Recipe for corruption in Judiciary- Supreme Court judgement in Shafhi Mohammad V State of Himachal Pradesh

Posted on February 8, 2018 by Vijayashankar Na

Viewers would have observed several News paper reports in the last few days with headlines such as 

-“Courts can rely on Electronic Records without Certificate: SC” (Deccan herald), (Free Press Journal)

-“Party Not In Possession Of Device From Which Electronic Document Is Produced Need Not Produce Sec. 65B Certificate: SC …” (Livelaw.in), 

-“Supreme Court says certificate not mandatory for making electronic evidence judicially admissible” (Firstpost)

-“SC clears air on electronic records” (Telegraph)

…..etc., etc

The report originated from a PTI report and has been diligently carried by many publications. There is no doubt that this report has created a perception in certain circles that the Supreme Court has issued a judgement that in effect over rules the three member judgement in the case of P V Anvar Vs P.K Basheer.

The perception however is incorrect. It is false and incorrect to state that Section 65B certificate is no longer required for admissibility of electronic documents.

This order of the Supreme Court in a Special Leave Petition (CRL No 2302 of 2017) signed by a two member bench Adarsh Kumar Goel and Uday Umesh Lalit must be seen in the limited context of the SLP.

A two member SLP order cannot be accepted as an over ruling of a three member judgement as has been explained in our earlier article.

It is amusing to see the Court accepting the argument of the Senior advocate Jayant Bhushan who is stated to have said that section 65B of the Evidence Act was a “procedural provision” intended to “supplement the law” by declaring that any information in an electronic record, “is admissible in any proceedings without further proof of the original”.

We must state that Section 65B is part of the Indian Evidence Act in the main and not in any supplementary rule and hence has the same judicial value as any another section of Indian Evidence Act.

The Court itself quoted

“whether a person who wants to take a recourse of alibi in a criminal trial with the help of boarding pass of a flight, where there was no signature and was just a printout from a computer, can that document be not relied by the court for want of such certificate.”

but went ahead to state

“These are the questions, which we need to deliberate,” the bench said, and added that courts cannot afford to deny acceptance of such documents for want of certificate under section 65B.”

The senior counsel suggested that

” the evidence should be accepted by the court and later sent for verification to technical labs to see if it was tampered or not”.

This argument is fallacious and puts the defence in an untenable position as to justify an electronic evidence that might have been totally fabricated.

One report quotes that the bench of Justices A.K. Goel and U.U. Lalit said

“if this were not permitted, it would be denial of justice to the person who is in possession of authentic evidence/witness….Thus, requirement of a certificate under Section 65B(4) is not always mandatory,”

The order indicates that the honourable judges have not properly appreciated the need for Section 65B certificate in the case of Electronic evidences and the harm that it would create to the system of justice.

According to the report, the Court had considered the views of four senior advocates who had been appointed amicus curie to assist in the interpretation of the provision and the result is a disappointing reflection of the understanding of the requirements of Section 65B by the amicus curie.

Mr. Jayant Bhushan,  Ms. Meenakshi Arora,  Ms. Ananya Ghosh,  Mr. Yashank Adhyaru and Ms. Shirin Khajuria, learned counsel, appearing for Union of India have been quoted in the judgement as having assisted the Court.

The order is a recipe for corruption in judiciary where corrupt advocates can collude with fraudulent litigants and produce false evidence and the corrupt judges admitting the evidence and challenge the defense to prove that the electronic evidence is wrong.

The bench appears to have only tried to facilitate production of false evidence and change the onus of proving that it is in admissible on the defense. This is highly dangerous and bad in law.

The earlier provision where a Section 65B certificate was required introduced an intermediary to assist the Court who could be liable for false evidence if the certificate was “Not in good faith” and the content was fraudulently constructed. Now this thin layer of security has vanished. It appears that the Judges did not have the vision to look beyond the air line boarding ticket and thought that if necessary they can summon an airline official to corroborate the evidence.

But they seem to be unaware that electronic evidence may consist of e-mails and websites and in many cases the evidence could have been removed after they have been certified by a 65B certifier and in such cases the credibility of the Certifier was alone the trusted support for the Court. Now the Court seems to accept the electronic evidence as presented and let the adversary prove that it is wrong.

The Court has forgotten that there is no Section 79A certified Digital Evidence Examiner at present and there will never be sufficient number of such organizations in future to forensically examine the “Genuineness” of the document. The Basheer judgement had clearly segregated the “Admissibility” from the “Genuineness” and had indicated how the two should be handled by the Court. The current order has completely ignored this part of the Basheer judgement and has gone on its own line of thinking which is wrong.

If this rule is honoured, falsification of electronic evidence will be a rule and judicial process can be easily frustrated and production of false evidence and false witnesses will proliferate. Honest persons will be left to fight the false evidence presented by dishonest advocates and accepted as admissible by corrupt judges and incur disproportionate cost of litigation.

It is possible to ignore this order since it cannot over rule the larger bench order. But the misperception created by this order and the ignorant media stating it many times over is likely to mislead many judges in lower courts to believe that this is an operative order.

