Header image alt text

Naavi.org

Building a Responsible Cyber Society…Since 1998

It appears as if the Anti Aadhaar lobby in India has just been outsmarted by the UIDAI with its proposition of the “Virtual Aadhaar ID” as a response to the many complaints about the leakage of Aadhaar information.

The Supreme Court is waiting to complete its hearing which potentially could hold that the linking of Aadhaar to Bank and Mobile accounts was in violation of the Constitutional Right to Privacy of an individual. In the process, the entire Aadhaar scheme’s future hangs in balance.

The ground had been well prepared for scrapping the Aadhaar with the hurriedly issued 9 member judgement in the Puttaswamy case declaring Privacy as a fundamental right giving a very strong weapon with which any action of the Modi Government related to Aadhaar could be struck down.

Since the Supreme Court cleverly avoided defining what is Privacy even while holding that it is a Fundamental right, it left the doors wide open to intervene on any thing that Aadhaar was supposed to be linked with. The recent sting operation of Tribune alleging that the entire Aadhaar data base access could be purchased for Rs 500/- in 10 minutes had primed up the argument for striking down the Aadhaar linkage. Aadhaar linkage appeared to be a lost cause after this Tribune revelation.

But suddenly the “Virtual ID” option floated by UIDAI has frustrated the anti Aadhaar lobby and given a strong argument for UIDAI that it is responding to the security vulnerabilities and taking mitigation steps.

The plight of the Anti Aadhaar lobby is  like the plight of a batsman in a Cricket game who has happily jumped forward to a flighted delivery hoping to hit a six,  only to find that he has  missed the ball and is now praying that the Wicket Keeper does not stump him out.

We hope that the Wicket Keeper completes his expected duty and the Umpire does not call a no-ball.

There is no doubt that the Aadhaar authorities have been in the past behaving with an air of arrogance that reminded me of the “Indira Gandhi of Emergency Days” . But the intention of the Government to use Aadhaar as a unique identifier to root out benami asset holding and black money cannot be faulted. All those who wanted to  protect their black money were using the “Privacy” argument to oppose Aadhaar. The UIDAI was playing into their hands so far by its own negligence, ignorance and arrogance.

Hence there is a need to address the security concerns and meet them adequately rather than blaming the system itself and fight for its scrapping.

The Virtual ID concept is some thing which should be appreciated as a step in the right direction. It is true that it has come late and should have been in place from the day Aadhaar was intended to be used for KYC purposes widely. We have repeatedly advocated what we have called  “Regulated Anonymity” and the Virtual Aadhaar ID is close in its concept to part this concept which is the principle of “De-Identification” or “Pseudonomization”.

Under the proposed system, UIDAI will stop allowing direct access to its core CIDR server system which houses the data of the citizens collected for issue of Aadhaar. Instead there will be a gateway server which faces the down stream service providers which is linked in the back end with the core CIDR server. Public will be able to obtain a “Virtual Aadhaar ID” which is a 16 digit temporary random number mapped to the Aadhaar number of the user, through the website. This 16 digit number may be used as an ID to be provided to service providers like Banks and Mobile companies. When these users want to check the Aadhaar identity against either the OTP or biometric of the Aadhaar holder, the query will be processed by the secondary server which in turn will query the Core CIDR server and process the request.

The exact architecture that UIDAI may use is not known. It is however clear that the Core CIDR server has to be kept insulated from the public including the agencies such as AUA/KUA with a strong Firewall that separates the Core CIDR system from any communication from outside. The mapping of the Virtual ID issued and the true ID has to be maintained some where and that becomes a critical component of the process. How this is secured determines the security of the system as a whole.

If UIDAI again makes mistakes in managing the security of this “Mapping Server”, then the problem will continue.

The architecture should therefore include a “Virtual ID issuing server”, “Virtual ID-True ID mapping Server” in addition to the current “Core CIDR Server”. In the Regulated Anonymity system that we had discussed in the past, a system was discussed for such requirements and hopefully some of those principles would be used and improved upon in the UIDAI new system. (The Regulated Anonymity system is discussed here). The concept was discussed in 2013 and could be considered as raw and amenable to many improvements.

If UIDAI does not secure access to the “Mapping Server”, the data will be only be marginally more secure as it introduces one additional step for the hackers to break.

