge to take the assistance of a Section 65B Certifier reliable to it. Such a certifier can be a Section 79A certified agency if available or other persons on whom the Court reposes confidence.”

Naavi

Posted in Cyber Law | Tagged 65B, afsan Guru, basheer, body, memory, naavi, rebirth past life, soul, theory | Leave a comment

Uphold the “Right to Know” against “Right to Privacy” in the new Data Protection Law

Posted on January 17, 2018 by Vijayashankar Na

As we enter the final stages of public consultation on the drafting of the new Data Protection Act of India following the release of the White Paper by the Justice Srikrishna Committee, one aspect of the law that needs attention is the “Right to Know” of an individual which often conflicts with the” Right to Privacy” of another individual.

Right To Know is a different concept

“Right to Know” is a concept that GDPR also has ignored and there is an opportunity for India to introduce this concept into the discussions of Privacy.

Let me explain with an example why this concept is different from other known concepts including “Right to Information”.

When some body calls us on a phone, the first question we would like to know is “Who is calling?”. If the other person says, sorry, I value my privacy and would not like to reveal my identity or I would like to talk under a pseudonomous name, the question arises as to whether this is a valid Privacy argument or not.

Similarly, when I receive an e-mail from some body who says he is Jignesh420@gmail.com, I have the right to know whether he is really somebody I know or not. I donot trust the display name since I know that Google does not do a KYC before allocating the user name. I therefore donot know if the e-mail is a “Spam”, is an attempt to “Impersonate” or is an attempt to commit a fraud on me. If I want to know more about the person, I need to know his IP address.

However, Google in its misdirected concept of Privacy hides the IP address with a proxy address from Google which cannot be deciphered without the intervention of law and takes too much of time and effort and often bribing of the law enforcement personnel just to send a notice to Gmail administration.

I therefore ask a question to the law makers,

Do I not have a right to know the true IP address of the person who has sent me an e-mail?

If Privacy activists want the IP address to be hidden in the email while it is in transit, I demand that Google should introduce a procedure by which every recipient of an e-mail should be able to raise a one click query to know the IP address from which an E-Mail has been sent to him and Google should automatically provide the information.

Similarly, any ISP should also provide the last mile resolution of the IP address to any person who can prove that he has been in receipt of a communication from such IP address.

This is what I consider as the “Right to Know” and it extends to the Facebook and Twitter accounts as well as social media such as the Whats App.

If “Right to Know” is upheld as a Right of an individual, it does not conflict with the right to privacy of an individual except that such right stops at the door steps of the rights of the receiver of a communication. On the other hand it provides a new right to the recipient of an electronic communication just like the “Right to Speech” co-exists with the Right of Privacy in law.

This “Right to Know the IP address” extends to other instances such as

a) Right to Know the identity of a Domain Name Registrant

b) Right to know the identity of the owner of a Telephone number or Mobile Number from which the recipient has received at least one call or is reasonably suspected to have been used for the commission of an offence.

…. and may be for other instances as well to be defined just like the multiple parameters we may use for classifying “Sensitive Personal Information” under the law.

Aadhaar has recently introduced a link on its site to provide information on Aadhaar usage history of a person which is a great measure towards transparency. But the information provided is on the basis of a transaction code that cannot make any sense to the Aadhaar user. It has to provide the name of the entity that made the query either directly on the website itself or through a link for which there can be a second OTP authentication. This falls under the “Right to Know”.

The procedure for extracting the information in the above cases must be simple and nothing more than

a) Identification of the person who is making the request with something like the digital signature or Aadhaar

b) Statement of the suspected contravention of law or proof of being a recipient of an attempted communication

c) A commitment not to misuse the information for any purpose other than the stated purpose with an undertaking to be liable for consequences of misuse

I request Justice Srikrishna Committee to consider this suggestion and incorporate it into its recommendations.

(Comments Invited)

Naavi

Posted in Cyber Law | Tagged data protection, naavi, privacy, right to know, srikrishna | 3 Comments

Is Aadhaar controversy behind the Judicial uprising?

Posted on January 16, 2018 by Vijayashankar Na

The 4 judges who held an unprecedented press conference which many agreed has tarnished the image of Judiciary in India stated that their “Irreconcilable disagreement with the CJI” was based on the allocation of cases to different benches which was arbitrary and overlooked the “Seniority” of the judges. Since the judges have appealed to the nation to “Protect Democracy”, I as a citizen need to make out some points.

The Justice Loya death case appears to be the most disturbing case as far as the advocates such as Indira Jaisingh and Dushyant Dave are concerned and since Justice Gogoi seems to agree, we can accept that the four judges want this case to be heard before them and not under some other “Junior” judge.