This order is an open challenge by the two member bench on a larger bench decision and has the effect of disrupting the judicial process.

The media blitz is perhaps orchestrated by some vested interests with an intention to slip in some Electronic documents as evidence in their respective cases where Section 65B evidence is not available and cannot be produced now.

Courts have allowed the earlier presented evidence to be resubmitted with Section 65B certificate but in some cases the evidence may be no longer available for certification.

No doubt some genuine parties would have been affected by this. But if so, such cases are because they did not know the law and ignored the need for Section 65B certificate and submitted their evidence earlier.

If law is sought to be changed because these parties and their advocates were ignorant, we will be opening doors for a large scale fraud in presentation of false and manipulated electronic evidence. It should not be done.

I request the Chief Justice of India to take steps to limit the damage caused by this order.

Naavi

 

Posted in Cyber Law | 5 Comments

Two Member Bench of Supreme Court Vs Three member decision on Section 65B

Posted on February 3, 2018 by Vijayashankar Na

On September 18, 2014, the famous P.V.Anvar Vs P.K Basheer judgement was delivered by the three member Supreme Court bench consisting of the then CJI, Kurien Joseph along with Justices R.M. Lodha and Rohinton Fali Nariman in which it was unambiguously declared as follows:

“Any documentary evidence by way of an electronic record under the Evidence Act, in view of Sections 59 and 65A, can be proved only in accordance with the procedure prescribed under Section 65B.”

“The very admissibility of such a document, i.e., electronic record which is called as computer output, depends on the satisfaction of the four conditions under Section 65B(2). Following are the specified conditions under Section 65B(2) of the Evidence Act:”

“Only if the electronic record is duly produced in terms of Section 65B of the Evidence Act, the question would arise as to the genuineness thereof and in that situation, resort can be made to Section 45A – opinion of examiner of electronic evidence.”

“The very caption of Section 65A of the Evidence Act, read with Sections 59 and 65B is sufficient to hold that the special provisions on evidence relating to electronic record shall be governed by the procedure prescribed under Section 65B of the Evidence Act. That is a complete code in itself. Being a special law, the general law under Sections 63 and 65 has to yield.”

“the statement of law on admissibility of secondary evidence pertaining to electronic record, as stated by this court in Navjot Sandhu case (supra), does not lay down the correct legal position. It requires to be overruled and we do so.”

The judgement in the Basheer case clarified the law as it existed since 17th October 2000 and was not a new law. It was unfortunate that though Thiru D. Arul Raj a magistrate of the Chennai AMM court had correctly interpreted Section 65B way back in 2004, other judges of even higher Courts including in the case of Navjot Sandhu (alias Afsan Guru), were unable to understand and interpret the Section 65B of Indian Evidence Act properly. Basheer case judgement was therefore a milestone in the interpretation of Section 65B as it stands today.

It is therefore surprising that in the case Shafhi Mohammad vs State of Himachal Pradesh SLP (Crl) no 9431/2011 and SLP (crl) No (S) 9631-9634/2012, the Supreme Court bench of two judges namely Justices Adarsh Kumar Goel and Uday Umesh Lalit has passed an order date January 30, 2018 which apparently not in agreement with the Basheer Judgement.

Earlier there was another judgement Sonu@Amar Vs State of Haryana which was instantly interpreted as rejecting the Basheer judgement. But actually this was a very measured judgement in which the Judge had acknowledged that it was a special circumstance in which he was rejecting the appeal which sought relief on the ground that an earlier completed trial and conviction should be reviewed because the electronic evidence was not certified under Section 65B. He stated in no unclear terms that Basheer judgement is effective as on the date but it would not be practical to review all completed judgements and hence would not agree for the review.

Shahfi Mohammad order

The current case of Shahfi Mohammad should be also looked at in the context of how the two judge bench justifies a rejection of an earlier three member bench and whether there are any “Exceptional circumstances” for the same. Otherwise, it is difficult to see how a smaller bench is over ruling the larger bench.

Let’s however analyze what the Court has stated in this case.

Para 12 of the order states:

“Accordingly, we clarify the legal position on the subject on the admissibility of the electronic evidence, especially by a party who is not in possession of device from which the document is produced. Such party cannot be required to produce certificate under Section 65B(4) of the Evidence Act. The applicability of requirement of certificate being procedural can be relaxed by Court wherever interest of justice so justifies.”

We must first note that this is an observation on a SLP and does not constitute a law overturning the Basheer judgement. Hence the position as stated in the Basheer judgement remains as the precedent as of date.

Being an order on an SLP, the order should be considered as an observation applicable for the specific context and is not a precedent set.

In this case the question that arose was whether the videography of the scene of crime captured during investigation as a part of Standard operating Procedure could be used as evidence. In the process there was a misunderstanding about how the admissibility has to be proved and who has to issue a Section 65B certificate.

My views on “Who can provide a Section 65B Certificate” been explained earlier and going through the explanation given earlier, it is clear that  the reference in this case itself was misplaced and the order could have been disposed off differently if the Court had rightly recognized the essence of the section which it did not.

