Monday, January 15, 2018

The Aadhaar challenge and real issues - should we stop using computers if they are misused?


When computers were sought to be introduced in the banking and insurance sectors in India in the 70s, the trade unions were spooked and they stalled computerisation on the specious ground that labour was cheap in India. This wisdom, combined with protectionism, resulted in the imposition of 500% customs duty on electronic items and computers, which continued until Rajiv Gandhi brought it down sharply. This spell of stupidity set India's development of indigenous electronics and computer software back by at least two decades. Argumentative Indians have strong opinions, which is a virtue when backed with independent study - unfortunately most folks are lazy; they would rather argue and learn instead of learn and argue. Aadhaar is a terrific and elegant tool which should be replicated across the world, but due to inept politicians and poor legislation on data protection and privacy, argumentative Indians have enough "scoring points" to derail the project unless the Judiciary rises to the occasion.

The Supreme Court is going to start hearing the petitions against the Aadhaar system from 17-Jan-2018. UIDAI (Unique Identification Authority of India) manages Aadhaar subject to the Aadhaar Act (published 16th March 2016: https://goo.gl/r77j8S). The individual’s right to privacy was settled in a landmark judgment by the Supreme Court of India (https://goo.gl/tGTwtV); a nine-judge bench unanimously ruled that the right to privacy is a fundamental right guaranteed under Article 21 of the Constitution of India – the right to privacy could be equated with the right to life and liberty. Now a five-judge bench will rule on the constitutional validity of Aadhaar, which is being challenged by petitioners and objectors who fear that Aadhaar will be used (misused) as a tool for surveillance and that, if it is made mandatory, it will exclude many from delivery of services because of the constraints of its technology or of the Government’s reach.

The Aadhaar identity system beats ALL other countries' systems in terms of its size and breadth, having registered over one billion Indian residents across all age groups and demographics, and in its sophistication, which enables identity authentication online in seconds. It is also an extremely lean system, as it stores the minimum data that is essential for identification - it contains nothing extra. Unfortunately it is also a system that is grossly misunderstood, and that is only one reason it has raised the hackles of many; the second reason is the absence of data protection and privacy laws in India, which heightens the risks that follow from linking the permanent Aadhaar number with other databases in which an individual's information is available: unscrupulous politicians can utilise the State machinery to profile individuals in order to harass them and suppress dissent. The second reason calls for reforms and new legislation, including amendments to the Aadhaar Act; the Aadhaar program itself by no means deserves rejection.

Aadhaar's potential to transform India in double quick time is demonstrated by the enablement of Direct Benefits Transfer and the elimination of duplicate or ghost identities – the Government claims to have made cost savings of over Rs.50K crores with partial implementations in LPG and PDS (Public Distribution System) (https://goo.gl/JRhfMt). The leaky subsidy programs of the Government cost over Rs.4 lac crores p.a., and conservative estimates of the leakages that can be fixed through Aadhaar are over 40%, i.e. cost savings of Rs.1.6 lac crores p.a. Aadhaar helps in targeted delivery of benefits – it short-circuits corrupt and inefficient bureaucratic systems and processes. Additionally, there are enormous unquantifiable benefits: an inducement to “honest behaviour”, and full inclusion of the correct beneficiaries who were excluded or who were being short-changed. For example, only about 20% of the 250 million PAN cards issued by the Income Tax Department so far belong to active tax payers, so there must be many duplicates and fakes among the remaining 80%, which Aadhaar can help to invalidate (https://goo.gl/qQAyxv).

Having a good id system like Aadhaar alone is not enough. Its implementation cannot be safe without a framework of sensible and strong data protection and privacy laws. Access to Aadhaar should be permitted only after proper protocols have been defined for querying the Aadhaar database for each “use case”, consistent with the data protection framework; and seeding of the myriad databases like PAN, Bank Accounts, Mobile Nos., Passports and PF/Pension Accounts should not be mandated without first having rules for data sharing and linking. Linking with the intent of 360-degree profiling could well be the hope (or agenda) of some politicians in power. The Aadhaar id system cannot be blamed for the recent bamboozling by the Government and many service providers to force everyone to link their Aadhaar number with their databases - linking certainly impacts privacy and it is likely to be found objectionable by the Courts. The Aadhaar database (Central Identity Repository) does NOT store any of the linked database references – it is designed to hold ONLY 1) identity information (comprising demographic and biometric data of individuals) and 2) authentication request records for a certain period, the duration being determined by the Government.

Identity information in the Aadhaar system is meant to be used solely for establishing the identity of an individual. The individual has three important rights: 1) to update his/her demographic identity data, subject to verification of certain fields against specified documentary proof, 2) to view the authentication request records at any time and 3) to deactivate or activate the identity data sharing or authentication function of Aadhaar. An authentication request record contains the identity of the requesting entity, the date and time the request was made and the system response (Yes/No – i.e. confirming or denying the authenticity of the data contained in the request); the purpose of the request is neither known nor stored.

What is the minimum set of protocols that should be followed and made known to the public?

Use Case#1 Identity Authentication request (this function has been disclosed on UIDAI’s website)

An Identity Authentication request (i.e. an online query to the Aadhaar System submitted by a Requesting Entity) should be allowed to be made by anyone supplying the Aadhaar number and any one demographic attribute (name, address, postal code, date of birth, email, gender, telephone number) or any one biometric attribute (fingerprint scan or iris scan). The System would give the response as “Yes” or “No”. The UIDAI website confirms the current system works exactly like this (https://goo.gl/ugNmSp). Such Requesting Entities don’t need any logins. Example of this Use Case: a security guard, on being shown your Aadhaar number and name, can submit such a request through a smart phone app and obtain the answer Yes/No on his mobile; another example: the security guard can submit your Aadhaar number, ask you to touch a fingerprint scanner and obtain a Yes/No answer. In future the Aadhaar system may include a set of facial data points as one of the biometric identity attributes; however, in that case it may want the authentication request to contain one more demographic attribute, for example Aadhaar no. + Name + Face, because facial recognition based on low quality cameras is less reliable than a fingerprint or iris scan (https://goo.gl/NqLWpg).

Use Case#2 KYC confirmation – like banks or insurance companies require (this function is not fully or explicitly disclosed on UIDAI’s website)

The authorised Requesting Entity’s request (i.e. an online query to the Aadhaar System) should be allowed to be made only with Logins assigned by UIDAI or UIDAI’s designated senior officers. With such an “empowered” Login, the user will get the required demographic data for any Aadhaar number submitted to the Aadhaar system; demographic data may include some or all of these fields: name, photo, address, postal code, date of birth, gender, email and phone number. There should be a defined process and submission of adequate documentation, duly signed, preferably digitally, before such empowered Logins are created by authorised officers, whose ids must also be stored. A life cycle record should be maintained of the assignment or blocking of such Logins. The Aadhaar system should block suspicious usage from such Logins, for example: a) successive requests faster than a threshold speed, measured over the period during which continuous requests occur, which would thwart subversion through Bots (robots which may attempt to suck out all available data); b) quick successive requests from IP addresses in regions far apart; and c) simultaneous requests from the same Login – the latter two would help to block users who have illegally got hold of a Login. UIDAI’s website should describe this process; otherwise it would be misleading Aadhaar registrants into believing that their demographic data is never shared with anyone. On going through the UIDAI website one may believe that identity data is used ONLY for the Use Case of “authentication”, in which the Aadhaar system responds merely with a “Yes” or “No”.
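
To make rules a) to c) concrete, here is an added example (not UIDAI's code) that runs those three checks over a constructed audit log of requests from empowered logins; the thresholds, the geolocation of source IPs and every record in the log are assumptions made for illustration:

```python
"""Added example (not UIDAI code): the three abuse checks proposed above for
"empowered" Use Case#2 logins, run over a constructed audit log.
Thresholds and coordinates are assumptions chosen for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

@dataclass(frozen=True)
class Request:
    login: str
    ts: float   # seconds since epoch of the request (constructed)
    lat: float  # approximate geolocation of the source IP (constructed)
    lon: float

MAX_REQ_PER_WINDOW = 20     # rule a): more requests than this (assumed) ...
WINDOW_SECONDS = 60.0       # ... within a sliding window of this length
MAX_KMH = 900.0             # rule b): faster than an airliner is impossible travel
SIMULTANEOUS_SECONDS = 1.0  # rule c): two requests this close are "simultaneous"

def km_between(a: Request, b: Request) -> float:
    """Great-circle (haversine) distance in km between two request origins."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def flag_login(requests) -> set:
    """Names of the rules one login trips; an empty set means the login looks clean."""
    reqs = sorted(requests, key=lambda r: r.ts)
    flags, start = set(), 0
    for i, r in enumerate(reqs):
        # rule a): count requests inside the trailing window ending at this request
        while r.ts - reqs[start].ts > WINDOW_SECONDS:
            start += 1
        if i - start + 1 > MAX_REQ_PER_WINDOW:
            flags.add("rate")
        if i == 0:
            continue
        prev = reqs[i - 1]
        dt = r.ts - prev.ts
        # rule c): one login cannot legitimately fire two requests at once
        if dt < SIMULTANEOUS_SECONDS:
            flags.add("simultaneous")
        # rule b): consecutive requests from places too far apart for the time elapsed
        km = km_between(prev, r)
        if km > 1.0 and km / (max(dt, 1e-6) / 3600.0) > MAX_KMH:
            flags.add("impossible_travel")
    return flags

def audit(log) -> dict:
    """Group an audit log by login and return {login: sorted list of rule names}."""
    by_login = defaultdict(list)
    for r in log:
        by_login[r.login].append(r)
    return {login: sorted(flag_login(reqs)) for login, reqs in by_login.items()}

# Constructed audit log: one honest VLE, one scraping bot, one shared or stolen
# login used from Delhi and then Chennai five minutes apart, and one double-fire.
SAMPLE_LOG = (
    [Request("vle_honest", 1000.0 + 300 * i, 28.61, 77.21) for i in range(3)]
    + [Request("login_bot", 2000.0 + i, 28.61, 77.21) for i in range(25)]
    + [Request("login_shared", 3000.0, 28.61, 77.21),
       Request("login_shared", 3300.0, 13.08, 80.27)]
    + [Request("login_dup", 4000.0, 19.08, 72.88),
       Request("login_dup", 4000.2, 19.08, 72.88)]
)
```

Calling audit(SAMPLE_LOG) returns an empty list for the honest VLE and the tripped rule names for the other three logins; a production system would feed these flags into the login-blocking step rather than just report them.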

Use Case#3 Linking Aadhaar with another service provider's database - like Bank or Mobile Phone TELCO or Insurance company etc.

The service provider must have the individual's consent: the individual must either visit the office of the service provider or link his/her own Aadhaar number through an online process by visiting the service provider's portal. In the former Use Case, the individual can confirm his/her consent by inputting an OTP received from the Aadhaar system, or by touching a fingerprint scanner or peering into an iris scanner, as required by the linking application running on the computer of the service provider. In the latter Use Case, the individual can confirm his/her consent after following the same authentication process. The linking process would require the service provider to store both the Aadhaar number and the Authentication Request reference number to which the Aadhaar System has responded "Yes". If just the Aadhaar number is stored, there is no assurance that it was authenticated AND that its linking was consented to by the individual.

If such empowered logins (Use Case#2) are created without proper protocols, as mentioned in the above para, misuse of the type seen in the episode reported by The Tribune of 3rd January, 2018 will happen: a rogue designated officer or his agent, by using the relevant program execution rights, created an empowered Login (of the Use Case#2 type) for Rachna Khaira, who had offered to pay all of Rs.500 online – with this login, she claimed that she could access the demographic data of any of the 1.2 billion Aadhaar numbers. The Tribune story exposed the vulnerability of the protocol in place at UIDAI, which had claimed that Aadhaar's data cannot leak out. As a matter of fact the Aadhaar Act allows parting with demographic data for authentication but NEVER the biometric data. Incidentally, the demographic data of all voters is in the public domain and it can even be downloaded for distribution (https://goo.gl/DsczTp). The Tribune story was sensationalised as a “leak of 1.2 billion Aadhaar identity records”; this created an impression that the entire Aadhaar database had been copied in an unscrupulous way to another storage medium freely available for distribution. Actually, nothing of the sort could have happened, because the Aadhaar system would undoubtedly have blocked, one can safely bet, any attempt to retrieve multiple records at high speed from any specific Login (even an empowered one). UIDAI filed an FIR against Rachna Khaira, and this action compounded the suspicion of a cover up of its alleged blunder which had resulted in the whole database getting leaked. If the Aadhaar system is designed with a proper audit trail, which undoubtedly must be the case, UIDAI ought not to take longer than a few minutes to identify the rogue (or careless) designated officer who created, or who enabled an agent to create, the empowered Login called Anamika_6677 for the pseudonym Anamika that the Tribune's journalist had adopted (read her "dramatic" story here: https://goo.gl/v5F2xJ).

The CEO of UIDAI, Ajay Bhushan Pandey, writing in the Economic Times of 14th January, 2018 (https://goo.gl/Zb14rQ), reiterated the safety of the Aadhaar database without shedding light on the protocols UIDAI follows in creating such (Use Case#2) empowered Logins and the traceability of the creation of such Logins; one would also like to know how many such Logins have been handed out. There was a news story that 5,000 such Logins were handed out to State officials and another that 1 lac such Logins were created for CSCs (Common Services Centres) for VLEs (Village Level Entrepreneurs) who provide services to rural residents. Empowered logins are also allowed to print anyone’s Aadhaar card. Many people mistakenly think that printing an Aadhaar card is a breach – actually the Aadhaar card has little intrinsic value – one can equally well print the Aadhaar demographic identity info on plain paper and it would be as good an id proof as the original Aadhaar card; even an electronic image of Aadhaar on a smart phone (download the app: mAadhaar) should serve as an “Aadhaar Card”. The Aadhaar system offers all these capabilities; however, to prevent misuse of authorised Use Case#2 Logins, there should be a proper protocol and auditability process, which should be published on the UIDAI website. Hopefully Aadhaar has built all of these processes and protocols and all it needs to do is publish them. In any case there is no fear, based on any available evidence, that the Aadhaar database as a whole is at risk of getting leaked out; UIDAI's website says the biometric identity data is encrypted, using the highest available level of encryption algorithms, before storing in the CIDR. [It is highly improbable that any hacker can get to its CIDR data. Vendors who use Aadhaar authentication services are authorized by the UIDAI as Authorized User Agencies (AUAs). Each AUA must use an Authorized Service Agency (ASA) – these are the only entities allowed to connect to the CIDR. However, any software developer can write an Aadhaar authentication application using UIDAI's API (Application Programming Interface) components – direct access to the CIDR is thus prevented in the case of common users.]

On the UIDAI website’s “print media” page, various news reports were chronologically listed – the Tribune story was NOT mentioned (https://goo.gl/YWdixi) – this betrays a timidity that I found uncharacteristic of the UIDAI of the past; during Nandan Nilekani’s tenure there would have been full disclosure for sure.

What does Nandan Nilekani have to say about the Aadhaar and the FIR filed by UIDAI?

Nandan says Aadhaar is safe and it will pass the data privacy test which is expected to be defined by the Supreme Court. He said Aadhaar is being maligned through a sustained campaign (story of 15th January 2018: https://goo.gl/AiBMhu). He complimented the proposed introduction of the “Virtual Id” facility. The CEO of UIDAI had said in his above-mentioned ET article of 14th January 2018 that this facility was debated nine years ago but was kept in abeyance.

Now that data privacy concerns are threatening the idea of Aadhaar, the “Virtual Id” facility will serve to address some people’s concerns. As the Virtual Id will be perishable (it has a finite life of a few days, defined by the user, who can generate Virtual Ids any number of times), it will serve to authenticate one’s Id but it will prevent the 360-degree profiling which can happen if the permanent Aadhaar number is provided to a service provider or an authority. For example, if the Aadhaar number is stored in the databases of PAN, Banks, Mobile service providers, Passport, PF or Pension Funds, the National Crime Records Bureau etc., then someone duly authorised by any department of the Government or through a Court Order (and not from UIDAI – because it is not in its mandate) can pull all the records together and create a 360-degree view of an individual by processing a query on the Aadhaar number. However, if a Virtual Id (with its time stamp) is stored in all these databases, then it is not possible to link the relevant records of an individual across the different databases and form a 360-degree profile; this defeats the nefarious design of a “surveillance state” [the same Virtual Id can get allotted to another person after its expiry; however, at a given instant one Virtual Id will be mapped to only one Aadhaar]. The Virtual Id idea is good in theory; however, the Government is known to change its rules and it could well force individuals to supply their permanent Aadhaar number instead of a Virtual Id. Already there were news reports that the Income Tax Department has been empowered to find addresses from “PAN linked Aadhaar numbers” and pursue “missing” tax payers, whereas the CEO of UIDAI said on 14th January 2018 that individuals need not supply their permanent Aadhaar number to any authority including the IT Department or Banks (https://goo.gl/gyY6tP).
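
An added model (not UIDAI's design) of the perishable Virtual Id described above, showing why records keyed by Virtual Ids cannot be joined across service providers while authentication still works until expiry; it also illustrates the authentication-versus-linking distinction drawn in prescription 5 below. The 16-digit format, the day-based expiry, the placeholder Aadhaar number and the sample databases are assumptions:

```python
"""Added example (not UIDAI code): a model of the perishable Virtual Id.
Assumed: 16-digit VIDs, expiry chosen by the holder in days; every value is constructed."""
import secrets
from datetime import datetime, timedelta

class VirtualIdRegistry:
    """Maps each active Virtual Id to exactly one Aadhaar number until it expires."""
    def __init__(self):
        self._active = {}  # vid -> (aadhaar_number, expires_at)

    def _purge(self, now):
        # An expired VID is dropped and so becomes free for allotment to anyone else.
        for vid, (_, exp) in list(self._active.items()):
            if exp <= now:
                del self._active[vid]

    def issue(self, aadhaar, ttl_days, now):
        """Holder generates a fresh VID; earlier VIDs keep working until they expire."""
        self._purge(now)
        while True:
            vid = str(secrets.randbelow(10**16)).zfill(16)
            if vid not in self._active:  # never reuse a VID that is still live
                break
        self._active[vid] = (aadhaar, now + timedelta(days=ttl_days))
        return vid

    def authenticate(self, vid, now):
        """Return the holder a live VID maps to, or None (the 'No' answer)."""
        self._purge(now)
        return self._active.get(vid, (None, None))[0]

def profile_by_key(*databases):
    """Join service-provider databases on whatever identifier each one stored.
    The keys present in every database are the records a profiler can tie together."""
    common = set(databases[0])
    for db in databases[1:]:
        common &= set(db)
    return common

def demo():
    reg = VirtualIdRegistry()
    t0 = datetime(2018, 1, 15)
    aadhaar = "XXXX-XXXX-1234"  # placeholder, not a real Aadhaar number
    # Linking with the permanent number: bank and telco store the same key -> joinable.
    bank = {aadhaar: "savings account"}
    telco = {aadhaar: "mobile number"}
    linkable_permanent = profile_by_key(bank, telco)
    # Linking with VIDs generated on different days: the two databases share no key.
    vid_bank = reg.issue(aadhaar, ttl_days=3, now=t0)
    vid_telco = reg.issue(aadhaar, ttl_days=3, now=t0 + timedelta(days=1))
    linkable_vid = profile_by_key({vid_bank: "savings account"}, {vid_telco: "mobile number"})
    # Authentication still answers "Yes" while the VID lives, and "No" once it has expired.
    auth_live = reg.authenticate(vid_bank, t0 + timedelta(days=2)) == aadhaar
    auth_expired = reg.authenticate(vid_bank, t0 + timedelta(days=4)) is None
    return linkable_permanent, linkable_vid, auth_live, auth_expired
```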

PRESCRIPTIONS going forward:

1) Introducing facial recognition as one of the biometrics, along with one demographic attribute, for authentication in the Aadhaar system is a good idea (https://goo.gl/wKbpRL). It will serve to enhance the inclusivity of Aadhaar – some people do not have fingerprints which can be scanned and matched easily.

2) India needs stronger data protection laws and enhanced respect for the individual’s privacy. The Aadhaar system, properly implemented, does not impinge on the individual’s privacy. For example, Aadhaar enrolment agents have been caught selling individuals' data - these people should be jailed rather than fined.

3) The investment in implementing Aadhaar is probably less than rupees 10K crores. It has paid back this investment many times over within a couple of years. In future it can save lacs of crore rupees p.a. and it can increase the honesty coefficient of Indians in a very significant way, which is priceless. It will help serve, for the first time, many genuine beneficiaries who have been left out or who have been short-changed by the corrupt.

4) A well designed multi-media campaign (TV, Press, Radio, Cinema and Hoardings) is required to explain i) what Aadhaar is and what it is NOT, ii) how and why to generate a Virtual Id and iii) the precautions the individual must take at the time of linking Aadhaar with a service provider's database [to ensure that the agency asking to link Aadhaar is so authorised by the Government and that the agent is running the right program for linking and it is not a facade behind which another operation is being performed (for example, if the agent has the user's bank account number, he could transfer funds when you provide your OTP or get your fingerprint or iris scanned on his devices)].

5) The Government must recognise the difference between the needs of "authentication" and "linking". The former serves to verify identity (when you supply a Virtual Id), the latter helps in profiling (when you link your permanent Aadhaar number). The Government should MINIMISE the Aadhaar linking drive with the permanent Aadhaar number. The Government should provide individuals the option of linking the temporary Virtual Id, which will serve the authentication requirement. Those who were coerced to link their permanent Aadhaar number should be allowed to substitute it with the Virtual Id (alternatively they should be allotted another Aadhaar number). These "needs" should be debated - I would recommend linking Election Card, Ration Card, PAN Card, Driving License, Land Purchase Registrations and Crime Records, but not Banking Accounts or Mobile Numbers, which should use Aadhaar only for authentication.

6) The Modi Government was ill-advised to pass the Aadhaar bill as a money bill in the Lok Sabha, presumably to save itself the blushes in the Rajya Sabha. [Jairam Ramesh has filed a petition challenging the introduction of Aadhaar as a money bill]. This indeed displays a lack of understanding, in the Modi Government, of the utility of Aadhaar. Aadhaar is not just a tool for efficient targeted delivery of monetary benefits, it is also a security enhancing tool. For example, militants using fake identities will be deterred from operations in Kashmir if everyone in the State is forced to have an Aadhaar id. Ironically, the Aadhaar Act excludes the State of J&K!! The Aadhaar Act needs to be modified on both counts, to expand its scope and applicability across the whole of India. Even the name of the Act should be changed: from The Aadhaar (Targeted Delivery of Financial and other Subsidies, benefits and services) Act, 2016 to The Aadhaar (Unique Id System for Indian residents anywhere in the World).