The layman often does not know how many tiers of privilege are invisible too him. I have often wondered how I can purchase something that costs less than a dollar and it gets stuck in customs to never be seen again, or emerge after a few months, but couriers deliver international parcels within days. And it was evident that this is a mystery to many and even more have solved it with conspiracy theories, because the only plausible explanation to occur to me till today, living in a bribe riddled country was a twitter user's suggestion made a few years ago, that courier companies have their contacts in customs who clear parcels swiftly for them, while regular parcels wait.
It was today that I realized it is not so. Take the case of Mumbai The Courier cell at the airport clears parcels with Airway bills right there at the airport. Then comes the parcels with tracking numbers starting from "E" - EMS type ones at the Post parcel sorting office behind Sahara Hotel. The poor ones starting with C go all the way to Ballard Estate to clear customs. I guess this is an additional precaution in case customs fails to delay non-courier parcels enough. I imagine they have less storage space at the airport to keep lags, and that is the only reason they come through faster, because surely the government would not prefer some methods of shipments over others, including the government run postal system. Yeah, that was sarcasm. And yes, the speed of international couriers in delivering your parcel is not because they are "better" at it, but because customs seems to hurry them through while taking their own sweet time for others.
Regardless, this is not the purpose of the post. I got a call from DHL today, asking me to upload KYC documents for a shipment coming for me. This is a small quantity of oat bran and apple fiber - both of which, for mysterious reasons are not manufactured in India - at least for retail. I wanted to see what the products are. The total cost of both packets could not be over Rs. 500. KYC for a 500 rupee parcel, failing which it would be returned to sender? Unbelievable. I lost my temper with DHL - they want my official, personal identification and proof of address for their staff to be able to download and print whenever they "need" - PERMANENTLY? WHY? How are my documents their business at all and further, what is their justification to keep them in a usable format with them once the delivery is done?
This led to a search.
The gist of the problem is that our Customs department in all its wisdom issued a circular requiring KYC documents for every parcel going in or out of the country - regardless of the value of the parcel and whether it is eligible for customs duty. This is, presumably to prevent import/export fraud or money laundering, etc. Apparently customs hasn't realized that the letters that are so happily exempt can easily carry diamonds.
Now, as per Customs, these documents can be collected at the time of pick up or delivery. But obviously this is a headache for courier companies, that have found their own workaround. They simply ask customers to upload their documents to the courier's website, from where the courier will use them automatically in the future - at least reducing future headaches. This is a streamlining of operations, that makes sense - from the perspective of a courier. A courier is not responsible for national or individual security or rights of citizens. And our country, that claims to want to go digital has no concept of digital security at all beyond the "money" sites as I call them - tax, aadhaar.
As a result, we have a whole horde of foreign companies with databases of valid identification and proofs of addresses complete with email addresses and phone number (required at time of upoading documents) - from which they can also get date of birth. These documents are obviously good enough quality to be able to be printed and used by third parties for KYC. These documents are accessible - at the very least - to call center employees who call you up to discuss them and employees who will print them out from the database, attach them to parcels, take the parcels for customs clearance and perhaps further down the assembly line all the way to your door, including local delivery agents.
Now, what sort of security problems could be possible because of this?
At the point of the database
Call center employees, people taking print outs or such all the way to your door are unlikely to be highly skilled employees. They are necessary in large numbers. It is unclear what sort of screening procedures happen for them to be entrusted with such data.
Corrupt employees could easily sell identification documents of real people for money. Something like this has the potential to sit nicely on a DVD to go to the highest bidder.
Spy agencies could use such data for various purposes against Indian interest, including the basis of new fake identities. All it takes is one driving licence or passport to rent a place and become a local in a new place and get pretty much any document and begin a brand new life and toss the photocopy of the passport away on getting their new driving licence or whatever. Would be a pretty handy "Shopping mall of documents" to check out which customer of the courier company had photo identification that best suited the agent they were planting.
Given that the records would also come with email addresses and phone numbers with a good chance of being linked to the documents, the possibilities increase. Consider for example a person walking into a mobile provider's showroom asking for "his" SIM to be blocked and providing alternative documents to get a new SIM. If the address proof is a bank statement, for banks where customer ID is the login, should be a simple matter to reset password with a new SIM. Not to mention a list of people using international couriers is an automatic list of people extremely likely to be using electronic payments, to be from the rich and upper classes.
And you don't even have to have dishonest couriers for this. Databases get hacked and data dumps are sold on the black market. One created from such a source would have a very high percentage of lucrative targets with a good possibility of being vulnerable to targeted attacks or identity theft.
There are very very few places where you could get such complete information on such a targettable group - not even government databases could probably give you email addresses, phone numbers and printable copies of ID documents in one place.
How could this be avoided?
First and foremost, six years is plenty of time to collect data. Customs and revenue folks should provide statistics on how many cases of fraud were caught due to KYC data. At the very least, they must demonstrate that the expense and risk to individuals and country of conducting this circus is justified by results of the use of KYC data.
There is no reason to require documents for items not qualifying for duty to begin with - which would be the bulk of parcels. Where duty was paid, customs can easily require the receiver to upload documents to a government website for customs clearances instead of third parties based outside India. Couriers could even expedite the process by intimating customers not registered in customs to do it with their AWB number on booking of shipment to prevent delays in customs. Even then, it is unclear what KYC documents achieve - would be more useful to get a PAN number, which can, quickly be checked against bank accounts, tax status, import licences and more as well as payments made, while providing least "one stop" exploitable information to someone misusing it. With something as specific as a PAN number, customs could even have automatic flags for more than "X" number of shipments in "Y" period - without even having to resort to any kind of snooping or invasions of privacy. Otherwise, simply having a few different shipping addresses (home, office, warehouse, shop - all would have address proof/rental agreement) could result in a workaround for illegal imports anyway.
This absurd requirement for customs puts both individuals as well as country at risk. This cannot be blamed on couriers - they are merely getting customers to "voluntarily" (or else you won't get your parcel) give up their documents to prevent inconvenience to themselves. While they are using the documents legally and have a good excuse for their coercive behavior, it is the responsibility of the government to secure the nation as well as its citizens from potential crime.
At the very least couriers must obtain explicit consent from regular customers to store their data permanently or be required to destroy such records once the need for documents is over - at least minimizing risk.
Third party databases containing complete identifiable information of Indian citizens from documents to contact information and date of birth - are a recipe for security disaster sooner or later.
What can we do to protect ourselves till then?
Do your international shipping through Postal departments as opposed to couriers. Or via E-Commerce websites that have shipping arrangements that don't require you to upload sensitive documents to third parties. You will still have to pay customs duty where applicable, but your documents would be less vulnerable to misuse.