By Ashit Srivastava
Recently, it was reported that law enforcement agencies (LEA) across India were blocking multiple SIM cards issued to any individual. This was after the Department of Telecommunications directed that there be a cap on the number of SIMs which can be issued against any subscriber, the maximum limit being nine.
It has come to the notice of LEA that there were a plethora of SIM cards being issued to individuals. In one case, 6,800 connections were issued against the same identity. The Ministry of Home Affairs and Department of Telecommunications are working hand in hand to curb such practices.
A research paper done by one Naveen Jakhar highlighted how the Department of Telecommunications through Artificial Intelligence was able to curb the issuance of multiple SIM cards to the same individual. The name of the mechanism used was Artificial Intelligence and Facial Recognition powered Solution for Telecom SIM Subscriber Verification (ASTR).
As cases of cyber crime/frauds are increasing in India, many are vulnerable to such attacks. An incremental increase was seen in such attacks during and after Covid when India registered more than 50,000 cases of cybercrime. This should not come as a shocker. Cyber fraud is also committed through SIM cards issued on forged identity proofs. One famous case was highlighted in the Jamtara series on Netflix which shows a large syndicate working behind this. The series shows a phishing business in which the vulnerable victims are attacked, leading to the exposure of sensitive data—debit card details, OTP, PIN and CVV.
So how can such digital and telecommunication frauds be prevented? The common link among all the incidents is fake SIM cards, which are used to link to a bank account. Then fraud calls are made to citizens for taking out information and withdrawing money.
Jakhar’s research paper says that it will be hard to trace the SIMs. However, DoT’s instruction on the cap in the number of SIMs for an individual will help. There are several ways in which multiple SIMs can be issued against the same individual. Forging Proof of Identity (PoI) document means an individual can have several forged documents to his credit and this can be utilised for procuring several SIMs also.
However, ASTR will be a game changer even if a fraudster has several forged PoIs for getting SIMs and is able to change his name, address and even modify his look in the forged PoIs. ASTR works on the principle of Convolutional Neural Network, which is a deeper Artificial Intelligence that works in layers and is mostly utilised for the purpose of visual imagery.
In simpler terms, it can be utilised for detecting similarities between images. So even if a fraudster is able to create multiple forged PoIs, the image utilised by him in them will be pretty much the same. This data can be analysed by ASTR to find how many SIMs are issued to the same photo of the individual. Thus, an accurate number can be found and all the illegally acquired SIMs cards can be deactivated.
This technology was utilised in Mewat, Haryana, and has been successful in neutralising 4.96 lakh fake SIMs cards. Similar cases also came to light in Odisha, where 52,000 telecom connections were disconnected using ASTR, and in Gujarat, wherein 29,552 fake SIM cards were found using ASTR.
However, as ASTR is a machine learning based modus operandi, it will require large amount of data sets for processing and training for bringing accuracy in results. That means, data of all the subscribers of SIMs has to be shared (and is already being) with ASTR.
This raises the core question of privacy and the KS Puttaswamy-I (2017) case which had categorically laid down three criteria for curbing privacy rights—there must be a law, there must be legitimate state aim and the law must be proportionate.
There is no denying that there is a legitimate state aim in curbing cybercrime and phishing. Additionally, the third criteria of proportionality can also be seen in this mechanism. As a manual check of all the data sets of subscribers of SIMs will be next to impossible, ASTR does this job within a few seconds with great accuracy. The test of proportionality works on the principle of bringing efficiency within the existing framework without distorting the fundamental right in question. In this case, the fundamental right to privacy has to be balanced against the menace of phishing, for which the data of the subscriber will be shared with ASTR and LEA. This will be proportional provided that the data of the subscriber is only utilised for this purpose and not shared with other agencies for other purposes.
Yet, the question of consent remains. The other question is of “Purpose Limitation”. The data with the service provider is being shared with LEA, but this was not the original purpose for sharing of the data. Will this not be a breach of trust for the SIM subscriber?
The first criteria of the three pronged-test of KS Puttaswamy-I demands a law be in place. But is there legislation in place for LEA to access such processed data and how is the data handled? If not, it is a clear breach of the privacy guidelines laid in KS Puttaswamy-I.
Jakhar mentions provisions in the Telegraph Rules, Indian Penal Code and Information Technology Act which will be relevant in this case:
- Telegraph Rules Rule 416A—special powers of Telegraph Authority.
- Telegraph Rules Rule 419—interception or monitoring of telephone.
- Telegraph Rules Rule 427—illegal or improper use of telephone.
- Indian Penal Code Sections 415 to 420— cheating, impersonation.
- Indian Penal Code Sections 463 to 476— creating false documents, using fake documents.
- Indian Penal Code Sections 463, 465 and 468—forgery for purpose of cheating.
- Information & Technology Act Section 66C—punishment for identity theft.
- Information & Technology Act Section 66D—punishment for cheating by personation by using computer resource.
These provisions will be relevant for catching individuals committing forgery or impersonating. However, this does not broadly cover the privacy angle of the subscriber whose data will be processed by ASTR and possibly shared with LEA or other authorities.
Standard operating protocols will be needed to ensure that the data of an individual is handled with all safety measures, keeping the principle of purpose limitation in mind.
—The writer is Assistant Professor, National Law University, Jabalpur