Aadhaar Ya Niraadhaar?
Bumblebee
When Nandan Nilekani took charge of the Unique Identification Authority of India he was feted for his business-like approach, his stewardship of a project to give identity numbers to millions of Indians, an exercise unprecedented in its scale across the globe. While most accept the need for creating a systematic database of our citizenry, the path to be taken for this has become the subject matter of a viral attack from many quarters—cabinet ministers and bureaucrats, policy experts and activists, even a few state governments.
Everything, from Nilekani’s procedures for data collection and the potential errors therein, to concerns over privacy, is being questioned.
UIDAI is also a subject very close to the IIT Bombay family. Nandan and many of his aides are from within the alumni community as are several detractors who question its “security” and “developmental” dimensions of they scheme. They claim that the former leads to an invasive state; the latter leaves us with a retreating state.
Bumblebee felt that it was time some of that rumpus in the national stage was brought within the pages of Fundamatics in an unbiased point-counterpoint debate straight from the proverbial horse’s mouth.
Bumblebee
Imagining Aadhaar
Raj Mashruwala
3.Aadhaar was sold to the public to facilitate delivery of public service. Whether this means direct payment for a NREGA recipient, delivery of subsidised LPG cylinders, KYC validation for the SIM card or opening of bank accounts for the unbanked, our babus are discussing, defining, building and testing new apps rapidly. We will see them in 2012.
4- Innovation — new ideas of UID’s uses are in the air. Once you assume a reliable verifiable unique ID, you can dramatically simplify banking and payments, healthcare and education monitoring, and identity fraud detection. People are building such systems right now. Our very own IITB professors are changing their 30-year curriculum and giving assignments to students to envision uses of Aadhaar. Admittedly, one application — the biometric student attendance system — is not in the best interest of junta.
6- Residents— do they want it? At the moment, enrollments lines don’t seem to be getting shorter. We must love standing in lines for no benefits. Wait, maybe people do need verifiable IDs.
7- What is the problem then? The civil society is deeply concerned. Their objections — privacy, reliance on unproven biometric technology, run-away costs and using the information for security instead of development — ought not to be dismissed summarily. Where do we, the armchair democratic activists, go from here? We could:
1. Privacy: Civil society leaders discuss a number of subtopics -
a. Need for a strong personal privacy law that India lacks. Aadhaar is too dangerous without a personal privacy law in place. No one disagrees on the need for such a law. The question is, do we put infrastructure projects on hold until such a law is passed?
b. Use of Aadhaar data for security, including national ID card. National ID card and building the National Population Registry (NPR) are in an act passed by parliament in 2004. Enrollment in NPR is mandatory and would occur regardless of Aadhaar. Would it make sense to build a chinese wall between Aadhaar and NPR?
c. Operational issues, such as data sharing among agencies Privacy is a topic that every country must find its own balance of. It can’t be borrowed from the US or China. Do we put Aadhaar project on hold until we find acceptable answer to privacy? Do we believe we can achieve a national consensus on privacy any time in the near future?
Raj Mashruwala
The Unique Identification Authority of India (UIDAI) will celebrate its third anniversary next month. When Nandan Nilekani took office, he defined its mission “to issue a unique identification number that can be verified
and authenticated in an online, cost-effective manner, which is robust enough to eliminate duplicate and fake identities.”
Hardly a day passes without the press reporting on Nandan or UIDAI, with headings like ‘Declare Aadhaar Illegal’, or, ‘Chidambaram wants Nilekani to log out’. Tabloids and bloggers have a field day speculating, insinuating and dispensing free advice on the matter. Interestingly, the ground-level reality is different. The reality is that Aadhaar has become the largest and fastest growing identity database in the world in less than 14 months. Is Aadhaar the first sign of a brave new world, the next stage of people empowerment?
Before we begin a discussion on the future of Aadhaar, let us first take stock of where it is today.
1. Just the numbers: Over 140M enrolled; 3⁄4 million new enrollments per day; active enrollment camps (16) in every populous state. In short, Aadhaar is growing faster than the mobile phone subscription rate, the most successful private initiative in recent times.
2. The system is working. In a year, it has scaled up to become the world’s largest biometric system, doing 100 trillion biometric comparisons per day while exceeding target accuracy. The reality: Indians will receive a unique ID. Built in the system is a portal for transparency, a toll-free call centre for assistance, an online appointment system, an online enrollment status query, a developer portal and more technical documents than one can read. Let us face it: despite IIT alumni running the show, something real and functional has emerged.
and authenticated in an online, cost-effective manner, which is robust enough to eliminate duplicate and fake identities.”
