Saturday, December 10, 2011

Aadhaar, Information Security and Optimism

A few events prompted me to start on this blog post.

  • A division of the organization I work for cleared an information security audit recently.
  • The government is to ditch the UID (Aadhaar) program.
  • Some of my folks were upset about the politicians killing what appears to be a well-intended program.
This post is about information security and why it is fine to kill the Aadhaar program.  (An earlier one is here.) 

It took us close to two months to set up enough systems and processes to secure trivial pieces of information.  The systems were physically secured, and only a very small number of users have network access to the systems that we secured.  The security is to the best of our knowledge, and we got it verified by an external agency.  The auditors were convinced that our processes were sufficient, primarily because we dealt with no critical data, only code that would eventually move out of our network to the client's network.  It is equivalent to locking a vault that contains nothing precious.  Our effort to secure it would have been manifold if we had to protect important data or serious intellectual property.

What I learnt in the preparation for the audit and from the auditors is that information security and optimism don't go together.  You have to be extremely paranoid when it comes to protecting information.

Having said that, I have serious doubts about the Aadhaar program.

Let me take one aspect of it, namely the API - that is, the programming interface to retrieve information from Aadhaar.
  • As per the most recent API documentation, the legal framework to use the API is yet to be defined.  So, we do not have even a draft definition of compliance for organizations that make use of this API.  There are already a handful of organizations, like the domestic gas suppliers at Chennai, who insist on having a UID if you want a gas connection.  It looks like UID will be another card that we will be forced to have.
  • Some of the compliance requirements I'd be interested in are:
    • What is the physical security that the client organizations must enforce in order to protect customer data?
    • Can the client organization hold onto the biometric information?  As a legitimate client I can have a use-case where I may have to store customer personal information.  It should not be allowed, but this is a country where rules are easily bent and twisted beyond recognition.
    • What are the credentials for a client to get access to UID data?  Who can decide this? RBI? Nandan Nilekani?
    • Who has the authority to ensure that the client organization doesn't store the end customer's personal information?
    • If we create such an authority, what will be the frequency of audit, or will there be a certification process for the software created by the client organization?
  • Aadhaar allows for public devices (devices not registered with Aadhaar) to communicate with the system.  How can Aadhaar ensure that these devices are secured and no unwanted software is on those devices?
  • The API document assumes that by encryption, all communication can be secured.  In real life, we have keyloggers, worms, trojans, viruses and screen grabbers for regular computers, more advanced card skimming hardware for ATMs and so on.  The document appears to ignore all of them.
There could be other issues with the implementation of Aadhaar on the legal front as well.

For once, I like the politicians who opposed the program, cutting across party lines.  UIDAI doesn't have a legal status to hold people's personal data.  I do believe that UID is not the way to address the problems of this country.  I am fine with the ration card, PAN, voter's card, driving licence etc., which were issued for specific purposes.

Right from its conception during the NDA regime, this program had enough justified opposition.  A very important one is that no democratic country has so far given numbers to all its citizens.  If others haven't done it, there is probably a very good reason.  Ignoring the reason means there is probably a different motive for this program.

Saturday, November 12, 2011

Nurturing the goose that lays golden eggs

There are more than enough articles about what ails the US and its economy.  Here is my noise.

Every society has its share of skilled, less-skilled and unskilled people.  The split usually forms a pyramid with the unskilled at the bottom and the skilled at the top.  The US is no exception.  The pyramid may be steep or a gentle slope, but it is a pyramid.

The lower levels of the pyramid are fed by the higher levels.  People at the higher level generate more wealth with their skills, entrepreneurship etc. and pay the less skilled people for using their less valued skills.  This is well understood, and many capitalists do agree on this.

What isn't obvious is that the presence of the base ensures that the people at the top stay where they are.  That is, the lower levels must exist and be strong so that they can support people at the higher level.  The lower levels are not just service providers but are also consumers who keep a number of businesses alive.  In other words, businesses must use their services so that they can stay as consumers.

Here is a small digression.

Have you heard of ITC's Choupal story?  It is a simple one, where ITC reached out to millions of farmers and purchased their produce directly.  A couple of things didn't get the attention they deserved.
  • Through the Choupal, ITC is able to push its products to the farmers, just as they sell their produce to ITC.
  • In the process, ITC ensured that the low-income group is taken care of and is part of its market.
When businesses in the US focused too much on markets and profits, the less skilled were left out.
  • When everyone drove a car, public transportation was killed and there were no jobs for the drivers, cleaners and mechanics.  Car servicing and maintenance don't create jobs for unskilled people.
  • Though car manufacturing created jobs, shutdowns and lay-offs have left a large workforce out there in the cold.
  • With washing machines, dishwashers, lawn mowers and every item at Home Depot, more jobs like domestic help, gardeners and small-time carpenters and masons went away.
  • When manufacturing moved to China and other cheaper locations, jobs at assembly lines were gone.
  • Low-technology jobs at call centers moved too, taking away another chunk of jobs.
While all of these made perfect sense for the businesses and the bottom line, over a period it eroded the number of jobs for the unskilled and semi-skilled.

