On April 14, the country celebrated the 126th birth anniversary of Bhim Rao Ambedkar and Prime Minister Narendra Modi chose to mark the occasion by launching a mobile application that he described as a “game changer” — BHIM-Aadhaar. Ostensibly designed to encourage “cashless movement” and digital payments. “This app can work even on a Rs 1,000-1,500 phone, you don’t need a smartphone. If you don’t have a phone, you can use your thumb,” Modi said while speaking at a local sports complex in Nagpur. 

What is BHIM-Aadhaar?

Developed by National Payments Corporation of India (NPCI), the Aadhaar-linked BHIM (Bharat Interface for Money) mobile application is the 34th app based on the Unified Payment Interface (UPI). The app lets you make “simple, easy and quick payment transactions” using UPI according to the NPCI website. 

It was aimed at merchants, allowing them to accept payments from customers by authentication through Aadhaar-linked bank accounts with fingerprint verification. For instance, after a seller registers their account on the app and purchases a fingerprint scanner- which are cheaper than swipe machines- a customer can supposedly pay for a purchase simply using their fingerprint.

Also known as Aadhaar pay, BHIM has been launched by 30 banks including State Bank of India, Punjab National Bank, ICICI and HDFC banks. The Finance Minister Arun Jaitley said that by September 2017, banks would enrol close to 20 lakh merchants on the app. In a bid to promote the app, the government announced an incentive of Rs 495 crore for six months by providing referral codes to consumers and bonuses merchants for downloading the app and transacting through it. 

For those who remember the BHIM app from December 2016, this app would seem to be a version with Aadhaar integration. “BHIM was initially projected as a reference implementation of UPI,” Anivar Aravind, the founder and director of Indic Project (a civic-tech non-profit working on Language engineering, Technology policy and Industry training) told Newslaundry. “Now with this release BHIM is moving from ‘a UPI reference app’ to more of a standalone product of NPCI with Aadhaar Pay & Merchant Integrations and UPI is just a component within the App,” he added.

Srikanth Lakshman, a Hyderabad-based software engineer volunteering for ‘Cashless Consumer’ initiative (a consumer awareness initiative about digital payments), explained in a blog post that BHIM is a minimalistic app in terms of its design, size, features and transaction ability. The threshold for each transaction is Rs 10,000 per transaction and Rs 20,000 per day, as compared to bank run UPI apps which have 1 lakh daily limit, comparing free service roads alongside tolled highways. The app is also inclusive covering 12 Indian languages. “Broadly, it would be an AePS (Aadhaar-enabled Payment System) transaction through BHIM app of merchant,” Lakshman told Newslaundry.

What does NPCI hold?

While the BHIM app would compete with private mobile wallet companies like Paytm, MobiKwik and Freecharge, the state-supported app promoted by the PM has been developed by a private entity. NPCI was set up under section 25 of the Companies Act 1956 (Section 8 of the Companies Act 2013) with indirect holding by the government through a public sector bank that promotes them. According to the NPCI website, the organisation, set up under the “guidance and support of the Reserve Bank of India (RBI) and Indian Bank’s Association (IBA)” is promoted by 10 banks- State Bank of India, Punjab National Bank, Canara Bank, Bank of Baroda, Union Bank of India, Bank of India, ICICI Bank, HDFC Bank, Citibank and HSBC. 

Speaking to Newslaundry, Delhi-based lawyer working on cyber security, Apar Gupta, said that though the government has a fair amount of shareholding in the NPCI, it doesn’t have any operational control or have a say in its functioning. “It is run like a private company itself,” Apar said. “The BHIM app, even though it is being launched by the Prime Minister, and carries a substantial amount of state support in terms of its adoption, the development of the application and the operation is being done by private parties.” In fact, Apar went on to say, its independence was reflected in the terms and conditions (T&C) of the app. 

What exactly are the T&C?

Attempts are being made to study the vulnerabilities of the Aadhaar integration in the app but the official T&C and their opacity is an obstacle to many. 

According to Lakshman, the NPCI changed the UPI T&C on their website recently after the BHIM app was launched. It is not sure if this was a result of rushing the product in trying to meet the deadline or a simple oversight. He suggested that many clauses have been added to the current version of the T&C on the NPCI website- which is very hard to find on the site. “I wasn’t able to get old T&C. But can confidently say 6.4-6.6 were newly added in this version. 3.3-3.5, 8.4, 9.5 and 9.6 all these were newly added clauses. Did not exist before,” Lakshman told Newslaundry. 

