Why the SC ruling on ‘Private Players’ use of Aadhaar doesn’t say what you think it does

On behalf of iSPIRT, Sanjay Jain recently published an opinion piece regarding the recent Supreme Court judgement on the validity of Aadhaar. In it, we stated that section 57 had been struck down, but that this should still allow some usage of Aadhaar by the private sector. iSPIRT received feedback that this reading may have been incorrect and that private sector usage would not be allowed, even on a voluntary basis. So, we dug deeper, and analyzed the judgement once again, this time trying to disprove Sanjay’s earlier statement. So, here is an update:

Section 57 of the Aadhaar act has NOT been struck down!

Given the length of the judgement, our first reading – much like everyone else’s – was driven by the judge’s statement and confirmed by quickly parsing the lengthy judgement. But in this careful reanalysis, we reread the majority judgement at leisure and drilled down into the language of the operative parts around Section 57. Where ambiguities still remained, we relied on the discussions leading up to the operative conclusions. Further, to recheck our conclusions, we looked at some of the other operative clauses not related to Section 57. We tested our inference against everything else that has been said and we looked for inconsistencies in our reasoning.

Having done this, we are confident in our assertion that the judges did not mean to completely blockade the use of Aadhaar by private parties, but merely enforce better guardrails for the protection of user privacy. Let’s begin!

Revisiting Section 57

Here is the original text of section 57 of the Aadhaar Act:

Nothing contained in this Act shall prevent the use of Aadhaar number for establishing the identity of an individual for any purpose, whether by the State or any body corporate or person, pursuant to any law, for the time being in force, or any contract to this effect:

Provided that the use of Aadhaar number under this section shall be subject to the procedure and obligations under section 8 and Chapter VI.

Now, let us simply read through the operative part of the order with reference to Section 57, i.e. on page 560. This is a part of paragraph 447 (4) (h). The judges broke this into 3 sections, and mandated changes:

  1. ‘for any purpose’ to be read down to a purpose backed by law.
  2. ‘any contract’ is not permissible.
  3. ‘any body corporate or person’ – this part is struck down.

Applying these changes to the section (the phrases affected by the order are shown in square brackets), we get:

Nothing contained in this Act shall prevent the use of Aadhaar number for establishing the identity of an individual for [any purpose] a purpose backed by law, whether by the State or [any body corporate or person], pursuant to any law, for the time being in force, or [any contract] to this effect:

Provided that the use of Aadhaar number under this section shall be subject to the procedure and obligations under section 8 and Chapter VI.

Cleaning this up, we get:

Nothing contained in this Act shall prevent the use of Aadhaar number for establishing the identity of an individual pursuant to any law, for the time being in force:

Provided that the use of Aadhaar number under this section shall be subject to the procedure and obligations under section 8 and Chapter VI.

It is our opinion that this judgement does not completely invalidate the use of Aadhaar by private players, but rather, specifically strikes down the use for “any purpose [..] by any body corporate or person [..] (under force of) any contract”. That is, it requires the use of Aadhaar be purpose-limited, legally-backed (to give user rights & protections over their data) and privacy-protecting.

As an exercise, we took the most conservative interpretation – “all private use is struck down in any form whatsoever” – and reread the entire judgement to look for clues that support this conservative view.

Instead, we found that such an extreme view is inconsistent with multiple other statements made by the judges. As an example, consider the earlier discussion of Section 57 in the order (paragraphs 355 to 367). The conclusion there, in paragraph 367, states:

The respondents may be right in their explanation that it is only an enabling provision which entitles Aadhaar number holder to take the help of Aadhaar for the purpose of establishing his/her identity. If such a person voluntary wants to offer Aadhaar card as a proof of his/her identity, there may not be a problem.

Some pointed out that this is simply a discussion and not an operative clause of the judgement. But even in the operative clauses where the linking of Aadhaar numbers with bank accounts and telecom companies is discussed, no reference was made to Section 57 and the use of Aadhaar by private banks and telcos.

The court could have simply struck down the linking specifically because most banks and telcos are private companies. Instead, they applied their mind to the orders which directed the linking as mandatory. This further points to the idea that the court does not rule out the use of Aadhaar by private players, it simply provides stricter specifications on when and how to use it.

What private players should do today

In our previous post, we had advised private companies to relook at their use of Aadhaar, and ensure that they provide choice to all users, so that they can use an appropriate identity, and also build in better exception handling procedures for all kinds of failures (including biometric failures).