The Court has worked under the premise that it would be procedurally difficult if the person who did the videography, (which would be the law enforcement person in the case of body cameras) is to be considered as the person who has to provide the Section 65B certificate. If this view is taken, then there would certainly be operational issues. In order to avoid this, the Court went ahead and declared that the Basheer case judgement was to be ignored and Afsan Guru case judgement has to be recognized.

It went ahead to state

“If the electronic evidence is authentic and relevant the same can certainly be admitted subject to the Court being satisfied about its authenticity and procedure for its admissibility may depend on fact situation such as whether the person producing such evidence is in a position to furnish certificate under Section 65B(4). ” 

“Sections 65A and 65B of the Evidence Act, 1872 cannot be held to be a complete code on the subject. In Anvar P.V. (supra), this Court in para 24 clarified that primary evidence of electronic record was not covered under Sections 65A and 65B of the Evidence Act. Primary evidence is the document produced before Court and the expression “document” is defined in Section 3 of the Evidence Act to mean any matter expressed or described upon any substance by means of letters, figures or marks, or by more than one of those means, intended to be used, or which may be used, for the purpose of recording that matter. “

The applicability of procedural requirement under Section 65B(4) of the Evidence Act of furnishing certificate is to be applied only when such electronic evidence is produced by a
person who is in a position to produce such certificate being in control of the said device and not of the opposite party.

In a case where electronic evidence is produced by a party who is not in possession of a device, applicability of Sections 63 and 65 of the Evidence Act cannot be held to be excluded.”

The reason given out by the bench that we should not make it difficult for law enforcement to produce the electronic evidence captured with the body cameras by procedurally putting them in a spot that only the person who is the lawful owner of the body camera should provide the certificate is acceptable.

But we disagree with the Court’s resolution of the problem by invoking Sections 63 and 65 and bringing in the discussion of the primary and secondary evidence.

This was not necessary since Section 65B does not place the restrictions which the Court believed that existed.

Section 65B clearly stats that it is not necessary to produce the “Original” electronic document that is the “Evidence”, to be admissible. It is sufficient to produce the “Computer Output” in its place.

The “Original” document is a “Stream of binary data” when it was first created in a device used for creating the “Original” electronic document that is the subject matter of admissibility as evidence.

It is always the “Secondary rendition” of an electronic document that is made available to the Court as evidence in the form of “Computer Output” as defined in Section 65B. The “Computer Output” is produced by the person who views the “Original Stream of Binary Data” and makes a copy either on another media or as a print out. (In the instant case since the document is a video, it is more appropriate to consider an electronic copy).

The person who makes this electronic copy as  a “Computer Output” is the person who has to provide a Section 65B certificate stating where he saw the original version of the document, what device he used to view it and how he converted it into a copy as produced.

This person could be the video operator back in the Police control room to whom the video recordings are deposited by the field personnel and not necessarily the field personnel himself.

If we accept this interpretation of Section 65B being a certification of the computer output and not certification of the original binary stream, the Court would have realized that the apparent issue referred to it was not a matter of concern at all in developing a standard operating procedure.

The field personnel may deposit the first container of the electronic document (which contains is the Original stream of data) like depositing any hardware or article collected from the crime scene with a certificate. At best each day when they submit the “Memory Card or  Tape”, they may record the “hash value” of the document.

The deposit letter may state, “I deposit herewith a tape marked ……. with hash value under SHA-256 alogorithm of ……” and carry his signature.

If the person who is depositing an electronic document does not want to deposit the whole container but only a document which is part of the data contained there in, then he has to make a copy of the document into another media device with a  hash which needs to carry a Sec 65B certificate. This process can be automated so that as soon as the field operative returns to the lab, he connects his equipment to a storage device which downloads the data, calculates the hash value and incorporates the Section 65B clauses and obtains the digital signature of the person before archiving the deposit.

Most disk cloning hardware has this facility of making a copy along with a hash and a certificate slip that can be signed.

Any subsequent retrieval of the deposit can be made by the back room person who can provide his Section 65B certificate starting from what he saw in the archival computer. (As suggested by the concept of contemporaneous certification by the  High Court of Madhya Pradesh at Jabalpur, S.Tiwari Vs Arjun Ajay Singh in an order dated 17th January 2017, regarding E.P. no 01/2014).

I therefore consider that the objective of the order on SLP was fine but the order itself was incorrect.

I am sure that many who think that the Court can do no wrong may object to my view and say irrespective of what is my opinion, it is the opinion of the Supreme Court which matters. I agree. But any order even from the Supreme Court is valid only until it is over turned by a superior court or the bench.

The subject order is an order on an SLP from a 2 member bench against an earlier judgement by a three member bench. Hence its validity is restricted to the specific context and I urge everybody including the Supreme Court to re consider the order because it is likely to be mis-interpreted by many other lower courts in future.

Further, when an electronic document is in the custody of either the respondent or with an intermediary, there is provision for demanding presentation of the document and hence the question of a required electronic evidence being contained in a device not under the control of the presenter does not arise unless the person who is in possession of the original recording refuses to cooperate with the Court.

