On February 27, HR tech firm SpringRole India Pvt Ltd launched a WhatsApp-based tool that can authenticate any person’s government IDs — Aadhaar card, PAN card, voter ID and driver’s licence — by comparing them with data on government databases, using third-party APIs. API, or Application Programming Interface, is a software protocol that allow two programs to interact with each other. In this case, the APIs allow a service provider to pull data from government databases. SpringRole’s service returns data on the ID submitted to it from four government databases: UIDAI, NSDL, Electoral Roll, and Sarathi. It also does facial verification: comparing a photo on an ID with a photo submitted via WhatsApp.

The tool was initially free for the first 1,000 users, and later for 2,500 due to demand, Anoop Suresh, the VP of Business and Operations at SpringWorks, the parent brand, told MediaNama. As of the evening of February 28th, 24 hours after the launch, 1,300 people had used it. After this trial run, the company will charge users ₹49/person, initially via Razorpay, and plans to move to WhatsApp Pay eventually.

In light of the ambiguity around private access to Aadhaar data, and the suspension of licenses of AUA/KUA firms following the Supreme Court judgment on Aadhaar, the tool’s verification of Aadhaar information is concerning. In addition, the tool was initially launched without a privacy policy; it is only after concerns were raised on Twitter and after MediaNama spoke with the company’s marketing head Abhash Kumar that the privacy policy was released the next day. Suresh called it “a bit of an oversight on our end”.

We’ve highlighted concerns, including its engagement with the draft Personal Data Protection Bill below.

How the WhatsApp Bot works

SpringVerify uses a WhatsApp business account — the account is unverified as of now — with automated responses to engage with users. We have reached out to WhatsApp to know if this service complies with their terms of use and will update when we hear from them.

Users have to send a photo/scan of an ID to the SpringVerify number. The service then extracts information from the IDs using a third-party API to run optical character recognition (OCR) on the sent photo/scan to extract the information. It then verifies the data extracted against 4 government databases — UIDAI, NSDL, Electoral Roll, and Sarathi — using four third-party APIs. At least one of the APIs used to compare submitted data with government database is from Khosla Labs, Suresh told us. The service also asks for the submission of a photograph to run facial verification on the IDs using another API. A ‘Court Check’ service is also available to see if there are any court cases pending against users in India.

MediaNama tested this tool using IDs available on the internet to verify a PAN card, Voter ID, and Aadhaar card (screenshots below). After the verification, a PDF report is sent to the user.

Redacted reports for IDs we tested:

  • Aadhaar Card test report
    • Details returned in the SpringVerify report: Unredacted Aadhaar number, full name, age range, gender, state, partially redacted mobile number
  • Voter ID test report [download]
    • Details returned in the SpringVerify report: Unredacted voter ID number (EPIC number), full name, age, gender, father’s name, district, parliamentary constituency, polling station, address
  • PAN Card test report [download]
    • Details returned in the SpringVerify report: Unredacted PAN number, full name, date of birth, age, father’s name, PAN type
SpringVerify

Message flow for verification of PAN Card. “Reset” is the same as “Springstart”. We have redacted personal details from this message.

SpringVerify

Aadhaar data is not stored at all.

SpringVerify

Consent to run facial recognition on someone else’s documents was taken at the end of the message flow.

Our observations:

  • The bot accepts publicly available images for facial recognition purposes, defeating the entire purpose of facial verification. We tried this with Virat Kohli’s voter ID that he had uploaded on Instagram against his publicly available photo. That gave a “Perfect” match. Also, the OCR misread his EPIC number because of which his details were not verified.[Redacted report here.]
  • Consent? When we responded to the service confirming that we’re checking someone else’s documents, all it asked us was whether we had taken their consent. Suresh told us that the bot informs users that they have to get the person’s consent “before proceeding” with the verification, but we got such a notice at the end of the message flow. Also, there’s no way for the service to verify whether user consent has been taken.
  • Accuracy is questionable: On running the tool against Hanuman’s Aadhaar number, which doesn’t exist in the UIDAI database anymore, the report concluded “Information unavailable”. The report doesn’t appear to have any options for non-existent Aadhaar numbers. [Partially redacted report available here.]
  • Nothing in this tool prevents its misuse: Despite telling the bot that I was identifying my documents, I tested it with a PAN card, a voter ID card and an Aadhaar card, all of which belonged to different people — and it still worked. Suresh said that there is no way for them to verify if the person sent their own documents, and that the Indian government doesn’t have a framework in place to ensure this.
  • Court Check service is inaccurate: Using the bot, users can check if there are any court cases/challans against them. Using the Aadhaar number, voter ID or the driver’s licence, the bot runs the user’s name, father’s name, and address through digitised court records. The accuracy rate for this is low and it has yielded many false positives as well, Abhash Kumar said. Suresh said that Court Check data is also deleted after 72 hours.

Concerns related to verification of personal data

1. Access to Aadhaar data by private entities is a sore point between UIDAI and the larger Aadhaar ecosystem, and the judiciary. The Supreme Court had earlier struck down Section 57 of the original Aadhaar Act to prohibit private usage of Aadhaar data. But this was undone by the Aadhaar (Amendment) Act, 2019.

Rahul Narayan, a Supreme Court advocate, disagreed with the entire premise of SpringVerify’s operations. “The bigger illegality is that private companies can use government APIs in this manner. What is the policy of allowing access to government APIs?” For him, harvesting publicly available data in this manner is a violation of the spirit of the Aadhaar judgement which said that all private use of Aadhaar is bad.

Suresh, however, claims that SpringVerify’s use of Aadhaar data is legal because all the data that it gives in its Aadhaar verification report is already publicly available. This is why SpringVerify doesn’t need a license to authenticate Aadhaar, he said.