If UIDAI sheds it’s “I Know Everything” attitude and is humble in listening to the experts in the field, it may perhaps be able to secure the system at least in future. Whether it is too late?… is difficult to answer.

The Y2K Moment again

Keeping the arguments of how the security of the Virtual ID would be implemented, we can now address the industry issue that the proposed system has introduced. UIDAI has announced that the UIDAI will start accepting VID from March 1, 2018. From June 1, 2018 it will be compulsory for all agencies that undertake authentication to accept Virtual ID from their users.

This means that all the agencies who are using Aadhaar now, (Should be thousands of companies) will all have to tweak their codes to accommodate a 16 number system in the place of a 12 number system for its services. For some time, they need to maintain both systems working and later remove the earlier 12 digit number acceptance.

Additionally it may be necessary for them to covert all existing storage of True Aadhaar Id with a Pseudo Aadhaar Id or atleast remove the True Aadhaar Id from their system.

This will be like implementing the “Right to Forget” which is a tough task since most of these companies will not know where all they have stored the Aadhaar numbers in their systems. It could be on web servers, on cloud storage systems, on e-mail servers etc and all of these have to be erased. (If such a requirement is made).

It is possible that the Supreme Court may impose the above condition for allowing the use of Virtual ID in future and not scrap the system. But it is not known when they will give their view on it. The user companies have to therefore keep their fingers crossed and wait if the 16 number field has to be used in future or they should keep both options in place for some time.

The software developers therefore have their hands full only to implement the changes as the Supreme Court may decide. In this respect we will be re-living the days of Y2K implementation when globally codes were changed to accommodate a four digit field for the year component of a date instead of the 2 fields which were provided.

Good for many… but costs for the companies….Perhaps it is the price to be paid for the development amidst a hostile political environment.

Waiting to see what the Supreme Court will do now….

Naavi

Related Articles:

Aadhaar Authentication: How To Use Virtual ID (VID)

Virtual ID is Aadhaar 2.0, It Can be Changed Any Number of Times: UIDAI Chairman

Aadhaar Virtual ID “Unworkable”, Will Oppose Tooth-And-Nail: Petitioners

There’s no consensus over Aadhaar number or 16-digit virtual ID

Old Articles of naavi

Reasonable Security Practices For UID Project..in India..A Draft for Debate

The Unique ID Project.. What should be Unique?

The National ID Card Challenge for Nandan Nilekani.. Part I

The National ID Card Challenge for Nandan Nilekani.. Part II

At a time when India is debating a new law on Data Protection, an interesting question has been raised  before the Supreme Court about the “Right of Privacy” and whether it extends beyond death. The recent judgement of a 9 member bench of Supreme Court referred to as “Puttaswamy Judgement” was hailed as a “Land mark” judgement because it held that “Privacy is a Fundamental Right”.

At Naavi.org, we have discussed the Privacy Judgement in detail. In conclusion, we discussed the need for a proper definition of Privacy before we worry about how to protect privacy. (Refer: “The Privacy Judgement… Conclusion.. Need for Definition of Privacy” )

According to us, it was a failure of the Puttaswamy judgement that it did not define Privacy as a Right and only went about beating around the bush on the “Protection of the unknown and undefined right called Privacy”.

How can we protect a Right without defining the Right itself?

It is not prudent to make a law for protecting a concept which itself is not properly understood and defined. If we attempt to do it, then it will provide endless scope for litigation and will not help honest citizens.

Criminals will however take full advantage of such ambiguous law and ensure that they thrive at the cost of honest citizens.

The mistake committed by the 9 member bench to declare Privacy as a Fundamental Right without a definition of Privacy has now opened the question as to whether the “Right of Privacy” extends after the death of a person.

I hope this lacuna will be corrected in the Data Protection Law that the Government is trying to develop.

Background

It must be recognized that the current issue, namely “Whether the Right of Privacy extends beyond death” has arisen because there is a need to access and verify finger print data of late J.Jayalalitha,  available with UIDAI as well as the Jail authorities in Karnataka to decide on an allegation that her finger print was affixed on a document when she was in a state of health where she was either already dead or was unconscious.

There was a reasonable ground to believe foul play since during the entire period of her hospitalization, access to her was not permitted to any body other than a small group of people. Even prominent political leaders including Mr Rahul Gandhi and Venkiah Naidu came to the hospital and returned without even looking at the patient.