Since the procedure for allowing the electronic document to be lead in evidence is simple and only requires an access to be provided to the document for certification to an independent trusted party, there should be no objection by the holder of the evidence to provide the evidence.

In some cases because the Police try to demand that the entire hard disk or the computer has to be seized instead of simply capturing the piece of document that is an evidence, the holder of the document may hesitate to deposit the device or participate in the process of providing the evidence.

If the Standard operating procedure recognizes that for provision of an electronic document (which is a stream of binary data), it is not necessary to seize and produce the entire hard disk, then the procedure for getting such documents from the person who is holding it would be easy.

If however the document does not exist as claimed one party, nothing can be done to produce it. In such cases, the presenter of the document cannot be allowed to present any copy that he claims to be the correct electronic copy to the Court and claim that he is not under an obligation to provide a section 65B certified copy as per the SLP order, it will enable fraudulent electronic documents to be produced in the Court.

The bench which has given this order has not recognised this risk and hence the order should be rescinded at the earliest.

P.S: 

My view above is contrary to what the head line of a corresponding article in livelaw.in suggests. The article is titled “Party Not In Possession Of Device From Which Electronic Document Is Produced Need Not Produce Sec. 65B Certificate: SC [Read Order]…”

I request the readers to consider the view point mentioned here before jumping into any conclusions.

I welcome comments and would be happy to elaborate further if required.

Naavi

Also Refer:

Special Leave Petition in Indian Judicial System

HCs can hear petition even after an SLP is dismissed

Posted in Cyber Law | Leave a comment

MHA advisory on Cyber Crime Prevention and Control

Posted on January 31, 2018 by Vijayashankar Na

The Ministry of Home Affairs released a circular on 13th January 2018 to all the State Governments and UT Administrators recommending some measures towards better Cyber Crime prevention in the respective Sstates and UTs.

Copy of the Advisory

The Circular took forward a couple of recommendations which the T. K. Vishwanathan Committee on amendment to ITA 2008  was supposed to have proposed.

In particular, it has now proposed that the States should act on the setting up of

a) State Cyber Crime Coordination Cell and

b) District Cyber Crime Cells

This was proposed as a suggested amendment to the Criminal Procedure Code. Instead of the Center attempting to make amendment to CrPc, it appears that the responsibility has now been cast on the respective State Governments.

We need to wait and watch which State Governments are more concerned about Cyber Crime prevention and take action.

In these suggestions, it is proposed that the State may set up a State level coordination cell headed by a senior police officer of the ADGP/IG rank and ensure a district level, station level facilitation of cyber crime prevention activities. This will ensure that a police officer with the right kind of orientation to Cyber issues can be assigned this responsibility and the legacy system which is burdened with physical security responsibilities is not burdened with Cyber Crime prevention management which is alien to their culture. It is a great opportunity for the Police system to bring about a seminal change in the way Cyber Crimes are presently handled in the States.

The second suggestion to form District level Cyber Crime cells is also a significant step in the direction of better Cyber Crime Prevention since it envisages a support system for the SPs in the districts in which at least three domain experts in Information Technology. Mobile Telephony, Digital Forensics and Cyber Laws hired from the market. This is an acknowledgement that it is not always possible to get the expertise from within the recruits to the Police system and there is a need for public-private partnership.

The procedure to be adopted for involving the external persons need to be properly conceived. It is preferable if these “Experts” are not on an employment contract. If so it will become another Government job and will be decided on the basis of money and influence. Instead the SP should be given powers to recruit the assistance of experts by creating an expert panel and pay consultancy fees on short term contract basis. Only then the services of real experts would be available. Otherwise the system would degrade over a system into yet another Government department and will not be of use.

The Advisory of the MHA highlights the need for inter-state cooperation in Cyber Crime investigations which should be facilitated to a large extent if the State level Coordination cell becomes operational in most of the State. Naavi.org had tried to convince TN and Karnataka Cyber Crime Police Stations to take an initiative in this direction more than a decade back to bring together all the four southern states into a monthly meeting. But the idea was not taken up formally to higher levels by the then officers though I had received a positive response from both TN and Karnataka officers.

The idea of “Mobile” Cyber Forensic labs proposed is also a recommendation that had been made to Karnataka Police long time back and it is good to see the idea being revived now. The Mobile units would assist in “Quick Response” to Cyber Crime complaints so that evidence should be secured at the earliest. It is needless to say that the evidence gathering team should be fully aware of the legal issues involved in maintaining the Chain of Custody and the Section 65B evidentiary certification requirements so that they donot accidentally render evidence un-usable.

The Advisory also suggests use of BPR&D resources for capacity building and release of funds for training of Police on Cyber Crime related skills. Hopefully it would be put to good use by the States.

Another important suggestion made by the advisory is to set up a “Cyber Intelligence” system to monitor the Internet including the “Deep Web”. This brings us back to another ancient suggestion made by Naavi to set up a “Friends of Cyber Police” system where voluntary members from the public would assist the Cyber Crime Police with information and assistance to track crimes.

