Sunday, May 21

Why you should be concerned about #Aadhar being made mandatory for citizen of India?

#Aadhar card is a part of world’s largest bio-metrics identity program. The initial vision of Congress Govt was to use #Aadhar to stop fraud and pilferage from India’s social welfare programs. Now the BJP government is gradually making it mandatory for every citizen to use #Aadhar cards for buying railway tickets, Filing tax returns, obtaining PAN card, procuring SIM card & for opening bank account.

So the Indian government now wants to change the Aadhar Vision. This has given rise to concerns of millions because Aadhar database has iris and finger print stored in a central database. Given the weak cyber security laws in the country, you often wonder how safe your banking transactions are; given the fact even your telecom operator store has your Aadhar number. People with Half-Knowledge are trying to convince us that even USA uses SSN and #Aadhar is similar to SSN. One needs to understand SSN is much different from Aadhar and how India’s Aadhar cannot be compared to the USA’s Social Security Number.

What is the difference between Aadhar and SSN
The main difference between Aadhar & SSN is that #Aadhar captures biometrics and SSN does not. Those who still do not understand the impact of Indian governments decision to make Aadhar mandatory need to read further.
                                           In 1936, SSN was introduced as a 9-digit number to be used by the government to track ac citizen’s income and ensure the social benefit on the basis of the same. That’s quite much like Aadhar of ours. Gradually more US government agencies and corporates started storing the records of SSN. In 1961, just like the US Internal Revenue Service started using SSN for identifying taxpayers. However in 1977, under Jimmy Carter, the 39th President of the United States, it was decided that SSN cannot be used as an identification document. Rather, it should only be used as a legal permit to work.

On the Social Security website of the USA government, it is clearly mentioned: “The card was never intended to serve as a personal identification document – that is, it does not establish that the person presenting the card is actually the person whose name & SSN appear on the card.” So eventually in 1977 USA  made a rule that SSN cannot be used for identification of an individual either by govt or private companies. The mistake corrected by USA is being repeated by India by its plans to use Aadhar, which is a single digital identity number as an 'Identity Card' to authenticate you as an Indian citizen.

Aadhar Applicability:   

SSN is for citizens and non-citizens authorized to work in USA: The social security number is primarily for citizens of the United States of America. In certain cases, non citizens who have been authorized by the Department of Homeland Security to work in the US may obtain a Social Security number.
Aadhar is for ALL Indian residents and not just citizen: The Aadhar number is available to any resident of India. Anyone who has stayed in India for 182 days can apply for #Aadhar card . However SSN is only given to the US citizens who have permit to work in the country.

Aadhar Data Collection :

The process of registering people for Aadhar was executed through private enterprises known as "Enroller" who operated freely without any government supervision at the field level. The qualifications needed to become an enrollment agency were quite low and nobody was from a recognized name and often unqualified people were used to collect the data which lead to incorrect data collection as media has widely reported.  It is alleged that some untrained enrollers forgot to collect some, for example address or fingerprint and then to cover their mistake the fudged the data by updating missing data with someone elses data. Shocking but if you remember the kind of sub-contractors who were collecting your Aadhar data I can say whats alleged is not impossible.

Why should we be concerned about #Aadhar Data Security:

#Aadhar database stores everything from finger print to iris to personal details. However in SSN, the US government didn’t collect finger prints. To support their logic, the Social Security website reads: “The use of fingerprints was associated in the public mind with criminal activity, making this approach undesirable.” SSN doesn’t even contain any photograph for that matter. In 2007, there were talks to include these details to act against terrorism, but the country who have experienced terrorist attacks in its worst form and often behave cynical on this matter actually went against it.

Observation of USA Homeland Security about bio-metric identification:

“A bio-metric identifier, such as a fingerprint, can be an effective and highly accurate way to establish the identity of an individual, but it can also facilitate a much higher degree of tracking and profiling than would be appropriate for many transactions,” said Marc Rotenberg, Executive Director, Electronic Privacy Information Center a research organization, speaking on the Use and Misuse of the Social Security Number before the Subcommittee on of the U.S. House of Representatives. He observed that the severe problems would arise if bio-metric identifiers are compromised. "What will happen at the point that your bio-metric identifiers no longer identify you?” he added.

