A few events prompted me to start on this blog post.
- A division of the organization I work for, cleared an information security audit recently.
- The government is to ditch the UID (Aadhaar) program.
- Some of my folks were upset about the politicians killing a what-appears-to-be-a-well-intended-program.
This post is about information security and why it is fine to kill the Aadhaar program. (An earlier one is here.)
It took us close to two months to set up enough systems and processes to secure trivial pieces of information. The systems were physically secured, and a very small number of users will have network access to the systems that we secured. The security is to the best of our knowledge and we got it verified using an external agency. The auditors were convinced that our processes were sufficient, primarily because we dealt with no critical data, only code that would eventually move out of our network to the client's network. It is equivalent to locking the vault that contained nothing precious. Our effort to secure it would have been manifold if we had to protect important data or serious intellectual property.
What I learnt in the preparation for the audit and from the auditors is - information security and optimism don't go together. You have to be extremely paranoid when it comes to protecting information.
Having said that, I have serious doubts about the Aadhaar program.
Let me take one aspect of it, namely the API - that is, the programming interface to retrieve information from Aadhaar.
- As per the most recent API documentation, the legal framework to use the API is yet to be done. So, we do not have even a draft definition of compliance by organizations to make use of this API. There are already a handful of organizations like the domestic gas suppliers at Chennai who insist on having a UID if you want a gas connection. Looked like UID will be another card that we would be forced to have.
- Some of the compliance requirements I'd be interested in are:
- What is the physical security that the client organizations must enforce in order to protect customer data?
- Can the client organization hold onto the bio-metric information? As a legitimate client I can have a use-case where I may have to store customer personal information. It should not be allowed, but this is a country were rules are easily bent and twisted beyond recognition.
- What are the credentials for a client to get access to UID data? Who can decide this? RBI? Nandan Nilkeni?
- Who has the authority to ensure that the client organization doesn't store the end customer's personal information?
- If we create such an authority, what will be the frequency of audit or will there be a certification process for the software created by client organization?
- Aadhaar allows for public devices (devices not registered with Aadhaar) to communicate with the system. How can Aadhaar ensure that these devices are secured and no unwanted software is on those devices?
- The API document assumes that by encryption, all communication can be secured. In real life, we have key-loggers, worms, trojans, virus and screen grabbers for regular computers, more advanced card skimming hardware for ATMs and so on. The document appears to ignore all of them.
There could be other issues with the implementation of Aadhaar on legal front as well.
For once, I like the politicians who opposed the program, cutting across party lines. UIDAI doesn't have a legal status to hold people's personal data. I do believe that UID is not the way to address the problems of this country. I am fine with ration card, PAN, voter's card, driving license etc, that were issued for specific purposes.
Right from the idea during NDA regime, this program had enough justified opposition. A very important one is that, no democratic country, has so far had given numbers to all its citizens. If others haven't done it, there is probably a very good reason. Ignoring the reason means - there is probably a different motive for this program.