eSign Paused (14 Dec 2018)

Aadhaar-based ESign services have paused since 14 Dec 2018 because UIDAI has said that these would be used only for purposes of DBT / Subsidies or those permitted by law. Earlier, the Supreme Court had invalidated Section 57 of Aadhaar Act essentially preventing private companies from performing eKYC.

 In this regard:

1) A Gazette notification of Jan 28, 2015 documents a rule made by Department of Electronics and Information Technology mentioning eKYC-based eSignatures. But this is a rule and not a law (as required by SC judgement).

2) Neither UIDAI nor CCA has issued a statement saying general eSignatures are valid after Dec 14 2018 other than for DBT / Subsidy purposes.

3) At least one Certifying Authority has avoided answering questions regarding the legality of eSignatures issued by them (!). They have actually asked their subscribers to provide a declaration which indemnifies them.

This is an absurd scenario, where the service-provider himself is not ready to vouch for the validity of the service he provides, but wants his consumer to do so, and indemnify the service-provider.


4) The Govt has announced it will bring in suitable laws that will permit use of eKYC by private players. (This implies that such a law doesnt currently exist.)

Given all of the above, it is unwise to use eSignatures beyond Dec 14 2018 for agreements / contracts / forms / etc because their validity is uncertain.

It is hoped that the authorities will soon provide clarity and guidance so that there is no ambiguity.

Offline e-KYC API

The SC has in its judgement on the validity of Aadhaar. As a part of the judgement, it struck down Section 57, which allowed private companies to access the Aadhaar database. Subsequently, has been promoting "Offline eKYC".

Offline eKYC refers to uing either eAadhaar or QR code to authenticate an individual. The eAadhaar is a Digitally Signed PDF that has the individual's information as available in the Aadhaar database. This PDF also has a QR code that has the same information (and which can be scanned and verified by mobile apps developed by UIDAI). There is also an XML equivalent (instead of a PDF format), which allows faster processing by automated algorithms.

The eAadhaar PDF as well as the XML are downloadable by the individual from the UIDAI website.

Automated API for processing eAadhaar PDF or for processing the XML ("paperless offline eKYC" as UIDAI calls it) are now available from Truecopy. For more information, email sales@truecopy.in

SC decision on Article 57 of Aadhaar Act

The SC delivered its judgement few hours ago on the validity of Aadhaar. This is a landmark judgement because it sets right several aspects of the way UIDAI had permitted Aadhaar data to be used.

The most important part of of the judgement is the one pertaining to Article 57 of the Aadhaar Act.

About Section 57, the judgement says (Below excerpt from livelaw.in)

Insofar as Section 57 in the present form is concerned, it is susceptible to misuse inasmuch as: (a) It can be used for establishing the identity of an individual ‘for any purpose’. We read down this provision to mean that such a purpose has to be backed by law. Further, whenever any such “law” is made, it would be subject to judicial scrutiny. (b) Such purpose is not limited pursuant to any law alone but can be done pursuant to ‘any contract to this effect’ as well. This is clearly impermissible as a contractual provision is not backed by a law and, therefore, first requirement of proportionality test is not met. (c) Apart from authorising the State, even ‘any body corporate or person’ is authorised to avail authentication services which can be on the basis of purported agreement between an individual and such body corporate or person. Even if we presume that legislature did not intend so, the impact of the aforesaid features would be to enable commercial exploitation of an individual biometric and demographic information by the private entities. Thus,

this part of the provision which enables body corporate and individuals also to seek authentication, that too on the basis of a contract between the individual and such body corporate or person, would impinge upon the right to privacy of such individuals. This part of the section, thus, is declared unconstitutional.

TOI reports that as per the judgement  Private companies can't ask for Aadhaar

IE reports:
Section 57 of the Aadhaar Act refers to the use of Aadhaar data by any “body corporate or person” to establish the identity of an individual. Justice Sikri, in his judgment, found this section to be unconstitutional. It was under this provision that private companies like Paytm and Airtel Payments Bank sought Aadhaar details from customers.