Now, in addition to our previous advice, we would like to expand the advice to ask that each company look at how their specific use case draws from the respective acts, rules, regulations and procedural guidelines to ensure that these meet the tests used by this judgement. That is, they contain adequate justification and sufficient protections for the privacy of their users.

For instance, banks have been using Aadhaar eKyc to open a bank account, Aadhaar authentication to allow operation of the bank accounts, and the Aadhaar number as a payment address to receive DBT benefits. Each of these will have to be examined for how it derives from the RBI Act and the regulations that enable these use cases.

These reviews will benefit from the following paragraphs in the judgement.

The judgement confirmed that the data collected by Aadhaar is minimal and is required to establish one’s identity.

Paragraph 193 (and repeated in other paras):

Demographic information, both mandatory and optional, and photographs does not raise a reasonable expectation of privacy under Article 21 unless under special circumstances such as juveniles in conflict of law or a rape victim’s identity. Today, all global ID cards contain photographs for identification alongwith address, date of birth, gender etc. The demographic information is readily provided by individuals globally for disclosing identity while relating with others and while seeking benefits whether provided by government or by private entities, be it registration for citizenship, elections, passports, marriage or enrolment in educational institutions …

The judgement has a lot to say in terms of what the privacy tests should be, but we would like to highlight two of those paragraphs here.

Paragraph 260:

Before we proceed to analyse the respective submissions, it has also to be kept in mind that all matters pertaining to an individual do not qualify as being an inherent part of right to privacy. Only those matters over which there would be a reasonable expectation of privacy are protected by Article 21…

Paragraph 289:

‘Reasonable Expectation’ involves two aspects. First, the individual or individuals claiming a right to privacy must establish that their claim involves a concern about some harm likely to be inflicted upon them on account of the alleged act. This concern ‘should be real and not imaginary or speculative’. Secondly, ‘the concern should not be flimsy or trivial’. It should be a reasonable concern…

Hence, the privacy risk in these use cases must be evaluated in terms of the data in the use case itself, as well as in relation to biometrics and the Aadhaar number, in the context of the user’s expectations and real risks. Businesses must evaluate their products and services, particularly those which use Aadhaar, for privacy risks. It is helpful that the UIDAI has provided multiple means of mitigating risks, in the form of Registered Devices, Virtual Ids, Tokenization, QR Codes on eAadhaar, etc., which must be used for this purpose.

What private players should do tomorrow

In the future, the data protection bill will require a data protection impact assessment before deploying large scale systems. It is useful for businesses to bring in privacy and data protection assessments early in their development processes since it will help them better protect their users, and reduce potential liability.

This is a useful model, and we would hope that, in light of the Supreme Court judgement, the Government will introduce a similar privacy impact review, and provide a mechanism to regulate the use of Aadhaar for those use cases, where there are adequate controls to protect the privacy of the users and to prevent privacy harms. Use cases, and an audit/enforcement mechanism matter more than whether the entity is the state, a public sector organization, or a private sector organization.

Note: This is in continuation of Sanjay Jain’s previous op-ed in the Economic Times, which is available here; the same version is on the iSPIRT blog here.

The writer is currently Partner, Bharat Innovation Fund, and Chief Innovation Officer at the Centre for Innovation, Incubation and Entrepreneurship, IIM Ahmedabad. As a volunteer at iSPIRT, he helped define many of the APIs of the India Stack. He was the Chief Product Manager of UIDAI till 2012.

(Disclaimer: This is not legal advice)

What it’ll take to make ‘Smart Cities’ ‘smart’ in the truest spirit

What the BJP is touting proudly as its Smart City development of hundred shortlisted cities across the country, the Congress had initiated during its rule by the name Urban Clusters. The ultimate objective was to judiciously use technology for intelligent planning and efficient running of urban centers in India.

This subject has been discussed by various eminent people in the field ranging from town planners to architects to civic authorities. Most are of the view that injecting technology in a contrived manner was not desirable and the need was for sustainable cities rather than ‘smart’ ones, where the approach is more outcome based. Infrastructure by itself is of little value unless it is complemented by systems that are efficient. The approach has to be holistic and should be in tandem with other related programs such as AMRUT and Swachh Bharat.

All such mega ventures with huge capital outlays come with their own set of impediments. To begin with, there are three bureaucratic layers to contend with, the Central Government, that holds the purse strings, the State Government where the Chief Minister could be the gateway to fund distribution and the Civic body where the implementation will be finally done. As things stand today, the CM of the state will be the overriding authority in decision making, but then political equations and differences could at times influence decisions. Also, politicians have short tenures, whereas planning and execution could be a slow laborious process.