Hardly a day passes without the press reporting on Nandan or UIDAI, with headings like ‘Declare Aadhaar Illegal’, or, ‘Chidambaram wants Nilekani to log out’. Tabloids and bloggers have a field day speculating, insinuating and dispensing free advice on the matter. Interestingly, the ground-level reality is different. The reality is that Aadhaar has become the largest and fastest growing identity database in the world in less than 14 months. Is Aadhaar the first sign of a brave new world, the next stage of people empowerment?
Before we begin a discussion on the future of Aadhaar, let us first take stock of where it is today.
1. Just the numbers: Over 140M enrolled; 3⁄4 million new enrollments per day; active enrollment camps (16) in every populous state. In short, Aadhaar is growing faster than the mobile phone subscription rate, the most successful private initiative in recent times.
2. The system is working. In a year, it has scaled up to become the world’s largest biometric system, doing 100 trillion biometric comparisons per day while exceeding target accuracy. The reality: Indians will receive a unique ID. Built in the system is a portal for transparency, a toll-free call centre for assistance, an online appointment system, an online enrollment status query, a developer portal and more technical documents than one can read. Let us face it: despite IIT alumni running the show, something real and functional has emerged.
3.Aadhaar was sold to the public to facilitate delivery of public service. Whether this means direct payment for a NREGA recipient, delivery of subsidised LPG cylinders, KYC validation for the SIM card or opening of bank accounts for the unbanked, our babus are discussing, defining, building and testing new apps rapidly. We will see them in 2012.
4- Innovation — new ideas of UID’s uses are in the air. Once you assume a reliable verifiable unique ID, you can dramatically simplify banking and payments, healthcare and education monitoring, and identity fraud detection. People are building such systems right now. Our very own IITB professors are changing their 30-year curriculum and giving assignments to students to envision uses of Aadhaar. Admittedly, one application — the biometric student attendance system — is not in the best interest of junta.
5.Costs as per government records, all, I will offer my commentary. At the onset, UIDAI has spent I 468.91 crore (ap- prox. $100 million) from its inception till September, 2011. UIDAI strangely seemed to have grossly under-spent its budget, which was reported to be thousands of crores of rupees. Crap, another target missed.
6- Residents— do they want it? At the moment, enrollments lines don’t seem to be getting shorter. We must love standing in lines for no benefits. Wait, maybe people do need verifiable IDs.
7- What is the problem then? The civil society is deeply concerned. Their objections — privacy, reliance on unproven biometric technology, run-away costs and using the information for security instead of development — ought not to be dismissed summarily. Where do we, the armchair democratic activists, go from here? We could:
- Support the continuation of Aadhaar. This is what the government would want us to do.
- Raise our voice to scrap the programme. This is what some in the civil society would want.
- Find ways to help improve the vision of Aadhaar. This is what the idealist in us would want.
1. Privacy: Civil society leaders discuss a number of subtopics -
a. Need for a strong personal privacy law that India lacks. Aadhaar is too dangerous without a personal privacy law in place. No one disagrees on the need for such a law. The question is, do we put infrastructure projects on hold until such a law is passed?
b. Use of Aadhaar data for security, including national ID card. National ID card and building the National Population Registry (NPR) are in an act passed by parliament in 2004. Enrollment in NPR is mandatory and would occur regardless of Aadhaar. Would it make sense to build a chinese wall between Aadhaar and NPR?
c. Operational issues, such as data sharing among agencies Privacy is a topic that every country must find its own balance of. It can’t be borrowed from the US or China. Do we put Aadhaar project on hold until we find acceptable answer to privacy? Do we believe we can achieve a national consensus on privacy any time in the near future?
2.Unproven biometric technology: The three most common objections are
(a) it is inherently probabilistic and hence fal- lible,
(b) it can easily be faked, and
(c) it is not workable with India’s large and diverse population.
I am absolutely amazed at the speed at which India has produced biometric experts (albeit self-proclaimed) in the last two years. You- Tube is now overflowing with these experts. Having spent a considerable amount of time getting entertained by them, I can safely say that
(a) it is inherently probabilistic and hence fal- lible,
(b) it can easily be faked, and
(c) it is not workable with India’s large and diverse population.
I am absolutely amazed at the speed at which India has produced biometric experts (albeit self-proclaimed) in the last two years. You- Tube is now overflowing with these experts. Having spent a considerable amount of time getting entertained by them, I can safely say that
- These experts have zero understanding of the probability theory. For them, Heisen- berg’s theory of uncertainty would be deeply disturbing. Any verification system has a certain probability of error. We need to characterise it, model it to predict error rates, and include additional verification factors if higher accuracy rates are required. Biometric verification is simply one factor.