This would suggest that UIDAI should not be sharing any information from the Aadhaar database with any private entities (AUA / KUA). As we had said in an earlier post:

Unique ID Authority of India is "Unique" for one reason. It is the ONLY National Database in the world that GIVES OUT citizen information to private entities. 

Hopefully, the SC order corrects this anomaly and perhaps UIDAI will stop giving information from its Database to private entities.

The other major takeaway from the judgement was that the Supreme Court upheld the validity of Aadhaar. Clearly, every country requires a unique identifier for its residents and so does India. Further more, the SC asked the Centre to bring a robust law for data protection as soon as possible. Again, this is absolutely needed, because there is no control on how entities treat confidential data of third parties.

PS>> Congress Party seems to have a view on section 57 as well, and they are in agreement with us!

Excerpts from CGST Guidelines on Invoices

Signing invoices is a matter of interest for a large number of users of Digital Signatures. It is therefore interesting to take a look at what CGST guidelines say about the use of Digital Signatures for signing invoices, and the Type of Signatures that can be used.

The Central GST Rules are available on the GST Council website. The latest guidelines as of today are available here:

http://gstcouncil.gov.in/sites/default/files/NOTIFICATION%20PDF/CGST-Rules-06072018.pdf

[Link moved. New link as of 10/07/2019:
https://cbic-gst.gov.in/pdf/23042019-CGST-Rules-2017-Part-A-Rules.pdf
]

Chapter VI deals with TAX INVOICE, CREDIT AND DEBIT NOTES.

Section 46 begins:

and continues...

specifically (Color added to draw attention to specific words):

"digital signature of the supplier or his authorised representative."

The definition of supplier is found in the CGST Act 2017, as it appears in the Gazette of India, which is available from the GST Council website link below.

http://gstcouncil.gov.in/sites/default/files/CGST.pdf

The definition of supplier in section 2(105) is below:

The definition of person in Section 2 (84) of the CGST Act is below:

Lastly, we could not find any specific mention of whether Class 2 or Class 3 signatures have to be used for signing invoices. However, we know that for various tax filings, corporate filings, EPF and other Government filings, Class 2 signatures are used.

Certifying Authorities issue Class 3 Corporate Document Signing Certificates on an HSM only. However, for Class 2 Corporate Document Signing Certificates, HSM is not required, although security precautions are to be taken in their usage.

31 July 2018 - eSignatures will need VID (Virtual ID)

31 July 2018 is the date from which eSignatures will be done using Virtual ID and Aadhaar numbers will no longer be used. TRUECOPY has been supporting VID-based signing since June 30, and a large number of VID users have already signed documents using VID instead of Aadhaar.

Here is a re-cap of the process.

How to obtain your VID?

An individual can obtain his / her VID from the UIDAI website:

https://resident.uidai.gov.in/web/resident/vidgeneration

The individual enters his / her Aadhaar number and obtains and OTP on registered mobile. After entering the OTP, a VID is communicated to the individual.

A VID is also generated by downloading an eAadhaar document. (It appears under the Aadhaar number on the eAadhaar document)


How to use a VID for eSignatures?

During the eSign process the individual is directed to the ESP gateway, and the VID has to be entered on the ESP page. An OTP is received (as earlier) and the eSign process goes forward.

Will Aadhaar-based eSigning continue indefinitely?

UIDAI has just released a Circular ("Circular 9 of 2018") that extends the date for compulsory usage of VID for eSigning. This circular has generally been interpreted to mean that VID will be compulsory for eSign beyond 31 July 2018 (instead of 30 June 2018 - basically an extension of 1 month). One ESP has communicated "All ASPs are requested to migrate to new eSign API 2.1 on or before July 31, 2018."

A closer look at the wording of the circular seems to suggest that potentially, Aadhaar based eSigning can continue to be used later by making additional payment per transaction.


