Tuesday, May 30

Intelligent Sensors for Predictive Maintenance of Railways

When comparing European Rail with Indian Rail you will notice quite a lot of differences. European railways are limited companies & are definitely more professionally managed than Indian Railway, which has catered to the fancies of Railway Ministers who had no understanding or education to manage a railway. Ministers did not know how & why a railway has to run like a profitable business if it is to transport passengers safely. A loss-making company cannot spend on the safety of its passengers, and accidents will further cripple the railways. Railway does not need to serve Fancy Tea in Mud Cups to become popular - Indians' requirements are very basic: we want punctuality, cleanliness & above all safety of passengers.

As a software architect, I am a fan of Event Driven Architecture: an event triggers a software process that checks the type of event and performs the predefined action for it, which helps us build smarter software that can decide its next task based on the previous event. To give a simple real-life example, if a "Duranto Fast Train" that is supposed to travel at a max speed of 120 miles per hour in a particular sector crosses a station at 130 miles per hour, then an unmanned "Speed Sensor", located every few kilometers, captures the speed and sends it to a Rail Database in real time (immediately, in layman's language). Next, a smart software program that is watching the database for any unusual event recognizes that the speed captured by the sensor is more than the speed limit for this particular "Duranto Fast Train" and that this is an EVENT that needs to be ACTED upon. The program then checks the recommended actions for 'THIS OVER SPEEDING EVENT' and triggers those actions.

Let's say there are 3 recommended actions in the given order of priority:
1) Send SMS to driver that he is over speeding along with time, location & speed data
2) Send SMS to NEXT 5 stations to manually monitor the speed of the train
3) Send SMS to Rail Management so that over-speeding is captured in drivers report card & he is given warning and training if required
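
The flow described above, sketched as an added example (not code from the original post): a monitor classifies each sensor reading, and an over-speed event triggers the three actions in priority order. The sector name, the in-memory outbox standing in for SMS delivery, and the rule of alerting once per over-speed episode are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed data: limits in mph keyed by (train, sector); names are hypothetical.
SPEED_LIMITS_MPH = {("Duranto Fast Train", "SECTOR-7"): 120}

@dataclass(frozen=True)
class SpeedReading:
    train: str
    sector: str
    speed_mph: float
    time: str
    location: str

# Each action returns (recipient, text); a real deployment would send an SMS here.
def sms_driver(r, limit):
    return ("driver", f"{r.speed_mph} mph in a {limit} mph sector at {r.location}, {r.time}")
def sms_next_stations(r, limit):
    return ("next-5-stations", f"Manually monitor the speed of {r.train}")
def sms_management(r, limit):
    return ("rail-management", f"Record over-speeding by {r.train} at {r.time}")

# Event type -> actions in the priority order given in the post.
ACTIONS = {"OVER_SPEED": [sms_driver, sms_next_stations, sms_management]}

class EventMonitor:
    def __init__(self):
        self.active = set()   # trains currently in an over-speed episode
        self.outbox = []      # queued (recipient, text) notifications

    def classify(self, r):
        limit = SPEED_LIMITS_MPH.get((r.train, r.sector))
        if limit is None:
            return "UNKNOWN_LIMIT", None   # surfaced to the caller, not ignored
        if r.speed_mph > limit:
            return "OVER_SPEED", limit
        self.active.discard(r.train)       # back under the limit: re-arm alerts
        return None, limit                 # no event for a normal reading

    def handle(self, r):
        event, limit = self.classify(r)
        if event == "OVER_SPEED":
            if r.train in self.active:
                return "SUPPRESSED"        # one set of alerts per episode
            self.active.add(r.train)
        for action in ACTIONS.get(event, []):
            self.outbox.append(action(r, limit))
        return event

def run_demo():
    monitor = EventMonitor()
    speeds = [118, 130, 131, 115, 125]     # constructed sensor readings, mph
    readings = [SpeedReading("Duranto Fast Train", "SECTOR-7", s, f"10:0{i}", f"km {40 + 5 * i}")
                for i, s in enumerate(speeds)]
    return [monitor.handle(r) for r in readings], monitor.outbox
```
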
The software will perform the above 3 actions and continue to watch for other events. Since it is smart software, it is able to use other data to identify each train running across the country, so one software will be useful for all trains. This is a very simple & limited example of how Sensor, Software & Internet can bring automation to monitoring one aspect of operation & improve safety - rail safety has many aspects, as we are all aware, and Sensor/Software/Events can help make rail journeys safer.

Railways in Europe are using Ultrasonic and Microwave sensors to detect flaws in engine parts, wheels and tracks. An ultrasonic sensor emits short ultrasonic pulses and detects the echoes that are reflected from the object - in this case the train. The echoes can be analyzed to predict a potential breakdown and help prevent accidents before they can happen.

Indian Railways' only advantage is that, as a latecomer, it has options and technologies that have been tested, so it can pick and choose and go for a custom solution. Is railway considering it? Spending money on research is great, but if the research does not consider the lessons learnt by Euro Rail and US Rail and comes out with a totally different type of solution that has not been tested in real life, then we are wasting money. Companies like TIBCO have worked with US and European railways to design Sensor based solutions and they can guide Indian Railways. I would be keen to work on such a project that will change the security paradigm of Indian Railway and guarantee a safe journey to each Indian traveler.


Tuesday, May 23

Burning questions about #Aadhar that we want answered

I have moved the key burning questions about #Aadhar to a new post. Indian citizens are not aware of the answers to these questions, and UIDAI needs to answer them before forcing Aadhar down our throats. I am surprised that IT industry leaders are not asking the government these questions.

A few burning questions regarding #Aadhar are as follows:

1) Was #Aadhar architecture designed to handle this large volume of transaction? 

2) Is  #Aadhar secure enough to be accessed by any private company that wants to use it? 

3) Who is monitoring the use of Aadhar data by private companies? 

4) If the Aadhar Database is secure then why has Aadhar data been leaked so many times in last 2 years?

5) Has any independent agency conducted an audit of the #Aadhar Software? Why is govt not publishing the report of such audit so that Indians are reassured that their bio-metrics are safe? 

6) Today hardly 1% of Indians have #Aadhar card. Will the Aadhar system be able to handle #Aadhar transactions when entire India has #Aadhar and every private company starts accessing the #Aadhar database to authenticate the customer?

7) If Software Audit of Aadhar Software has not been done so far it is a huge concern, Who are the CEO & CTO of #Aadhar Software (UIDAI) and why have they not advised the government to conduct  'Yearly Software Audit' of such a crucial software that is going to handle and manage world's biggest citizen bio-metrics database?

8) Does the Aadhar team not think it is necessary to audit the security, availability & scalability of its system by an independent expert agency?

9) Why is #Aadhar & Government not publishing a whitepaper on the security and stability of Aadhar system, particularly after a series of data breaches have been reported by the media?

10) How can #Aadhar team get away from the responsibility by saying the data breaches were not at the source?

11) Finally if citizen's bio-metrics data is leaked will he be able to sue the government?

I hope someone from the UIDAI & Govt reads this blog and many other blogs by IT industry experts and better sense prevails. Software systems are great enablers, but if they are not designed well they can play havoc beyond our imagination, and that is why the software industry defines processes and guidelines to ensure development and maintenance of quality software. It would be sad if the most crucial software of India takes a hit because of a bunch of overconfident and under-qualified engineers that decide not to use external agencies to validate the software they have built. Indian Govt needs to take measures to ensure security of internet transactions and review the laws to ensure consumer protection. The slogan of Digital India should be changed to Digital India, Secure India. Is #Aadhar 100% secure? I will believe it when the government publishes a whitepaper on the security measures taken to ensure the security of my #Aadhar data and justifies why #Aadhar is being allowed to be used by private companies. It seems we have not learned anything from the mistakes committed by USA when they implemented SSN (Social Security Number).

Sunday, May 21

Why you should be concerned about #Aadhar being made mandatory for citizen of India?

#Aadhar card is a part of the world’s largest bio-metrics identity program. The initial vision of the Congress Govt was to use #Aadhar to stop fraud and pilferage from India’s social welfare programs. Now the BJP government is gradually making it mandatory for every citizen to use #Aadhar cards for buying railway tickets, filing tax returns, obtaining a PAN card, procuring a SIM card & opening a bank account.

So the Indian government now wants to change the Aadhar Vision. This has given rise to concerns among millions because the Aadhar database has iris and finger print data stored centrally. Given the weak cyber security laws in the country, you often wonder how safe your banking transactions are, given the fact that even your telecom operator's store has your Aadhar number. People with Half-Knowledge are trying to convince us that even USA uses SSN and #Aadhar is similar to SSN. One needs to understand that SSN is much different from Aadhar and that India’s Aadhar cannot be compared to the USA’s Social Security Number.

What is the difference between Aadhar and SSN
The main difference between Aadhar & SSN is that #Aadhar captures biometrics and SSN does not. Those who still do not understand the impact of the Indian government's decision to make Aadhar mandatory need to read further.

In 1936, SSN was introduced as a 9-digit number to be used by the government to track a citizen’s income and ensure the social benefit on the basis of the same. That’s quite like our Aadhar. Gradually more US government agencies and corporates started storing SSN records. In 1961, the US Internal Revenue Service started using SSN for identifying taxpayers. However, in 1977, under Jimmy Carter, the 39th President of the United States, it was decided that SSN cannot be used as an identification document. Rather, it should only be used as a legal permit to work.

On the Social Security website of the USA government, it is clearly mentioned: “The card was never intended to serve as a personal identification document – that is, it does not establish that the person presenting the card is actually the person whose name & SSN appear on the card.” So eventually in 1977 USA  made a rule that SSN cannot be used for identification of an individual either by govt or private companies. The mistake corrected by USA is being repeated by India by its plans to use Aadhar, which is a single digital identity number as an 'Identity Card' to authenticate you as an Indian citizen.

Aadhar Applicability:   

SSN is for citizens and non-citizens authorized to work in USA: The social security number is primarily for citizens of the United States of America. In certain cases, non citizens who have been authorized by the Department of Homeland Security to work in the US may obtain a Social Security number.
Aadhar is for ALL Indian residents and not just citizens: The Aadhar number is available to any resident of India. Anyone who has stayed in India for 182 days can apply for an #Aadhar card. However, SSN is only given to the US citizens who have a permit to work in the country.

Aadhar Data Collection :

The process of registering people for Aadhar was executed through private enterprises known as "Enrollers", who operated freely without any government supervision at the field level. The qualifications needed to become an enrollment agency were quite low, none of the agencies was a recognized name, and often unqualified people were used to collect the data, which led to incorrect data collection, as media has widely reported. It is alleged that some untrained enrollers forgot to collect some data, for example address or fingerprint, and then to cover their mistake they fudged the data by filling in the missing data with someone else's data. Shocking, but if you remember the kind of sub-contractors who were collecting your Aadhar data, I can say what's alleged is not impossible.

Why should we be concerned about #Aadhar Data Security:

#Aadhar database stores everything from finger prints to iris scans to personal details. However, for SSN, the US government didn’t collect finger prints. To support their logic, the Social Security website reads: “The use of fingerprints was associated in the public mind with criminal activity, making this approach undesirable.” SSN doesn’t even contain a photograph for that matter. In 2007, there were talks to include these details to act against terrorism, but the country, which has experienced terrorist attacks in their worst form and often behaves cynically on this matter, actually decided against it.

Observation of USA Homeland Security about bio-metric identification:

“A bio-metric identifier, such as a fingerprint, can be an effective and highly accurate way to establish the identity of an individual, but it can also facilitate a much higher degree of tracking and profiling than would be appropriate for many transactions,” said Marc Rotenberg, Executive Director, Electronic Privacy Information Center a research organization, speaking on the Use and Misuse of the Social Security Number before the Subcommittee on of the U.S. House of Representatives. He observed that the severe problems would arise if bio-metric identifiers are compromised. "What will happen at the point that your bio-metric identifiers no longer identify you?” he added.

SSN is never used as Unique Identifier while govt plans to use Aadhar as an Unique Identifier:

As per the Privacy Policy Guidance Memo of USA Homeland Security, “Department of Homeland Security shall not collect or use SSN as a unique identifier; rather, programs shall create their own unique identifiers to identify or link information concerning an individual”. The SSN card does not serve as proof of identity or citizenship, it cannot be used to transact with, and it does not have the ability to store information. Did the Indian government not consider the impact of their decision and the reasoning of USA Homeland Security? Govt is allowing private companies to use Aadhar, but USA does not allow SSN to be used by private companies except to verify that a person has a work permit. What the memo says is that the SSN is required by private businesses only in two cases:

(1) you are involved in a transaction in which the Internal Revenue Service requires notification, or (2) you are engaged in a financial transaction subject to federal Customer Identification Program rules.

However, for Aadhar, as we know, even the mobile store (read Private Entity) that operates from a small kiosk will ask you to show your Aadhar Card to identify yourself to buy a SIM card, and no one can stop them from saving a copy of your Aadhar card (how can you?). The banks are already refusing new bank accounts to those who do not have Aadhar. I just hope that governments understand what a grave risk they are subjecting all Indians to by forcing on them a software system which is already the subject of numerous data leaks.

Why are some IT engineers concerned about #Aadhar? 
Each software system is built to requirement, and if the requirements change then there is a need to redesign & rebuild the software. If the initial purpose of Aadhar was to be used in a similar manner as SSN, where Aadhar becomes the unique ID used by government agencies to identify a person, and Aadhar is now being used not just by the government but by banks, telecom companies and any other private company, then the usage of the Aadhar system will increase by 100X over what the system may have been originally intended to handle.

To get an idea of the volume of Aadhar transactions in a single month: in Dec 2016 alone, 2 Cr 79 lakh NEW subscribers were added as per TRAI. People are buying dual and quad SIM phones, so one can imagine the number of times #Aadhar data is being accessed by the telecom companies, and there are another 100 industry sectors, from Health to Banking to Hotel, that will soon start using Aadhar to validate their customers.

Here is the link to view Wireless Subscriber added in Dec 2016  - Click this link
Here is the link to view latest TRAI Telecom Subscription report - Click this link

 
Let me highlight few burning QUESTIONS that the current Govt & UIDAI need to answer -

1) Was #Aadhar architecture designed to handle this large volume of daily transaction? 

2) Is  #Aadhar secure enough to be accessed by any private company that wants to use it? 

3) Who is monitoring the use of Aadhar data by private companies? 

4) If the Aadhar Database is secure then why has Aadhar data been leaked so many times in last 2 years? If the data was not leaked then why is the Tribune reporter who exposed DataLeak not charged with treason and put in jail?

5) Has any independent agency conducted an audit of the #Aadhar Software? Why is govt not publishing the report of such audit so that Indians are reassured that their personal data as well as their bio-metrics are secure & safe? 

6) Today hardly 1% of Indians have #Aadhar card, Will Aadhar system be able to handle #Aadhar transaction when entire India has #Aadhar and every private company starts accessing #Aadhar database to authenticate the customer? 

7) If Software Audit of Aadhar Software (typically done once every year for critical IT systems) has not been done so far it is a huge concern. Who are the CEO & CTO of #Aadhar Software (UIDAI) and why have they not advised the government to conduct  'Yearly Software Audit' of such a crucial software that is going to handle and manage world's biggest citizen bio-metrics database?

8) Does the Aadhar team not think it is necessary to audit the security, availability & scalability of its system by an independent expert agency?

9) Why is #Aadhar & Government not publishing a whitepaper on the security and stability of Aadhar system, particularly after a series of data breaches have been reported by the media?

10) How can #Aadhar team get away from the responsibility by saying the data breaches were not at the source? 

11) Finally if citizen's bio-metrics data is leaked will he be able to sue the government? The answer is no - the BJP government has cleverly avoided any responsibility towards data leak. I am not a supporter of any political party but I must admit the Congress government did not have this Draconian law and they did not try to fool the public.

I hope someone from the government reads this blog and many other blogs by IT industry experts and better sense prevails. Software systems are great enablers but if they are not designed well they can play havoc beyond our imagination and that is why software industry defines processes and guidelines to ensure development and maintenance of quality software. It would be sad if the most crucial software of India takes a hit because of a bunch of overconfident and under qualified engineers that decide not to use external agencies to validate the software they have built. 

P.S- I have tweeted to UIDAI and volunteered to review the Aadhar System and advise UIDAI because a billion Indians' and my data privacy is at stake, but I did not get a response from UIDAI.

