Tag Archives | Privacy

UID and Information Security

[It gives me great pleasure to welcome Srikanth to this blog. Srikanth is a Senior Research Associate at the Cyber Strategies Studies team of The Takshashila Institution - Srijith]

The prospect of every Indian having a Unique IDentifying (UID) number ushers in a new era in the life of the Indian citizen who applies for one. The system holds much promise, and much is being staked on the success of this project, both for the citizen and the Government.

However, if the Government does not have a process in place to speedily address weaknesses and security holes in the system, practical implementation issues have the potential to slow down or even kill the public's acceptance of the UID system. If the average citizen is inconvenienced and harmed for adopting the UID system, having been promised better service from the Government, then the life of such a UID scheme may be a lot shorter than the Indian Government envisions. Even the much more centralized and orderly bureaucracy in China has largely failed to correctly implement a similar Chinese UID system, which increases the odds of failure for the much more chaotic and decentralized system of governance in India, unless the Indian Government structures policies to ensure that the system is secure from criminals and enemy governments.

Because the UID will be central to an Indian's identity for their entire lifetime, at least in theory, the opportunities to increase efficiency and cut down corruption in the system are tremendous, as are the threats to the privacy of the citizen. Crimes such as identity theft are now commonplace in today's age of increasing internet usage worldwide. Such crimes happen when criminals come into possession of the private details of a citizen/victim, and then proceed to create a new identity with these bits of information. Typically, the UID, along with the date of birth and one other bit of private information, is enough to gain control of another person's identity. This false identity is then used by the criminal to procure credit cards or other financial instruments and essentially make the victim pay the bill. In the face of all this, it seems advisable to consider all the problems faced in the implementation of similar systems elsewhere, and the manner in which such UID schemes have been compromised. Furthermore, the reality of rampant criminality in Indian politics and bureaucracy makes the problem even more difficult if the officials in charge of implementing the UID system are themselves compromised.

Has the Government considered building security into the UID system by creating appropriate policies for it? Isn't defensive policymaking a better way to ensure the long-term integrity of the UID system, as opposed to leaving that integrity dependent on the goodwill of the ultimate implementors of the system in the bureaucracy? If the UID system is designed to defeat the criminals/corruption in the Indian bureaucracy, then surely the UID system itself becomes the enemy of the criminal elements of the system. Motivated human beings with the intent and opportunity to compromise the UID system can surely do so with some effort on their part, such as simply turning off a crucial device required to automate input into the UID system, or ensuring that necessary devices malfunction so that the public cannot use them to complete a transaction with the Government or an authorized private organization.

What is the policy to ensure non-leakage of data to people without credentials for it, either within the Government or outside? When a person in a call center or a bank looks up the private information of a citizen, they must not be able to record enough information to use after they are no longer authorized to do so. A disgruntled former employee can use such information to compromise the integrity of the system if they were allowed access to sufficient private information from a citizen's UID record.

What is the policy to ensure that banks and other organizations that possess this UID do not leak details to their business partners, or to anyone else not authorized to possess such information? Is there a way to reduce the burden of protecting UID data that falls on third parties? The US's Social Security Number UID system left itself open to abuse and identity theft because Social Security numbers were required to perform a variety of transactions, forcing the citizen to reveal the number in too many places. This points to a need for strict guidelines on when a business may demand the UID of any citizen. Businesses not authorized to possess the UID must use their own identification numbers for their customers and not record the UIDs of citizens. Another way to reduce abuse is to mandate that a UID number may never be printed out in any paper form identifying the card carrier. For example, ensuring that at most the last 4 or 5 digits (or whichever part of the UID number is liable to be more random) of a UID are displayed in public can make the system less susceptible to the whims of a disgruntled ex-employee.
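The two mitigations above, a business keeping its own customer identifier instead of the UID and displaying at most the last few digits, as an added illustration that is not part of the original post. It assumes a 12-digit numeric UID; the vault, the reference token format and the record layout are constructed for the example.

```python
import re
import secrets

UID_RE = re.compile(r"^\d{12}$")  # assumption: a 12-digit numeric UID


def mask_uid(uid: str, visible: int = 4) -> str:
    """Return the UID with all but the last `visible` digits hidden.

    The trailing group is the part the post suggests is the least
    predictable, so that is the only part that stays visible.
    """
    if not UID_RE.fullmatch(uid):
        raise ValueError("UID must be exactly 12 digits")
    if not 0 < visible < len(uid):
        raise ValueError("visible digits must be between 1 and 11")
    hidden = "X" * (len(uid) - visible) + uid[-visible:]
    # group in fours for readability, e.g. XXXX XXXX 9012
    return " ".join(hidden[i:i + 4] for i in range(0, len(hidden), 4))


class UidVault:
    """Holds the only copy of the raw UID and hands out opaque references.

    A business not authorised to store UIDs keeps the reference (its own
    customer identifier) and a masked string for display, never the UID.
    """

    def __init__(self) -> None:
        self._by_ref: dict[str, str] = {}
        self._by_uid: dict[str, str] = {}

    def enrol(self, uid: str) -> dict:
        masked = mask_uid(uid)            # validates the format first
        ref = self._by_uid.get(uid)
        if ref is None:
            ref = secrets.token_hex(16)   # random, unrelated to the UID
            self._by_uid[uid] = ref
            self._by_ref[ref] = uid
        # this is everything the business receives and is allowed to store
        return {"customer_ref": ref, "uid_display": masked}

    def resolve(self, ref: str) -> str:
        """Only the vault (the authorised party) can map back to the UID."""
        return self._by_ref[ref]


def record_leaks_uid(record: dict, uid: str) -> bool:
    """Audit check: a business-side record must never contain the full UID."""
    return any(uid in str(v) for v in record.values())
```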

What is the Government's policy to ensure that the networks in which such data is kept are secure from cyber-attacks? What are the minimum policies required to protect such data from foreign governments, which could use it to cause plausibly deniable mayhem to the system? For example, think of India's current enemies possessing all the information on a group of Indian individuals. This points to a need to store such information in a highly secure manner. Another obvious way for a criminal to undermine the UID system is by colluding with someone in the Government who has access to this system and authorization to create UIDs: the number used as an identifier for an individual can then be duplicated with new biometric information added to the card, and the identity of any individual with a UID can be stolen. What kind of policies need to be instituted to ensure that such methods of abusing the UID system cannot be pursued?

Last but not least, there needs to be a well-publicized and well-known means of reporting problems and issues with the UID implementation, so that the citizen can resolve any issues with the implementation of the project speedily. For example, there may be bugs in the software or the hardware, or simply human errors, resulting in inconvenience and pain for the UID card holder. Under such circumstances, there needs to be a technical support line for people to report problems and provide feedback to the people implementing the UID system. Information on all of this needs to be handed to people when they receive their UID card; this is important for obtaining feedback on how the implementation of the system is progressing. It may be a good idea to set up a few call centers, a UID technical support hotline, and a UID customer support hotline; in addition to technical support, this hotline can be used to collect feedback on the overall working of the UID system. Events that are very likely to happen to a user, such as the UID card being lost or stolen, need to have a proper resolution; else, as in the case of the Chinese UID system, the citizen is likely to fake his or her own identity, or break other laws, in order to escape the tyranny of a broken UID system that is not responsive to complaints and feedback.

The Indian Government owes it to the citizen receiving a UID to explain all the pitfalls of revealing the UID to the wrong people, and the precautions and pitfalls of using the UID, along with a technical support line. Maybe all of this is already being done, and if so, kudos and a thank you to Mr. Nandan Nilekani and the developers, implementors, and programmers of the Indian UID system.

Added Later: The India UID web page has links to a lot of details on the security aspects of the UIDAI (UID Authority of India). The following links are scanned copies of newspaper articles on the security of the UID database, as explained by Mr. Nilekani, and the overall tight security envisioned by the UIDAI.


RIM, Skype, Google and DoT

In the last few days several media reports have carried articles to the effect that, according to an alleged "internal Government note", the Department of Telecom (DoT) of India will ask Research In Motion and Skype to make their content "readable".

“DoT will call the representatives of Research In Motion (manufacturer of Blackberry devices) and Skype and ask them to ensure that the content going through the telecom service providers is in readable format. They have to ensure that this is implemented within 15 days failing which services that do not allow lawful interception on a real-time basis would be blocked/banned,” said an internal Government note. (source)

While all the noise that ensued has been on the basis of a leaked note that may or may not exist (none of the reports really say who has seen this mysterious note), this author has reasons beyond the article to believe that such steps are indeed being discussed and acted on.

For those who ask whether there is international precedent for government laws and actions along the same lines, look no further than the US. The Communications Assistance for Law Enforcement Act (CALEA) forces telecom providers operating in the US to provide similar support to the government. This applies to VoIP-based providers too. According to the FCC website:

All facilities-based broadband Internet access providers and providers of interconnected VoIP service have until May 14, 2007 to come into compliance with CALEA. In the May 12, 2006 Commission order, the Commission found that section 107(c)(1) may not be used by entities seeking extensions for equipment, facilities, and services deployed on or after October 25, 1998 (the effective date of the CALEA section 103 and 105 requirements).

The question of whether the DoT has any legal standing in this matter is to an extent answered by the IT (Amendment) Act 2008. Amended Section 69 now reads:

(1) Where the Central Government or a State Government or any of its officers  specially authorised by the Central Government or the State Government, as the case may be, in this behalf may, if satisfied that it is necessary or expedient so to do, in the interest of the sovereignty or integrity of India, defence of India,  security of the State, friendly relations with foreign State or public order or for preventing  incitement to the commission of any cognizable offence relating to above or for investigation of any offence, it may subject to the provision of sub-section (2), for reasons to be recorded in writing, by order direct any agency of the appropriate Government to intercept, monitor or decrypt  or cause to be intercepted, monitored or decrypted any information generated, transmitted, received or stored in any computer resource.

Sub-section (3) clarifies further:

(3) The subscriber or intermediary or any person in-charge of the computer resource shall, when called upon by any agency referred to in sub-section (1), extend all facilities and technical assistance to–

(a) provide access to or secure access to the computer resource generating, transmitting, receiving or storing such information; or

(b) intercept, monitor, or decrypt the information, as the case may be; or

(c) provide information stored in computer resource

The term “computer resource” is defined as follows:

(i) “computer” means any electronic magnetic, optical or other high-speed data processing device or system which performs logical, arithmetic, and memory functions by manipulations of electronic, magnetic or optical impulses, and includes all input, output, processing, storage, computer software, or communication facilities which are connected or related to the computer in a computer system or computer network;

(j) "computer network" means the interconnection of one or more computers through—
(i) the use of satellite, microwave, terrestrial line or other communication media; and
(ii) terminals or a complex consisting of two or more interconnected computers whether or not the interconnection is continuously maintained;

(k) "computer resource" means computer, computer system, computer network, data, computer data base or software;

(l) “computer system” means a device or collection of devices, including input and output support devices and excluding calculators which are not programmable and capable of being used in conjunction with external files, which contain computer programmes, electronic instructions, input data and output data, that performs logic, arithmetic, data storage and retrieval, communication control and other functions;

In addition, s.118 of the IPC has been amended to recognize the use of encryption as a possible means of concealment of a ‘design to commit [an] offence punishable with death or imprisonment for life’.

It is not clear, however, whether applications like Skype can be held accountable when they operate in a pure p2p manner and do not use the PSTN (which forces a central server into the picture). But the government could argue that the end peer should log all the encryption keys used in a session at the peer, thus allowing the agencies to retrieve them.

The other point that needs clarification is whether one can enforce one part of the Act without having mechanisms in place to enforce another. Sub-section (2) of section 69 states:

(2) The procedure and safeguards subject to which such interception or monitoring or decryption may be carried out, shall be such as may be prescribed.

I am no lawyer, but as a layman (a) I have no idea what that means and (b) I don't know whether such procedures and safeguards have indeed been "prescribed".

Update (08/07/2010): I have been told by someone who knows a lot more about legal things than me that indeed, the safeguards are a prerequisite for the actions considered under the section. The question of whether such procedures and safeguards are in place is still an open one.