The relevant section is reproduced below:

The notification does not explicitly say that users should stop using Aadhaar for eSigning after July 31. If extra charges are going to be waived for those migrating by July 31, it means that extra charges would not be waived for those who continue to use Aadhaar for eSigning after July 31. It seems to suggest that UIDAI expects there to be people who would continue to use Aadhaar beyond July 31.

It would be good to have clarity on this matter. The question is:
Will VID be compulsory for eSignatures after July 31 2018 or can Aadhaar be used by paying an extra amount per transaction thereafter?

Of course, irrespective of what we think, the interpretation of ESPs / CCA / UIDAI would be final.

(Very) Preliminary Observations on eSign using VID

(These observations are based on a few hours of testing the UAT made available by one ESP provider yesterday - June 20. It is possible that some of the aspects mentioned below could change in the next few days)


UIDAI has mandated that OTP-based eSignatures can no longer use the Signer's Aadhaar number. They would have to use the VID (Virtual ID). This goes into effect after June 30, and one ESP has made available its Testing Environment yesterday. Here are some preliminary observations.


1) eSigners will need a VID (Aadhaar not permited)

The eSigner (the individual who will be signing) will need to generate his VID. This can be done from the UIDAI website. The VID is sent over SMS to the registered mobile phone of the individual, and is a 16-digit number. A person can only have 1 VID at a given time. A VID seems to expire after a certain duration. (Not sure exactly how many, but it is probably several days. Early reports seemed to suggest that there would be no expiry, but our tests have revealed that some of the older VIDs have expired.).


2) Freshly generated VID does not seem to be immediately usable for eSigning (!!!)

ESigners had observed in the past, that if you linked a mobile with your Aadhaar, it would not become available immediately for eSigning OTP. The UIDAI website would show that the mobile number was linked, but eSign Gateway would return an error saying it wasnt linked. It used to take several days for eSigning to be possible after the mobile was linked. The same seems to be the case with freshly generated VIDs.

In our testing, it was observed that freshly generated VIDs could not be used for signing for at least a day and maybe more. This can be a big impediment, because most eSigners are unlikely to have a VID prior to eSigning. If the Signer generates it on the spot just before signing, he would have to wait for a while (potentially a few days) before eSigning is possible with the new VID. This issue needs to be addressed by UIDAI / ESP if eSigning has to remain viable.


3) ASP does not pass the VID to ESP

Earlier, the Aadhaar number used to be passed by the ASP to the ESP. Now it appears that the VID has to be entered on the ESP page by the eSigner. The earlier API allowed an ASP to specify a-priori which Aadhaar number had to be used for signing a particular document. This no longer seems to be the case. In other words, a document may end up being signed by someone who was not intended to sign it. Any confirmation of who the actual signer was will have to be done post-facto.


4) eMandates

eMandates will probably be disrupted for a while for a couple of reasons.

a) Banks may have a person's Aadhaar (which does not change), but they may not have his VID (which keeps changing). So these Banks would probably have no way to perform verification of the eMandate unless they happen to have the VID which that person used at the time of eSigning.

b) The X509 does not seem to contain the SHA256 of the VID (as was earlier the case with Aadhaar). Thus Banks will not be able to perform verification even if they did have the VID. This is probably a technical issue that ESPs would need to resolve.


PS> Clarification to commonly asked questions:

a) No, it is not possible to obtain the Aadhaar number from the VID.

b) Only the holder of an Aadhaar number can generate a VID for himself. There is no "API" to automate this on behalf of others.

Aadhaar Data Vault - who needs it?

UIDAI had made it mandatory for AUAs/KUAs/Sub-AUAs to implement a Aadhaar Data Vault. However, the Aadhaar eKYC landscape has undergone significant changes in the past few weeks.

