The year 2018 will go down in history as a witness to one of the most vehemently fought privacy battles opposing imposition of Aadhaar. To those who fought against Aadhaar, the Supreme Court judgement came as some relief. However, there is at least one other requirement of identity certificate, which has remained unnoticed and, hence, uncontested.

This is the requirement of digital certificates. While Aadhaar is required for getting benefits, digital certificates are required for submissions like filing corporate income-tax returns, uploading tender documents, disclosing margin statements and stockholdings in depositories.

Unfortunately, digital certificates use an instrument of personal identity which has long been discarded in most countries.

A bit of history of these digital certificates explains the reason behind their complete disuse elsewhere.

Before 1976, there was ongoing research on how to share a key used by a sender to encrypt a text with the receiver of the encrypted text. This key had to be securely shared so that no one else but the receiver gets it. To solve this puzzle, in 1976, Whitfield Diffie and Martin Hellman came up with an idea that there could be two keys. One key which is used to encrypt and another key which could be used to decrypt.

This postulate, known as Diffie-Hellman Key Exchange, was used by Ron Rivest, Adi Shamir and Leonard Adleman in 1977 to bring out what is now commonly known as RSA algorithm, after the names of its inventors.

It uses two keys: one is public key and another one is a private key. Something encrypted with the private key of one person can be decrypted using the public key of the same person and vice versa.

Simply put, a message could be sent encrypted by a public key of someone. And only he/she could decrypt it using his/her private key. So, the riddle of sending a key securely was solved. But there was one issue. To make these two keys unique, they had to be fairly large prime numbers.

These large key sizes required computers with increased processing power to encrypt and decrypt a message. Due to this, RSA algorithm was never used as an alternative to the existing one-key system for encrypting documents. So, slowly and gradually, this discovery of RSA appeared to be losing its value.

Digital certificates brought back the technology into focus.

Digital certificates use the RSA concept of public key and private key. And, in order to expand this further, the entire concept of third-party trust was brought in.

These third-party trust-givers like VeriSign (sold to Symantec in 2010), Thawte, Digisign, etc, certify that the public key of a person is, indeed, his public key. This process is done by the certifier (trust-giver), encrypting the public key of a person with his own private key.

So, when someone wants to use a public key of someone else, he tests it by decrypting it with the public key of the third-party certifier which has been made available in the public domain.

This idea gave a new lease of life to the almost defunct RSA invention, which, in normal course, could not be used for day-to-day secure encryption process. Encryption process became a trust-giving process with the advent of digital certificates.

And this was sold as a massive third-party trust-giving phenomenon all over the world. Remnants of this are still widely sold in terms of secure email and identifying e-commerce servers through SSL (secure socket layer) certificates.

In order to bring in more business sense, these certificates were also differentiated by categories. Currently, there are three different classes of certificates being used by certifying agencies in India. The process for granting them increases progressively as the class of certificate increases.

Class-2 certificate requires more details compared to class-1 and class-3 requires further more compared to class-2. The higher the class of certificate more is the money required. The irony, however, is that the technology for all these remains the same. Only the documentation required is more which probably requires more money to be charged.

In India, IT Act 2000 was enacted to give legal sanctity to the digital certificate regime. An authority called controller of certifying authorities (CCA) was formed. This CCA, as per their website www.cca.gov.in, in turn, has appointed subordinate certifying authorities all over India. Some of these are GNFC, nCode, IDRBT, Indian Air Force (surprising that they needed it), etc.

These certifying authorities issue digital certificates, which are commonly used for filing balance sheets, submitting tenders on government procurement sites, reporting stock exchange transactions and also government websites for purposes of SSL.

Government websites using SSL, having no ecommerce usage, is rather strange.

The main reason for the usage of digital certificates is that they uniquely identify the person, or entity submitting a document. In fact, this is far removed from reality. Almost all directors of companies have handed over their digital certificates to their chartered accountants (CAs) who use them on their computers to digitally sign the documents.

Similarly, in government work, where annual confidential reports, since the past few years, have to be signed digitally, personal assistants (PAs) of the officers are using these certificates to digitally sign the uploaded documents. With CAs or PAs handling these digital certificates, their being proof of authentication might be lost.

Besides having lost the purpose for which these certificates were issued, there is also an issue of privacy. All personal data is shared with these private agencies authorised by the CCA. The security and safety of the certifying agency’s infrastructure is almost always believed and never questioned. This is because their usage is mandatory.

While this may look not good for privacy issue of individuals, this is not so for the companies involved. Almost all private entities that have obtained the licence to supply these certificates are into money. Their charges range from Rs899 per year to Rs2,999 per year as per e-mudhra website https://www.emudhradigital.com/price-list.php ., And then there are the annual renewal charges.

This yearly renewal and issuance of these certificates might soon make us among the few, worldwide, countries that still use this technology. The only place that these certificates do abound, worldwide, are in e-commerce-related sites which need to prove their trustworthiness to consumers.

This could also not be sold and, hence, was bundled as part of the SSL protocol. SSL, many believe, provides secure transmission to their messages, etc, on the Internet. This, too, is debatable, as the strength of the underlying encryption in SSL may be too weak to pose a real challenge to hackers.

If simple emails are recognised by the IT Act, digital certificates and the entire regime of public key infrastructure (PKI) supporting this, needs a rethink. Not only is it a serious threat to privacy, but also defeats the purpose of authentication that it was initially designed for.

(Sanjay Pandey, an IPS officer from the 1986-batch, is a Director General of Police, Maharashtra and Commandant General, Home Guards and Director, Civil Defence)