Besides the added T&Cs, there are discrepancies in the versions available on the app and the NPCI website. There is a PDF of the T&Cs of the BHIM app available on the NPCI website which is not easily searchable. 

Other than the differences between the two versions of T&Cs, there are many clauses that have raised eyebrows of security researchers and analysts. 

Apar went on to say “What I would expect is that the terms and conditions on the NPCI website should match the terms and conditions on the app itself. They should include a link within the application to view it.” However, according to a study by Cashless Consumer, the link is not available to Android users but only iOS users. 

To begin with, the T&Cs of the application are available to Android users only at the time of installation and users are not notified when there are any changes in the T&C. There are about 250 million smart phones in the country out of which a vast majority are Android phones, and given that most of the phones within the Rs1000-1500 bracket as touted by Modi would typically be Android phones, it is imperative to at least provide a link of the T&C. 

“So, there is a problem with how consent is being obtained from users,” he stressed, stating that the idea of consent is to give proper notice to the user before he/she agrees to use the service. 

The fifth clause in the section called “Disclaimer of Liability” states the following:

This essentially means that the NPCI is not liable to inform users about any changes in the T&Cs, a clause similar to the ones that exist in the T&Cs of private mobile wallet platforms like Paytm. “It impacts the effectiveness of the consent which is given by the user,” Apar said. However, consent is only one of the concerns. Security researchers have expressed concerns about a particular clause present in the web version of the T&C which states the following:

Reverse engineering is one of the key aspects that testers and analysts use to examine the vulnerabilities and loopholes of a system. “BHIM is a closed source product. So auditing the code for vulnerabilities is not possible for citizens/independent developers. But as in any software BHIM also has bugs. But both UPI and BHIM do not offer a bug tracker for public to file technical issues,” Anivar told us. 

While necessary for auditing the system, the above clause makes security researchers vulnerable to legal ramifications given that there is “little judicial recourse” as stated by Apar. He, Lakshman and Anivar echoed the fact that the development of the app was done privately, and as such the codes and specifications of the app are not publicly available when the government of India has a policy for adopting open source softwares. Anivar suggested that even the UIDAI which comes under the Ministry of Electronics and Information Technology is supposed to be following the government’s policy on open source but don’t seem to. “Even projects like UIDAI, which is directly under MEITY and bound to follow Govt policy onOpen source & open standards are bringing Aadhaar into payments in proprietary way via contract with private entity like NPCI,” Anivar said. “This means even tech savvy free and open source community among citizen are prevented from analysing consumer interests in the code,” he added. 

Lakshman said that all the UPI-based apps are “closed source” and opined that making it open source would improve transparency and security.

Notice the clauses in the section called “User Obligations”. 

Not only does the NPCI seemingly absolve itself of responsibility but also leaves the consumer with little judicial recourse in the case of error or theft. It can be observed that a consumer can’t begin a legal process without “vetting by NPCI in case it relates to the functions of the NPCI”. “If they [the consumer] read it plainly, it will seem as if they have no rights. There is very little a consumer can actually do under the law,” Apar said. 

While Aadhaar integration of many apps created a furore about the vulnerabilities present in the system, analysts suggest that the same vulnerabilities would apply to the BHIM-Aadhaar app as well.

The Aadhaar Act only allows the Unique Identification Authority of India (UIDAI) to take action, as per their discretion. Similar is the case with the BHIM app where the user is supposed to get “prior approval and vetting by NPCI” raising questions about how it functions. “The very existence of the remedies is in doubt,” Apar said. “They don’t even have the technical capability to assess that a person who has suffered the loss was negligent or whether the fault can be attributed to the platform or application or to the bank.”

This comes after last month’s Bank of Maharashtra (BoM) fraud, when a bug in the UPI app cost the state-run bank crores of rupees. According to an Indian Express report, hackers siphoned off Rs 1.42 crore from the bank by exploiting a flaw in the UPI app. However, an Economic Times report suggested that Rs 25 lakh had been transferred to 19 banks and attempts are being made to recover it. “Total amount of loss, as reported by BoM, is about Rs 25 crore.”

“They’ve recovered some amount and some amount is still pending. They’ve filed a police complaint also and the investigation is on,” NPCI Managing Director and Chief Executive AP Hota was quoted as saying. 

Many of the users didn’t have sufficient balance in the account when the transactions went through. The software company that allegedly introduced the bug faces no criminal charges or financial penalty.

Following the incident, the current T&C states that the NPCI shall not be responsible for “any electronic or mechanical defect, data failure or corruption, viruses and bugs or related problems that may be attributable to User telecommunication equipment and/or the Services provided by any Service Provider”. As per the current T&C, the user would now have to bear the loss whether or not he/she is aware of the transaction. “The NPCI now modified their terms of BHIM app after BoM fraud to penalise users and threatening them with criminal cases for similar losses via badly built apps, this is not consumer-friendly,” Anivar said. 