Here is my less-than-two-cents' worth of wisdom for a turnaround:
  • Opportunities must be created in less-skilled, service-oriented industries.
  • Any concession on taxes must be given to sustainable service industries.
  • Funding for public transportation can create jobs and might even work out during these days of high fuel costs.
  • Tax benefits for payments toward domestic services may encourage the middle class to outsource work to the local unskilled workforce.

Tuesday, April 26, 2011

In defense of private schools

Yesterday my son brought a note from school, a petition of protest against some of the items in the RTE act. A half-truth report of it can be found here. I chose to sign it though I have a slightly different opinion on some of the items in the note.

The key areas where I agreed and decided to sign the petition are as follows:

- "The government (read politicians and bureaucrats) can push an ineligible (in terms of discipline, brain development) student to a school". I am so sure that the politicians will make a killing with this clause. In many schools, the school management used to gain in admitting such students. That's taken away and creates a channel in the guise of legality for people to make money. My son's school doesn't come under this category. So, I agree with their point.

- "The school doesn't have the right to take action against a student." In a healthy system, action against indiscipline must be allowed, more so in schools where discipline is important. If this clause is true with RTE, then RTE will prevent creation of any respectable organizations.

- "The local education officers can decide on the curriculum and academic programs." This is one of the dangerous clauses. We do not have a system where reasonable, honest and non-dogmatic persons are appointed as local education officers. Again, if this is true about RTE, we will have many warped minds dictating the curriculum.

I am all for education for all, equal opportunity and all nice things. But RTE appears to be a half-baked attempt that will be available only on paper.

The points I disagree with are:

- "The teachers may have to spend extra time with a few kids who aren't really up to the standard." This is the case even now, where some kids need extra attention.

- "The cost of education will go up if the school admits students from poorer backgrounds." I believe wealthier people have a responsibility towards not so well-off people. I have sponsored 3-5 kids' education every year for over 6 years now. Sponsoring a few more kids is good; I will be glad to do so.

But the question is: why haven't the governments that have been around for over 60 years, and have been collecting an education cess for the past 6 years, been able to provide quality education? What happens to the 2% you pay on top of your service tax, income tax and other taxes? I haven't found an answer yet.

Maybe I should look to RTI to know more about RTE.

Friday, March 25, 2011

Forgery, Kotak and warnings on Aadhaar (UIDAI)

Here is a post describing my experience with one of the large insurance companies, Kotak, and what it means to all of us when we sign up for Aadhaar.

Last December, some of my relatives and I signed up for a few insurance products with Kotak through a common agent. One of my relatives found out that his signature was forged in the illustration acknowledgement form. On review, we found out that it was not a single account, but almost all our accounts had forged signatures. A short digression to explain what this illustration acknowledgement is.

When you sign up for an insurance product with returns, the insurance company gives an illustration of the approximate gains or losses you would get. Typically this form is prepared, sent to you for signature and added as the last section in your insurance document (a big book). At Kotak, someone decided to take a shorter route, signed for all of us and prepared the book.

In January 2011, when we brought it to the notice of Kotak's branch manager at the Chennai Cenotaph Road branch, he accepted the problem and said that the employee who did that had been fired already. We decided to limit our next set of actions to lodging a complaint with Kotak and getting an acknowledgement with details on the issue, inquiry and resolution. Our aim is to ensure that the system takes corrective action, penalizes the wrong-doers and records it so that such things do not recur.

So, I promptly emailed their client service desk, for which I have got no response till now. I waited for over a month and escalated it to the grievance redressal system. I promptly got an automatic response that assured a real response in two weeks. Three, four weeks have elapsed and no one at Kotak seems to take note of emails sent to the addresses published on their web-sites.

Now, this shakes my trust in our financial institutions in general and Kotak in particular. I would try to close my accounts at Kotak, but doing so without incurring any penalty could be difficult.

What does this have to do with Aadhaar (UIDAI)?
With Aadhaar, your financial institutions get access to your information: your UID number, signatures, fingerprints etc. Criminals and ambitious executives can make use of this information to sign up for services that you are not aware of, and may just stop short of stealing money from your bank account. In effect, they can put you in a lot of discomfort and score a few points within their organization, get a promotion, leave and what not.

The problem is not with the criminals or the ambitious executives, for they have always existed, but with the organizations that do not give enough importance to security and customer grievance redressal. In effect, you as an individual will have to run from pillar to post to get your problem fixed, while it becomes relatively easy for someone to misuse your information.