It is another issue why these judges want this case only before them and donot trust the other judge. One interpretation of this is that by admitting the case, they could have embarrassed Mr Amit Shah to say that there is potentially a “Murder” charge being investigated by the Court which could consider him as a “Suspect” and when the CJI frustrated this plan, they lost their cool and held the press conference.

Additionally, it appears that the other most sensitive case now before the Supreme Court is the Aadhaar case where the “Constitutional Validity” of the system is in question. The intention of the Supreme Court was some what evident when during an earlier hearing, the Government brought an argument that “Privacy is not a fundamental right”, it jumped to constitute a 9 member bench under the previous CJI Justice Kehar and quickly brought out a 547 page judgement for a single line order “Privacy is a fundamental right under article 21 of the Indian constitution”. This defeated the argument of the Government and strengthened the argument for scrapping aadhaar. if done, the opposition can use it for embarrassing the Government much more than the GST issue.

Besides the opposition wanted to preserve their “Benami” properties which Modi was threatening to identify by making it mandatory to link property registration with Aadhaar. I feel this was more critical than the Justice Loya’s case.

The opposition felt that if the bench hearing Aadhaar can be managed by pliable jduges, they could get Aadhaar scrapped and it would be the biggest coup before 2019 elections.
Unfortunately, it appears that Justice Dipak Mishra is again frustrating them by denying an opportunity for these judges to be on the bench which can scrap Aadhaar. CJI perhaps feels that these judges may have a conflict of interest with their relationship with Mr D Raja, Mrs Indira Jaisingh, Mr Dushyant Dave etc., as regards the Aadhaar case and hence cannot be on the bench hearing any case in which there would be a strong anti-Government sentiment.

We must appreciate the vision of the CJI in this regard.

If these judges with conflict are not involved in the Aadhaar case, it would be better since the case can be decided purely on merits and not on preconceived notions of the senior judges.

Aadhaar is therefore the key to what appears to be an unprecedented move of the 4 senior judges to take on the CJI to the extent that media already started talking of his possible impeachment. They are now disappointed that the coup attempt has failed at least for the time being.

In one of the online surveys 69% respondents held them wrong and in a way “Impeached them in public perception”. This is the people’s verdict they wanted during the press conference and they should respect it.

I anticipate that out of the four at least one of them may decide to resign to uphold the principles that he wanted to demonstrate by the uprising to protect democracy. Will it be Mr Chelameshwar? or some body else?… we need to wait and observe.

Naavi

Posted in Cyber Law | Tagged Aadhaar, chelameshwar, naavi, supreme court | Leave a comment

Aadhaar Adds another security layer to frustrate “Benami” s.

Posted on January 15, 2018 by Vijayashankar Na

It appears that UIDAI is in race with the Supreme Court to ensure that the Court does not take any decision to question the use of Aadhaar as it is presently planned.

Aadhar has evoked a mixed response from the public. All those who consider that we need to root out corruption are happy with the Government linking Aadhaar as a unique ID to many of the services which involves payment out of the Government funds. They are of course worried about the security of their money in the Bank if Aadhaar can be misused. Their objection will continue on the AEPS systems where biometric of the Aadhaar gets collected by thousands of merchant establishments and can be misused.

But those who had a stake in benami accounts and corruption have been perturbed with the linking of Aadhaar to PAN and Bank accounts. Government is now talking of linking Aadhaar to property registrations and this is the last straw that will break the back of corrupt people who had grown stronger and stronger during the UPA regime and were slipping away from the clutches of law. There is no doubt there are many Government servants also in this group as well as the businessmen and politicians. I will not be surprised if there are some Judges also in this group.

Along with these people there are another set of people who are not corrupt and may not have any black money but are naturally opposed to any negligent IT implementation where there are security loopholes. So far UIDAI has been fighting these security specialists out of its own ego and created a lot of enemies. Some of these are advocates of “Anonymity” who have a false sense of pride in hiding themselves from regulators and work in the darkweb in the Bitcoin economy and for them any “Identity” is an anathema. They therefore oppose Aadhaar as a matter of principle as it represents the height of “Identified online transactions”.

On the other hand, there are a large number of illegal migrants and beneficiaries of Government schemes, in fake employment with the Government, holding fake ration cards, fake SIM cards etc who obviously want their anonymous life to be protected so that they can continue their illegal activities and terrorist pursuits. The politicians who are opposed to Mr Modi and all the pseudo intellectuals including those advocates who are fuelling the Judges revolt in the country and supporting the “Bharat Tukde Karo Brigade” use all disgruntled persons with anti Aadhaar agenda with the help of Journalists who have their own axe to grind.

Some of the political opponents had hoped that Supreme Court may scrap Aadhaar under Privacy violation charges and had been preparing for the same in the last several months. They thought that with the assistance of some technical experts, they can show case the security weaknesses of Aadhaar and get it scrapped.