- Faking. A four-digit PIN has 1 in a 10,000 chance of getting faked. Credit cards can be spoofed en masse at a negligible cost. We use both daily. We need to under- stand the cost benefits of each verification method and use whichever method is economically acceptable. Biometric identification has many good uses just like other methods such as tokens and passwords.
- Self-proclaimed experts conveniently disregard empirical data analysis on Indian population, which concluded that UIDAI can establish individual uniqueness with desired accuracy (> 99%). Current enroll- ment accuracy results seem to validate the original proof of conceptual results.
d. Indian experts have the uncanny talent of quoting real experts out of the context. The fact remains — we could discuss privacy, technology and intentions of the government ad infinitum.
The crux of the issue is
a. Do we have a severe leakage problem in public benefits schemes due to duplicate and fake identities?
b. Do we want to provide services to people who need them the most, but lack identity proof?
c. Do we want to continue wasting umpteen hours at the bank, at the mobile shop and at the government office, trying to prove our identity over and over again?
Then we need Aadhaar. Aadhaar is necessary, but it may not be sufficient. Scrapping it is definitely not a solution. Can I challenge the IIT community to suggest ways to improve it?
Raj Mashruwala
The author Raj (Mashru) Mashruwala, 1975, Mechanical Engineering, has painstakingly researched the questions. The same thing can’t be claimed for the answers. He refused to provide his bio(metric) to the editors for verification due to privacy reasons.
The UIDAI project is meant to give an identity to all Indians. However, it is not just the security aspects, but also other aspects that don’t seem to have been thought of thoroughly. For instance, the iris scan was not present in the originally proposed plan. But when it was commonly known that fingerprints by themselves may not be enough for de-duplication —and that they can be faked easily — the iris scan was introduced.
There is no cost benefit analysis or feasibility study of any kind available in the public domain. No full life-cycle pilot study of any size for this project has been done and results studied, before launching such a huge and costly project nation wide. Privacy considerations haven’t been looked into either.
All in all, this project is a white elephant in its current form. The earlier it is stopped or at least seriously relooked at, the better it will be for all of us concerned.
Samir has a B.Tech in Electrical Engineering (1983) from IIT Bombay, an MS from Clemson University, South Carolina (1987) and a PhD from Columbia University, New York (1994). He has worked for several companies including Motorola and Alcatel. Currently, he runs a startup called Teknotrends Software Pvt. Ltd. that does cutting-edge work in the area of network security. He is based in Bangalore.
The crux of the issue is
a. Do we have a severe leakage problem in public benefits schemes due to duplicate and fake identities?
b. Do we want to provide services to people who need them the most, but lack identity proof?
c. Do we want to continue wasting umpteen hours at the bank, at the mobile shop and at the government office, trying to prove our identity over and over again?
Then we need Aadhaar. Aadhaar is necessary, but it may not be sufficient. Scrapping it is definitely not a solution. Can I challenge the IIT community to suggest ways to improve it?
Raj Mashruwala
The author Raj (Mashru) Mashruwala, 1975, Mechanical Engineering, has painstakingly researched the questions. The same thing can’t be claimed for the answers. He refused to provide his bio(metric) to the editors for verification due to privacy reasons.
Imaginary Aadhaar
Samir KelekarAt a recent debate on UID in Bangalore, UIDAI's Deputy Director General, Mr. Dalwai was asked about the faking of finger prints, which can easily defeat the biometric scanners of UID. A video of how a faked fingerprint can defeat a typical fingerprint scanner has been put up by Mumbai-based biometric consultant, J. T. D’souza, on You- Tube. One expected a sensible answer from Mr. Dalwai, perhaps something on the lines of, ‘our fingerprint scanners can’t be fooled by such faking’.
But instead, he answered saying that if it does happen, it can only happen in small proportions. As a security professional, I don’t really know whether to laugh or cry at such an answer. It is like saying, yes, our backdoor doesn’t have a latch and is open. But there is little chance that anyone will notice it, or for that matter even if someone does notice it, let us hope that they are not tempted to take anything.
To put it bluntly, we are spending — by various estimates — right from Rs5,000 crores to Rs1,50,000 crores on the UIDAI project. The exact estimate of the project is unknown — so much for its transparency.
But it takes just Rs 30 — a little bit of wax and fevicol — to fake a fingerprint and fool a fin- gerprint scanner. It would take a bit more to
But instead, he answered saying that if it does happen, it can only happen in small proportions. As a security professional, I don’t really know whether to laugh or cry at such an answer. It is like saying, yes, our backdoor doesn’t have a latch and is open. But there is little chance that anyone will notice it, or for that matter even if someone does notice it, let us hope that they are not tempted to take anything.
To put it bluntly, we are spending — by various estimates — right from Rs5,000 crores to Rs1,50,000 crores on the UIDAI project. The exact estimate of the project is unknown — so much for its transparency.
