Subodh Sharma talks about the effectiveness of virtual IDs
Pratap Vikram Singh | January 16, 2018
The UIDAI has introduced two measures to strengthen the security of Aadhaar: a 16-digit virtual ID (VID) in place of Aadhaar number for authentication, and a ‘limited KYC’ feature in which agencies (other than those provided by the law) will receive a VID and not Aadhaar number of the user.
The move came after yet another expose of an unauthorised access to Aadhaar database in which demographic data of Aadhaar card holders were being sold on WhatsApp, as reported by The Tribune. Although a huge number of Aadhaar numbers have already been seeded with different databases, the virtual IDs, if applied carefully, will contain the damage. The VID is a kind of masking of the sensitive Aadhaar info. This solution, also called ‘tokenisation’, was discussed by three faculty members of the computer science department of IIT Delhi in a paper in the Economic and Political Weekly in September 2017. In an email interaction with Pratap Vikram Singh, Subodh Sharma, speaking on behalf of the trio of authors also including Shweta Agrawal and Subhashis Banerjee, talks about the effectiveness of virtual IDs, the key technological changes and safeguards necessary for secured use of Aadhaar. Edited excerpts:
Some experts call virtual ID and minimum KYC measures of the UIDAI as a ‘too little too late’ response.
The concept of virtual IDs, in our opinion, is a good idea. While it is hard to quantify statements such as “too little”, we feel that the other measures such as minimum KYC are necessary. Whether the measure is “too late” will depend on how effective and simple UIDAI’s migration plan is to replace the old Aadhaar numbers that have already been linked with the new virtual ones. The process can be problematic for the poor and the underprivileged if the migration is not executed with extreme care.
What are the fundamental technological weaknesses in Aadhaar system?
No public report is available presenting facts on the efficacy of biometric false ‘accept’ and false ‘reject’ rates; ditto for biometric deduplication.
In our opinion, it appears that the use cases for service delivery using Aadhaar are inadequately analysed (so it appears from the PDS exclusion reports).
Insofar as privacy and security are concerned:
(1) As we discuss in our paper, the model of using biometrics as a password (single factor) for authentication and authorisation is conceptually flawed. Biometrics should only be used for identity verification, that too under adversarial oversight.
(2) Using a single identifier (Aadhaar number) for all applications can create a vulnerability to orchestrate correlation attacks. This attack can possibly (if done well) be mitigated by virtual ids.
(3) The access control architecture appears vague. No clear and crisply defined online protocol for how data can be accessed and under what authorisation, how is it to be checked, and tamper-proof recording of access and authorisation trails and online audit. Hence, vulnerability to insider attacks.
(4) It appears that the peripheral services such as web-pages and mobile apps (m-Aadhaar) are poorly structured and poorly audited.
How does Aadhaar as a single digital identifier make individuals vulnerable? What is the solution you propose?
The digital identifier can be used to join databases, and mine personal information across multiple domains to profile individuals. Aadhaar is not the only global digital identifier with this vulnerability, mobile numbers and PAN also are. In fact, well before Aadhaar, the Indian private enterprises have started using mobile numbers as a unique id. Most databases, be it with banks and insurance, income tax, mutual funds, airlines, railways, hospitals and even small shops, have personal digital records indexed by mobile numbers. So, perhaps, mobile numbers require virtualisation more than Aadhaar does. Virtual ids, for all such unique identifiers, can be a solution. All you need is that if somebody, say an airline, calls your virtual mobile number, the real one should ring. Only a central authority needs to know the mapping. Ditto with Aadhaar.
Can you explain in plain language how cryptographically embedding Aadhaar ID into AUA-specific IDs makes the system safer from privacy and data protection perspective? Can you explain why it is needed and how it can be resolved?
In the current proposal there is no mention of cryptographic embedding. UIDAI will securely (hopefully) maintain a mapping between the global id and the various virtual ids. This way, if there is a need to join databases, say for some legitimate data analytics, then the UIDAI will have to facilitate it (there will have to be a mechanism for doing that). An alternative would have been to cryptographically hide the global id in the virtual ids, so that authorised entities with valid keys could link the virtual ids themselves (but still not be able to reconstruct the global id). That would have been another way to do the virtual ids.