SSN is never used as Unique Identifier while govt plans to use Aadhar as an Unique Identifier:

As per Privacy Policy Guidance Memo of  USA Homeland Security,  “Department of Homeland Security shall not collect or use SSN as a unique identifier; rather, programs shall create their own unique identifiers to identify or link information concerning an individual”.  The SSN card does not serve proof of identity, citizenship, and it cannot be used to transact with and does not have the ability to store information. Did Indian government not consider the impact of their decision to and reasoning of of USA Homeland Security?  Govt is allowing private companies to use Aadhar but USA does not allow SSN to be used by private companies except to verify that person has a work permit. What memo says is that the SSN is required by private businesses only on two cases:

(1) you are involved in a transaction in which the Internal Revenue Service requires notification, or (2) you are engaged in a financial transaction subject to federal Customer Identification Program rules.

However for Aadhar as we know, even the mobile store (read Private Entity) that operates from a small kiosk will ask you to show your Aadhar Card to identify yourself to buy a sim card and no one can stop them from saving a copy of your Aadhar card (how can you?). The banks are already refusing a new bank account for those who do not have Aadhar. I just hope that governments understand what a grave risk they are subjecting all Indians by forcing a software system which is already subject of numerous data leaks 

Why are some IT engineers concerned about #Aadhar? 
Each software system is built to requirement and if the requirements change then there is need to redesign & rebuild the software.  If the initial purpose of Aadhar was to be used in similar manner as SSN where Aadhar becomes the unique ID which is used by government agencies to identify a person and now Aadhar is being used not just by the government but banks, telecom companies and any other private company which means  the usage of Aadhar System will increase by 100X then what the system may have been originally intended to handle
                                                                      To get an idea of the volume of Aadhar transactions in a single month, in Dec 2016  alone 2 Cr 79 lakh NEW subscribers were added as per TRAI.. People are buying dual and quad SIM phone so one can imagine the number of times #Aadhar data is being accessed by the Telecom companies and there are another 100 industry sectors from Health to Banking to Hotel that will soon start using Aadhar to validate their customers..

Here is the link to view Wireless Subscriber added in Dec 2016  - Click this link
Here is the link to view latest TRAI Telecom Subscription report - Click this link

 
Let me highlight few burning QUESTIONS that the current Govt & UIDAI need to answer -

1) Was #Aadhar architecture designed to handle this large volume of daily transaction? 

2) Is  #Aadhar secure enough to be accessed by any private company that wants to use it? 

3) Who is monitoring the use of Aadhar data by private companies? 

4) If the Aadhar Database is secure then why has Aadhar data been leaked so many times in last 2 years? If the data was not leaked then why is the Tribune reporter who exposed DataLeak not charged with treason and put in jail?

5) Has any independent agency conducted an audit of the #Aadhar Software? Why is govt not publishing the report of such audit so that Indians are reassured that their personal data as well as their bio-metrics are secure & safe? 

6) Today hardly 1% of Indians have #Aadhar card, Will Aadhar system be able to handle #Aadhar transaction when entire India has #Aadhar and every private company starts accessing #Aadhar database to authenticate the customer? 

7) If Software Audit of Aadhar Software (typically done once every year for critical IT systems) has not been done so far it is a huge concern. Who are the CEO & CTO of #Aadhar Software (UIDAI) and why have they not advised the government to conduct  'Yearly Software Audit' of such a crucial software that is going to handle and manage world's biggest citizen bio-metrics database?

8) Does the Aadhar team not think it is necessary to audit the security, availability & scalability of its system by an independent expert agency?

9) Why is #Aadhar & Government not publishing a whitepaper on the security and stability of Aadhar system, particularly after a series of data breaches have been reported by the media?

10) How can #Aadhar team get away from the responsibility by saying the data breaches were not at the source? 

11) Finally if citizen's bio-metrics data is leaked will he be able to sue the government? The answer is no - the BJP government has cleverly avoided any responsibility towards data leak. I am not a supporter of any political party but I must admit the Congress government did not have this Draconian law and they did not try to fool the public.

I hope someone from the government reads this blog and many other blogs by IT industry experts and better sense prevails. Software systems are great enablers but if they are not designed well they can play havoc beyond our imagination and that is why software industry defines processes and guidelines to ensure development and maintenance of quality software. It would be sad if the most crucial software of India takes a hit because of a bunch of overconfident and under qualified engineers that decide not to use external agencies to validate the software they have built. 

P.S- I have tweeted to UIDAI and volunteered to review the Aadhar System and advice UIDAI because a billion Indians my data privacy is at stake but I did not get a response from UIDAI.


No comments:

Post a Comment

MUSTREAD : How can you use Index Funds to help create wealth? HDFC MF Weekend Bytes

https://www.hdfcfund.com/knowledge-stack/mf-vault/weekend-bytes/how-can-you-use-index-funds-help-create-wealth?utm_source=Netcore...