The Prashant Bhushans, Dushyant Daves, Kamini Jaiswals, Indira Jaisighs, D.Rajas, Rahul Gandhis etc are all there to ensure that the Supreme Court can be influenced by managing friendly benches in the Court. They were first frustrated by the CJI who is not playing ball in distributing cases as per the wishes of the political opponents of BJP.

Now, UIDAI itself seems to have wken up from its slumber and making some vital moves on improving the security of the system.

First such move of UIDAI was to harden the security with the Virtual Aadhaar ID. Leaving aside the argument that this should have come earlier, the security specialists have lost an important battle because of this change that UIDAI has proposed. Now they have to wait for implementation failures before the next round of security related vulnerabilities can be raised.

The other category of complaints were from politicians and NGOs who were complaining that people are dying because of Aadhaar authentication failures. There were many such complaints brought out in the Bangalore consultation of the Data Protection Bill. Here the complaint has been that many poor people have been denied of the rations because their Aadhaar was not available. Some of these instances may be real but the problems are not because of Aadhaar. It is because of other factors including lack of awareness and lack of effort on the part of the subjects. NGO s who are now complaining should devote time in assisting these poor people rather than creating statistics of who dies because of non availability of ration.

The Face Identity now introduced by Aadhaar would address this issue and say that those who could not get their finger prints accepted, can now provide face recognition.

The concept is having potential and we should see how the implementation goes.

It is possible that teething troubles may come up for both the schemes namely the Virtual Aadhaar ID and the Face recognition and they will again be highlighted by Aadhaar baiters as reasons why Aadhaar should be discontinued. But the problem for them is that in the immediate proceedings before Supreme Court, the Government will be able to put up a strong defense which may be enough to atleast prevent any catastrophic decision from the Court.

I would however like UIDAI to consider this as a reprieve for the time being and ensure that in the breathing time now available, they try to address other problems before any major disaster occurs.

I suggest some of the following specific things to be done in this regard.

Introduce a good Bug Bounty Program that rewards security professionals who can spot vulnerabilities and reward them handsomely. This will create an army of friendly security professionals who will be on the side of the UIDAI rather than on the other side.
The Bug bounty program should be extended for disclosing the vulnerabilities even at the AUA/KUA and Merchant level so that the entire Aadhaar ecosystem is part of the Bug bounty program and not only the CIDR. This will also be good to protect the ego of UIDAI since they may otherwise find it difficult to admit that there could be vulnerabilities even in the systems under their control.
The face recognition system which becomes available can be also used with other innovative systems of integration with the Virtual Aadhaar ID, multiple biometric records and OTP to develop a combined security algorithm that not only is difficult to break in the future but also creates a cover for the data already lost. UIDAI needs to shed its complacency and work towards improving the security to ensure the survival of the system for their own good and for the good of the society. How this can be done is outside the scope of this discussion.

The net impact of the recent measures of UIDAI is that Supreme Court cannot blindly take the argument of the of the anti-aadhaar lobby and jump to conclusions. They will have to atleast make an attempt to consult other experts to find a credible argument to oppose the new system. This will take time and hence there is a new lease of life for Aadhaar for the time being.

Beyond this, we need a bench where four out of five judges would be friends of left parties and activist advocates to convince them that Aahdaar should be scrapped. Hopefully such an opportunity will not arise.

I am not also convinced that the opposition to Aadhaar is firmly grounded in the “Privacy Debate”.

The argument is that linking of “Aadhaar” to PAN or other activities on a “mandatory” basis is a violation of the fundamental right under Article 21 of the constitution. The linking of Aadhaar to another identity such as PAN by itself cannot be considered as “Disclosure of Privacy Information” which is also “Unatuthorized”.

The IT authorities may in their IT returns take a “Consent” (If they are not doing so far, they can do so now) to make the information available to Government agencies for purposes of Governance and efficient tax collection.

No Citizen should be considered as having a “fundamental right to hide” and refuse to allow the Unique and Universal ID called Aadhaar to be used for tracking other activities that are directly or indirectly relevant to the proper Governance of the nation.

All arguments now are that “Government is incapable of information security and therefore the linking of Aadhaar is indirectly a failure of the Privacy protection”. This argument has been substantially weakened after the current moves.

At best, more assurances from the Government may be called for to provide confidence to the public. There can be better checks and balances at the intermediary Aadhaar end to check misuse and make the intermediaries solely liable for security failures.

This liability of the intermediaries is already available since they provide services to the public under a contractual consent and if these are not fulfilled, they are answerable under ITA 2000/8 and/or the proposed new Data Protection Act besides the penalties under UIDAI act.

In view of the above, Aadhaar may get over the crisis for the time being.

Just as Hardik Pandya in future will not forget to ground his bat while running, UIDAI should not forget to ground the bat within the information security precincts.

Naavi

Posted in Cyber Law | Leave a comment