You, the customer, do not have a lot of options when financial institutions insist on a UID for opening an account. You can at least inquire whether the organization has enough checks and balances to prevent misuse of your information.

To add to the risks, Aadhaar publishes an API, that is, a programming interface for accessing your data. Who knows who will get hold of your information and what they will do with it!

Feel free to add your comments on such problems and your opinions on Aadhaar.

Sunday, January 9, 2011

Ayodhya Court Verdict - A step in the right direction

[From my other blog]

I'm not an expert on legal matters, nor do I understand the existing facts and figures on Ayodhya. It is beyond my ability to comprehend complex language and history.

But I believe the judgement is a step in the right direction. The problem is not so much that of the ownership of the land as a conflict of perceptions. Whatever we have as documented evidence are the perceptions of the Hindus, the Muslims or the left. Our history, archaeology and even evolution are in a way perceptions in their own right. There is no such thing as truth, for everyone sees history the way he or she wants to.

Don't underestimate the power of these perceptions. They can be so powerful that we might end up with a totally divided society if these perceptions are left to themselves or allowed to strengthen. I'm saddened by the lack of wisdom on the part of neutral parties in understanding the importance of perception. It is a challenge for any administration to maintain normalcy when people hold on to their perceptions. In a way, the banning of bulk SMS at the time of the verdict was a right step.

There are two or more parties (I'll include the so-called neutral people who want to go by the documented information) who hold their own perceptions. It hasn't been easy for anyone to get these parties closer to resolving the issue, as they carried their baggage of perceptions. The warring parties did not have a bigger heart, and the political leadership lacked the integrity to find a solution.

The judges took it upon themselves to resolve the crisis. They may not have the authority, but they have shown the wisdom to understand the situation and come up with a solution that will pave the way for a total solution. They have acted a lot more maturely than the armchair analysts and activists.

The division of the property may not be perfect or to the satisfaction of the BMAC, but the court allows for appeal. It is still possible that the BMAC and the Hindu parties may reach a more sensible arrangement and resolve it by the time the supreme court decides.

It is important that all parties unload the ghosts of the past, from the days of Rama to Babar to 1949, '87 or '92, in seeking a solution. With perceptions coming closer, there is a possibility of an extraordinary exhibition of Muslim brotherhood or Hindu acceptance.

If there is an appeal and the supreme court goes purely by the book and rejects this verdict, that'll be very unfortunate. A decision based on "hard" facts may sound right legally, but can't be so for the country.

Corruption in recent times: A psycho-somatic explanation

[From my other blog]

Why do we see the powerful as the most corrupt? Here is an attempt to explain it in a neutral, pseudo-psychological way:

For the sake of ease of reading, I am using the masculine gender, no respect or disrespect intended. I start with three basic premises:

  • As a social animal, everyone naturally holds onto an identity. This identity can be that of caste, race, ethnicity, belief system or even ideology. This is what binds individuals to the rest. Some of these are fixed and some are not-so-fixed, allowing for new identities to be used for binding.
  • Man is programmed to protect this identity. Wars, whether ethnic, racial or ideological, are effects of this urge to protect this identity.
  • The most insecure tend to become the most powerful. The reason is simple. With their paranoia, they are better suited to protect this identity. They get the ideas and energy to strengthen this identity because of their paranoia.

Now, let's see how this insecurity manifests in the physiological and psychological spheres. In the physiological space, insecurity reflects as lust, an urge to leave more copies of the individual before he gets destroyed. This explains why kings had wives and maintained harems. In the psychological space, this reflects as greed for wealth, territory and power. This greed usually resulted in benefits for that society. (The neighboring kingdoms may be destroyed, enemies with a different ethnicity or religion were butchered and so on.)

Things were clearly black and white until democracy and pluralistic societies arrived. The ancient societies accepted the warfare and amorous behavior of the rulers. It is like giving them the room to be their natural selves.

With the advent of democracy, the insecurity itch of the ruling class remained, but there is no way to scratch it, with laws against polygamy and no-war pacts. There is a further setback to the identity: they can't be extreme right-wingers to be rulers. They have to work out a healthy co-existence with the ethnic, linguistic and religious minorities living in their territories. So, identifying with one group will be counterproductive when it comes to elections. (We also see non-democratic countries continue to start wars on the basis of religion, ethnicity or ideology.)

The lust and greed remain, as they are the results of a more basic insecurity. The lust gets some avenues with changing social conditions that allow for divorces, casual flirting etc. The greed remains. The greed that once served the society stops at the individual, as the identities that he was once part of have weakened. The individual tries to address the high insecurity with wealth accumulation. He strengthens his position by sharing this wealth with his near and dear ones. The identity has shrunk from a big society to his family. If the avenues for the lust are shut (because of age, physical and social conditions), the greed fills in that space.

I've refrained from naming any powerful person, Indian or otherwise, and would like the readers to correlate this article to their favorite ones.