Sunday, January 14, 2018

What is the VID and what problem will it solve?

(At the time of writing this, I have not been able to locate the official VID circular either under the Circulars menu or Notifications menu on the UIDAI website, so I rely on detailed news reports such as [1], [2], [3] for this article.)

UIDAI has recently announced that it would start issuing 16-digit Virtual IDs (VIDs) on demand to individuals, who can then present the VID in place of their Aadhaar number if they so choose. Individuals can thereby keep their Aadhaar number secret.

For a long time now, UIDAI has taken the position that the Aadhaar number is not a secret (most recently in a press note issued 4 days before the VID announcement). Given that the Aadhaar number is asked for virtually everywhere, it cannot be expected to remain secret. Introducing the VID looks like a rethink, in light of the data breach reported in the Tribune.

The other problem that UIDAI is trying to solve with the VID is "profiling" of residents. An article on NDTV claimed that "the Virtual ID that had been in the works for 18 months was introduced to block any attempt at profiling the crores of people who had enrolled for the unique identification number." In other words, it is meant to guard against the possibility that a malicious attacker who knows an Aadhaar number can search across multiple financial, telecom, educational and other databases and assemble a detailed picture or profile of the individual.

This is not a problem that UIDAI should be expected to solve. The world over, the security and confidentiality of a database is the responsibility and duty of the organization that maintains it - banks, telecom companies, etc. The profiling problem arises when the databases of these organizations are compromised.

Issuing a VID will NOT solve the profiling issue, for the simple reason that if these databases are compromised, the attacker can just as easily profile on the basis of the name or, better still, the cell number. [I cannot think of a single instance when I have had to share my Aadhaar but not my cell number. I can think of many places where I have had to give my cell number but not Aadhaar, so the cell number seems like a richer profiling key for any malicious attacker. Oh, and I have always had to give my name everywhere!]

This brings us back to the question: why does UIDAI need to add "layers of security" to something we have been told is "fully secure"? Why is UIDAI still unsure whether the Aadhaar number is to remain secret or not? There is no other country where so many questions are raised about the National Identity Database. Neither the Passport authority in India nor the IT Dept (which issues PAN cards) has ever been questioned on the security of its database. Why do such questions arise about Aadhaar?

The Unique ID Authority of India is "Unique" for one reason. It is the ONLY National Database in the world that GIVES OUT citizen information to private entities. Even the Passport Authority and the IT Dept DO NOT GIVE OUT citizen information to anyone, except to investigative agencies where there is evidence of a crime.

It is worth asking why UIDAI even needs to give out eKYC data unless there is a crime or some other overriding reason. Sure, it may help a telecom company scale up its user base much faster than its competitors, or it may cut down the time and effort required to populate the databases of other private companies. But making life easier for private companies was NOT the purpose of the Aadhaar Act to begin with, and can never be the purpose of any National Identity Database.

Furthermore, none of the claimed Govt savings, such as those from eliminating ghost teachers, fake ration card holders or fake students, would be lost if eKYC were stopped and replaced purely with verification or authentication.

Interestingly, until a couple of years ago UIDAI did only YES/NO verification and biometric authentication. That was the right approach, and UIDAI needs to switch back to it immediately. Further, it should restrict biometric authentication to government agencies only. UIDAI should not be an enabler in the replication of its data in private databases in India and abroad. Then it won't have to worry about profiling based on Aadhaar.

The SC bench hearing the Aadhaar case should focus on this insidious eKYC provision of the Aadhaar Act. Surely, as Mr Chidambaram said, this is a bit like locking the stable door after the horses have bolted. Perhaps we can take satisfaction in the fact that it will protect the privacy of babies who are born today!

Thursday, January 4, 2018

Tribune report on Data breach

The Tribune carried a news report of a UIDAI data breach:

This was followed by a clarification from UIDAI:

More information about the Aadhaar breach has since come into the public domain. Some clear facts have emerged from everything that is known.

1) UIDAI essentially admits that resident data (demographic and personal information, probably including the photo, but not fingerprint and iris data) has been accessed in an unauthorized manner. It is said that perhaps 1 lakh unauthorized users had accessed Aadhaar data. It also seems that the authorities had no idea this was happening until the reporter broke the story.

2) The breach of demographic information is a serious matter. Consider for a moment: if the intelligence agencies of foreign countries have access to this information, they can look up the residential address of any officer in the Indian security forces. Less ominously, mischief-makers and marketeers can create targeted databases of individuals with particular characteristics within a PIN code.

3) Had the Aadhaar system restricted itself to YES / NO verification (as it correctly did when it was conceived), none of this would have happened. Unfortunately, after the NDA Govt took office, private entities were permitted to access and obtain Aadhaar information (via what is called eKYC). eKYC has allowed many private entities to essentially replicate large sections of the Aadhaar database in private databases over which no one can exercise control.

4) Any corrective action at this time is akin to bolting the door after the horses have fled. While the SC continues to debate and hear "privacy" related cases, the reality of the situation is that much of the information has already been compromised and the genie cannot be put back in the bottle.

(This post was modified in light of information available after the initial Tribune story.)

Sunday, September 10, 2017

RBI moves towards eAadhaar

The RBI has issued a notification enabling the use of an eAadhaar obtained from the UIDAI website as a valid form of eKYC. See their notification below:

This is a move in the right direction - eAadhaar is absolutely the right way to perform eKYC.

The RBI notification is a vindication of what we have said all along. An individual submitting his own eAadhaar is better than thousands of private entities collecting people's biometrics and accessing information directly from the UIDAI database.

Friday, September 1, 2017

GSTN sandbox / production mismatch

As of the morning of 1 Sept 2017, we have received information that signatures which passed in the GSTN sandbox do not pass in GSTN production. This is unusual: the two environments (sandbox and production) seem to be accepting two different formats.

We are in the process of finding more information and addressing the issue.

Monday, August 28, 2017

GSTN Signatures successful

Working with some of our partners, Truecopy has in the past few days been able to successfully demonstrate digital signing of GST returns in the GSTN sandbox. Anyone who has dealt with the available documentation (or lack thereof) on GSTN signatures will tell you that this definitely deserves a blog post!

Without getting into the details (because GSTN has not asked for our opinion), we want to state that we do not believe that the signature format that GSTN seems to accept is a suitable one. However, we will keep our disagreement aside and help all our partners get their returns accepted in their sandbox.

PS: We also hope there are no more changes to the spec, and that the same signature formats continue to be accepted tomorrow.

Tuesday, August 1, 2017

The Aadhaar / Privacy case in SC.

The SC is currently considering cases pertaining to privacy issues surrounding Aadhaar. A few aspects relevant to this discussion have not been brought up prominently so far:

1) Many countries have citizen databases, which include confidential information about citizens. Aadhaar is probably the ONLY example in the world where the Govt actually GIVES OUT information in its database to private parties. (I have not been able to find any other example of a country where the Govt shares information in its database with private entities). This is quite remarkable. Perhaps the Privacy arguments need to focus around whether the Govt can give out citizen data, instead of focusing on whether Govt can collect citizen data.

Some may point out (correctly) that data is given out only after user consent. However, we know that in most cases citizens barely read the consent fine print. Secondly, it is always possible to word the consent in a deliberately vague manner that enables use of the same data for other purposes.

Perhaps there is a reason why no other country actually GIVES OUT data from citizen databases.

2) The early implementations at UIDAI required the individual to furnish his/her information to the receiving entity, and the receiving entity could only verify that information with a YES / NO response from UIDAI. It was up to the individual to decide which pieces of personal information s/he wanted to share with a particular receiving entity. Today, a receiving entity can fetch ALL pieces of client information in the UIDAI database (except biometrics).

3) Collection of biometrics is being "normalized". Under the guise of eKYC, so many organizations have begun asking for biometrics that we no longer find it unusual. Recently, there was news that air travellers would be allowed to fly only after authenticating themselves at the airport with their fingerprints. It will be interesting to see how people react when this actually happens.

Sharing your biometrics is like sharing your password, except that this is a "password" you can never change, even once it is compromised.

A recent news report said that almost 93 cr (i.e. 930 million) people had done biometric eKYC during July 17, and presented this as 'proof' that residents were OK with sharing their biometrics. The fact is that in most cases residents are denied service if they decline. A poor person agreeing to provide biometrics to get his PDS ration hardly constitutes 'proof'.

4) A citizen has no easy way to ascertain whether a particular device recording his fingerprints is compliant with UIDAI guidelines. Because of 3) above, it is easy for fraudulent entities to trick people into giving their fingerprints on non-UIDAI devices. While the Govt bears no direct responsibility for such fraudulent acts, surely it is the Govt that is responsible for 3) above.

The Govt may want to consider reverting to its earlier YES/NO verification system instead of sharing UIDAI data. It may also want to define the circumstances / purposes for which the biometrics of citizens can be captured.

Tuesday, June 6, 2017

eKYC, KUA - Latest UIDAI circular specifies fees, etc.

Last week (on May 31, 2017) UIDAI published a circular on AUA / KUA agreements.

The salient points in this circular are the requirements that an agency provide a Bank Guarantee of Rs 25 Lakhs and pay a licence fee of Rs 20 Lakhs (for a 2-year licence) to become a KUA. The intention behind this exercise seems to be to weed out spurious agencies acting as KUAs, and to ensure that those seeking to become a KUA have financial viability and a genuine business need to obtain eKYC data.

This is certainly a welcome step by UIDAI to impose some sort of financial filters on who can become a KUA.

Recently, we have heard of some KUAs offering third parties the ability to obtain eKYC data by making them sub-KUAs. Perhaps UIDAI will come up with regulations governing data sharing by KUAs, and the liabilities in this regard.

Friday, May 26, 2017

eSanad should become eSa-NAD

Recently the HRD ministry along with NIC launched a portal for online verification of educational documents. The initiative is titled eSanad, and CBSE has already joined in.

Read more here:

The name "eSanad" could be a coincidence but there is no reason why this should not become eSa-NAD. I am of course referring to NAD (National Academic Depository), which is intended to store the educational records of all students. A few thoughts:

1) Government entities have demonstrated the ability to host and manage large amounts of personal confidential information (UIDAI is an example). There is no reason to believe that a Govt entity won't do a good job of managing an Academic Depository (for one, the data will be much smaller in volume, and a lot less sensitive).

2) The Govt (HRD / IT Ministries) could frame rules requiring all Depositories under NAD to share / backup the data they gather with eSanad. This will ensure that verifiers have a single location from where this data can be legitimately accessed, rather than having to register with multiple Depositories.

3) CBSE had earlier tried storing their records with the Depositories (NSDL / CDSL). They have now chosen to go with eSanad - a Government initiative hosted by NIC.

4) To reiterate the point made in an earlier post on the topic of NAD, the eSanad authority should publish APIs (just as UIDAI has done) to enable developers to build much needed applications for document verification.

eSanad will hopefully lead to faster realization of an Academic Depository, and put an end to the menace of fake educational credentials.

Friday, May 19, 2017

More on eKYC - an obvious, direct verification mechanism

The earlier post raises an important question: Is there an easier way to perform eKYC without becoming a KUA? 

The answer to that question is thankfully "YES". But before we get to that, let us ask: what exactly is eKYC?

I find it useful to view the UIDAI database as comprising the following groups of information:

1) The Aadhaar number (a unique number for every user)
2) Personal Information of the holder - such as full name, address, gender, date of birth, etc.
3) Biometric Information of the holder - such as fingerprints, iris scan, photograph, etc.
4) Ownership Information of the holder such as Email Address, Phone number, etc.

Performing an eKYC involves ascertaining the following two separate facts, subject to consent of the concerned individual:

A) Ascertaining that the Personal Information & Ownership Information being presented by the holder of an Aadhaar number matches the Personal Information & Ownership Information stored in the UIDAI database against that Aadhaar number.
This is achieved by obtaining the Personal and Ownership Information from UIDAI in an authenticated manner.

B) Ascertaining that the individual presenting the Aadhaar number is who he / she claims to be, i.e., the genuine holder of that Aadhaar number.
This can be achieved in one of two ways. The Biometric-way relies on the assumption that if the individual is able to present biometric (fingerprint / iris) information that matches the Biometric Information stored in the UIDAI database, the individual is who he/she claims to be. The OTP-way relies on the assumption that if the individual can demonstrate ownership of the listed Phone number and Email Address (commonly described as 2 Factor Authentication, though strictly both are possession checks on channels the individual controls), the individual is who he/she claims to be.

In the KUA approach, the biometric information of the individual is usually captured and sent to UIDAI along with the presented Aadhaar number. In return, UIDAI sends back the Personal Information stored in its database against this Aadhaar number.

This KUA approach ascertains both A) and B) above. A) is ascertained because the information is provided by UIDAI directly from its own database, and B) is ascertained because the individual's biometric is matched against that in the UIDAI database.

Consent is obtained via acceptance of "terms of service", as well as the assumption that the person willingly provided his biometrics.

Following the KUA approach imposes significant contractual obligations, including IT maintenance and audit costs. Thankfully, there also exists an easier way to ascertain A) and B), while ensuring individual consent.

This alternative method is the direct electronic equivalent of an individual submitting his/her own self-attested paper identification documents - something we have been doing for decades for KYC. It requires the individual simply to submit his self-attested eAadhaar document.

The Personal Information of the individual is present in the eAadhaar document, which any individual can download from the UIDAI website. This eAadhaar document is digitally signed by UIDAI. Provided the receiver verifies that signature against UIDAI's certificate (an unverified signature is just bytes), the Personal Information contained in the document is authentic, and satisfies requirement A) above.

What remains to be ascertained is B), i.e. that the individual concerned is the genuine owner of that particular Aadhaar number. This can be done by getting the individual to self-attest (digitally sign) the eAadhaar document being submitted. The signature process outlined by UIDAI implicitly ascertains that the person signing is the genuine owner of that Aadhaar number; the receiver should still check that the identity bound to the self-attestation signature matches the holder named in the eAadhaar document, since anyone can download and countersign a document that is not theirs. The receiver can do additional verification by checking the photograph on the eAadhaar document. Consent is ensured by making it a part of the self-attestation process.

In this alternative mechanism of eKYC, the UIDAI-signed eAadhaar document (including photo) is submitted by the individual Aadhaar holder directly to the recipient. It is therefore a clear and direct method of performing eKYC. There is no need to go through AUA / KUA approval processes, and one can get started immediately.
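To make the two checks A) and B) concrete, here is a small added example (written for this post, not Truecopy's product code and not UIDAI's actual eAadhaar format). It models three roles with Ed25519 keys from Go's standard library: an issuer that signs a demographic record (the UIDAI role), a holder that countersigns the issuer-signed document together with a consent statement (self-attestation), and a receiver that verifies both signatures and, crucially, checks that the identity certified for the holder's signing key is the same identity named in the document. The record fields, the JSON encoding, the `SignerID` attribute (which in practice would come from the holder's certificate, not from the holder) and the sample record are all assumptions of this toy model.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Record is the demographic content of an issuer-signed identity document.
// Field names are assumptions for this toy model, not UIDAI's eAadhaar schema.
type Record struct {
	ID      string `json:"id"`
	Name    string `json:"name"`
	DOB     string `json:"dob"`
	Gender  string `json:"gender"`
	Address string `json:"address"`
}

// Doc is the record plus the issuer's signature over its canonical JSON encoding.
type Doc struct {
	Record    Record `json:"record"`
	IssuerSig []byte `json:"issuer_sig"`
}

// Attestation is the holder's self-attestation: the issuer-signed document, a consent
// statement, and the identity bound to the holder's signing key (in a real deployment
// taken from the holder's certificate, never trusted as supplied by the holder).
type Attestation struct {
	Doc       Doc    `json:"doc"`
	Consent   string `json:"consent"`
	SignerID  string `json:"signer_id"`
	HolderSig []byte `json:"holder_sig"`
}

// canonical returns the bytes that get signed. encoding/json emits struct fields in
// declaration order, so the encoding is deterministic for these types.
func canonical(v interface{}) []byte {
	b, err := json.Marshal(v)
	if err != nil {
		panic(err) // cannot happen for these plain structs
	}
	return b
}

// IssueDoc plays the issuer: it signs the demographic record. This supports A):
// the data is authentic because it carries the issuer's signature.
func IssueDoc(issuerPriv ed25519.PrivateKey, rec Record) Doc {
	return Doc{Record: rec, IssuerSig: ed25519.Sign(issuerPriv, canonical(rec))}
}

// attestationBody is the holder-signed payload: everything except the holder signature.
func attestationBody(att Attestation) []byte {
	att.HolderSig = nil
	return canonical(att)
}

// SelfAttest plays the holder: it countersigns the issuer-signed document together
// with an explicit consent string. The holder's signature is what supports B).
func SelfAttest(holderPriv ed25519.PrivateKey, signerID string, doc Doc, consent string) Attestation {
	att := Attestation{Doc: doc, Consent: consent, SignerID: signerID}
	att.HolderSig = ed25519.Sign(holderPriv, attestationBody(att))
	return att
}

// VerifyEKYC plays the receiving entity. It returns the verified record only if
//  1. the issuer's signature over the record verifies (A: data is authentic),
//  2. the holder's signature over document + consent verifies (B: holder signed),
//  3. the identity certified for the holder's key matches the identity in the document
//     (otherwise anyone could countersign someone else's downloaded document), and
//  4. an explicit consent statement is present.
func VerifyEKYC(issuerPub, holderPub ed25519.PublicKey, att Attestation) (Record, error) {
	rec := att.Doc.Record
	if !ed25519.Verify(issuerPub, canonical(rec), att.Doc.IssuerSig) {
		return Record{}, errors.New("issuer signature invalid: document altered or not from issuer")
	}
	if !ed25519.Verify(holderPub, attestationBody(att), att.HolderSig) {
		return Record{}, errors.New("holder signature invalid: self-attestation altered or forged")
	}
	if att.SignerID != rec.ID {
		return Record{}, fmt.Errorf("signer %q does not match document holder %q", att.SignerID, rec.ID)
	}
	if att.Consent == "" {
		return Record{}, errors.New("no consent statement in attestation")
	}
	return rec, nil
}

func main() {
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(rand.Reader)
	holderPub, holderPriv, _ := ed25519.GenerateKey(rand.Reader)
	otherPub, otherPriv, _ := ed25519.GenerateKey(rand.Reader)

	// Constructed sample record; not real data.
	rec := Record{ID: "XXXX-XXXX-1234", Name: "A. Sample", DOB: "1980-01-01", Gender: "F", Address: "Pune"}
	doc := IssueDoc(issuerPriv, rec)

	att := SelfAttest(holderPriv, rec.ID, doc, "I consent to sharing this document with Example Bank for KYC")
	fmt.Println(VerifyEKYC(issuerPub, holderPub, att)) // genuine holder: record, <nil>

	// Impostor downloads the same document and countersigns it with their own key.
	forged := SelfAttest(otherPriv, "XXXX-XXXX-9999", doc, "I consent")
	fmt.Println(VerifyEKYC(issuerPub, otherPub, forged)) // rejected by check 3
}
```

The point of check 3 is that the issuer's signature alone proves only that the document is genuine, not that the person submitting it is its subject; the binding between the signing key and the Aadhaar holder has to come from the self-attestation signature's certified identity, which is why the receiver must never take `SignerID` from the submission itself.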

Needless to say, care must be taken to store all eAadhaar documents submitted by users securely; they contain exactly the demographic data that is at risk in a breach.