For most major cities in the world, the city mayor is a powerful and influential authority as far as the planning and systems are concerned. Some of them have managed their cities so well that they have gone on to become national leaders. In India, mayors are but figureheads with minimal powers, at least as far as spending is concerned. Should we then think of a separate body or authority to decide on city matters, especially for the metro cities of India? For instance, like the NCR region around Delhi, can we have a State Capital Authority for all the capital cities of our states?

Then, there is the tricky issue of procurement and purchase. With the proposed top-down approach where the Centre releases the funds, this issue could hit roadblocks. Who would decide on what and from where to procure the material? For instance, if a city needs 100 CCTV cameras for security, does one go for wired ones to stay within budget or go for wireless ones? Should purchases be made from local sources?

It will become desirable to make it a more democratized process with active citizen participation, where smart cities are run BY the citizens rather than FOR them. More involvement of citizens in varying degrees at the various stages of decision making would become a norm for the future. For this to happen, data which is under layers of bureaucratic stops must be freed for the general public. The use of active APIs as envisaged by iSPIRT could be put to good use. For specific problems of certain spots within a large city, accessing such data could enable residents to come up with solutions. The India Stack is a good example to follow for smart cities.

All major towns have authorities assigned with the task of systematic planning and infrastructure layout with the of 1917 serving almost as a bible; a 100 year old but meticulous document. Cities today are in disarray because vested interests, together with the collusion of authorities at times, have got away with violations in spite of firm legislation. Smart cities could help curb such acts to a great extent since all planning has to be based on metrics and accountability, and as we move to a ‘presence-less approach’ with the use of technology, the roles of these vested interests could diminish greatly.

So yes, a lot is possible with the use of technology towards the making and running of our cities, but for that a lot needs to be done other than earmarking funds and selecting cities to be made ‘smart’. From the dissolving of ward boundaries to accessing of geospatial data to free use of active APIs, smart city development needs a concerted effort from more than one source.

Guest Post by Ranga Raj, Thinxtream Technologies

India Stack takes the Digital India campaign to a whole new level

India is the third largest smartphone and mobile internet user market in the world with over 200 million internet users in 2013. The figures are expected to touch a staggering 500 million users by 2017, including 314 million mobile internet users according to a report by IAMAI and KPMG. Clearly, mobile phones are the ‘computing device of choice’ for the country. To keep up the momentum, the Government of India is keen on developing the digital infrastructure of the country under the Digital India program.

Digital India is a revolutionary program that will empower the masses and leapfrog India into the next generation of government services. Fortunately, the lower level of investment in earlier generation technology means India has skipped the legacy era and waited for the right technology to arrive at its doorstep. To kick-start and empower the Digital India program in a very democratized form and involve the great innovation talent of the nation, the Government of India has launched an open API policy. An open API, often referred to as a public API, is a publicly available Application Programming Interface (API) that provides programmers with programmatic access to a proprietary software application. This set of open APIs is known as the India Stack, and it would ease the integration of mobile applications with the data securely stored and provided by the government to authenticated Apps.

India Stack is a complete set of APIs for developers and includes the Aadhaar for Authentication (Aadhaar already covers over 940 million people and will quickly cover the population of the entire nation), e-KYC documents (safe deposit locker for issue, storage and use of documents), e-Sign (digital signature acceptable under the laws), unified payment interface (for financial transactions) and privacy-protected data sharing within the stack of APIs. Together, the India Stack enables Apps that could open up many opportunities in financial services, healthcare and education sectors of the Indian economy. What this essentially means is that developers and tech startups can now build software and create businesses around the readily available infrastructure offered through India Stack, thus opening a huge potential to tap into the booming smartphone market in the country. Since the consumer market in India is very large, such startups could also hope for institutional funding and gain from the early mover advantage.

Through the digitized elements like e-KYC, e-Sign, digitized Aadhaar information and digital locker, the entire ecosystem has now become a presence-less, paperless and cashless system. A Digital Locker enables users to have all their legal documents in a digitized format that is stored online and can be accessed from any part of the country. The e-Sign makes it simple for people to sign deals, contracts and legal documents through their phones and the Unified Payment Interface lets people make payments with ease through their smartphones from anywhere.

