Sunday, January 14, 2018

What is the VID and what problem will it solve?

(At the time of writing this, I have not been able to locate the official VID circular either under the Circulars menu or Notifications menu on the UIDAI website, so I rely on detailed news reports such as [1], [2], [3] for this article.)

UIDAI has recently announced that it will start issuing 16-digit Virtual IDs (VIDs) to individuals on demand. Individuals can then provide a VID in place of the Aadhaar number if they so choose, and keep their Aadhaar number secret.

For a long time now, UIDAI has taken the position that the Aadhaar number is not a secret (most recently in a press note issued 4 days before the VID announcement). Given the reality that Aadhaar is being asked for virtually everywhere, the Aadhaar number cannot be expected to remain a secret. Introducing the VID idea seems like a rethink, in light of the data breach reported in the Tribune.

The other problem that UIDAI is trying to solve with the VID is the "profiling" of residents. An article on NDTV claimed that "the Virtual ID that had been in the works for 18 months was introduced to block any attempt at profiling the crores of people who had enrolled for the unique identification number." In other words, it is to guard against the possibility that a malicious attacker with knowledge of an Aadhaar number will be able to search across multiple financial, telecom, educational, and other databases and obtain a detailed picture or profile of the individual.

This is a problem that UIDAI is not expected to solve. World over, the security and confidentiality of various databases is the responsibility and duty of the organizations that maintain the databases - banks, telecom companies, etc. The profiling problem arises when the databases of these organizations are compromised.

Issuing a VID will NOT solve the profiling issue for the simple reason that if these databases are compromised, the malicious attacker will easily perform the profiling on the basis of the name or even better, the cell number. [I cannot think of a single instance when I have had to share my Aadhaar but not my cell number. I can think of many places where I have had to give my cell number but not Aadhaar, so the cell number seems like a richer profiling key for any malicious attacker. Oh, and I have always had to give my name everywhere!].
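The argument above can be checked as a linkability audit that a data custodian might run before sharing or storing fields. This is an added example, not part of the original post, over constructed records; it assumes the best case for the VID, namely that each database holds a different VID for the same person, and all field names and values are hypothetical.

```python
# Added example: linkability audit over two constructed databases.
# Assumption (best case for the VID): each database stores a different
# 16-digit VID for the same person and never the Aadhaar number.
BANK = [
    {"vid": "1000000000000001", "name": "Asha Rao", "mobile": "9000000001", "pin": "560001"},
    {"vid": "1000000000000002", "name": "Ravi Kumar", "mobile": "9000000002", "pin": "110001"},
    {"vid": "1000000000000003", "name": "Ravi Kumar", "mobile": "9000000003", "pin": "400001"},
    {"vid": "1000000000000004", "name": "Meena Iyer", "mobile": "9000000004", "pin": "600001"},
]
TELECOM = [
    {"vid": "2000000000000001", "name": "asha rao", "mobile": "9000000001", "pin": "560001"},
    {"vid": "2000000000000002", "name": "Ravi Kumar", "mobile": "9000000002", "pin": "110001"},
    {"vid": "2000000000000003", "name": "Ravi Kumar", "mobile": "9000000003", "pin": "400001"},
    {"vid": "2000000000000004", "name": "Meena Iyer", "mobile": "9000000004", "pin": "600001"},
]

# Candidate join keys to audit: the VID itself, then the other shared fields.
CANDIDATES = [("vid",), ("name",), ("mobile",), ("name", "pin")]


def _key(record, fields):
    """Normalised tuple of the chosen fields, used as the join key."""
    return tuple(str(record[f]).strip().lower() for f in fields)


def linkable_fraction(db_a, db_b, fields):
    """Share of db_a records that match exactly one db_b record on `fields`."""
    counts = {}
    for rec in db_b:
        k = _key(rec, fields)
        counts[k] = counts.get(k, 0) + 1
    hits = sum(1 for rec in db_a if counts.get(_key(rec, fields), 0) == 1)
    return hits / len(db_a)


def audit(db_a, db_b, candidates):
    """Map each candidate key (as a label) to its linkable share."""
    return {" + ".join(f): linkable_fraction(db_a, db_b, f) for f in candidates}


if __name__ == "__main__":
    for label, share in audit(BANK, TELECOM, CANDIDATES).items():
        print(f"{label:12s} {share:.0%} of records linkable")
```

On this sample the per-database VID links no records, while the mobile number links every record and the name links only those people whose name is unique, so tokenising one identifier leaves the other shared fields as the join key.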

This brings us back to the question - why does UIDAI need to add "layers of security" to something we have been told is "fully secure"? Why is UIDAI still unsure whether the Aadhaar number is to remain secret or not? There is no other country where there are so many questions about the National Identity Database. The Passport authority in India or the IT Dept (that issues PAN cards) have never been questioned on the security of their databases. Why do such questions arise about Aadhaar?

Unique ID Authority of India is "Unique" for one reason. It is the ONLY National Database in the world that GIVES OUT citizen information to private entities. Even the Passport Authority and the IT Dept DO NOT GIVE OUT citizen information to anyone, except investigative agencies in case of some evidence of crime.

It is worth asking: why does UIDAI even need to give out eKYC data unless there is a crime or other overriding reason? Sure, it may help a telecom company scale up its user base much faster than its competitors, or it may cut down the time and effort required to populate the databases of other private companies. But making life easier for private companies was NOT the purpose of the Aadhaar Act to begin with and can never be the purpose of any National Identity Database.

Furthermore, none of the Govt savings that are claimed, such as those from eliminating ghost teachers, fake ration card holders or fake students would be compromised if eKYC is stopped and replaced purely with verification or authentication.

Interestingly, UIDAI only did YES/NO verification and biometric authentication until a couple of years ago or so. That was the right approach. UIDAI needs to switch back to it immediately. Further, it should restrict biometric authentication to government agencies only. UIDAI should not be an enabler in the replication of its data in private databases in India and abroad. Then it won't have to worry about profiling based on Aadhaar.

The SC bench hearing the Aadhaar case should focus on this insidious eKYC provision of the Aadhaar Act. Surely, as Mr Chidambaram said, this is a bit like locking the door after the horses have bolted. Perhaps we can seek satisfaction in the fact that it will protect the privacy of babies who are born today!

Thursday, January 4, 2018

Tribune report on Data breach

The Tribune carried a news report of a UIDAI data breach:

This was followed by a clarification from UIDAI:

More information about the Aadhaar breach has come into the public domain subsequently. There are some clear facts that have emerged from everything that is known.

1) The UIDAI essentially admits that resident data (demographic and personal information, probably including photo, and not including fingerprint and iris data) has been accessed in an unauthorized manner. It is said that perhaps 1 lakh unauthorized users had accessed Aadhaar data. It also seems that the authorities had no idea this was happening until the reporter broke the story.

2) The breach of demographic information is a serious matter. Consider for a moment: if intelligence agencies of foreign countries have access to this information, they can look up the residential address of any officer in the Indian security forces. Less ominously, mischief-makers and marketeers can create targeted databases of individuals with particular characteristics within a PIN code.

3) Had the Aadhaar system restricted itself to YES / NO verification (as it correctly did when it was conceived), none of this would have happened. Unfortunately, after the NDA Govt took office, private entities were permitted to access and obtain Aadhaar information (via what is called eKYC). eKYC has permitted many private entities to essentially replicate large sections of Aadhaar database in private databases over which no one can exercise control.

4) Any corrective action at this time is akin to bolting the door after the horses have fled. While the SC continues to debate and hear "privacy" related cases, the reality of the situation is that much of the information has already been compromised and the genie cannot be put back in the bottle.

(This post was modified in light of information available after the initial Tribune story.)