1) UIDAI stopped sub-AUAs from availing the eKYC services. This is a step in the right direction, because "becoming a sub-AUA" was essentially a way to avail of eKYC data without having to satisfy the audit and other registration / financial requirements imposed by UIDAI on KUAs. Clearly, there was very little control that KUAs could exercise on their sub-AUAs. Now the choice is to either become a KUA (and be audited) or not avail of eKYC.

2) UIDAI has issued an FAQ on Aadhaar Data Vault, which essentially states that any entity (not just AUA/KUA/sub-AUA) that stores Aadhaar numbers needs to implement an Aadhaar Data Vault. (For example, this would cover Schools and Colleges that ask students for their Aadhaar numbers.)

3) In its circular dated May 1 2018, UIDAI states that only Global AUA / KUAs will be allowed to store Aadhaar numbers. Local AUA/KUAs, would not be permitted to store Aadhaar numbers, but could only store UID tokens. If there are no Aadhaar numbers to store, why would they need Aadhaar Data Vaults?

4) At present time therefore it appears that Global KUAs would need to implement Aadhaar Data Vaults. Because these would be audited, ensuring compliance.

As things stand, Local AUAs will not be able to store Aadhaar numbers, but other entities such as Educational Institutes, Employers, etc can. It is not clear how UIDAI would ensure compliance with the Aadhaar Data Vault requirement by schools, colleges, employers and various other agencies that take people's Aadhaar numbers & who don't undergo any sort of an audit at all.

Why does Adobe Acrobat Reader take a few seconds to verify Digital Signatures?

When a document is opened in Adobe Acrobat Reader, it needs a few seconds to verify the signatures in the document. It needs the internet to perform the verification.

1) What are the verifications performed?

The reader verifies that the digital signature has been issued by a trusted authority (more precisely, that the signer's digital certificate in its hierarchy tree has at least one certificate that is already trusted by the Adobe Reader.

Secondly, it verifies that the Signer's certificate has not been revoked. This usually requires the internet. The list of revoked certificates (Called Certificate Revocation List - CRL) is available at a URL embedded within the Digital Signature, and the Reader tries to access that URL to ensure that the Signer's certificate is not in the CRL. Acrobat Readers often store these CRLs in their cache, in which case a connection to the URL may not be made.


2) What are the URLs that need to be accessible to the Acrobat Reader so that the Green tick appears?

These URLs are found in the Signer Certificate Details under the three headings shown below.

and

and

The above details have to be checked for URLs for each of the certificates in the tree.

What is the VID and what problem will it solve?

(At the time of writing this, I have not been able to locate the official VID circular either under the Circulars menu or Notifications menu on the UIDAI website, so I rely on detailed news reports such as [1], [2], [3] for this article.)

UIDAI has recently announced that it would start issuing 16-digit Virtual IDs (VIDs) to individuals on demand, who will then provide these in place of the Aadhaar number if they so choose. Individuals can then keep their Aadhaar number secret.

For a long time now, UIDAI has taken the position that the Aadhaar number is not a secret. (Most recently in a press-note which was issued 4 days before the VID announcement). Given the reality that Aadhaar is being asked virtually everywhere, Aadhaar number cannot be expected to remain a secret. Introducing the VID idea seems like a rethink, in light of the data breach reported in the Tribune.

The other problem that UIDAI is trying to solve with the VID, is to avoid "profiling" of residents. In an article on NDTV it was claimed "the Virtual ID that had been in the works for 18 months was introduced to block any attempt at profiling the crores of people who had enrolled for the unique identification number." (end quote) In other words, it is to guard against the possibility, that a malicious attacker, with knowledge of an Aadhaar number will be able to search across multiple financial, telecom, educational, and other databases and obtain a detailed picture or profile of the individual.

This is a problem that UIDAI is not expected to solve. World over, the security and confidentiality of various databases is the responsibility and duty of the organizations that maintain the databases - banks, telecom companies, etc. The profiling problem arises when the databases of these organizations are compromised.

