Friday, May 26, 2017

eSanad should become eSa-NAD

Recently the HRD ministry along with NIC launched a portal for online verification of educational documents. The initiative is titled eSanad, and CBSE has already joined in.

Read more here:

The name "eSanad" could be a coincidence but there is no reason why this should not become eSa-NAD. I am of course referring to NAD (National Academic Depository), which is intended to store the educational records of all students. A few thoughts:

1) Government entities have demonstrated the ability to host and manage large amounts of personal confidential information (UIDAI is an example). There is no reason to believe that a Govt entity wont do a good job of managing an Academic Depository (for one, the data will be much lesser, and lot less sensitive).

2) The Govt (HRD / IT Ministries) could frame rules requiring all Depositories under NAD to share / backup the data they gather with eSanad. This will ensure that verifiers have a single location from where this data can be legitimately accessed, rather than having to register with multiple Depositories.

3) CBSE had earlier tried storing their records with the Depositories (NSDL / CDSL). They have now chosen to go with eSanad - a Government initiative hosted by NIC.

4) To reiterate the point made in an earlier post on the topic of NAD, the eSanad authority should publish APIs (just as UIDAI has done) to enable developers to build much needed applications for document verification.

eSanad will hopefully lead to faster realization of an Academic Depository, and put an end to the menace of fake educational credentials.

Friday, May 19, 2017

More on eKYC - an obvious, direct verification mechanism

The earlier post raises an important question: Is there an easier way to perform eKYC without becoming a KUA? 

The answer to that question is thankfully a "YES". But before we get to that, let us ask the question,  What exactly is eKYC?

I find it is useful to view the  UIDAI database as comprising the following groups of information:

1) The Aadhaar number (a unique number for every user)
2) Personal Information of the holder - such as full name, address, gender, date of birth, etc.
3) Biometric Information of the holder - such as Finger-prints, Iris scan, Photograph, etc.
4) Ownership Information of the holder such as Email Address, Phone number, etc.

Performing an eKYC involves ascertaining the following two separate facts, subject to consent of the concerned individual:

A) Ascertaining that the Personal Information & Ownership Information being presented by the holder of an Aadhaar number matches the Personal Information & Ownership Information stored in the UIDAI database against that Aadhaar number.
This is achieved by obtaining the Personal and Ownership Information from UIDAI in an authenticated manner.

B) Ascertaining that the individual presenting the Aadhaar number is who he / she claims to be, i.e., the genuine holder of that Aadhaar number.
This can be achieved in one of two ways. The Biometric-way relies on the assumption that if the individual is able to present biometric (fingerprint / iris) information that matches the Biometric Information stored in the UIDAI database, the individual is who he/she claims to be. The OTP-way relies on the assumption that if the individual can demonstrate ownership of the listed Phone number and Email Address (2 Factor Authentication), the individual is who he/she claims to be.

In the KUA approach, usually the biometric information of the individual is captured and sent to UIDAI along with the presented Aadhaar number. In return UIDAI sends back the Personal Information stored its database against this Aadhaar number.

This KUA approach helps ascertain both A)  and B) above. A) is ascertained because information is provided by UIDAI directly from its own database and B) is ascertained because the individual's biometric is matched with that in the UIDAI database.

Consent is obtained via acceptance of "terms of service", as well as the assumption that the person willingly provided his biometrics.

Following the KUA approach imposes significant contractual obligations, including IT maintenance and audit costs. Thankfully, there also exists an easier way to ascertain A) and B), while ensuring individual consent.

This alternative method is the direct electronic-equivalent of an individual submitting his/her own self-attested paper-based identification documents - something we have been doing for decades for KYC. It requires an individual to simply submit his self-attested eAadhaar document.

The Personal Information of the individual is present in the eAadhaar document that can be freely downloaded from the UIDAI website by any individual. This eAadhaar document is digitally signed by UIDAI. The Personal Information contained in this digitally signed document is therefore authentic, and satisfies the requirement of A) above.

What remains is to be ascertained is B), i.e., that the individual concerned is the genuine owner of that particular Aadhaar number. This can be done by getting the individual to self-attest (digitally sign) the eAadhaar document being submitted. The signature process outlined by UIDAI implicitly ascertains that the person signing is the genuine owner of that Aadhaar number. Further, the receiver can do additional verification by verifying the photograph on the eAadhaar document. Consent is ensured by making it a part of the self-attestation process.

In this alternative mechanism of eKYC, the UIDAI-signed eAadhaar document (including photo) is submitted by the individual aadhaar-holder directly to the recipient. It therefore represents a clear & direct method to perform eKYC. There is no need to go through AUA / KUA approval processes, and one can get started immediately.

Needless to say, care must be taken to securely maintain all eAadhaar documents submitted by users.

Tuesday, May 9, 2017

Sharing eKYC Data - NOT to be done!

UIDAI has on several occasions reiterated the need for eKYC data to be kept confidential. Our own reading is that eKYC data should never be shared between two separate corporate entities, no matter what the relationship between them.

When sensitive data is 'shared' between two entities, it is theoretically no longer secure. This is because each of the two entities can now claim that any data-leakage happened from the other entity.(i.e., It provides each of them an avenue to repudiate any possible data leakage).

Any entity, large or small that wants eKYC data of residents should therefore obtain it from UIDAI directly, submit itself to the rules and regulations of UIDAI, and maintain all data securely. (This seems to be the view of several large companies as well - which encourage entities to directly work with UIDAI rather than go via them.)

Here is a blog link that makes for an interesting read & has some more relevant information on the topic: