Identity theft: Technology solutions exist to tackle India’s problem of KYC data leakages

Summary

‘Know your customer’ norms were designed to curb financial crime, but they have exposed millions to the risk of their identity data being stolen. The good news is that privacy-preserving technologies could let identities be verified without stockpiling the information that hackers target.

Today, more than half of all data breach incidents target personally identifiable information—tax identities, passport numbers, biometric data and the like. In most instances, this information was collected and stored to comply with know-your-customer (KYC) obligations.

Could the regulations we put in place to prevent financial crime be the leading reason why identity theft has risen so dramatically? And has KYC insistence led regulated entities to create some of the most valuable and breach-prone datasets in India’s economy?

This does not have to be the case. Even though Section 11A of the Prevention of Money Laundering Act (PMLA), 2002, permits identity verification through Aadhaar authentication or offline verification (among other modes), regulated entities continue to require their customers to submit copies of their personal information.

As a result, most companies find themselves in control of vast databases of identity information—scanned copies of Aadhaar cards, PAN cards, passports and the like. And, since money laundering is a “continuous offence,” this information ends up being retained indefinitely.

This practice conflicts with the minimalist philosophy that animates our data protection law. Under the Digital Personal Data Protection Act (DPDPA) of 2023, data processing must be limited to what is necessary for the specific purpose and personal data must be erased after that purpose has been served.

Although the law permits mere verification, institutional practice has evolved to mandate permanent archiving. While the DPDPA does allow exemptions for processing needed to comply with existing laws, our current maximalist interpretation of KYC obligations is certainly not the most proportionate way to achieve these objectives.

First, we need to ask ourselves whether we truly need all the information we currently collect. Why, for instance, does the Central KYC (CKYC) template require the submission of a married woman’s maiden name, father’s name, spouse’s name and her mother’s name? While none of this strengthens identity verification, it expands the collateral damage of a breach.

Our current approach to KYC has exponentially expanded our vulnerability to identity theft. Every additional document retained and unnecessary data-field collected expands the blast radius of a single compromise. Should we not be exploring alternative ways to achieve our PMLA objectives—ones that do not require regulated entities to maintain massive databases of identity documents?

It was once assumed that privacy and law enforcement lay at opposite ends of a zero-sum trade-off. That assumption no longer holds. Zero-Knowledge Proofs (ZKPs) allow one party to prove that a statement about some data is true without revealing the data itself.

Using ZKPs, you can prove that you are above 18 without disclosing your actual age, or that you are an Indian resident without having to reveal your actual address.

This provides us with a technical solution to the verification problem that does not require organizations to retain custody of identity documents to prove that verification was completed. What is being replaced here is document retention, not regulatory accountability.

If the law were amended to confirm that ZKP-based identity verification satisfies the customer verification obligations under applicable laws, regulated entities could stop collecting copies of identity documents altogether, leaving a breach with little of value to expose. The entity would retain only the proof and a record that verification took place, neither of which reveals the underlying data.

But identity verification is only one part of the story. Most laws also require regulated entities to ensure that, if any verified customer violates the law, details of that customer needed to aid the investigation will be made available on request to law enforcement. As a result, any identity verification system that cannot ultimately respond to a lawful summons will not be a viable regulatory solution.

This means that even though ZKP addresses the verification requirements in a privacy-preserving manner, we will also need a ‘break glass’ mechanism to give legitimate authorities a way to recover the identity of the person under investigation, while ensuring that it still remains permanently invisible to the regulated entity.

One possible solution would be to implement ‘auditable privacy’—a technological solution that keeps identity information encrypted and unusable by default, but capable of being revealed if authorized through lawful due process.

Consider this proposed solution: whenever users undergo KYC, their personal data is encrypted using a public key controlled by a designated authority, so the regulated entity never holds the key needed to read it. At enrolment, the regulated entity collects and stores this encrypted package while verifying, through a ZKP generated by the user, that the encrypted data satisfies the KYC requirements. The regulated entity thus holds a personal information package that remains encrypted unless and until an investigation is triggered.

In such a case, in response to a court order, the designated authority can decrypt the payload to recover the complete identity package. The entire chain—encryption, storage, decryption—can be made cryptographically auditable, thus reducing the risk of misuse.
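As an added example, not from the article or its author: a Go sketch of the auditable-privacy flow described above, built on the standard library's X25519 and AES-GCM. The zero-knowledge proof step is not implemented here; the example covers the parts the paragraphs lay out, namely encrypting the identity payload to the designated authority's public key, the regulated entity storing only the sealed package plus a commitment it logs, a break-glass decryption that refuses to run without an order reference, and a hash-chained audit log whose head changes if history is rewritten. The domain label, the sample record, the order reference and all function names are made up for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// must keeps the happy path readable for setup steps that should never fail.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func digest(b []byte) string {
	h := sha256.Sum256(b)
	return hex.EncodeToString(h[:])
}

// SealedRecord is all the regulated entity stores: AES-256-GCM ciphertext to the authority's X25519 key, plus a loggable commitment (hex SHA-256 of it).
type SealedRecord struct{ EphemeralPub, Nonce, Ciphertext []byte; Commitment string }

// AuditLog is a hash chain, Head = SHA-256(previous head | event): rewriting or dropping any event changes the head.
type AuditLog struct{ Events []string; Head string }

func (l *AuditLog) Append(event string) {
	l.Events, l.Head = append(l.Events, event), digest([]byte(l.Head + "|" + event))
}

func (l *AuditLog) Verify() bool {
	h := ""
	for _, e := range l.Events {
		h = digest([]byte(h + "|" + e))
	}
	return h == l.Head
}

// aeadFor derives the data key from the X25519 shared secret bound to both public keys (made-up domain label) and returns AES-256-GCM.
func aeadFor(priv *ecdh.PrivateKey, peer *ecdh.PublicKey, ephPub, authPub []byte) cipher.AEAD {
	h := sha256.New()
	for _, p := range [][]byte{[]byte("kyc-escrow-v1"), must(priv.ECDH(peer)), ephPub, authPub} {
		h.Write(p)
	}
	return must(cipher.NewGCM(must(aes.NewCipher(h.Sum(nil)))))
}

// Seal runs on the user's side at enrolment: the payload is encrypted to the authority's key, so the regulated entity only receives ciphertext.
func Seal(authPub *ecdh.PublicKey, payload []byte) *SealedRecord {
	eph := must(ecdh.X25519().GenerateKey(rand.Reader))
	ephPub := eph.PublicKey().Bytes()
	gcm := aeadFor(eph, authPub, ephPub, authPub.Bytes())
	nonce := make([]byte, gcm.NonceSize())
	must(rand.Read(nonce))
	ct := gcm.Seal(nil, nonce, payload, ephPub) // AAD binds the ciphertext to this ephemeral key
	return &SealedRecord{ephPub, nonce, ct, digest(ct)}
}

// BreakGlass runs at the designated authority: no order reference means no decryption; the order and the release are both logged.
func BreakGlass(authPriv *ecdh.PrivateKey, rec *SealedRecord, log *AuditLog, orderRef string) ([]byte, error) {
	if orderRef == "" {
		return nil, errors.New("break-glass refused: no court order reference")
	}
	log.Append("ORDER " + orderRef + " commitment=" + rec.Commitment)
	ephPub, err := ecdh.X25519().NewPublicKey(rec.EphemeralPub)
	if err != nil {
		return nil, err
	}
	gcm := aeadFor(authPriv, ephPub, rec.EphemeralPub, authPriv.PublicKey().Bytes())
	pt, err := gcm.Open(nil, rec.Nonce, rec.Ciphertext, rec.EphemeralPub)
	if err != nil {
		return nil, err // tampered ciphertext or wrong key: nothing is released
	}
	log.Append("DECRYPT commitment=" + rec.Commitment)
	return pt, nil
}

// Scenario runs enrolment, a refused request, a lawful request and a tamper check on a constructed sample record.
func Scenario() (recovered, refusedWithoutOrder, logIntact, tamperCaught bool) {
	authority := must(ecdh.X25519().GenerateKey(rand.Reader))
	payload := []byte(`{"name":"A. Example","id":"XXXX-1234"}`) // constructed sample, not real data
	rec := Seal(authority.PublicKey(), payload)
	log := &AuditLog{}
	log.Append("ENROL commitment=" + rec.Commitment) // the entity logs the commitment, never the data
	_, err := BreakGlass(authority, rec, log, "")
	refusedWithoutOrder = err != nil
	pt, err := BreakGlass(authority, rec, log, "ORDER-2025-001") // hypothetical order reference
	recovered = err == nil && string(pt) == string(payload)
	logIntact = log.Verify()
	log.Events[0] = "ENROL commitment=0000" // someone rewrites history after the fact
	tamperCaught = !log.Verify()
	return
}
```

Call Scenario() from a main or a test; all four results come back true. Two design choices carry the argument of the text: the regulated entity's stored record contains no key material that can open it, so its breach yields ciphertext and commitments rather than identity documents, and the commitment written at enrolment is what later ties an order and a decryption to a specific sealed record. The flip side is that the authority's private key can open every record, so in a real deployment it belongs in an HSM or a threshold scheme rather than on a single machine.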

This approach ticks multiple boxes. For regulated entities, it shrinks what a breach can expose to ciphertext and commitments rather than identity documents. For users, privacy holds as long as the designated authority's decryption key is itself well guarded, since that key becomes the one point at which every sealed record could be opened. For regulators, it ensures that when the veil of privacy needs to be pierced, it can, via due process, reveal identity details in a verifiable and legally admissible way.

The author is a partner at Trilegal and the author of ‘The Third Way: India’s Revolutionary Approach to Data Governance’. His X handle is @matthan.