2. Need to licence Aadhaar authenticating agency: Narayan said that this whole service “seems to be on the edge of legality” because the Aadhaar (Amendment) Act, 2019, hasn’t yet released the regulations that would let users authenticate their own Aadhaar data [Section 4(3)]. Thus, even voluntary authentication of Aadhaar isn’t legal right now, Narayan pointed out. Moreover, if an external entity, such as SpringVerify, wants to authenticate Aadhaar, the UIDAI has to practically certify its standards of privacy and security [Section 4(4)]. But these standards have not been released yet. “The potential offence is in the hands of the app doing the verification. They are the ones authenticating the data,” Narayan said, disagreeing that private companies can legally scrape such data.

Suresh, however, reiterated that since SpringVerify returns only partial information to the user, it does not need a licence. “Licensing is required when I have got the full gamut of information. Like how it works with NSDL,” he said. He told us that one of SpringVerify’s API vendors, Khosla Labs, had been been licensed as an AUA/KUA agent by UIDAI. As per Suresh, Khosla Labs still gets its information directly from the UIDAI. However, according to the Terms of Use of Veri5|Digital, Khosla Labs’ AUA product, their “license to operate as an Authentication User Agency (‘AUA’) has been suspended on account of Supreme Court Judgement which suspended license of several AUA’s on the ground of public policy”. Srikanth Nadhamuni, the co-founder and chairperson of Khosla Labs, was a part of the founding team of Aadhaar, and is a former CTO of the UIDAI. We have contacted Khosla Labs about the validity of their licence.

In December 2018, the UIDAI had declined to provide the list of private agencies whose license to do eKYC has been cancelled.

3. Data disclosed to SpringVerify and its third-party vendors: The RBI’s KYC Rules state that any authentication process can only verify correctness of Aadhaar data, not yield the data itself. However, even the UIDAI website returns more information than just Yes/No. The UIDAI website offers an Aadhaar verification service, where anybody can enter any Aadhaar number, and get the full Aadhaar number, the age range, gender, state and mobile number as a result (see screenshot below).

UIDAI, SpringVerify

Aadhaar verification on the UIDAI’s website disclosed the full Aadhaar number, but we have redacted it. This Aadhaar number is not linked to a mobile number and hence didn’t show one.

The SpringVerify report, however, includes all of this and the person’s full name. According to Suresh, this is all legal since this information is “banded” and “masked” and “the full gamut of information” associated with an Aadhaar number doesn’t come back, neither on the UIDAI website nor in the SpringVerify report.

Data storage and data sharing:

  • Aadhaar data is not stored at all but all other data is stored for 72 hours by SpringVerify. This allows the company to deal with any issues that might arise with verification, Kumar and Suresh told us.
  • SpringVerify employees don’t have visibility into the content. The troubleshooting team only looks at technical errors using “masked data”, but doesn’t look at the data itself, Suresh said. “We keep it [the customer data] completely hidden from everyone on the team,” he said. Suresh said that nobody monitors the WhatsApp bot. Thus, customers can choose to give feedback through a phone call.
  • SpringVerify’s vendors delete all data within 20 minutes to 24 hours. SpringVerify is working with its vendors bring this down to 20 minutes across the board.
  • Facial recognition is done using a third-party API to generate a “Face Match Score”. This data is subsequently deleted by the vendor. “And this is a complete purge which means that they will delete all the pictures, any data that has been extracted, any reports that have been generated; all of those are removed,” Suresh said. None of the customer data is used to train the vendor’s AI/ML models, he said.
  • Customer data is not shared within the company or with a third-party. SpringVerify’s WhatsApp tool “is a completely isolated component” which is “independent of every other product and service we have”, Suresh told us. None of the vendors have access to customer data or use it for other products. It is a “completely hands-off” process, he said. “Under ISO 27001:2013 compliance [a global security certification for information security standards], as part of any information that we send them [the vendors], it has to sit in a silo by itself,” he said.

4. Potentially violative of the Personal Data Protection Bill, 2019: Even though the PDP Bill hasn’t been passed yet, and is still under consultation, if it were to be enforced in its current form, this service will be violative of some sections in the Bill, according to Narayan:

  • Section 13: To process sensitive personal data for employment purposes, explicit consent is a must. Sensitive personal data includes their photographs, gender, etc. SpringVerify will need to take consent from the employees directly, Narayan said. “Section 13 hits them squarely” as employers won’t be able to verify someone else’s documents using the bot.
  • Section 11: Consent to process documents must be taken before documents are solicited through the bot, not after, and directly from the data principal. While dealing with sensitive personal data, inferred consent is not acceptable under the Bill, Narayan explained. Same is true for running facial recognition on anybody’s photographs, he said.
  • Section 31: If the aim of this service is to let employers verify their employees, including those who just want to verify their domestic help, and the service envisions itself as a data processor, SpringVerify will have to enter a contract with each such employer, Narayan said. Even then, this is not an exemption from Section 13, he clarified.
  • Section 27: Since the service uses facial recognition5.  technology to authenticate identities and will potentially do large scale profiling of sensitive personal data, especially biometric data in the form of facial data, it will have to carry out data protection impact assessment and get it approved by the yet-to-be-established Data Protection Authority before it does any such processing.
  • Section 92: Since the service is running facial recognition on people’s photographs, it is processing biometric data. Such processing will need to be notified by the Central Government, he said.

“To the extent that people verify their own documents through the service, it is probably legal”, but for verification of others’ documents, SpringVerify’s “entire business model is flawed”, Narayan said.

*

Edited by Trisha Jalan and Nikhil Pahwa