wordpress blog stats
Connect with us

Hi, what are you looking for?

Can we map a framework for verification? Varun Bahl on a model for proportionality #NAMA

It is useful to think of a framework for gradation and proportionality for online verification, while also considering harms to privacy

“…What is the verification requirement trying to answer about the user or try to ask about the user rather? …What does that practically end up demanding when it’s combined with other requirements that are usually in that verification instrument?” These were the two questions Varun Sen Bahl, a public policy manager, asked himself before presenting a potential model for the framework of proportionality during MediaNama’sExploring User Verification’ roundtable.

On March 23, 2023, Bahl, along with several other privacy experts, was discussing a possible framework for the gradation of verification or proportionality of verification. Speaking specifically about a possible structure, he presented what he called a “starting point for a more comprehensive mapping” of verification.

MediaNama hosted this discussion with support from Meta and Truecaller. The Internet Freedom Foundation, CUTS International, Centre for Internet and Society, and the Centre for Communication Governance at the National Law University, Delhi, were MediaNama’s community partners for this event. 

STAY ON TOP OF TECH POLICY: Our daily newsletter with top stories from MediaNama and around the world, delivered to your inbox before 9 AM. Click here to sign up today!

Advertisement. Scroll to continue reading.

A spectrum of verification requirements

Bahl presented a slide on a ‘spectrum’ of verification requirements starting from bot detection that seeks to confirm whether the user is a human or a bot up until identity verification.

“The question that a verification requirement can range from is as simple as are you a human or not, which is what captchas usually require all the way up to like essentially identity verification, which is that can we check against some registry if what proof you’ve supplied is actually linkable to you? Or rather, can we check you are who you say you are,” said Bahl.

Safeguards against unnecessary flow of data

Bahl pointed out that authorities can establish a credential requirement per use authentication/ verification/ transaction/ log-in. This creates a problem of ensuring that a lower-level verification question does not end up asking a higher-level question in terms of information.

For example, a person trying to verify the age of a child can do so without having to know the child’s identity and thus use a zero-knowledge proof solution to verify age without disclosing identity. (A zero-knowledge proof is where one party can verify a statement to another party without having to give additional information).

Advertisement. Scroll to continue reading.

Problem of using verification alongside other requirements

According to Bahl, the impact of a verification requirement compounds when it is linked to other connected requirements. For example, if there is a demand to ensure a certain strength-level of validation it raises questions about the sensitivity of data involved and the means of collection. For example, does it makes sense to gather a person’s biometric data just to verify their identity? Do the potential harms involved justify the means? In certain context perhaps but not in others, as per Bahl. Referring to his chart, there are other additional requirements to consider like retention requirements, disclosure requirements, display requirements, etc.

“We can keep building on it and adding to it and perhaps even adding, like more layers and levels and changing meanings and stuff like that. But the idea was some image to start from,” said Bahl.

Can there be a correlation to harms?

When asked about whether there can be a correlation with harms, Bahl suggested a use-case approach. Rather than a single formula which is “not what constitutional jurisprudence requires,” he gave the example of CERT-In’s cybersecurity directions.

Under those directions, authorities that wanted to know about the authenticity of the account ended up asking questions like ‘Who does the account belong to?’ – these questions lie at the other end of the spectrum depicted in Bahl’s presentation.

Advertisement. Scroll to continue reading.

These questions are then combined with a requirement to hold on to such information for five years, even though malicious accounts are taken down within a much shorter period of time.

“So then why am I holding on to the information for five years? So that’s the compounding impact of like the intrusion into privacy that arrives because of the retention requirement combined with the identity verification requirements,” said Bahl.

He argued that this could help policy-makers justify the practice as “disproportionate to the harm” although not to the extent demanded by Puttaswamy judgement. To do that will require more analysis about larger harms, etc. said Bahl.

Note: Bahl’s designation was changed in the headline and lead paragraph at 5:27 PM on March 29, 2023 because he was speaking in his individual capacity at the event. Bahl’s slide has been uploaded as well.

This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.

Also Read:

Advertisement. Scroll to continue reading.

Written By

I'm interested in the shaping and strengthening of rights in the digital space. I cover cybersecurity, platform regulation, gig worker economy. In my free time, I'm either binge-watching an anime or off on a hike.

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.



Is it safe to consider all "publicly available data" as public?


PhonePe launched an e-commerce buyer app for ONDC called Pincode. We, however, believe that it should also launch a seller app.


Amazon announced that it will integrate its logistics network and SmartCommerce services with the Open Network for Digital Commerce (ONDC).


India's smartphone operating system BharOS has received much buzz in the media lately, but does it really merit this attention?


After using the Mapples app as his default navigation app for a week, Sarvesh draws a comparison between Google Maps and Mapples

You May Also Like


Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...


135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...


By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...


Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Your email address:*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