Virtual ID is good start; much more needs to be done

Governance Now - - FRONT PAGE -

The UIDAI has introduced two measures to strengthen the security of Aadhaar: a 16-digit virtual ID (VID) in place of the Aadhaar number for authentication, and a ‘limited KYC’ feature in which agencies (other than those provided by the law) will receive a VID and not the Aadhaar number of the user.

The move came after yet another exposé of unauthorised access to the Aadhaar database, in which demographic data of Aadhaar card holders were being sold on WhatsApp, as reported by The Tribune. Although a huge number of Aadhaar numbers have already been seeded with different databases, the virtual IDs, if applied carefully, will contain the damage. The VID is a kind of masking of the sensitive Aadhaar info. This solution, also called ‘tokenisation’, was discussed by three faculty members of the computer science department of IIT Delhi in a paper in the Economic and Political Weekly in September 2017.

In an email interaction with Pratap Vikram Singh, Subodh Sharma, speaking on behalf of the trio of authors also including Shweta Agrawal and Subhashis Banerjee, talks about the effectiveness of virtual IDs, the key technological changes and safeguards necessary for secured use of Aadhaar. Edited excerpts:

Some experts call the virtual ID and minimum KYC measures of the UIDAI a ‘too little, too late’ response.

The concept of virtual IDs, in our opinion, is a good idea. While it is hard to quantify statements such as “too little”, we feel that the other measures such as minimum KYC are necessary. Whether the measure is “too late” will depend on how effective and simple UIDAI’s migration plan is to replace the old Aadhaar numbers that have already been linked with the new virtual ones. The process can be problematic for the poor and the underprivileged if the migration is not executed with extreme care.

What are the fundamental technological weaknesses in the Aadhaar system?

No public report is available presenting facts on the efficacy of biometric false ‘accept’ and false ‘reject’ rates; ditto for biometric deduplication. In our opinion, it appears that the use cases for service delivery using Aadhaar are inadequately analysed (so it appears from the PDS exclusion reports).

Insofar as privacy and security are concerned:

(1) As we discuss in our paper, the model of using biometrics as a password (single factor) for authentication and authorisation is conceptually flawed. Biometrics should only be used for identity verification, that too under adversarial oversight.

(2) Using a single identifier (Aadhaar number) for all applications can create a vulnerability to orchestrate correlation attacks. This attack can possibly (if done well) be mitigated by virtual IDs.

(3) The access control architecture appears vague. No clear and crisply defined online protocol for how data can be accessed and under what authorisation, how it is to be checked, and tamper-proof recording of access and authorisation trails and online audit. Hence, vulnerability to insider attacks.

(4) It appears that the peripheral services such as web-pages and mobile apps (m-Aadhaar) are poorly structured and poorly audited.

How does Aadhaar as a single digital identifier make individuals vulnerable? What is the solution you propose?

The digital identifier can be used to join databases, and mine personal information across multiple domains to profile individuals. Aadhaar is not the only global digital identifier with this vulnerability, mobile numbers and PAN also are. In fact, well before Aadhaar, the Indian private enterprises have started using mobile numbers as a unique ID. Most databases, be it with banks and insurance, income tax, mutual funds, airlines, railways, hospitals and even small shops, have personal digital records indexed by mobile numbers. So, perhaps, mobile numbers require virtualisation more than Aadhaar does.

Virtual IDs, for all such unique identifiers, can be a solution. All you need is that if somebody, say an airline, calls your virtual mobile number, the real one should ring. Only a central authority needs to know the mapping. Ditto with Aadhaar.

Can you explain in plain language how cryptographically embedding the Aadhaar ID into AUA-specific IDs makes the system safer from a privacy and data protection perspective? Can you explain why it is needed and how it can be resolved?

In the current proposal there is no mention of cryptographic embedding. UIDAI will securely (hopefully) maintain a mapping between the global ID and the various virtual IDs. This way, if there is a need to join databases, say for some legitimate data analytics, then the UIDAI will have to facilitate it (there will have to be a mechanism for doing that). An alternative would have been to cryptographically hide the global ID in the virtual IDs, so that authorised entities with valid keys could link the virtual IDs themselves (but still not be able to reconstruct the global ID). That would have been another way to do the virtual IDs.

In your paper you point at the need for demarcation between identity verification and authentication. Giving an example of Aadhaar-enabled service delivery, can you explain the importance of their separation?

Ideally identity verification should happen at the service provider’s premises, where there is a genuine interest in verifying the identity and the service provider will not collude with the person whose identity is being verified (adversarial oversight necessary to ensure that the person does not present a false plastic finger with somebody else’s fingerprint embedded on it). Consider, for example, a bank. The bank should produce an authentic biometric device, the person’s biometrics should be encrypted by the device and sent to UIDAI for verification along with her virtual ID, and both the bank and the person should receive independent acknowledgements, directly from the UIDAI, about the outcome of the verification. That would be a correct identity verification protocol. This should only be done once in a while.

An example of an incorrect protocol is: a person walks up to a mobile telephone service provider’s officer to procure a SIM card, she gives her fingerprints to a device; the operator tells her that the verification has failed and asks her to put her fingers on the device again, she receives no communication from UIDAI, the operator issues a SIM in her name and sells it to somebody else. In effect she would have signed a blank paper authorising the agent to issue a SIM in her name! Ditto with withdrawal of money, PDS, etc.

Can you explain the possibility of an insider leak of information from within UIDAI? How can it be addressed?

Consider the following scenario: some powerful entity can suddenly decide that SSS [the authors, Shweta, Subhashis and Subodh] are bad people and influence insiders in UIDAI to access our personal data illegally without warrants, or put a tab on us. One or more insiders may use their privileged access rights illegally. Most attacks on protected databases happen through insiders – remember Snowden! Insider leaks are not only a concern with UIDAI but also with other bureaucracies like airlines and banks.

The only way to ensure against insider leaks is to have strict access control protocols in place to make unauthorised accesses, even by insiders, impossible.

Aadhaar is often criticised for the possibility of its use as a surveillance tool. Do you agree?

[It] can certainly become one without checks and balances. But the criticism is perhaps too broad and vague.

On one hand, there are claims about Aadhaar leading to huge savings which run into several thousand crore rupees. On the other, it is criticised for violation of privacy and exclusion in service delivery. Does the benefit outweigh the risk?

We cannot comment on the “savings” – there’ve been many loose statements on this already and we will not add to the noise. Risks can be mitigated with a proper design, and intuitively a unique verifiable identity appears to be a very useful tool for governance. The real benefit may come in digitisation of health records and in data analytics – econometrics, epidemiology, etc.

What are the other reforms and redressals required to strengthen the unique digital identity system?

Careful analysis of the use cases and taking special care not to cause exclusion or distress. Keep in mind the huge deficit of cultural capital in the country.