The prima facie perception which the citizens carried at that time was that the hospital and the Sasikala faction of AIADMK were in collusion and did not declare the true condition of her health. Even the current dispensation of the TN Government did not know her true state of health.

During such a state of doubtful health, she was supposed to have affixed her thumb impression on one of the documents which has now been questioned.  It was a reasonable doubt in the minds of the public that the thumb impression was not willingly placed by a person in understanding of the document on which it was placed and hence it was a “Forgery” and a “Fraud”. The fraud is on the citizens of India both those who like/d or dislike/d Ms Jayalalitha.

Now the honourable Supreme Court has intervened on a petition before the High Court and stayed a request for verification of the genuineness of the thumb impression.

Unfortunately, by granting a stay, The Supreme Court has intervened in a case where Criminal Conspiracy has to be investigated and the only persons who could benefit from this stay are people who want to hide the actual events that surrounded the mysterious death.

Even the UIDAI has wrongly taken a view that it cannot submit the copy of the thumb impression to help in the judicial process and in the process supporting an attempt to protect the secrecy of the doubtful death rather than bringing out the truth.

By trying to protect this questionable request not to grant access to the finger print and proceed with the investigation whether it was genuine or not under the garbs of a discussion of Privacy the Supreme Court will be further muddying the waters to an extent that people will question the integrity of the Supreme Court. Let us not forget that some of the Judges who will sit in judgement in this case may be persons who could have acted as Jayalalitha’s advocates in her days in power.

What is Right to Privacy

It is necessary for us to first define the “Right of Privacy”. As a fundamental right, Privacy can only be a Right that a Citizen can exercise against the democratic state committed to a constitution. If one “Fundamental Right” is considered the “Right that extends beyond death”, every other Fundamental Right can also extend beyond death.

If we define Privacy as a “Right to Life and Liberty” there is no logic in extending it to a dead person who does not have life or liberty.

Privacy cannot be equated to “Right of Secrecy”.

In a situation where the person has died, “The right to privacy of the dead person” cannot be extended as “Right to secrecy of the people around not to provide truthful information” or “Right to protect the deceased from loss of reputation”.

There is no doubt that the Supreme Court has powers to give any judgement and no body can  question their wisdom if they say Privacy extends beyond death. They may even quote some international practices and justify whatever they decide.

But if they do, it cannot be seen as anything other than an attempt to protect the secrets surrounding the death of Ms Jayalalitha and to protect those who could be implicated for causing her wrongful death and compounding it with fabrication of documents with her alleged finger print. Hence whatever judgement they come to will be seen with a sense of suspicion and distrust.

The feeling that ” I have a sense of Privacy” is a “State of Mind” and not a “State of Physical location”.

Let’s think……

When a person is in the Mumbai local, does he have a sense of loss of privacy because of the proximity of the next person? When a person is all alone in a deserted street in the night, does he enjoy our right of privacy?….

If a human desires to have other people around him in certain circumstances and does not mind them being too close physically, Privacy cannot be a matter that is determined by the physical proximity of the person or Right to access his body or private physical space.

Right to “Peaceful state of mind” is a creation of the person himself and not that of the environment. Hence Privacy cannot be equated to anything physical but can only be a state of mind of a person. If a person feels that he is alone, he will have a sense of privacy even in a crowd. If not, he will not feel “Privacy” even if he is in a graveyard.

Being a “Mental State”, Privacy can only be an experience of a “Living Person” and not a dead person. The Right to protect the information about a dead person can only be a “Right to be protected against defamation after death” and not a “Right to protect Privacy”. Right to be protected against defamation is fine but in the current case, it is not the reputation of Jayalalitha at stake and it is the reputation of the people who were around her at that time which is at stake. This cannot and should not be linked to the Right to Privacy of Jayalalitha living or dead.

It would therefore be appropriate if the stay is vacated forthwith and the UIDAI also directed to assist the judicial process.

I would like to point out that if the Supreme Court makes an exception to this case because they may consider that Ms Jayalalitha dead or alive is a special person, then in every other property case where a dead person’s finger print has been affixed on a document after his death, the perpetrators of the crime will claim protection under “Privacy”. There are many past cases where forensics have proved that such property documents were fraudulent and in future there will be no scope for preventing such frauds.

I hope  Supreme Court will be intelligent and honest enough to understand the consequences of holding the Right of Privacy as subsisting after the death of a person and come to the right decision.

Naavi