We must however recall the recent incident where a hacking group had stated that when they had penetrated several sleeping terror cells and wanted to pass on the information to the Government, there was lack of interest . This was perhaps in Kerala where the State Government is known to be supportive of some communal forces and hence might not have shown interest. But I hope MHA must have by this time taken up the matter under their investigation and the Central Government should take steps to see that such complaints should not arise in future.

As regards “Online Complaints”, it appeared that the website mentioned in the advisory is still not functioning. I had recently put out a detailed article How Do We Improve Cyber Crime Management System in India?.. and also suggested a procedure  to Relieve Cyber Police in India of needless burden and make them more focused.I wish the suggestion is taken up for immediate implementation at least by some of the States.

This suggestion was based on an actual experience where it was found that Mumbai Cyber Crime Cell was reluctant to initiate an investigation of a complaint by issuing an IP resolution request and the delay will ensure that the tracking trails vanish. The Mumbai Cyber Crime Police were therefore guilty of deliberately allowing the potential accused to get away and the top management of the Mumbai Police were unable to take preventive action. This will remain an example of how corruption in the Cyber Crime policing system affect the success of Cyber Crime investigations and Naavi.org will continue to talk about this though it may not be palatable to MHA both in the center and Maharashtra state.

The suggestion of the online complaint receiving system along with the suggested “Friends of Cyber Police” and “Raising of IP resolution request by designated NGOs” would go a long way in addressing the issues raised by Naavi in the Mumbai Cyber Crime investigation fiasco.

I hope the MHA takes up follow up action on the Advisory and push at least the BJP ruled states to start implementing the suggestions.

Naavi

Reference Articles

How Long Will Google take to resolve an IP Address?… Make all intermediaries pay for the delay
I was on 16 and Going on 17….I need everyone….to know me and comply…says ITA 2000/8 Proposed Amendments to ITA 2000 and Privacy Protection
Redefining the scope of ITA 2008.. in the amendments..
Suggestions on Modification of ITA 2008
Domain Name Regulation in ITA 2000..to be amended
Police, Prosecutors and Judiciary: Please Don’t Create Fake Laws out of your misinterpretation
How to Relieve Cyber Police in India of needless burden and make them more focused

Posted in Cyber Law | Tagged , , , , | Leave a comment

Corporate Governance and GDPR risk

Posted on January 30, 2018 by Vijayashankar Na

As the D-day  for GDPR (25th May 2018) approaches, many of the Indian companies are busy with their preparation for implementing GDPR in their processing activities. At the same time, there is also a question in the minds of most of the Indian companies about how the GDPR provisions would be made applicable to them by the respective EU authorities and whether the EU authorities are likely to pass any orders against the Indian company any time  in the future and impose liabilities.

GDPR essentially is a Data Protection law and has a penalty clause that if there is non compliance there could be a penalty which we all know is huge. But being a law of the EU it does not have direct enforcement jurisdiction on Indian Companies.

Article 3 of GDPR has created extra territorial jurisdiction as follows.

GDPR is applicable  “regardless of whether the processing takes place in the Union or Not” 

1. Provided the “processing activity” is related to the offering of goods or services to data subjects in the Union

2.Provided the “processing activity” is related to the monitoring of their behaviour as far as the behaviour takes place within the Union

This is similar to the ITA 2000/8 which also has an extra territorial jurisdiction (Section 75 of ITA 2000/8) and many other Cyber crime laws across the world. This provision provides a legal long arm jurisdiction but it is not feasible for EU authorities to extend enforcement jurisdiction or conduct direct audits of Indian Companies unless the Indian entity is a part of a EU Company.

However, the EU based Data Controllers will in their contracts with the Indian Data Processors have “implementation of Privacy and Security provisions as per GDPR” as a necessary condition and also have an “Indemnity Clause” to make the Indian company liable for “Any loss that may arise due to any act attributable to the Indian Company that may result in either a penalty imposed by GDPR or any other Judicial authorities”.

Hence more than the direct impact of the GDPR on Indian processors, it is the contractual liabilities that the Data Controller imposes on the Data Processor that will determine the liability of the Indian processor .

If there is a possibility of any liability arising on the Indian Company, there is a need for the Board of Directors to make an assessment and disclose the risks that may arise in the next Financial year 2018-2019.

GDPR also mandates a Data Protection Impact Assessment (DPIA) which is an obligation of the Data Controller. If there has been a DPIA conducted by the Data Controller, the Data Processor will be presumed to be aware of the DPIA. Hence the management needs to take note of the DPIA results and admit knowledge of the risk associated with the processing.

From the point of view of an Indian Data Processing company therefore, the moment they accept a contract which has a GDPR stake, then the liability risk attached to it needs to be assessed and value assigned. The Company also needs to undertake Risk mitigation measures determine how much of risk has to be absorbed after mitigation, avoidance and insurance.