But it takes just Rs 30 — a little bit of wax and fevicol — to fake a fingerprint and fool a fin- gerprint scanner. It would take a bit more to
identify someone else's fingerprint from say a glass of water, taking a photograph of it, making a transparency, etching it on a PCB and then making a fake fingerprint.
Fraudsters everywhere are a determined lot, and when such a process to steal and fake fingerprints can be scaled to millions and billions, it makes ‘business’-sense for fraudsters to invest their time and money in the scam.
To top it all, there are various news reports which say that banking will be solely based on one's fingerprints after the UID comes in full swing. This is indeed what the fraudsters would want.
Fraudsters everywhere are a determined lot, and when such a process to steal and fake fingerprints can be scaled to millions and billions, it makes ‘business’-sense for fraudsters to invest their time and money in the scam.
To top it all, there are various news reports which say that banking will be solely based on one's fingerprints after the UID comes in full swing. This is indeed what the fraudsters would want.
The UIDAI project is meant to give an identity to all Indians. However, it is not just the security aspects, but also other aspects that don’t seem to have been thought of thoroughly. For instance, the iris scan was not present in the originally proposed plan. But when it was commonly known that fingerprints by themselves may not be enough for de-duplication —and that they can be faked easily — the iris scan was introduced.
There is no cost benefit analysis or feasibility study of any kind available in the public domain. No full life-cycle pilot study of any size for this project has been done and results studied, before launching such a huge and costly project nation wide. Privacy considerations haven’t been looked into either.
All the claimed benefits of this project are mere speculations; they are not based on a systematic study. For instance, one of the claims is that leakages in government- sponsored schemes such as NREGA and PDS will be reduced. There is no substantiation of this claim. Less than 10% of the leakages are due to double-dipping at the last mile. Most leakages take place at the back-end, with the active connivance of politicians and the powers that be, and UIDAI can do nothing about that.
Interestingly, a recent report by a US research entity — the research was commissioned by the US government itself — bursts the myth of the usefulness of biometrics. It recommends that especially in remote areas where no direct supervision is possible, biometrics by itself should not be used for any authentication. If it must be used, there has to be another factor of authentication. Two-factor authentication is not proposed by UIDAI, and cannot be easily introduced in a country like India where due to lack of literacy, things such as passwords cannot be easily used.
Another big problem with biometrics is that unlike a password or a PIN which banks use, biometric information once lost, is irreplaceable. Once you have lost your biometric identity, you have lost it for good. Passwords or PIN numbers on the other hand, can be easily replaced. In a recently reported incident from Mumbai, it was found that fakesters picked up biometrics of people in order to issue them UIDs. These fakesters now have the biometric data of those people, and now, they are forever excluded from the UIDAI project.
Other issues include the fact that the National Identification Authority of India bill has not been passed by the Parliament. Thus, the legality itself of this project is suspicious. Foreign companies have been given control or access to biometric data of our country’s citizens. There is no concept of a security clearance to bid for projects from UIDAI — a fact which puts our national security itself at risk.
Interestingly, a recent report by a US research entity — the research was commissioned by the US government itself — bursts the myth of the usefulness of biometrics. It recommends that especially in remote areas where no direct supervision is possible, biometrics by itself should not be used for any authentication. If it must be used, there has to be another factor of authentication. Two-factor authentication is not proposed by UIDAI, and cannot be easily introduced in a country like India where due to lack of literacy, things such as passwords cannot be easily used.
Another big problem with biometrics is that unlike a password or a PIN which banks use, biometric information once lost, is irreplaceable. Once you have lost your biometric identity, you have lost it for good. Passwords or PIN numbers on the other hand, can be easily replaced. In a recently reported incident from Mumbai, it was found that fakesters picked up biometrics of people in order to issue them UIDs. These fakesters now have the biometric data of those people, and now, they are forever excluded from the UIDAI project.
Other issues include the fact that the National Identification Authority of India bill has not been passed by the Parliament. Thus, the legality itself of this project is suspicious. Foreign companies have been given control or access to biometric data of our country’s citizens. There is no concept of a security clearance to bid for projects from UIDAI — a fact which puts our national security itself at risk.
All in all, this project is a white elephant in its current form. The earlier it is stopped or at least seriously relooked at, the better it will be for all of us concerned.
Samir has a B.Tech in Electrical Engineering (1983) from IIT Bombay, an MS from Clemson University, South Carolina (1987) and a PhD from Columbia University, New York (1994). He has worked for several companies including Motorola and Alcatel. Currently, he runs a startup called Teknotrends Software Pvt. Ltd. that does cutting-edge work in the area of network security. He is based in Bangalore.
