A recent newspaper report drew attention to the UIDAI subcontracting its database work to a startup, MongoDB, specifically drawing attention to the fact that MongoDB is being funded by a venture capital firm that is overtly linked to the CIA, and that using MongoDB leaves the Aadhar database vulnerable to backdoor access by the CIA. The article makes the following claim: “The risk exposure because of CIA involvement (could be that) if MongoDB is a data controller, then secret courts and secret court orders could be used to get access to the UID data”. While this claim could be true in an alternate universe, such claims expose a lack of knowledge about the way software development is funded and implemented in reality.
However, there could be merit in the idea of licensing the source code of the software from MongoDB — assuming that MongoDB is willing to part with it — if there are fears of any backdoors in the software. It should be noted that possessing the software source is hardly a protection against future releases having vulnerabilities, and will also increase the licensing fee, not to mention that the Indian government or the UIDAI is unlikely to possess the expertise required to read and understand the code — a complicated piece of software such as a scalable database like MongoDB cannot be understood easily by anyone other than its developers, and possessing the source may just create a false sense of security. This may be counterproductive, taking the UIDAI’s resources away from what is actually necessary to protect the UIDAI’s databases.
With respect to In-Q-Tel’s investment in MongoDB, the In-Q-Tel website clearly states that it invests in various tech companies such as MongoDB to further its own projects, as a means of funding them and ensuring long-term support for any software delivered by MongoDB to the CIA. MongoDB is unlikely to execute special projects for the CIA without adequate funding for the same, which is a better explanation for such investment in MongoDB. It is hardly in the CIA’s interest to buy software from a startup company and then find itself at a loss should the startup collapse at some point in the future, which is more than likely given that the failure rate of startups is known to be more than 95%.
The CIA is more likely to be concerned about its own secrecy and security if it considers using MongoDB than to be involved in some conspiracy to add backdoors to access the UID database, not least because accessing the UIDAI database does not mean access to all the data of all the institutions that use Aadhar as a means of authentication — this has been explained in sufficient detail in earlier posts on this blog. Like any other software vendor, MongoDB has multiple corporate customers, all running the same version of the software delivered by MongoDB to all its customers.
Secondly, access to the UIDAI databases is protected by authentication/security layers of code that have nothing to do with the database. This means ‘backdoors’ in databases are useless unless MongoDB also provides the security layers of the UIDAI databases — databases are backend entities that exist to store data and provide a means of accessing it. This is deliberately kept separate from the authentication mechanisms used to control access to the databases, since they are orthogonal functions in any software product.
Coming to the Aadhar card and the UIDAI using MongoDB’s services, it is a matter of solving the problems of scalability associated with Aadhar — building a database that performs well at high loads is essential to ensure that Aadhar is usable as more and more people and organizations start using the UIDAI’s authentication services. Currently, the response time is reported to be around 500 milliseconds for authenticating a request — if the UIDAI databases are not scalable, then response times are likely to increase non-linearly as the load on the UIDAI servers increases, and this could very well make the UIDAI unusable and a liability for all its customers.
While there is a lot of paranoid fear mongering questioning the motives of the UIDAI signing up for MongoDB’s technology, and fear that this move will expose the UIDAI database to foreign governments, the reality is that this is just a technical decision required to ensure good quality of service to the UIDAI’s customers, i.e., the banks and various institutions that will pay the UIDAI a fee for using its authentication services. It is another matter that the UIDAI does not find the expertise to build massively scalable databases among Indian companies — this should be a matter of larger concern for Indian citizens. India can hardly be expected to be strategically independent in the long term if all of its local infrastructure is completely dependent on foreign technology. Furthermore, the UIDAI only stores biometric information and the rest of the information filled in on the application form for the Aadhar card. Most of this information is already obtained from visa applicants to foreign countries, without the CIA resorting to building backdoors into MongoDB software to acquire it.