Can we map a framework for verification? NASSCOM’s Varun Bahl on a model for proportionality #NAMA - March 28, 2023 at 08:51AM

“…What is the verification requirement trying to answer about the user or try to ask about the user rather? …What does that practically end up demanding when it’s combined with other requirements that are usually in that verification instrument?” These were the two questions National Association of Software and Service Companies’ Varun Sen Bahl asked himself before presenting a potential model for the framework of proportionality during MediaNama’s ‘Exploring User Verification’ roundtable.

On March 23, 2023, Bahl, along with several other privacy experts, was discussing a possible framework for the gradation of verification or proportionality of verification. Speaking specifically about a possible structure, he presented what he called a “starting point for a more comprehensive mapping” of verification.

MediaNama hosted this discussion with support from Meta and Truecaller. The Internet Freedom Foundation, CUTS International, Centre for Internet and Society, and the Centre for Communication Governance at the National Law University, Delhi, were MediaNama’s community partners for this event.

STAY ON TOP OF TECH POLICY: Our daily newsletter with top stories from MediaNama and around the world, delivered to your inbox before 9 AM. Click here to sign up today!

A spectrum of verification requirements

Bahl presented a slide on a ‘spectrum’ of verification requirements starting from bot detection that seeks to confirm whether the user is a human or a bot up until identity verification.

“The question that a verification requirement can range from is as simple as are you a human or not, which is what captchas usually require all the way up to like essentially identity verification, which is that can we check against some registry if what proof you’ve supplied is actually linkable to you? Or rather, can we check you are who you say you are,” said Bahl.

Safeguards against unnecessary flow of data

Bahl pointed out that authorities can establish a credential requirement per use authentication/ verification/ transaction/ log-in. This creates a problem of ensuring that a lower-level verification question does not end up asking a higher-level question in terms of information.

For example, a person trying to verify the age of a child can do so without having to know the child’s identity and thus use a zero-knowledge proof solution to verify age without disclosing identity. (A zero-knowledge proof is where one party can verify a statement to another party without having to give additional information).

Problem of using verification alongside other requirements

According to Bahl, the impact of a verification requirement compounds when it is linked to other connected requirements. For example, if there is a demand to ensure a certain strength-level of validation it raises questions about the sensitivity of data involved and the means of collection. For example, does it makes sense to gather a person’s biometric data just to verify their identity? Do the potential harms involved justify the means? In certain context perhaps but not in others, as per Bahl. Referring to his chart, there are other additional requirements to consider like retention requirements, disclosure requirements, display requirements, etc.

“We can keep building on it and adding to it and perhaps even adding, like more layers and levels and changing meanings and stuff like that. But the idea was some image to start from,” said Bahl.

Can there be a correlation to harms?

When asked about whether there can be a correlation with harms, Bahl suggested a use-case approach. Rather than a single formula which is “not what constitutional jurisprudence requires,” he gave the example of CERT-In’s cybersecurity directions.

Under those directions, authorities that wanted to know about the authenticity of the account ended up asking questions like ‘Who does the account belong to?’ – these questions lie at the other end of the spectrum depicted in Bahl’s presentation.

These questions are then combined with a requirement to hold on to such information for five years, even though malicious accounts are taken down within a much shorter period of time.

“So then why am I holding on to the information for five years? So that’s the compounding impact of like the intrusion into privacy that arrives because of the retention requirement combined with the identity verification requirements,” said Bahl.

He argued that this could help policy-makers justify the practice as “disproportionate to the harm” although not to the extent demanded by Puttaswamy judgement. To do that will require more analysis about larger harms, etc. said Bahl.

This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.