India Stack makes a user base of over a billion people readily available through its API. This means that startups and tech companies can build over this to be able to integrate various functions for their businesses or for larger enterprises. Every bank or telecom operator scans through tons of paperwork every day to be able to verify customers and generate KYC documents. Now imagine the impact if this entire process could be digitized by building an application which would integrate India Stack and the user base of over a billion Indians!

With the technology, documentation and sample code available, entrepreneurs and startups can get started with innovating, prototyping as well as building India Stack enabled applications. The commercial applications are endless with multiple opportunities, as the large user base opened up by India Stack is nascent, solution-hungry and largely untouched by technology. Now even a local vegetable trader can take an intra-day loan almost instantly through his mobile phone and pay it back the very same or next day without even physically visiting the bank or wasting any time (time is money when earnings are proportional to time spent)! With their e-KYC documents and digital signatures, a loan can be processed almost instantly and the money transferred through the Unified Payment Interface. Long queues at banks, telecom offices and all other government and non-governmental processes should be a thing of the past, through proper integration of India Stack.

The nation is looking for “a transition from technology-poor to innovation-rich society” and entrepreneurs have a good role to play. The problems (read opportunities) in financial services, healthcare and education are all so large that only the right technology can cost-effectively solve them. Solving these scale problems would mean great business sense too.

iSPIRT, the non-profit software product industry think tank powered by industry veterans, has been actively involved in the development of India Stack and is helping entrepreneurs make the best use of business opportunities provided by India Stack, while building their startups. iSPIRT believes that India Stack creates a whole new generation of business opportunities around the mobile phone and early movers would have tremendous market advantages.

On a recent visit to India, Bill Gates commented on India Stack saying, “India is on the cusp of leapfrogging!” And it truly is; considering it is the only country in the world offering such an open and secure API, India is certainly looking at taking the Digital India campaign to a whole new level.

The future is here and now is the time to act.

 

Should experts be limited to an organization?

I am a great fan of analogy, and one of the things I have been pondering for the past year or so is comparing our software industry with the medical and film industries.

In this post, I plan to share some thoughts on how our software industry can consider the evolution of the medical and film industries, and probably evolve in that direction.

In the medical industry, the ecosystem contains Doctors, Surgeons, Physicians, Specialists, Hospitals, Clinics, Life Science companies, research labs and other associated entities to serve the patients.

In the film industry, the ecosystem is made up of producers, directors, actors, cameramen, music directors, editors, choreographers, stunt masters and other specialized technicians.

Similarly, in our software industry, the ecosystem is made up of VCs, founders, techies, designers, product managers, and sales/marketing folks.

Specialization

One of the striking aspects of the whole evolution is the specialization part, where the medical industry has evolved and recognized the need for deep specialization, and doctors and the surrounding ecosystem have focused on specialization. While you still see some general physicians, we all know who is in more demand – the specialist.

In the film industry, specialization has become key, whether you are a screenplay writer of dramas, you specialize in romantic comedies, or you are an action director. Of course, there are a few folks who are versatile, especially in acting, but every film needs a bunch of specialists.

Similarly in our industry, specialization has taken off, and it’s a great sign of the industry maturing. We see specialists in design, UX vs backend techies, architects, B2B vs B2C product managers, industry experts in areas such as banking, government and healthcare who bridge industry knowledge with technology, and further experts in big data, cloud, database, IoT, mobile, etc.

 

Should specialists be limited to an organization or department?

With the above background, the key thought I had for writing this post is how our industry can evolve to leverage specialist expertise beyond just one organization.

Take the case of the medical industry: an important attribute is that specialists are usually not associated with one hospital but consult in multiple different places. There also exist several communities where specialists come together to discuss the challenges, problems, solutions and experiences in their area of specialization. We have seen several doctors consult with others to get second opinions. The ecosystem is set up in such a way that it’s not just honorary service, but a win-win for everyone, and it takes care of “what’s in it for me?” very well.

In the case of the film industry, most of the people work independently and come together for a specific film. Over a period of time, many work together on multiple such film projects over several years. There are specialists and actors (not the main heroes) who work on multiple projects. It’s left to the potential, interest and capability of the individual how much he or she can leverage their time, how they want to pace their career, and how they stay on their toes to differentiate or find their winning formula, as an individual or as a team. One nice talk you should watch to understand this is when our versatile actor Kamal Hassan spoke at a NASSCOM event, sharing some of the interesting aspects of the film industry.

