How can a user prove that they haven’t given consent to something?
For example, how does Nehmat Kaur, who did not consent to linking her Aadhaar with her bank account prove that she hasn’t given her consent? It’s her word versus that of the bank.
.@AxisBankSupport I did not consent to linking my #Aadhaar with my bank account. I just got a message saying that my #Aadhaar is linked! A photocopy of my #Aadhaar was on your records given long ago but I specifically told my branch to not link it.
— Nehmat Kaur (@Nehmat_K) November 29, 2017
You might say biometrics may be needed for consent, but that isn’t a case here, and it’s probably not going to happen because it’s cumbersome to make people queue up outside bank branches for fingerprint authentication, like they have to queue up outside ATM queues last year. You could say that a One Time Password (OTP) can be sent for confirming consent, and a trail of digital records could be kept, confirming that data.
But that can be manufactured too: digital information in malleable and can be manufactured. There is precedence here, especially when it comes to telecom:
Telecom operators in India have a history of “manufactured consent”, in the literal, non-political sense: there was massive fraud in the Mobile VAS ecosystem, where customers were billed for subscribing to services that they never subscribed to. It happened to me a few times as well, once where I woke up in the morning to find that I had been billed for purchasing an animation at 3AM, when I was asleep. Often, telecom operators had logs to prove consent, and these could be faked. Click here to watch Vijay Shekhar Sharma, Paytm and One97 founder, explain how logs were manufactured to indicate out-bound dialers and consent for purchases of ringtones, when none of this had happened. If call logs can be manufactured, OTP logs can be manufactured too.
So how does someone prove that they haven’t consented?
Even when the logs haven’t been faked, and there is a tickbox which has been checked, how does someone prove understand and intent?Rahul Ajatshatru, lawyer, at our #NAMAprivacy Bangalore, said that “consent comes from when there is a meeting of minds, where people actually appreciate what they’re agreeing to. If the user does not understand the usage or the nuances, there is no consent even if I’ve clicked I agree. It can be challenged that I never thought it meant that. And courts have interpreted: it’s about what the parties understood what it meant at the time of signing.”
In the same vein, how can customers who found that Airtel had opened their payments bank prove that they have not given actual consent here? Sure, they might have clicked a checkbox, but is that really consent? Can consent not be taken with misinformation? We also have a history of mis-selling of telecom plans in India, where customers are shown a different plan from what they are signed up for.
With more services being connected to Aadhaar, and new users, facing issues of information asymmetry and bounded rationality coming online, the challenges that companies that sign up for this as they scale will face will not be around getting consent, but in proving that the consent taken is for real, and is informed and valid.