Monday, August 28, 2017

GSTN Signatures successful

Working with some of our partners, Truecopy has in past few days been able to successfully demonstrate Digital Signing of GST returns in GSTN sandbox. Anyone who has dealt with the available documentation (or lack thereof) on GSTN signatures would be able to tell you that this definitely deserves a blog post!

Without getting into the details (because GSTN has not asked for our opinion), we want to state that we do not believe that the signature format that GSTN seems to accept is a suitable one. However, we will keep our disagreement aside and help all our partners get their returns accepted in their sandbox.

PS> We also hope there are no more changes to spec, and the same signature formats continue to be accepted tomorrow.

Tuesday, August 1, 2017

The Aadhaar / Privacy case in SC.

The SC is currently considering cases pertaining to Privacy issues surrounding Aadhaar. A few aspects that are relevant to this discussion, have not been brought up prominently so far:

1) Many countries have citizen databases, which include confidential information about citizens. Aadhaar is probably the ONLY example in the world where the Govt actually GIVES OUT information in its database to private parties. (I have not been able to find any other example of a country where the Govt shares information in its database with private entities). This is quite remarkable. Perhaps the Privacy arguments need to focus around whether the Govt can give out citizen data, instead of focusing on whether Govt can collect citizen data.

Some may point out (correctly) that data is given out only after user consent. However, we know that in most cases citizens barely read the consent fine print. Secondly, it is always possible to word the consent in a manner that is deliberately vague, and enables usage of the same data for other purposes.

Perhaps there is a reason why no other country actually GIVES OUT data from citizen databases.

2) The early implementations at UIDAI required the individual to furnish his/her information to the receiving entity, and the receiving entity could only verify that information with a YES / NO response from UIDAI. It was up to the individual to decide what pieces of personal information s/he wanted to share with a particular receiving entity. Today, a receiving entity can fetch ALL pieces of client information in the UIDAI database (except bio-metrics).

3) Collection of bio-metrics is being "normalized". Under the guise of eKYC, so many organizations have begun asking for bio-metrics, that we no longer find it unusual. Recently, there was news that air-travelers would be allowed to fly only after they had authenticated themselves at the airports with their fingerprints. It would be interesting to see how people react when this actually happens.

Sharing your bio-metrics is like sharing your password - except, this is a "password" that you can never change even if its compromised.

A recent news said that almost 93 cr (i.e. 930 million) people had done bio-metric eKYC during July 17, and presented this as a 'proof' that residents were OK with sharing their bio-metrics. The fact is that in most cases, residents are denied service if they decline. A poor person agreeing to provide bio-metrics to get his PDS ration hardly constitutes 'proof'.

4) A citizen has no way to easily ascertain whether a particular device recording his fingerprints is compliant with UIDAI guidelines. Because of 3) above, it is easy for fraudulent entities to trick people into giving their fingerprints on non-UIDAI devices. While Govt bears no direct responsibility for such fraudulent acts, surely its the Govt that is responsible for 3) above.

The Govt may want to consider reverting back to its earlier YES/NO verification system instead of sharing UIDAI data. It may also want to define the circumstances / purposes for which biometrics of citizens can be captured.