Srikanth.CashlessConsumer | ஸ்‌ரீகாந்த்
Moved to @logic@freeradical.zone. Pseudogeek | Free(dom) code, தமிழ், #CashlessConsumer, #DigitalPayments, #opendata fanboy, #publictransit #GovTech

May 30, 2021, 23 tweets

Draft Aadhaar (Authentication and Offline Verification) Regulations, 2021 - uidai.gov.in/images/Draft_A…

Draft put for consultation 'silently' by @UIDAI on May 20, 2021 and closing by June 2, 2021.

Some highlights on thread.

@SFLCin @internetfreedom @nixxin

The proposed regulations will supersede the Aadhaar (Authentication) Regulations, 2016 uidai.gov.in/images/regulat…

Context : This is the regulation relating to Authentication coming after #Aadhaar Amendments and the Aadhaar Good Governance Rules 2020

TLDR - These regulations are around the authentication framework, including offline verification, appointment of requesting entities and AUA/ASA, obligations of Offline Verification Seeking Entities (OVSE), eKYC guidelines, and regulations around logs, audit and transaction data.

On definitions - ANCS - #Aadhaar Number Capture Service is a new tech getting a mention. There are very few references to technical details of this service, which will be run by @UIDAI. At the outset, it does seem like an OAuth endpoint being run.

Regulations without sufficient details are bad.

Offline verification gets regulatory recognition.

4 types of offline verification. They are allowing paper copy to be collected, which is deeply problematic.

But regulations now seek redaction / black out of first 8 digits. Will we see this in reality? Take your guess

Authentication types - such careful wording to allow facial authentication, without explicitly mentioning that in regulations.

#CoWIN is the first large scale app to perform facial authentication.

#OVSE must tell the Aadhaar holder - the nature of information received during auth / verification, its use - in local language *AND* must provide alternate viable means of identification, and cannot deny / refuse any service.

Upon withdrawing consent, Aadhaar data shall be deleted by the requesting entity in a verifiable manner and an acknowledgement of the same is to be shared with the resident.

Capturing biometrics. It is to be noted that @AyushmanNHA is capturing facial data for #CoWIN facial authentication pilot - without the processes and specification laid down by the authority in public domain.

Sidestepping a bit on the facial authentication guidelines by volunteers. Yeah, you will not see any reference to UIDAI, but this is how all #Aadhaar tech was built.

cryptpad.fr/file/#/3/file/…

Coming back - "In all modes, Aadhaar number is mandatory and is submitted along with input parameters" - is such a disregard of #VID. But this is where we see the #ANCS Token eventually replacing it, but there are no technical details of the same available, while the regulation has it.

Notification about authentication / verification to the Aadhaar holder, including the case of offline verification, where the OVSE should notify about verification through email and/or SMS on mobile number and/or paper based acknowledgement. Basically, get a slip when you share #Aadhaar.

Chapter III is about licensing of service providers. Basically, any private entity fulfilling the criteria (regulated financial sector entities / telcos) + OTHERS(!) are eligible. Chapter also deals with responsibilities of ASAs

#OVSE - This is practically every amar-akbar-antony entity in India that demands #Aadhaar.

1 (b) makes no sense, after allowing to collect paper copies of Aadhaar at the top.

Log maintenance -- While @UIDAI itself will keep logs only for 6 months, per the SC judgement, @UIDAI is now regulating that private entities / AUAs will have to keep them for 2 + 5 = 7 years! #SaveOurPrivacy

ASA too will have to maintain logs for 2 + 5 = 7 years.

Missed a key point on consent. Unless explicitly opted out, you are presumed to have consented to the modified purpose!!!

This is #ConsentWashing #AutoTickBox by regulation

What the above means - Unless one explicitly opts-out of anything @AyushmanNHA brings - one is deemed to have consented for any purpose they modify - after one gave #Aadhaar for vaccination.

This has grave implications on health ID + tracking.

1.3 is specifically for @AyushmanNHA - Remember NHA is an authority *WITHOUT* Centre / State Act.

"Special Purpose Organization" is a new phrasing.

2 is all regulated entities in financial / telecom sector.

3.1.7 is strange - What is "Any other entity"?

Category 3 -- Any other entity of national importance as determined by the Authority - for #ASA (which are directly connected to #CIDR) access is BS.

Does the authority have powers to determine entity of national importance in base act @apar1984 @prasanna_s @PrasanthTweets?

That's a wrap on the draft. There are a few provisions "on paper" which try to give better rights to holders (like OVSE notification) - but sweepingly bad provisions undermine everything else.

#ANCS token reference from Aadhaar Authentication Application Security Standard (of JH SRDH) aadhaar.jharkhand.gov.in/Aadhaar_Authen…

#ANCS - There is very little technical detail on this OAuth(?) like implementation. "Please note that your Aadhaar number will be captured by the UIDAI’s ANCS (Aadhaar Number Capture Service) on their website" -- tells another search result.

Need more technical documentation
