The ambitious UID project initiated by the Government of India is welcome news for us. But the various challenges in mitigating the security risks and privacy issues are indeed staggering for the UIDAI. This article helps readers understand the various challenges the Government faces in implementing the UID project.
The Government of India’s (GoI) initiative of creating the UID Authority of India (UIDAI) under the aegis of the Planning Commission and beginning the process of allocating the UID (Unique Identification Number) is welcome news. Putting the UIDAI under Nandan Nilekani, with his extensive technological experience and leadership qualities, is certainly a step towards executing the UID project effectively. As this move is intended to bestow the benefits of information technology on the common man and help establish the identity of citizens, it certainly enhances security at various levels.
It has been over 3 months since Nilekani took charge as the chairman of UIDAI (Unique Identification Authority of India) on July 13, 2009, and his team is already at work, so it is time for us to examine the security aspects and privacy issues of the UID project. Having a single nationally accepted identification and identity number will enable the government not only to better manage internal security, but also to have direct contact between the state and its citizens. This in turn can help in offering benefits to citizens without the need to prove identity from various government documents.
But all of this is in theory, and the large potential benefits rest on the privacy factors and security mechanisms that go into building and maintaining such a large and potent database. Nandan Nilekani and his team [UIDAI] are about to come up against a range of hurdles.
Need for UID
In India, we have different methods of identifying and verifying individuals; it is either done through a PAN card, passport, driving licence, ration card, voters’ ID card, LIC policy or even a letter from the Gram Panchayat or corporator. Any of these identification documents could also have varying information, which then leads to irregularity. The lack of a standardised method of identification is apparent. Hence, there is a need for unique identification of every individual. It is being created in such a manner that it is applicable across all sectors, and is recognised as a standard proof of identity. It is being designed to be unique so that nobody is able to duplicate or misuse it.
What is UID?
To put it simply, UID is a unique 16-digit number that is assigned to each individual in our billion-plus population, which will be used to identify the person for all interactions he or she will have with any public body, regulatory authority or law-enforcement agency. It will work much like social security numbers do in the United States, except that UID will be more wide-ranging. The UID, along with the biometric data, will serve as conclusive proof of identity across India, making it unnecessary for any citizen to carry multiple documents from a variety of government agencies. It can be used while traveling, opening a bank account, getting a telephone connection, voting in elections and so on.
The Government hopes one immediate benefit will be in the war on terror, with infiltrators and others finding it much harder to move around. People below the poverty line will find that UID gives them easier access to welfare schemes meant for their benefit, and will not find such aid diverted to those not entitled to it.
However, the key challenge will lie in setting up layers of security so that the integrity of UID is maintained. This is particularly important in a country where fake documentation, from birth to death certificates and everything in between, including ration cards, caste certificates, educational degrees, etc, has been produced with ease.
"The key role of UIDAI is to create a national authentication and an identity system - an infrastructure on which Centre, state governments and private sectors can have value added applications."
Integrating UID
Nandan Nilekani, Chairman, UIDAI
Before addressing the privacy and security concerns of UID project, let us understand how the UID is integrated into other documents issued by the Government of India. Contrary to what some of you may think, various central and state agencies will continue to use their own database for their activities. The only change will be that each record in the many different databases will have the national ID number [UID] added to it.
In other words, GoI, state and other agencies will continue to have a passport database with the external affairs ministry, a PAN (Permanent Account Number) database with the finance ministry, a terrorist database with the home ministry, a BPL (Below Poverty Line) database with the state governments, the election commission's voters database, and so on. Each of these databases will eventually have one more piece of information namely the UID. One of the key objectives of UID project is to integrate all of them under one roof, so that GoI can identify all the citizens and provide various facilities to them.
"One of the key issues for UIDAI is to ensure that there are no duplicates in database and this process can be possible only through biometric authentication."
Security Process
For those of you who have mistaken the UID for a form of "Multipurpose National Identity Card" (MNIC), Nilekani has made it clear that UID is a 16 digit number which is tagged to the biometric features of an individual. The UID is not a physical electronic smart card or an RFID (Radio Frequency IDentification) card with a biometric authentication system inside it. On a different note, the MNIC project was initialised in 2002 by the previous Government with a plan to design, implement and distribute MNICs to all the citizens of India. Since the UID project is closely linked to the MNIC project, the two are likely to be linked together and implemented in future. But presently, Nilekani has issued a statement that UIDAI has no plans to implement the MNIC along with UID in the near future.
Speaking of the security mechanism in the UID project, one wonders how UIDAI will validate its citizens if there is no physical identity card or electronic smart card. To do this, two different processes have to be followed: the first is the recording process and the second is the authentication process. Let us look at these two processes in brief.
1) Recording Process : In the first process, the UIDAI builds up a centralised database consisting of UID, biometric record and various other details of the person. The UIDAI allocates a unique 16 digit number (UID) which is randomly generated by the main computer to every citizen. Then a biometric data record is made by scanning the iris or 10 fingerprints of a person. This biometric data is tagged to the person's unique 16 digit number (UID). The UID tagged to the biometric record of a citizen is later used in the authentication process.
2) Authentication Process : In the second process, whenever a person has to be verified as genuine, a fresh biometric scan is made and the scanned image is sent to the centralised server. The server takes the freshly scanned biometric image as an input and compares it with all the biometric records already stored in the database. If a match is found, the person is designated a genuine citizen.
Though the above concepts and processes are simple in theory, in practice this is a mammoth and very complex project with various security challenges and privacy issues. UIDAI will have to ensure that the vast amount of biometric data collected is accurately recorded in the system, particularly the matching of the right fingerprints with the correct UIDs. In the coming sections, we will address all these issues in detail.
Online Authentication - Security Risks
Nilekani's proposed plan of authenticating a person by taking a fingerprint, sending it across a mobile phone and establishing identity has many challenges. The scanned fingerprint image is sent by the person to the centralised database server, and the online authentication comes back as a "Yes" or "No" response. In this process, one of the key issues is to ensure that the scanned fingerprint image sent online to the centralised database through a mobile phone travels over a secured line. In a secured line, all communications are encrypted and then sent to the other terminal. Since strong encryption features ensure additional security, this can be considered by the UIDAI. Otherwise the outbound signal carrying the fingerprint data can be manipulated by a hacker. If incorrect data is then given to the central database, the response from the authentication process would also be incorrect.
Another drawback of UID online authentication is that the response code takes only a Yes or No form. If the authentication process is successful, the response code should also contain some additional data such as the name/age/address of the person. Since additional information after the authentication process also helps to establish the correct identity of a person, UIDAI can probably review its authentication process policy.
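The tampering risk described above, shown from the defender's side as an added example (not code from UIDAI or from this article): the terminal and server authenticate each message with an HMAC and bind the Yes/No reply to a fresh nonce, so an altered scan, a replayed request or a flipped answer is rejected. The shared device key, the message fields and the byte-equality "matcher" are assumptions made for illustration; this covers integrity only, and confidentiality would still come from the encrypted line the article calls for.

```python
import hashlib
import hmac
import json
import secrets

# Assumption: the scanning terminal and the central server share a secret key.
DEVICE_KEY = b"constructed-demo-key"

def mac(key, payload):
    """HMAC-SHA256 over a canonical JSON encoding of the payload."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def build_request(key, uid, scan):
    """Terminal side: bind UID, scan and a fresh nonce under one MAC."""
    payload = {"uid": uid, "scan": scan.hex(), "nonce": secrets.token_hex(16)}
    return {"payload": payload, "mac": mac(key, payload)}

class AuthServer:
    def __init__(self, key, enrolled):
        self.key = key
        self.enrolled = enrolled          # uid -> enrolled template bytes
        self.seen_nonces = set()

    def handle(self, request):
        payload = request["payload"]
        if not hmac.compare_digest(mac(self.key, payload), request["mac"]):
            return None                   # request altered in transit
        if payload["nonce"] in self.seen_nonces:
            return None                   # request replayed
        self.seen_nonces.add(payload["nonce"])
        template = self.enrolled.get(payload["uid"])
        # Stand-in for biometric matching: exact byte comparison.
        ok = template is not None and hmac.compare_digest(
            template, bytes.fromhex(payload["scan"]))
        answer = {"nonce": payload["nonce"], "result": "Yes" if ok else "No"}
        return {"payload": answer, "mac": mac(self.key, answer)}

def verify_response(key, request, response):
    """Terminal side: return 'Yes'/'No', or None if the reply is untrusted."""
    if response is None:
        return None
    answer = response["payload"]
    if not hmac.compare_digest(mac(key, answer), response["mac"]):
        return None                       # reply altered in transit
    if answer["nonce"] != request["payload"]["nonce"]:
        return None                       # reply belongs to another request
    return answer["result"]
```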
Biometric Challenges
Electronic scanning and matching technologies are not 100 percent error-free. Since biometrics is not an exact science, the problem is not only that the underlying data is flawed; the biometric technologies themselves also have some error rates. Given the large numbers involved, even a 5 percent error rate will translate into 50 million records being matched incorrectly. At the time of purchasing biometric scanning equipment, it is important for UIDAI to include a clause stating the calibration requirements and asking the vendors to comply when the tender is floated. Once the biometric scanning equipment is purchased, UIDAI should also collaborate with the Government based Electronics Test & Development Centre (ETDC), Standardization, Testing and Quality Certification (STQC) to ensure that the purchased equipment is free of errors.
"Authenticating 600 million people in next four to five years is a Herculean task."
Scanning - Practical Challenges
While biometric data in digital format is the norm for modern day authentication, choosing the right type of scanning device is even more important. While fingerprinting is the most straightforward biometric available, iris scans are more reliable. But the equipment for iris scans is expensive and the implementation process is cumbersome. Many people could object to it as being invasive, and there are also very few suppliers of iris scan technology.
While UIDAI decides the type of biometric scan, experts argue that UIDAI should try to counter the challenges faced by residents in rural India. The erosion of fingerprints of people who are involved in heavy physical labour, or eyesight being affected over a period of time, is one such challenge. In the case of an eye scan, failing eyesight, surgery or an accident can make the biometric unusable. In such instances, experts are of the view that UIDAI may take all 10 fingerprints, besides an eye scan, of all residents in rural India to avoid loss of physical identification due to harsh working conditions.
The coming months are crucial because the Biometrics Committee with stakeholders from different ministries would come up with the final decision on the type of biometric scan set. While the decision on the fingerprint or iris scan is being taken, it is important for the committee to take the security factors into consideration without compromising on the privacy factors.
"In the coming months we will know the type of biometric scan i.e. scanning all your 10 fingerprints or an iris scan."
Secure Database
The need for a secure National database of citizens and their biometric data is crucial to ensure that it is not hacked by anti-social or anti-national elements. While Nilekani has emphasized the need to secure the database from hackers, he has also added that it is important to mitigate those risks. However, security experts are of the view that the database should be secured by implementing stronger cryptographic algorithms to encrypt and decrypt the data while accessing it. This could deter hackers from attacking the database, since the customised encryption algorithm would prevent them from making sense of the stored data.
Another key concern is that the stored data in the database is available online and accessed through leased or dedicated networks. We all know that once any data is online, the network is exposed to attack by hackers through any of its nodal points. To address this, effective control over the data being accessed is required. A Role Based Access Control (RBAC) model would be an ideal choice for a centralised UID system. To be specific, sensitive information in the UID database such as biometric data has to be accessed by authorised personnel only and not by anyone who does not have the specific access rights.
National Security
As far as National Security is concerned, UID is fundamentally being prepared to identify Indian citizens so that better security can be provided by excluding illegal immigrants and terrorists. The terror attacks of 26 November, 2008 in Mumbai have further hastened the GoI's move to set up the UID for its citizens. In the light of emerging security threats, it is natural for the Government to think of ensuring that the UID is strong enough to meet the National Security requirements.
Since the identity of a person is paramount to National Security, GoI should come up with a clear picture on the illegal Bangladeshi immigrants and the UID. As the primary purpose of UID is to ensure a positive identity for the citizens of India, the political class should not compromise on National Security, especially by diluting the purpose of UID. The Government on its part can bring out a positive policy statement making its stand clear to the citizens of India.
Since Nilekani and his team do not have policy powers pertaining to the National Security Act, the GoI can debate with various experts and policy makers on making the UID mandatory at a later stage. At this stage, the GoI can consider discussing the integration of the UID with the National Security Act, so that illegal immigrants from other countries can be identified and brought to justice.
Since UIDs help in identifying genuine Indians, they can certainly be used for the purpose of National Security. However, the real power of the UID is in its ability to provide ease of identity establishment to Indian citizens when accessing a variety of governmental and private-sector services.
"Addressing illegal immigration into India and terrorist threats should be the goal of the UID program."
Privacy Issues
Privacy is a key concern as all of an individual’s personal (biometric) information will be stored in one database, where the possibility of corruption and exploitation of data is far greater than when the information is dispersed. Risks that arise from this centralisation include possible errors in the collection of information, recording of inaccurate data, corruption of data from anonymous sources, and unauthorised access to or disclosure of personal information. This has naturally raised some criticism from privacy supporters in general.
Other countries with national identification systems have confronted numerous problems with similar risks such as trading and selling of information, and India, which has no specific established data protection laws such as the U.S. Federal Privacy Statute or the European Directive on Data Protection, is ill-equipped to deal with such problems. The Government needs to formulate tougher laws relating to the privacy of UID data by making amendments to the existing IT Act. The centralised nature of data collection (biometric information) inherent in the UID proposal only heightens the risk of misuse of personal information and therefore potentially violates privacy rights. We need to recognise the fact that the provisions in the Act are only enabling provisions, and the checks and balances required to prevent misuse of the law need to be incorporated in the rules and regulations that need to be formulated now. If we are vigilant and persuasive, we can ensure that sufficient safeguards are built into the system to prevent abuse of the provisions.
The UIDAI has to strike a balance between "privacy and purpose" on the biometric data collected from the citizens. The biometric database of people should not be misused in any way by the personnel of UIDAI or others. If the biometric data (digital fingerprint) of a person is compromised, the consequences of such an incident are fatal. This can lead to further chaos because the digital fingerprint is basically used for the authentication process. Hence if the critical biometric data of a citizen is compromised, all future authentication for that person could prove wrong. UIDAI has to look at how to design the system to make it more secure from malicious elements, both internal and external.
The privacy of individuals should not be compromised either through misuse by state bodies or by others gaining unauthorised access. This is vital, because if people suspect that the government cannot safeguard personal information, public support for the entire project might vanish. On privacy issues, there is a high “legitimate concern” about the security of the UID database with respect to the stored biometric information. The GoI has to assure the nation that the database will not be misused and result in an invasion of the privacy of its citizens.
Checks and Balances
In any given security system, it is easy to identify the risks and vulnerabilities from external sources. However a given security system can be secure only if we address the risks from internal sources in addition to external ones. Since the UIDAI project is very critical in nature, the UID and biometric data maintained by it should also be secured by the very persons employed to maintain them. In other words, as data security is one of the challenges, UIDAI should be made accountable for any data loss, errors or theft. The responsibility for data security should be taken very seriously by the UIDAI.
The law of the land provides some protection to the data subjects through the ITA 2000/8 and imposes certain responsibilities to the UIDAI for reasonable security practices to be maintained by UIDAI. If there is no attempt by the Government to shield the UIDAI from the provisions of the existing law, then we may consider that there is a legal structure for data security. It may still be necessary to define the "Reasonable Security Practice" for this service.
IT Acts for Data Security
Apart from the risk of impersonation, the other risk associated with the UID system, which is also going to be integrated with many downstream data sets, is the possibility of "Errors" in the data. In view of the criticality of the UID system, it is essential that inaccuracies be eliminated at the time of generation, and that there then be an expeditious but strong process for the correction of inaccuracies.
It must be remembered that UID will be "Information Residing Inside a Computer Resource" and is subject to the provisions of the Information Technology Act 2000 (ITA 2000) and the proposed amendments through the Information Technology Amendment Act 2008 (ITA 2008).
Any alteration of UID information which is unauthorised and causes wrongful harm is therefore an "offence" under Sections 66, 72 and 72A of ITA 2000/8 and is also subject to payment of compensation under Sections 43 and 43A of ITA 2000/8.
The UID authority is also subject to the provisions of Sec 67C, since the ultimate owner of the data is the data subject and the UIDAI is only an "Intermediary" as per the provisions of ITA 2000/8.
Maintenance of "Inaccurate Data" leading to wrongful loss would constitute lack of "Due Diligence" and could make the UIDAI liable.
One option for the Government is to pass a law making the UIDAI and its staff immune to any legal challenges. This is perhaps the most likely outcome, since this is the trend in Government functioning. This would however result in "Authority without Responsibility" and ideally should be avoided.
Responsibility for Data Security
In view of the criticality of the UID operation, the "Reasonable" security practices may have to be substantially stringent. It is necessary to implement globally acceptable principles of data security and privacy protection to meet the requirements.
Some of the specific requirements which can be implemented under this framework for ITA 2008 compliance include:
1. Obtaining the consent of the UID holders for inclusion of the data which would be in the form of an application made by the data subject and validated in its electronic form.
* If data is validated on paper and the UIDAI takes the responsibility for digitization then some member of UIDAI should be held accountable for any inaccurate data that may creep in. Such a person has to validate the electronic form of the data with his digital signature and take the legal liability for the inaccuracies.
* A copy of the data as entered in the database has to be provided to the data subject in print form with appropriate certification under Section 65B of the Indian Evidence Act as per established principles of Cyber Evidence Archival.
* As a part of this data validation process, it may be necessary to provide access to the data in the database to the holder of the UID so that he can verify the data any time and any number of times during the lifetime of the data.
* Though this facility may not be used by many of the UID holders who are not cyber savvy, it is an essential part of Cyber Law Compliance.
* This may require validation of the person making the query. If we need to use "Digital Signatures" for validation, the UID itself may also have to include an "e-mail address" at the minimum as a "Digital Identity parameter".
2. Data has to be encrypted in storage and every element of the database has to be digitally signed by an officer of the UID.
3. An appropriate audit trail of who accessed the data, what the hash value of the data was before and after the access session, the mode of access, the IP address etc will have to be captured and archived in such a manner that it is available for judicial scrutiny when required.
4. The hardware and software used by UIDAI should be source code audited and certified for integrity. Supplies from countries suspected to be preparing for Cyber Warfare against India must be avoided.
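The role-based access control suggested under "Secure Database" and the audit trail in requirement 3 above, combined in one added example (not code from UIDAI or from this article): every access attempt, allowed or denied, is logged with user, role, IP address, mode, time and the record hash before and after the session. The role names and field names are hypothetical, and chaining each log entry to the hash of the previous one is an added design choice that makes later edits to the archive detectable.

```python
import hashlib
import json

# Hypothetical roles and permissions; the article names RBAC but defines no roles.
ROLE_PERMISSIONS = {
    "helpdesk": {"read_demographic"},
    "enrolment_officer": {"read_demographic", "write_demographic"},
    "biometric_admin": {"read_demographic", "read_biometric"},
}
GENESIS = "0" * 64

def entry_digest(entry):
    """SHA-256 over the entry's fields, excluding its own digest."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditedStore:
    def __init__(self, records):
        self.records = records   # uid -> {"demographic": bytes, "biometric": bytes}
        self.log = []

    def record_hash(self, uid):
        """Hash of the whole record, with length-prefixed fields."""
        h = hashlib.sha256()
        for name in sorted(self.records[uid]):
            value = self.records[uid][name]
            h.update(name.encode() + len(value).to_bytes(8, "big") + value)
        return h.hexdigest()

    def access(self, ctx, uid, field, new_value=None):
        """ctx carries user, role, ip, mode and time for the session."""
        perm = ("read_" if new_value is None else "write_") + field
        allowed = perm in ROLE_PERMISSIONS.get(ctx["role"], set())
        before = self.record_hash(uid)
        if allowed and new_value is not None:
            self.records[uid][field] = new_value
        entry = dict(ctx, uid=uid, permission=perm, allowed=allowed,
                     hash_before=before, hash_after=self.record_hash(uid),
                     prev=self.log[-1]["entry_hash"] if self.log else GENESIS)
        entry["entry_hash"] = entry_digest(entry)
        self.log.append(entry)   # denied attempts are logged too
        if not allowed:
            raise PermissionError(f"{ctx['role']} lacks {perm}")
        return self.records[uid][field]

def first_tampered_entry(log):
    """Return the index of the first entry that fails verification, or -1."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry_digest(entry) != entry["entry_hash"]:
            return i
        prev = entry["entry_hash"]
    return -1
```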
Too Early to Speculate
Since the project is still at the design stage, it will take UIDAI a few more months before it arrives at a final structure for the UID project. Since its architecture and design, including the software, are still being built, the critics should give UIDAI some time to complete its development stage and start the final implementation process. It is only when the UIDAI begins its trial phase and enters the implementation stage that we can be certain of the design of the UID project and pass our comments on the security risks and vulnerabilities.
The critics on their part are justified in expressing their concerns on security risks and privacy issues. As a matter of fact, no scheme of this scale has been undertaken anywhere in the world. Since the technology envisioned for the UID project is to a large extent untested and unreliable, UIDAI has to weigh carefully the pros and cons of the whole project.
Conclusion
In terms of security and privacy issues, the ambitious plan of UIDAI to uniquely identify 600 million people and later 1.2 billion people is a complex task. It is not only Nilekani's technological acumen and managerial prowess but the collective efforts of UIDAI and other Government agencies that will help deliver a project of this magnitude. The GoI in general and UIDAI in particular should make sure that we have the highest standards of integrity, openness, transparency and process in all stages of the UID project.
Implementing and maintaining the UID system will generate high costs along with risks to safety, security, privacy, freedom, and liberty. The UID project should not become compulsory until there is an established judicial overview to ensure that the privacy rights of India’s citizens are not unlawfully violated. It is important that India confront and manage these risks and consider all alternatives before implementing the UID programme nationwide.
On the concerns about the UID database being misused by anti-national elements, Nilekani has conceded that there could be errors in authenticating people based on biometrics. One can judge by this statement that the UID project is far from perfect and that the key lies in mitigating the risks on security and privacy issues.
The concerns mentioned in this article do not necessarily mean that India’s planned UID program is not heading in the proper direction. But they signal a need for oversight to protect the privacy and equality rights of India’s citizens from the inherent security risks of a national database containing sensitive personal and biometric information. Only time will tell how the privacy and security challenges of UID project will be addressed by Nilekani and his team.
—By: R. Manoj
The author is an Assistant Editor at Fanatic Media, Bangalore.
He is also an Independent Researcher, specializing in IT Security. He has an active interest in designing security algorithms for securing mission critical systems. He can be reached at infosecurity@fanaticmedia.com