The T&Cs bring with it tremendous responsibility and liability on the consumer while there is hardly anything to imply that the NPCI is viable for anything. “A lot of terms and services are a one-sided contract which are made between a user and a service provider. So, the user has very little negotiation ability and they are drafted by the service provider to shield it from liability,” Apar said. For instance, the first and third clause in the section called “Disclaimer of Liability” on the website states that: 

However, it would be important to note that the above mentioned clause doesn’t exist on the app version of the T&C. Given that some are web only and do not require the user to read or click a tab typically called “I do” indicating they were atelast aware of the T&Cs.

Breach of privacy?

Aadhaar has been in the eye of the storm since the government decided to integrate it with many state-run schemes. In February, Sameer Kochhar, Chairman of Skoch group (a Gurugram- based think tank) wrote a blog post, raising concerns about the vulnerabilities and loopholes in the Aadhaar-enabled Payment system. Kochhar also posted a video with his blog post which explained how biometric data and the 12-digit Aadhaar number could be stored on a device. Reportedly, Kochhar was also slapped with a First Information Report (FIR) for “spreading rumours”. 

With the launch of BHIM, researchers are still busy studying the app, and Cashless Consumer post has raised many privacy concerns associated with the app. One of them being that the app attaches geographical location of the device every time a request is made for a UPI transaction. However, this is common to all apps on UPI. When Newslaundry raised this particular feature with Apar, he laughed and said that “you are at the mercy of the NPCI”. “NPCI’s approach is ‘I OWN YOU’ and ‘I don’t Guarantee anything’. I am not a legal expert. Sending SMS to activate BHIM is considered as accepting terms and conditions,” Anivar said.

Besides this feature, certain clauses on the app’s terms of service point serious fingers on the privacy aspect of the app. Read the following clauses on the web version of the app. 

Lakshman raised the clause pertaining to the NPCI being able to “monitor and record any or all telephone conversations” on twitter, the Aadhaar news twitter handle quoted his tweet and said that it was a “wrong reading of the TnC”. 

In response to the tweet claiming he had a “wrong reading of the TnC”, Lakshman clarified that the NPCI doesn’t have any call centre for users for one to allege wrong reading on analysts. “Even though the app doesn’t technically record / monitor calls, consumer by accepting TnC gives NPCI, at its discretion, to monitor / record telephone conversations between customers of BHIM potentially through arrangements with telcos,” Lakshman told Newslaundry. “Note that, NPCI/BHIM doesn’t run any call center for users, hence question of NPCI recording customer care conversations doesn’t arise.”

Apar argued that the T&Cs were broadly framed, suggesting that it is unclear to what extent the NPCI would actually go in recording calls. Though many private companies have similar clauses, this initiative has a great amount of state-endorsement associated with it. “When digital modes of payments are being pushed so heavily, and it has now become a part state policy to promote electronic wallets and digital payments, the promotion of the this application by several government ministries political personalities, certain amount of protection should also be present within it,” Apar told Newslaundry. “It is an application which requires transfer of money, hence it requires a higher degree of trust,” he added.

The fact that the NPCI has the right to “disclose any information as necessary to satisfy any law, regulation or governmental request,” has raised concerns among lawyers, activists and analysts. “Given the amount of data being disclosed without notice to a user, given how much information they are disclosing to any government entity pursuant to request, which is again not defined, this can be very evasive towards a person’s privacy,” Apar said.

“NPCI is not government. People use BHIM because it is the Prime Ministers appeal. But it is sad to see the Prime Minister promoting a product without ensuring its Terms and Conditions are in citizen interest,” Anivar said. 

Newslaundry tried to reach out to the NPCI for the older version of the T&C and for a comment on the concerns raised in the T&Cs. However, persistent calls, e-mails and direct messages through the NPCI’s twitter handle fetched no response. The only person that Newslaundry could reach through the official contact number provided on the website was a bewildered security guard at the Goregaon, Mumbai office who told us that “Madam 5:30 baje wapas aengi reception par, aap tab call kijiye, abhi who meeting me hai, mein security hoon (The madam will come back by 5:30pm, call after that, she is in a meeting currently)”. We did, she wasn’t. Since then all calls made to the NPCI went unanswered. We aren’t sure how easy it would be for a simple consumer to reach out to them under more dire circumstances.

This piece will be updated to reflect their response if any.