The Unique ID Project: What should be Unique?
The UID Authority of India (UIDAI) has decided to run its pilot in
Karnataka and has rightly put the versatile and energetic e-Governance
secretary, Mr M N Vidyashankar, in charge of the pilot project. We
hope the pilot will be successful in throwing up the learning points which
may drive the project further. Our best wishes to Mr Nandan Nilekani as
well as Mr M N Vidyashankar for a successful completion of the project.
This project is of great significance to all the Citizens of India since it
will transform all of them into "Netizens" with a "Digital ID" maintained
in the data base of the UIDAI. All of us will henceforth be "Information"
and in due course we can avail any service from the community only through
this "Information Avatar". As a corollary, we need to remember that if for
any reason the UID is corrupted and the data associated with our UID is
inaccurate, then we may lose the natural privileges we are entitled to as
citizens of India.
In view of these high stakes for every citizen of India, it is necessary for
every Citizen to contribute his views to the UIDAI so that no hasty
decision is taken in a matter which can mean life and death for the
Citizens of India.
I therefore raise a few concerns through this column and invite others to
join me in contributing their views so that these can be addressed at the
time of the pilot project being implemented in Karnataka.
I would like to record my views on the following five points:
1. UID without a UID Card
2. Data Association
3. Responsibility for Data Accuracy
4. Responsibility for Data Security
5. Voice of the People
1. UID without a UID Card:
Mr Nandan Nilekani has taken a strategically correct and intelligent
decision to keep the issue of "Cards" away from the immediate discussion by
declaring that in the first two or three years, the UIDAI will focus only
on creating the "Unique Number" and not focus on the instrument that holds
the ID such as the "ID Card". As a result, unnecessary commercial
intervention over whether it should be a smart card or something else, what
the technology for it should be, etc. is not the immediate issue now.
In view of this vital decision, the UIDs when created will be held only in
digital form and therefore there will be a "Virtual UID Card" for every
Citizen which will be dynamically created whenever the data base is queried
and values returned. If this Virtual UID Card works, then the next task
will be easy since it only means a transport of this "Virtual ID Card" to
the face of a plastic card with or without memory in the form of a smart
card.
As Mr Nandan has clarified during his TV interviews in the last few
days, the UID Card will eventually have limited data, and service
related data would be incorporated in other service related Cards.
For example, UID will contain certain data such as the serial number,
name and photograph of the holder. There may also be other associated data
such as the father's name, mother's name, date of birth, sex, place of
birth, UID of the father, UID of the mother, finger print, and address.
When a decision on the Physical card is taken, it will be necessary to
determine if all the UID data has to be placed in the card itself or not.
(Naavi's views in this regard are also captured in the earlier article
"The National ID Card Challenge for Nandan Nilekani".)
Naavi has been
an advocate of "ZeMo Cards" which essentially means that the ID Card can be
of zero memory and contain only the basic ID parameters and all other data
should be accessible through an authorized query of the virtual data base.
The current
thinking of the UIDAI is therefore similar to what Naavi has been
advocating except that the issue of Card has been completely kept out of
the responsibility of the UIDAI and left to the individual service
organizations which will use the UID for delivering their services. For
example, the NREGS may issue its own cards to its members where UID is one
of the components. They may use either a Smart Card or a ZeMo card as they
deem fit.
This leaves the
flexibility which was necessary for the UIDAI to avoid commercial
influences on its activity since the Smart Card lobby is a powerful lobby
which could have single-handedly derailed the UID project. Mr Nandan should
be specially congratulated for the master stroke of dividing the two
aspects of creating a UID and issuing of the Cards. This may turn out to be
the single most important decision at this point of time to take the
project forward. Maybe once the data is created, UIDAI can register itself
as a Certifying Authority in India and issue Digital Certificates
under their digital signature which will become a document acceptable in a
Court of law as per the provisions of the ITA 2000.
In the
absence of the physical card however, the virtual data base becomes
critical to the integrity of the system and will be a target of attack for
cyber terrorists and data thieves. The security of the data therefore
becomes paramount and there is a need for appropriate measures in this
regard.
2. Data Association
At present the indications are that the following 12 parameters would be
associated with the UID data.
1. Name
2. UID Number of the holder
3. Photograph
4. Right hand fore finger print
5. Name of the Father
6. Name of the Mother
7. UID of the Father
8. UID of the Mother
9. Date of Birth
10. Sex
11. Place of Birth
12. Address
It is necessary to debate if all these 12
parameters are required and whether some more are to be added. It
is also necessary to consider if all of them need to be considered as
primary ID parameters or can be classified further as "Primary" and
"Secondary". More importantly, we need to debate if any of them can be
considered as the "Root ID parameter".
While the UID itself will be a Root ID for
downstream services available to the Citizen of India, there is a need to
recognize one single "Root UID Parameter" so that in the event of
any dispute, the UID would be owned by the person in indisputable control
of the "Root ID Parameter".
For example let us presume that there is an
effort to duplicate a UID by a person who is confronted by a law
enforcement agency. He may have a UID number (and a card if issued) in
his name and address. The only parameter which he cannot duplicate is his
"Biometric feature". In the set of 12 parameters chosen by the UIDAI
now, the finger print is the only biometric feature which the law
enforcement person can check to verify the ownership of the UID. This can
be defeated only if the data base itself is hacked and the finger print
of the impersonator is planted in place of the genuine fingerprint. This
is an issue of the data security which is separately discussed.
The reason why we may think of segregating
the ID data into "Primary" and "Secondary" is that some of the ID
parameters can be kept out of the Primary data base and can even be kept
offline. The primary database has to be accessible on the Internet
and, despite the authentication mechanisms or DRP strategies used, it
is still amenable to hacking attacks. The secondary data base however
can be kept away from the Internet and in multiple formats so that the
data in the secondary data base can be used for verification when the
primary data is disputed.
For example, we may collect multiple
biometric features, say:
1. Left hand thumb print scan
2. All fingers scan
3. Hand geometry scan
4. Iris scan, etc.
If the technology vendors prefer the
forefinger (index finger) because the finger print readers are more
easily operated with the fore finger than the thumb, it can be used as
the primary biometric print but the remaining biometric features can be
considered for the secondary data base.
This procedure will provide for "Multi
Factor Biometric Authentication" of a person.
We must however admit that the "Left Hand
Thumb Impression" is an age old tradition in India and given an option it
should be considered more suitable than the forefinger. It is necessary
for us to remember that there is a finger print indexing system presently
in use which appears to have been successful. It is found in the index of
"Nadi Grantha" used by the Nadi Astrologers who sift through thousands of
files with the Right Hand Thumb impression of males and left hand thumb
impression of females. The visual examination by a human can usually
provide a short list of 15 to 20 files from the thousands available. With
a computerized scanning of the finger print perhaps the accuracy can be
far better. This indicates that finger prints in general and the thumb
prints in particular have the potential to index millions of records and
with no other supporting parameter, it should be possible to zero in on a
document solely with the finger print index.
If the index is run on multiple levels with
multiple finger prints, the accuracy should be good enough for UID system
where we need to pick one document out of a billion documents based only
on the finger prints obtained from a person.
Since there are already a host of property
documents where the left hand thumb impressions are recorded, it may be
perhaps good if the left hand thumb impression is made the primary ID
parameter and other 9 finger prints be accepted as secondary and tertiary
finger print references. This will also counter the problem of some of
the labour class people not having clear finger prints.
Similarly, we can make the name more
reliable as an ID parameter by adding the names of the father, grand
father and the great grand father of a person to the name field. While
the Primary UID data base may contain the actual name with the initials
used by the person, the secondary data base may contain the expansion of
the initials, name of the father, name of the grand father and name of
the great grand father. It is possible however that some may not have the
names of the grand father and great grand father available in which case
the fields may have to be left as "Unknown". The three generation
father-link is a tradition and if it is anachronic for the current
generation, we can record the names of the female members of the earlier
generation also. This would almost mean recording the family tree in the
secondary data base. Though this would be a little cumbersome, there may
be a useful cross reference/verification possibility to establish any
attempts at entering false data into the UID system.
Also, while the date of birth is one of the
parameters used, extending it to the time of birth (as known and declared
by the person) would make it more specific. This is also more suited for
the secondary data base while "Age" (as on the date of the issue of the
card) alone can be added to the primary data base.
It is obvious that in such a system the Card
holder will primarily enter the data into the record and some of it
has to be accepted as the declaration of the person even though it may
not be independently verifiable. Most of this non-verifiable data will
be in the secondary data base and will be useful as a verification
parameter in case of disputes.
Out of the 12 parameters indicated for
inclusion in the UID data base, "Address" is one parameter which is
subject to change. It is therefore not suitable as part of the ID
document. It is better that it is removed from the database. If required,
it can be part of the secondary data base and used as "Registered Address
at the time of first creation of the data".
Out of the other parameters, Photograph is
also subject to change over the period. If present, it can be a source of
misinterpretation. Serious consideration has to be given to whether
this has to be part of the primary data base or be
pushed to the secondary data base.
The UID of the father and mother
are also parameters more ideally suited for the secondary data base.
The primary data base may have to contain
the UID issue date as a reference for the photograph and the age of the
person.
Since the UID data is in digital form and
may have to be accessed by the subject online with the use of a digital
signature, it may be useful to include an "E-Mail ID" as an additional ID
parameter perhaps in the secondary data base.
In summary
(a) We need to maintain a Primary UID data
base and a Secondary UID data base with some parameters captured in the
primary base and some in the secondary data base with different storage
and access controls.
(b) We may consider making the left hand thumb impression (LTM) the
primary biometric ID to be incorporated in the Primary UID data base
and the other finger prints and probably the Iris scan also to be
recorded in the secondary UID data base.
(c) We may record the names of grand
father and great grand father to expand the name and maintain the same
in the Secondary UID database.
(d) We may record the time of birth in the
date of birth field and maintain it in the secondary UID data base.
(e) Address has to be removed from the UID
data base. e-mail address to be added to the secondary data base.
(f) The parameters required for the
Primary data base are Name with initials, Sex, Age, UID number,
photograph and finger print, date of issue. Amongst these, the name,
sex and age are not confidential. The photograph may be substituted by
an impersonator but the finger print remains an unalterable mark of the
original ID holder. If and when the ID card has to be issued, it may
contain only these 7 parameters.
3. Responsibility for Data Accuracy
Apart from the risk of impersonation, the other risk associated with the
UID system, which is also going to be integrated with many downstream data,
is the possibility of "Errors" in the data. Today, many Voters find
that the information about their name, sex and age on the Card is
incorrect and makes them ineligible to exercise their franchise. The reason
for such inaccuracies is that the system for "Correction" is too
complicated, and once a clerical error gets into the system, it tends to
remain.
In view of the criticality of the UID system, it is essential that
inaccuracies be eliminated at the time of generation and that there
be an expeditious but strong process for correcting inaccuracies.
It must be remembered that UID will be "Information Residing Inside a
Computer Resource" and is subject to the provisions of Information
Technology Act 2000 (ITA 2000) and the proposed amendments through the
Information Technology Amendment Act 2008 (ITA 2008).
Any alteration of UID information which is unauthorised and causes wrongful
harm is therefore an "offence" under Sections 66, 72 and 72A of ITA 2000/8 and
is also subject to payment of compensation under Sections 43 and 43A of ITA
2000/8.
The UID authority is also subject to the provisions of Sec 67C since the
ultimate owner of the data is the data subject and the UIDAI is
only an "Intermediary" as per the provisions of ITA 2000/8.
Maintenance of "Inaccurate Data" leading to wrongful loss would constitute
lack of "Due Diligence" and could make the UIDAI liable.
One option for the Government is to pass a law making the UIDAI and its
staff immune to any legal challenges. This would be perhaps the most likely
happening since this is the trend in Government functioning. This would
however result in "Authority without Responsibility" and ideally should be
avoided.
We hope that Mr Nandan Nilekani would not like UIDAI to be protected from
public scrutiny through such protectionist policies.
4. Responsibility for Data Security
Data Security will remain the biggest challenge in the UID project
and multiple strategies are required to be adopted for the purpose.
The law of the land provides some protection to the data subjects through
the ITA 2000/8 and imposes on the UIDAI certain responsibilities for
maintaining reasonable security practices.
If there is no attempt by the Government to shield the UIDAI from the
provisions of the existing law, then we may consider that there is a legal
structure for data security. It may still be necessary to define the
"Reasonable Security Practice" for this service.
In view of the criticality of the UID operation, the "Reasonable" security
practices may have to be substantially stringent. It is necessary to
implement globally acceptable principles of data security and privacy
protection to meet the requirements.
Some of the security practices required for data security and privacy
protection of the UID system may be constructed with the
IISF 309 suggested by Naavi.org.
Some of the specific requirements under this framework for ITA 2008
compliance include:
1. Obtaining the consent of the UID holders for inclusion of the data which
would be in the form of an application made by the data subject and
validated in its electronic form.
If data is validated on paper and the UIDAI takes the responsibility for
digitization then some member of UIDAI should be held accountable for any
inaccurate data that may creep in. Such a person has to validate the
electronic form of the data with his digital signature and take the legal
liability for the inaccuracies.
A copy of the data as entered in the data base has to be provided to the
data subject in print form with appropriate certification under Section 65B
of Indian Evidence Act as per established principles of Cyber Evidence
Archival.
As a part of this data validation process, it may be necessary to provide
access to the data in the data base to the holder of the UID so that he can
verify the data any time and any number of times during the lifetime of the
data.
Though this facility may not be used by many of the UID holders who are not
cyber savvy, it is an essential part of Cyber Law Compliance.
This may require validation of the person making the query. If we need to
use "Digital Signatures" for validation, the UID itself may have to also
include an "E-Mail Address" at the minimum as a "Digital Identity
parameter".
2. Data has to be encrypted in storage and every element of the data base
has to be digitally signed by an officer of the UID.
3. An appropriate audit trail of who accessed the data, the hash value of
the data before and after the access session, etc. will have to be
captured along with the mode of access, IP address, etc. and archived in
such a manner that it is available for judicial scrutiny when required.
4. The hardware and software used by UIDAI should be source code audited
and certified for integrity. Supplies from countries suspected to be
preparing for Cyber Warfare against India must be avoided.
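A minimal sketch of the audit trail described in point 3, added here as an illustration and not part of the original article or of any UIDAI system. Field names, sample values and the chaining of each log entry to the previous one are assumptions; the chaining goes beyond the before/after hashes the article asks for, so that the archived trail itself is tamper-evident.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed starting value for the entry chain

def record_hash(record):
    """SHA-256 over a canonical (sorted-key) JSON encoding of one UID record."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def _entry_hash(entry):
    # Hash every field of a log entry except the stored hash itself.
    return record_hash({k: v for k, v in entry.items() if k != "entry_hash"})

def log_access(log, record, officer, mode, ip, change=None):
    """Apply an optional change; log who, how, from where, and before/after hashes."""
    before = record_hash(record)
    if change:
        record.update(change)
    entry = {"seq": len(log), "officer": officer, "mode": mode, "ip": ip,
             "hash_before": before, "hash_after": record_hash(record),
             "prev": log[-1]["entry_hash"] if log else GENESIS}
    entry["entry_hash"] = _entry_hash(entry)
    log.append(entry)
    return entry

def verify(log, record):
    """Return a list of findings; an empty list means log and record agree."""
    findings = []
    prev, last_after = GENESIS, None
    for e in log:
        if e["prev"] != prev or e["entry_hash"] != _entry_hash(e):
            findings.append(f"entry {e['seq']}: audit log altered")
        if last_after is not None and e["hash_before"] != last_after:
            findings.append(f"entry {e['seq']}: record changed between sessions")
        prev, last_after = e["entry_hash"], e["hash_after"]
    if last_after is not None and record_hash(record) != last_after:
        findings.append("record changed after last logged session")
    return findings

def demo():
    # Constructed sample record; identifiers and values are illustrative only.
    record = {"uid": "UID-EXAMPLE-0001", "name": "A. Sample", "sex": "F",
              "fingerprint_template": "template-original"}
    log = []
    log_access(log, record, "officer-01", "read", "192.0.2.10")
    log_access(log, record, "officer-02", "update", "192.0.2.11",
               {"name": "A. B. Sample"})
    clean = verify(log, record)
    record["fingerprint_template"] = "template-planted"  # change with no logged session
    planted = verify(log, record)
    record["fingerprint_template"] = "template-original"
    log[1]["officer"] = "officer-99"  # attempt to rewrite the archived trail
    rewritten = verify(log, record)
    return clean, planted, rewritten

if __name__ == "__main__":
    for result in demo():
        print(result)
```
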
5. Voice of the People
As someone who has been working on Netizen Welfare for over a decade, the
undersigned would like to make a strong demand to the Government of India
as well as Mr Nandan Nilekani himself that the UIDAI should establish
appropriate systems and procedures which would ensure that Netizens are
protected against the inefficiency and malicious intentions of the staff of
UIDAI. Even if they tend to be honest, they may be used by others to
inconvenience honest Netizens.
This requires constitution of an "Ombudsman" and a "UID Dispute Resolution
Board". Such a UID Dispute Resolution Board should not be solely
constituted out of Government servants (eg: Proposed Review Committee under
ITA 2008 for Section 69/69A/69B issues) and must consist of Netizen
Activists and Netizen Interest bodies such as Digital Society of India or
Cyber Society of India.
Whether UIDAI will be a typical Government project with authority
without responsibility or a true PPP with the reputation of people like
Nandan Nilekani at stake would be determined by how the UIDAI responds to
this demand by Netizen activists to be part of the dispute resolution
mechanism.
Comments are Welcome at naavi@vsnl.com
Naavi
Aug 30, 2009