Following is feedback sent to the Insolvency and Bankruptcy Board of India (IBBI), the insolvency and bankruptcy regulator of India.
IBBI uses Aadhaar numbers as part of composite keys, and the technical standards published by IBBI violate the Supreme Court judgement on Aadhaar, which limits the use of Aadhaar to functions of state subsidy. They also deviate from data protection standards and from the Aadhaar regulations related to tokenization and the Aadhaar data vault.
Dear Sir / Madam,
This general feedback is provided as sought by the Insolvency and Bankruptcy Board of India (IBBI) for its DISCUSSION PAPER – IPA & IU REGULATIONS, to highlight the incompatibility between the Information Utility (IU) regulations, particularly the technical standards, and various aspects of the Aadhaar Act.
The IU regulation refers to the Technical Standards meant to be followed by IUs.
The following feedback relates to THE REPORT OF THE TECHNICAL COMMITTEE ON INFORMATION UTILITIES, available at https://www.ibbi.gov.in/Report_of_the_Technical_Committee_on_Information_Utilities2.pdf
1. As per the Supreme Court judgement on Aadhaar, the use of Aadhaar as an identifier is limited to matters related to obtaining government subsidies and benefits, and it cannot be mandated by any other entity. The judgement also specifies that private entities cannot mandate Aadhaar.
2. The IBBI Technical Standards use Aadhaar extensively in multiple places, violating not just the Supreme Court guidelines but also UIDAI regulations pertaining to the storage and use of Aadhaar numbers. These include:
a. Technical Standards 13(2)(c) and 13(2)(f), pertaining to registration and verification of the identity of an individual user. Use of Aadhaar is not backed by law, and hence the IBBI technical standards need to be updated to use alternate identifiers for individual users registering with an IU to avail any IU services.
b. The clause pertaining to verification of identity with UIDAI is expressly prohibited by law, as use of Aadhaar and eKYC is prohibited as per the Aadhaar judgement.
c. 13(2)(d) – Unique Identifier for each record and each User again proposes Aadhaar as the unique identifier. Please note that as per the judgement and the regulations issued by UIDAI, storage of the Aadhaar number by entities is prohibited for purposes other than subsidy. Entities can at best store only the last 4 digits of the UID and tokenized hashes of the UID, and must not store the UID of individuals.
d. 13(2)(d) also uses Aadhaar as part of the Unique Debt Identifier and stores the 12-digit Aadhaar number in plain text. This is in direct violation of the regulations issued by UIDAI with regard to data security and the use of Aadhaar numbers in applications. https://www.uidai.gov.in/images/resource/FAQs_Aadhaar_Data_Vault_v1_0_13122017.pdf
e. 13(2)(j) – Consent Framework for providing access to information to third parties also refers to a consent artefact containing the Aadhaar number of the representative to whom consent is provided. Use of Aadhaar here as well is not backed by law.
3. Given the above-noted inconsistencies with the Aadhaar Act, the UIDAI regulations on storage and use of Aadhaar numbers in applications, and the Supreme Court judgement in the Aadhaar case, it is suggested that the use of Aadhaar in the technical standards be reviewed and that suitable alternatives, such as PAN, be used for individual users for registration, verification and the unique debt ID, as is already done for non-individual users of IU services.
4. It is also suggested that IBBI audit IUs to ensure compliance with the laws and regulations related to Aadhaar, and conduct a full IT audit to ensure full compliance after the technical standards are modified to be compliant with law.