The above two industries are great examples for us to consider as we evolve our industry. We have several experts and specialists out there in our industry, but their talents are often not leveraged to full potential for lack of the right setup – they are bound by their employment contracts, or merely don’t have avenues to share, engage, contribute and gain. Most of the folks in our industry land up in mundane jobs and standard career paths, leading to becoming people managers or to no longer reinventing ourselves.

The boundary laid out for experts is not just about being unable to work on multiple projects outside; even within the company, many of the experts do not have an opportunity to showcase their potential as they are bound by their departments and hierarchies.

Here are my thoughts on how our industry can evolve around better leveraging specialists:

  • Expert clubs that can bring together specialists by different areas of specialization, e.g. by specific functional areas, deployment expertise, industry expertise, cultural expertise, skills – product management/design/architecture, GTM expertise, etc.
  • Answering the ‘what’s in it for me?’ question – not expecting specialists to always come and engage for free
  • Employment contracts having clauses that allow experts to take up other pursuits beyond their employment, e.g. like a doctor who can consult beyond the hospital he is assigned to, experts should be able to consult for other products/projects
  • Creating an environment where it’s safe for experts to share and work independently and to take risks
  • Entrepreneurs recognizing the need for experts/specialization for rolling out products that excel, instead of relying on a do-it-all jack of all trades – this will drive towards products that excel
  • An environment or community that makes experts easily accessible and able to work on a product/project for a given time, including the possibility for them to engage in multiple projects based on their appetite… think of the movie analogy here
  • Crowdsourcing for expert skills would be a great way to enable experts to be fully engaged, leverage potential and create more products
  • Mentor programs are a stepping stone in this direction for many experts; we see a lot of mentor programs already being run… but this needs to get to the next level where these experts contribute more rigorously

 

List of experts that we would like to see in our product industry being part of an expert club (not exhaustive):

  • UX Designers – Interaction/visual design
  • Mobile designers
  • Internet Security experts
  • Product Managers for B2C
  • Product Managers for B2B
  • Product marketers
  • Industry Specialists
  • SaaS Pricing experts
  • Growth Hacking experts
  • Technical writers/Product Documentation writers
  • Intellectual Property Experts
  • Social Media Marketers
  • Solution Architects
  • Performance Optimization Experts
  • Scalability Experts

What are your views on this… can our software industry switch gears to enable experts to contribute more… and get awesome products that excel… working beyond organization boundaries like a doctor or cinema artiste?

Software Patents: Evil, Necessary or an Evil Necessity? iSPIRT OEQ Hangout

iSPIRT organized an OEQ (Open Ecosystem Hangout) on 20th April, 2015, to understand the role of software patents within the software ecosystem. Software patents are a much debated subject in the technology world today. In some jurisdictions like India, software is not part of patentable subject matter, while in other jurisdictions like the US, software patents are rampant. Do Indian startups need software patents? In a globalizing world, what strategies can they adopt to navigate through the software patents conundrum?

I moderated the session and asked the software entrepreneurs in the discussion to share their cost-benefit analysis of software patents.

Rushabh Mehta of ERPnext responded by saying that as a young startup, they find the cost of software patenting (estimated at around $15,000-$20,000 or between Rs 9.3 lakh to Rs 12.4 lakh) to be too high.

Srivibhavan Balaram of Vocera Communications, an entrepreneur who has worked with open source and closed source software companies, said that patenting makes sense only if there is something unique that is worth patenting. However, he also added that the market for enterprise software was tilting more to open source now because companies were more inclined to go with time-tested open source software, which finds much faster acceptance. He added that companies are wary of proprietary software from startups.

Subramaniam Vutha, a veteran IP Lawyer and founder of the Technology Law Forum, said that India should actively encourage open source software, while accumulating as many patents as possible in jurisdictions that allowed it. He called this strategy, “Running with the hares and hunting with the hounds.”

Samuel Mani, Partner at Mani Chengappa & Mathur, said that defensibility is the only reason to file software patents. In a study that his organization did, he found that most areas that could be patented were already staked out. He pointed out that the cost of patenting is between $15,000-$20,000 which is the cost of hiring one employee for two years. He suggested that companies that aim to create a defense against software patents could join a defensive patent pool like the Open Invention Network (OIN).

Mishi Choudhary of the Software Freedom Law Center agreed with Mani on defensive patent pools like OIN. She added that most Free and Open Source Software are copyright licenses, but some also contain patent grants. She suggested that participants review the Debian Patent Policy.

This was the first such Hangout on software patents from iSPIRT, and there are plans to organize more such Hangouts to generate greater understanding of this topic.