So far, Indian companies have never made an assessment of financial risks that may arise on account of legal risks.  If this was so, Companies would have estimated the risks even for non compliance of ITA 20008 and made adequate disclosures and provisions. In the case of GDPR however, the risks are high and is documented through the DPAI process. Hence  the potential liability cannot be swept under the carpet.

Whether the Absorbed risk is small or even zero, it would be obligatory from the point of view of Corporate Governance that Indian companies disclose their “GDPR Risk Liability” in their share holder disclosures from the immediate next financial year.

We need to wait and see whether these companies will be compliant to this requirement or not.

Naavi

Posted in Cyber Law | Tagged , , , | Leave a comment

How Aadhaar security reaches a new dimension with Virtual Aadhaar ID

Posted on January 29, 2018 by Vijayashankar Na

Aadhaar has been the center of Privacy debate for quite some time in India and has even attracted international attention. Amidst the criticisms that Aadhaar system is not properly secured and therefore it may lead to loss of privacy of the citizens, Supreme Court took up a petition on whether Aadhaar infringes Indian Constitution and should be discontinued. Initially, the Aadhaar baiters scored a victory as Supreme Court under the previous CJI hurriedly constituted a 9 member bench and passed a judgement stating “Aadhaar is a Fundamental Right”. It appeared as if the judgement was a tool given to the smaller bench which was hearing the Aadhaar constitutionality issue to scrap Aadhaar.

However things have changed in the last few weeks. First the new CJI shuffled the bench and case allocation rules so that politician advocates who wanted to get the Aadhaar case heard by a bench of their choice were frustrated in their design.

The case is now being heard in a more neutral bench than what the politicians intended.

At the same time, UIDAI came up with its own master stroke introducing the “Virtual Aadhaar ID ID (VAID) proposition which has changed the scenario of security in such a manner that one of the key argument against Aadhaar that it leads to breach of privacy has been put to rest.

Naavi had been suggesting for a long time that the principle of “Regulated Anonymity” should be applied to secure Aadhaar and actually hoped that this would be a good commercial business proposition to be used by an enterprising private business entity. Now Aadhaar by introducing the system of VAID has come up with its own version of “Pseudonomization”   which would perhaps take the Privacy protection up by several notches.

The VAID system is expected to be in operation by March 2018 on trial basis and mandatorily by June 2018 unless some extension is given. Once the system comes into use, all KYC agencies will have to be prepared to use the VAID which may be a 12 digit randomly generated number which is mapped to the real Aadhar ID of an individual for all their KYC enquiries.

In other words, the KYC authority will not receive the real Aadhaar ID  for its KYC purpose but receive only a randomly generated, changeable VAID number. This may perhaps be forced  by UIDAI by mandating that the AUA/KUAs donot shall stop using the real Aadhaar ID for any KYC queries.

As for the users, they will have the option of generating a VAID against their real Aadhaar ID and ascribe it a date of expiry or designate a specific one time purpose. Such number would meet the requirement of SIM card verification or even Bank account verification.

How Virtual ID secures the system

The exact architecture that UIDAI may use for the purpose is not known and need not be made public. However, it may consider the following features.

(P.S: This diagram is only an illustrative representation of a suggested architecture. This is not what UIDAI may implement)

The first change could be that access to CIDR will be only through an internal system and access by AUA/KUA would be stopped at an intermediary server.

Public will access a Virtual ID generator (S-1) service as and when they want. They will provide the real Aadhaar ID to this server and obtain a Virtual ID. This ID will be randomly generated and will have an expiry tag and stored in another system. S-1 will then deposit the information to S-2 where a map of Real Aadhaar ID and Virtual Aadhaar ID is maintained and updated with a history of VAIDs associated with a given Real Aadhaar ID.

When a user requires a service, he will provide only his VAID to the AUA/KUA who will send their request to another exclusive server of UIDAI where the request will be processed (S-3). This server will push a request to S-2 which will re-identify the VAID and forward the KYC request to CIDR,(Central Identities Data Repository).  CIDR will push the required information back to S-3 for onward transmission to the AUA/KUA.

In this structure, S-2 which holds the map of the real Aadhaar ID with the Virtual Aadhaar ID will be accessed only by internal servers one accessible to Aadhaar users and the other accessible to the AUA/KUAs.

S-1 will only generate VAID and does not store any data after the process is over. CIDR is accessible only from S-2. S-2 will not hold any data other than the mapping of the real ID and Virtual ID. S-3 will allow passing through of  Virtual ID and the KYC information but will never access the real ID.

S-1 and S-3 will be only transaction servers and need not store any data except in transit. Firewalls will manage the access to different servers and ensure that Aadhaar demographic or Biometric data is not accessed by any outsiders except through queries passed through S-2.

How Biometric Security Can be fortified

Presently, the Aadhaar has a record of 10 finger prints and iris scan for biometric identity purpose. To this multiple face parameters may get added with the new addition of the Face recognition feature. Face recognition in intended to be used as an alternative biometric in cases where finger print recognition fail so that false rejections can be reduced.

Additionally, we can consider that one or more Face parameters would be an add on to the many biometric identification parameters (10 finger prints+Iris scan). Totally therefore there may be around 11 plus biometric parameters which can be used for authentication.

