Exploring Software: Building a Web of Trust

OpenSource For You

By: Dr Anil Seth

The author has earned the right to do what interests him. You can find him online at http://sethanil.com and http://sethanil.blogspot.com, or you can reach him via email at anil@sethanil.com.

The headlines scream, “So many thousands of people deprived of rations, in our national capital, New Delhi.” So how do these people prove they are who they say they are, when Aadhaar verification has failed for some reason or the other? The author takes up the issues concerning trust in a world where machines can be fallible and senior citizens can be easily lured by conmen.

The man smiled and said to me, “Now let us use the left thumb.” I rubbed it against my shirt and tried. The man said, “Let us try the other thumb. You will have to help me. Otherwise …” I tried the other thumb. Cleaned it on my shirt and then rubbed it on my forehead to make it moist. The man gave me a big smile and said, “Welcome back and have a pleasant stay.”

This set me thinking, “How do you prove that you are who you say you are?” At US Immigration, my wife and I went to the self-service booths first. There were many automated counters and we could take our time. My wife’s verification was a breeze. A man helped me and my verification was partially successful. But because it was partial, both of us now had to be manually verified. Had my manual verification failed, I expect I would have had to be verified by the security police.

So, while most people may not have a problem with biometric or other verification processes, how do you handle the cases that are problematic? Since crossing international borders is usually a rare occurrence, delayed verification may not be critical. Besides, at borders, governments are willing to spend money on the security process.

The issue of a central authority

I faced difficulties with Aadhaar verification as well. Fingerprint verification just would not work. Fortunately, I could link my registered phone using a one-time password (OTP). I wanted to do this just in case the Supreme Court allowed mandatory linking of phones to Aadhaar while I was away. I could not risk the phone used for all the OTPs being disabled.

In another case, the iris verification worked only after a couple of attempts. The person at the counter mentioned that on some days, as many as 40 per cent of the people had problems – not all because of biometrics but also because of a mismatch in the name or age. The operator felt disheartened as he had to deal with the frustrated, retired people who had often come from out of town with their children having taken the day off.

The second issue is related to what happens if you rely on a common authority for authentication. The day I was leaving for the US, I read in a Mumbai paper how a woman had been cheated of ₹100,000. It seemed that the recent death of her husband entitled her to an insurance claim of ₹10 million. She trusted the phone calls she received because the people who called seemed to know so much. And she believed them when they claimed that they had got all this information from her husband when he took the insurance policy.

True, centralised verification is convenient. But the trouble lies in its convenience. It is far too easy for spammers and con-artists to target their victims. In one case, I myself shared information so easily with a person pretending to be from the income tax office. As it happened, this turned out to be useful. I had informed the caller that my father had passed away a few years earlier. Coincidentally, I stopped getting calls from an investment company wanting to talk to my father!

Retired people are a favourite target of sellers of fake insurance policies. I would actually regard it not as misselling but as legalised fraud by the insurance companies. It should be obvious to even an idiot that certain types of policies make no sense for any retired person. One of my relatives got a policy for which he was to pay a premium till he was over 100! He had eight such absurd policies. It was legally too late to force the insurance company to cancel the policies. And my cousin said that his father deserved to lose the money for being so stupid. He refused to approach the consumer courts. Victims of such policies are invariably the ones who are financially vulnerable and are easily misled by false promises of returns.

There is nothing secret or dangerous about announcing your retirement or the death of a loved one except that with a common verification process, criminals can mine data more effectively and target their victims with a greater success rate.

It is important to appreciate that the centralised authentication process does not have to be compromised for the fraudsters to be able to collect the information about their targets. A common thread to link various sources of data is enough.

A Web of trust

I am reminded of years ago, when security issues for websites became a major concern leading to the formation of companies like Verisign and Thawte (incidentally, the money from Thawte helped create Ubuntu).

An alternative mode of verification, modelled on the way humans trust each other, was proposed. If you trust a group which trusts a site, you trust the site. This is obviously extensible, as you can trust a site that is trusted by a group, which in turn is trusted by a group that you trust. So here, you have a ‘Web of trust’. Obviously, it is more complex than that. Check out https://en.wikipedia.org/wiki/Web_of_trust for more details, including the issues and concerns associated with the model.
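The chain of trust described above can be sketched as a bounded search over endorsements. This is an added example, not code from the article or from any Web of trust implementation; the group and site names, the `ENDORSEMENTS` table and the `trust_chain` function are all hypothetical. It returns the chain itself, so you can see exactly which intermediaries you are relying on, and the hop limit shows how each extra link widens what you end up trusting.

```python
from collections import deque

# Constructed sample data: who directly vouches for whom.
# Every name here is hypothetical.
ENDORSEMENTS = {
    "me": ["linux-user-group", "alumni-forum"],
    "linux-user-group": ["distro-mirrors", "mail-archive.example"],
    "distro-mirrors": ["downloads.example"],
    "alumni-forum": ["jobs-board"],
    "jobs-board": ["recruiter-ring"],
    "recruiter-ring": ["cheap-insurance.example"],
}


def trust_chain(start, target, max_hops):
    """Return the shortest endorsement chain from start to target that
    uses at most max_hops links, or None if no such chain exists."""
    queue = deque([[start]])
    seen = {start}
    while queue:
        chain = queue.popleft()
        if chain[-1] == target:
            return chain
        if len(chain) - 1 == max_hops:
            continue  # this chain is already as long as we allow
        for endorsed in ENDORSEMENTS.get(chain[-1], []):
            if endorsed not in seen:  # breadth-first: first visit is shortest
                seen.add(endorsed)
                queue.append(chain + [endorsed])
    return None


if __name__ == "__main__":
    for site in ("mail-archive.example", "downloads.example",
                 "cheap-insurance.example"):
        for hops in (2, 4):
            print(site, "within", hops, "hops:", trust_chain("me", site, hops))
```

With a limit of two hops only the site vouched for by a group you trust directly is accepted; at four hops a site reached through three intermediaries you never chose is accepted as well.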

With the success of blockchains, a decentralised model like the ‘Web of trust’ may become a convenient and viable alternative now. For example, rebooting the Web of trust is an interesting possibility (http://www.weboftrust.info/).

Email as the link

Some years ago, BSNL forced changes in email IDs on its users, and I was unhappy. I believed that the single lifetime ID offered by Google was a saviour. Now, as I think about this, I wonder what I have done!

It was far too painful to create and maintain different email IDs. Hence, most of the sites know me by my Gmail ID. This makes it far too easy for data miners to create a profile of me for whatever goals they may have. Even though Google sites and Facebook sites are not related, it is easy to link the data as Facebook knows my email ID.

One of the very useful features of email from the early days was the concept of an alias. The external world knew of a simple email ID, which could be forwarded to the appropriate person. The same concept could be extended to individuals. What if you could create aliases for your email ID and use a different alias for different sites?

You can do that even today, by creating multiple email IDs and forwarding the mail to a common ID. You could set it up to delete the mails from the secondary email accounts after forwarding. Although there is the nuisance of having to create passwords for multiple accounts, I wish I had thought of it in the light of the recent misuse of people’s Facebook data.
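One way to get a different alias for every site without keeping a list by hand is to derive each alias from a private key. This is an added example, not the author's setup: it goes beyond the manually created accounts described above and assumes a domain (`mail.example`) whose mail is all forwarded to one real inbox. The key, the domain, the function names and the sample records are constructed for illustration.

```python
import hashlib
import hmac

SECRET_KEY = b"constructed-demo-key"  # assumption: known only to the owner
ALIAS_DOMAIN = "mail.example"         # assumption: forwards to one real inbox


def alias_for(site):
    """Derive a stable, site-specific address that reveals neither the
    owner's real ID nor the aliases handed to other sites."""
    tag = hmac.new(SECRET_KEY, site.lower().encode(), hashlib.sha256)
    return f"u{tag.hexdigest()[:12]}@{ALIAS_DOMAIN}"


def site_for_alias(address, known_sites):
    """Map an incoming recipient address back to the site it was given to."""
    for site in known_sites:
        if hmac.compare_digest(alias_for(site), address.lower()):
            return site
    return None


def linkable(records_a, records_b):
    """Return the addresses present in both data sets, i.e. the rows
    that could be joined into a single profile."""
    return {r["email"] for r in records_a} & {r["email"] for r in records_b}


# Constructed sample records held by two unrelated sites.
SITES = ["social.example", "shop.example"]
SHARED_ID = "user@gmail.example"
social_shared = [{"email": SHARED_ID, "likes": "retirement planning"}]
shop_shared = [{"email": SHARED_ID, "order": "reading glasses"}]
social_alias = [{"email": alias_for("social.example"), "likes": "retirement planning"}]
shop_alias = [{"email": alias_for("shop.example"), "order": "reading glasses"}]

if __name__ == "__main__":
    print("one ID everywhere:", linkable(social_shared, shop_shared))
    print("alias per site:   ", linkable(social_alias, shop_alias))
    print("mail addressed to", alias_for("shop.example"), "belongs to",
          site_for_alias(alias_for("shop.example"), SITES))
```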

Final thoughts

Security can be visible, like a person surrounded by police vehicles with policemen holding terrifying guns. Or it can be like the understated kind provided for western leaders. You know the security men are around but they are virtually invisible.

We do not want security to be so complex that even simple operations like transferring a small sum of money become a pain. However, we are no longer living in small villages, at a time when there was no need to lock one’s front door. We need to make sure that we use processes that do not leave so wide a public trail that criminals can target us with ease.

Anil Seth