Issuing a VID will NOT solve the profiling issue for the simple reason that if these databases are compromised, the malicious attacker will easily perform the profiling on the basis of the name or even better, the cell number. [I cannot think of a single instance when I have had to share my Aadhaar but not my cell number. I can think of many places where I have had to give my cell number but not Aadhaar, so the cell number seems like a richer profiling key for any malicious attacker. Oh, and I have always had to give my name everywhere!].

This brings us back to the question - why does UIDAI need to add "layers of security" to something we have been told is "fully secure"? Why is UIDAI still unsure whether the Aadhaar number is to remain secret or not? There is no other country where there are so many questions about the National Identity Database. The Passport authority in India or the IT Dept (that issues PAN cards) have never been questioned on the security of their databases. Why do such questions arise about Aadhaar?

Unique ID Authority of India is "Unique" for one reason. It is the ONLY National Database in the world that GIVES OUT citizen information to private entities. Even the Passport Authority and the IT Dept DO NOT GIVE OUT citizen information to anyone, except investigative agencies in case of some evidence of crime.

It is worth asking, why does UIDAI even need to give out eKYC data unless there is a crime or other over-riding reason? Sure, it may help a telecom company scale up its user base much faster than its competitors, or it may cut down the time and effort required to populate databases of other private companies. But making life easier for private companies was NOT the purpose of Aadhaar Act to begin with and can never be the purpose of any National Identity Database.

Furthermore, none of the Govt savings that are claimed, such as those from eliminating ghost teachers, fake ration card holders or fake students would be compromised if eKYC is stopped and replaced purely with verification or authentication.

Interestingly, UIDAI only did YES/NO verification and biometric authentication until couple of years ago or so. That was the right approach. UIDAI needs to switch back to it immediately. Further, it should restrict biometric authentication only to government agencies. UIDAI should not be an enabler in the replication of its data in private databases in India and abroad. Then it won't have to worry about profiling based on Aadhaar.

The SC bench hearing the Aadhaar case should focus on this insidious eKYC provision of the Aadhaar act. Surely, as Mr Chidambaram said, this is a bit like locking the door after the horses have bolted. Perhaps we can seek satisfaction in the fact that it will protect the privacy of babies who are born today!

Tribune report on Data breach

The Tribune carried a news of UIDAI data breach:

http://www.tribuneindia.com/news/nation/rs-500-10-minutes-and-you-have-access-to-billion-aadhaar-details/523361.html

This was followed by a clarification from UIDAI:

http://www.tribuneindia.com/news/nation/uidai-denies-any-breach-of-aadhaar-data/523469.html

More information about the Aadhaar breach has come into the public domain subsequently. There are some clear facts that have emerged from everything that is known.

1) The UIDAI essentially admits that resident data (demographic and personal information, probably including photo, and not including fingerprint and iris data) has been accessed in an unauthorized manner. It is said that perhaps 1 lakh un-authorized users had accessed Aadhaar data. It also seems that the authorities had no idea this was happening until the reporter broke the story.

2) The breach of demographic information is a serious matter. Consider for a moment - if intelligence agencies of  foreign countries have access to this information, they can look up the residential address of any officer in Indian security forces. Less ominously, mischief-makers and marketeers can create targeted databases of individuals with particular characteristics within a PIN code.

3) Had the Aadhaar system restricted itself to YES / NO verification (as it correctly did when it was conceived), none of this would have happened. Unfortunately, after the NDA Govt took office, private entities were permitted to access and obtain Aadhaar information (via what is called eKYC). eKYC has permitted many private entities to essentially replicate large sections of Aadhaar database in private databases over which no one can exercise control.

4) Any corrective action at this time is akin to bolting the door after the horses have fled. While the SC continues to debate and hear "privacy" related cases, the reality of the situation is that much of the information has already been compromised and the genie cannot be put back in the bottle.

(This post was modified in light of information available after the initial Tribune story.)