Considering the possibility that as of now some biometric data might have been compromised, or biometric devices may be manipulated for a store and replay attack, UIDAI may consider a “Double/Multiple biometric authentication” on an “Adaptive Authentication Principle”.

Under this system, biometric of one finger is first obtained. When this is successful, the server may randomly chose another biometric feature to be provided with or without mobile OTP as well. With such a system there would be simultaneously three parameters that are verified for authentication and the second authentication would be a random variable and provide a defense against most of the normal attacks.

Assuming that UIDAI has other security features already installed for preventing the store and replay attack, the addition of a random additional biometric parameter based authentication will fortify the current system and make an enormous improvement in the system.

Since it is possible to get the biometric device ID and its location as a transaction input, the adaptive authentication can be configured with the known behavioural pattern of the user as is done in credit card transactions.

One issue that needs to be tackled in the suggested system is the latency of the transaction and connectivity. But this is a challenge that can be handled and should be handled in the interest of security.

(P.S: I presume that the current team of UIDAI consists of more accomplished information security experts than the author and hence what is discussed above may be steps which are already in place. They are however discussed here to inform  public  that security of aadhaar is feasible.)

Naavi

 

Posted in Cyber Law | Tagged , , | 3 Comments

We need to build a “Bridge of Trust” between UIDAI and Security specialists

Posted on January 28, 2018 by Vijayashankar Na

In the on-going petition in Supreme Court, Aadhaar faces a tough battle against multiple opponents.

The background under which the Aadhaar case has come up for hearing itself suggests that there are some undercurrents of opposition to Aadhaar even within the judiciary. The recent attack by a few Judges on the CJI citing “Threat to Democracy” also looked like having it’s roots in the Aadhaar controversy.

The main reason why Aadhaar is being opposed by a section of the society, is that the way it is being implemented by the Modi Government is choking the people who want to hold black money in benami bank accounts and properties and this is considered an existential threat for them. Such Black money holders are there in all walks of life.

Black Money out of Tax Evasion

There are professionals like doctors and others who have made money from their hard work but has for reasons of their own not accounted it for taxation purpose and therefore accumulated benami wealth. Many businessmen also accumulate black money from their hard work because they have not paid taxes properly. They all have a logic that taxation system is badly structured, it is a disincentive for honest hard work. Politicians applying most of the tax collections for bribing the voters for the next election makes it worse since citizens have no respect for tax and tax avoidance is considered not as bad as other crimes.

If tax compliance is to be ensured Government must lower the incidence of direct income tax or better abolish it all together though the communists will cry on the obsolete principle of “Taxing the Rich”.  Consumption Tax is the best form of taxation and Income Tax at least on individuals can be done away with.

Black Money out of Corruption

On the other hand there are another kind of Black money wealth owners who have accumulated their wealth out of corruption. This includes  corrupt individuals in different walks of life including bureaucrats and Politicians. Compared to the black money owners who have earned honestly but accumulated black money through tax evasion, the corrupt set of people actually generate black money and they should be treated with an iron hand.

Unfortunately our tax system does not distinguish between these two categories of black money holders.

Now, the proposal to link Aadhaar with the Bank accounts and other properties hurt both these categories of black money owners equally and both of them are now up against the Aadhaar.

Current Aadhaar Debate

The current debate in the Supreme Court is on the grounds that Aadhaar violates the Indian Constitution and creates a “Police State”.

The Anti Aadhaar lobby is on a fishing expedition to  find reasons to hold Aadhaar as “Anti Constitutional”. One route they are trying is to say that “Aadhaar violates Privacy” which the Supreme Court has recently held as a “Fundamental Right”. In fact the Puttaswamy judgement is the foundation under which the present Aadhaar trial is being conducted and there is a view that the Puttaswamy judgement was preparatory to scrapping of Aadhaar by the current bench. One explanation for the revolt of the 4 judges is that the CJI frustrated the conspiracy to scrap Aadhaar by changing the bench composition. This allegation cannot be dismissed easily since political parties, Anti Government Advocates and Modi haters were prominently associated with the revolting judges.

Aadhaar Security Critics

While this group of Anti Aadhaar advocates are motivated only by a desire to prevent Aadhaar being used to fight Black money, there are another set of Aadhaar critics who have been unhappy with the security aspects of Aadhaar. This lobby has been criticising Aadhaar because the lack of security could lead to security risks for the users including loss of money in the Banking transactions and loss of identity of biometric is compromised. It is this lobby which opposed the UIDAI contracts being given out to foreign agencies, UIDAI using a foreign Digital Certifying Agency to secure its server etc.  Part of this Security lobby also is concerned with the black money money fight both for or against it.

Some of the security arguments that have been held out by professionals like the undersigned to criticize Aadhaar has been now used by the Pro Black Money lobby to justify their arguments demanding scrapping of Aadhaar.

