Draft Aadhaar (Authentication and Offline Verification) Regulations, 2021 - uidai.gov.in/images/Draft_A…

Draft put for consultation 'silently' by @UIDAI on May 20, 2021 and closing by June 2, 2021.

Some highlights on thread.

@SFLCin @internetfreedom @nixxin

On definitions - ANCS - #Aadhaar Number Capture Service is a new tech getting a mention. There are very references technical details of this service, which will run by @UIDAI. At the outset, does seem like OAuth endpoint being run.

Regulations without sufficient details is bad

Offline verification gets regulatory recognition.

4 types of offline verification. They are allowing paper copy to be collected, which is deeply problematic.

But regulations now seek redaction / black out of first 8 digits. Will we see this in reality? Take your guess

Authentication types - such careful wording to allow facial authentication, without explicitly mentioning that in regulations.

#CoWIN is the first large scale app to perform facial authentication.

#OVSE must tell the Aadhaar holder - the nature of information received during auth / verification, its use - in local language *AND* must provide alternate viable means of identification, and cannot deny / refuse any service.

Upon withdrawing consent, Aadhaar data shall be deleted by the requesting entity in a verifiable manner and an acknowledgement of the same to be shared with resident.

Capturing biometrics. It is to be noted that @AyushmanNHA is capturing facial data for #CoWIN facial authentication pilot - without the processes and specification laid down by the authority in public domain.

Side stepping a bit on facial authentication guidelines by volunteers. Yeah, you will not see any reference to UIDAI, but this is how all #Aadhaar tech was built.

cryptpad.fr/file/#/3/file/…

Coming back - "In all modes, Aadhaar number is mandatory and is submitted along with input parameters" - is such a disregard to #VID. But this is where we see - #ANCS Token eventually replacing, but there are no technical details of the same available, while the regulation has it

Notification about authentication / verification to Aadhaar holder, including the case of offline verification, where OVSE should notify about verification. through email and/or SMS on mobile number and/or paper based
acknowledgement. Basically, get a slip when you share #Aadhaar

Chapter III is about licensing of service providers. Basically, any private entity fulfilling the criteria (regulated financial sector entities / telcos) + OTHERS(!) are eligible. Chapter also deals with responsibilities of ASAs

#OVSE - This is pratically every amar-akbar-antony entity in India that demands #Aadhaar.

1 (b) makes no sense, after allowing to collect paper copies of Aadhaar at the top.

Log maintainence -- While @UIDAI itself will keep logs only for 6 months, per SC judgement, @UIDAI is now regulating that private entities / AUAs will have to keep them for 2 + 5 = 7 years! #SaveOurPrivacy

ASA too will have to maintain logs for 2 + 5 = 7 years.

Missed a key point on consent. Unless explicitly opted-out, you have presumed to have consented to modified purpose!!!

This is #ConsentWashing #AutoTickBox by regulation

1.3 is specifically for @AyushmanNHA - Remember NHA is an authority *WITHOUT* Centre / State Act.

"Special Purpose Organization" is a new phrasing.

2 is all regulated entities in financial / telecom sector.

3.1.7 is strange - What is "Any other entity"?

Category 3 -- Any other entity of national importance as determined by the Authority - for #ASA (which are directly connected to #CIDR) access is BS.

Does the authority have powers to determine entity of national importance in base act @apar1984 @prasanna_s @PrasanthTweets?

#ANCS token reference from Aadhaar Authentication Application Security Standard (of JH SRDH) aadhaar.jharkhand.gov.in/Aadhaar_Authen…