In your paper you point at the need for demarcation between identity verification and authentication. Giving an example of Aadhaar-enabled service delivery, can you explain the importance of their separation?
Ideally identity verification should happen at the service provider’s premise, where there is a genuine interest in verifying the identity and the service provider will not collude with the person whose identity is being verified (adversarial oversight necessary to ensure that the person does not present a false plastic finger with somebody else’s fingerprint embedded on it). Consider, for example, a bank. The bank should produce an authentic biometric device, the person’s biometrics should be encrypted by the device and sent to UIDAI for verification along with her virtual id, and both the bank and the person should receive independent acknowledgements, directly from the UIDAI, about the outcome of the verification. That would be a correct identity verification protocol. This should only be done once in a while.
An example of an incorrect protocol is: A person walks up to a mobile telephone service provider’s officer to procure a SIM card, she gives her fingerprints to a device; the operator tells her that the verification has failed and asks her to put her fingers on the device again, she receives no communication from UIDAI, the operator issues a SIM in her name and sells it to somebody else. In effect she would have signed a blank paper authorising the agent to issue a SIM in her name! Ditto with withdrawal of money, PDS, etc.
Can you explain the possibility of insider leak of information from within UIDAI? How can it be addressed?
Consider the following scenario: some powerful entity can suddenly decide that SSS [the authors, Shweta, Shubhshis and Subodh] are bad people and influence insiders in UIDAI to access our personal data illegally without warrants, or put a tab on us. One or more insiders may use their privileged access rights illegally. Most attacks on protected databases happen through insiders – remember Snowden! Insider leaks are not only a concern with UIDAI but also with other bureaucracies like airlines and banks.
The only way to ensure against insider leaks is to have strict access control protocols in place to make unauthorised accesses, even by insiders, impossible.
Aadhaar is often criticised for a possibility of its use as a surveillance tool. Do you agree?
[It] can certainly become one without checks and balances. But the criticism is perhaps too broad and vague.
On one hand, there are claims about Aadhaar leading to huge savings which run in several thousand crore rupees. On the other, it is criticised for violation of privacy and exclusion in service delivery. Does the benefit outweigh the risk?
We cannot comment on the “savings” – there’ve been many loose statements on this already and we will not add to the noise. Risks can be mitigated with a proper design, and intuitively a unique verifiable identity appears to be a very useful tool for governance. The real benefit may come in digitisation of health records and in data analytics – econometrics, epidemiology, etc.
What are the other reforms and redressals required to strengthen the unique digital identity system?
Careful analysis of the use cases and taking special care not to cause exclusion or distress. Keep in mind the huge deficit of cultural capital in the country.
(The interview appears in the January 31, 2018 issue)
How much time do Indians spend talking on phone? It is on average 761 minutes per month, according to a new report from the Telecom Regulatory Authority of India (TRAI). The telecom regulator released its report, titled ‘The Indian Telecom Services Performance Indicators: July-Septemb
Renowned cardiologist Dr Ramakanta Panda has said that the pandemic has exposed the inadequacy of existing healthcare systems and it is wrong to draw comparisons with Korea, a country with the population equal to that of a single Indian state. While speaking to Kailashnath Adhikari, MD, Gove
The committee of experts appointed by the supreme court to deliberate with the stakeholders on the new farm laws held its first meeting here Tuesday, with one of its members saying that all stakeholders, including individual farmers, will be heard. Hearing a petition on the farm laws enacted
The nationwide vaccination campaign launched Saturday, the largest such exercise in the world, has started setting new benchmarks, with vaccines administered to 2,24,301 beneficiaries in the first two days. “India has vaccinated the highest number of persons on Day1 under its COVID19 v
The Maharashtra government has announced a spending of Rs 2,500 crore annually to develop infrastructure of state-owned distribution company Mahavitaran (MSEDCL). Out of the total amount, Rs 1,500 crore will be spent on energisation of conventional agriculture pumps and Rs 1,000 crore
India on Saturday began the massive vaccination drive against Covid-19, as prime minister Narendra Modi paid tributes the ‘corona warriors’. “Such a vaccination drive at such a massive scale was never conducted in history. There are over 100 countries having less than 3 cro