Just like the undersigned, there are many security professionals who are against Black Money but have been critical of Aadhaar from the security perspective. Some of them have been peeved by the arrogance of the UIDAI authorities in not listening to the security warnings and some times even initiating legal action against ethical reporters of security vulnerabilities. On the one hand UIDAI has been soft on agencies like Airtel who have misused the system and also those who were caught storing bio-metrics and reusing them, they went hard against other non malicious technology specialists who ignorantly violated law out of their “Technology Intoxication”. As a result today there are many security professionals who are in favour of the Government in its black money initiative but are angry against UIDAI authorities and are silently enjoying its predicament.

It is only a few of these people which includes the undersigned who have decided to keep our security differences aside for the time being and join hands for the cause of removing black money and corruption with the efficient use of Aadhaar.

Creating a Bridge of Trust

Unfortunately, UIDAI has no channel of communication with such supporters of Aadhaar. Had UIDAI introduced a “Bug Bounty” program as we had suggested some time back, a lot of security professionals who are critics today would have been friendly and come up with many useful suggestions. Today there is complete lack of trust between security professionals and UIDAI and they are not ready to share their security thoughts with UIDAI. Some of them are afraid that if they admit that they have found vulnerabilities, UIDAI may hoist cases against them and some of them are themselves as egoistic if not more than UIDAI and would not volunteer their suggestions.

The need of the hour for UIDAI is therefore to construct a bridge of trust between itself and the security specialists so that there is a flow of positive security ideas from the good intentioned critics to UIDAI.

Recently Justice B N Srikrishna conducted a series of public consultation programs through out India to gather public opinion on the proposed Data Protection Act. During these discussions he had to face lot of brickbats only because of Aadhaar. There were many citizens and security professionals who were commenting on the Data Protection law citing  Aadhaar related issues. It was heartening to note how Justice Srikrishna was humble and patient in listening to all critics and trying to take the essence of the suggestions made out during the interactions. He was not only able to extract valuable suggestions but also create a bridge of trust with the public that he is doing his best to come up with reasonable suggestions for the drafting of the complicated data protection law which people expect to protect “Privacy” which no body is willing to define.

UIDAI must take a leaf out of Justice Srikrishna and learn some PR lessons of how to bridge a friendly relationship with the community.

In this direction I suggest that Aadhaar authorities need to hold open house discussions in different cities of India on a regular basis and listen to the criticisms and suggestions from the community of academicians and security professionals. At the same time, they should open up a channel of communication with the public to hear out their grievances and suggest amicable resolution. This public interaction could be through the web and include a Bug Bounty program as well so that whistle blowers who have valid suggestions.

In the recent days, I have found many respectable security professionals express a view in private discussions that “Let the Government suffer, they will learn a lesson” and recommending that no vulnerability should be reported and Government will learn the lesson when hackers exploit them.

I feel that this indicates a dangerous turn of events when honest persons turn away from their duties to the nation to report vulnerabilities to the Government.

Today’s news report that  a hacker’s group in Kerala has generated a valuable counter terrorism cyber operation in which they have identified a number of “Sleeping Terrorist Cells” promoting terrorism in India. It is also reported that when these hackers (ethical hackers) tried to draw the attention of the security agencies, they did not get the response that they anticipated.

This is a very sad state of affairs where honest citizens who want to help the Government are left to feel that they are unwanted by the authorities.

This feeling is not new and most of us have experienced it in the past. Some journalists often complain about the Lutyen’s lobby operating in Delhi and often acting against the interests of the country. There is a similar lobby of Security experts in Delhi who are close to the decision makers in the current Government also who ensure that Government is not provided the right kind of advise on security matters.

Mr Modi needs to ensure that this “Lutyen’s Lobby of Cyber Security” is recognized and disbanded and in its place encourage development of a voluntary group of  “All India Cyber Security Advisory committee” whose suggestions reach the right ears in the Government. I suppose the Government would be intelligent to distinguish “Vested Interests” from “national Interests” and ensure that the right flow of valid Cyber security suggestions reach the Government.

This “All India Cyber Security Advisory Committee” which can operate as a virtual committee should be part of the Cyber Security Infrastructure of the Government. One off shoot of this suggestion that can be tried in this direction is for UIDAI to invite suggestions from the public on how to secure Aadhaar both through a virtual committee as well as through open houses.

Time is now ripe since UIDAI is now considering revamping the system with the introduction of

a) Virtual Aadhaar ID

b) Use of face recognition

as additional parameters of use. Both have important security implications and any system which is introduced now should be made as robust as possible. We consider that presently most of the Aadhaar data base has already been compromised and there is no way the compromise can be rectified. However, if some thing can be salvaged it is necessary that we use the two new parameters of Virtual ID and Face recognition in such a manner that at least in future compromises does not happen.

I am sure that UIDAI would not like to discuss the security issues in the public and it is not recommended also. But there is no problem in inviting suggestions from the public and use as much of it as possible so that the system would be secure.

It is for this reason that the “Bridge of Trust” has to be built between UIDAI and the information security community.

Will UIDAI authorities come down from their pedestal, take a cue from Justice Srikrishna and start talking to their critics?

Naavi

Posted in Cyber Law | Tagged , , | 1 Comment