03 UID and security

Will the UID enhance security or end up gutting security?

This scheme is touted as a panacea for security. It is here that it is at its most flawed. Keeping all the data together is a criminals dream. It provides them just one (or a very, very limited) server or database to crack, and they get a master key. No matter how much is invested in keeping this data secure, it will always be hacked or leaked. For the record, in just eight months of 2009—10, China hacked into the computers of the Indian Prime Minister’s Office (PMO) not once but multiple times. They have also hacked into the ‘high security’ Indian embassies in Kabul, Moscow and Dubai, United Arab Emirates, and at the High Commission of India in Abuja, Nigeria. Confidential information taken from Indian embassies include assessments of Indian relations with West Africa, Russia, former Soviet republics and the Middle East. Computers used by the Indian Military Engineer Services in Bengdubi, Calcutta, Bangalore and Jalandhar; the 21 Mountain Artillery Brigade in Assam and three air force bases were compromised, and computers at two Indian military colleges were also taken over by the spy ring. Why the Pak Cyber Army hacked Vijay Mallya’s website is beyond me.

Even the security conscious US war department found close to 91,000 of its classified pages on the whistleblower site Wikileaks in August 2010, not very different from the Vietnam war papers landing up at the New York Times in 1971. The Abu Ghraib Prison torture pictures found their way to the internet.

The data storage faces the physical threats of yesteryear. Even in this ‘old world’ data security UIDAI itself has been found wanting. It has just a handful of employees. All are handpicked. Yet, within days of refusing to share their plans and stonewalling any request under right to information (RTI)—so much for good governance, transparency, accountability—their plans landed up on the Swedish website. When Nilekani cannot even safeguard his own data, with his handful of handpicked people, how does he hope to secure the data of the nation?

Since the data is sensitive and is an access point for many different benefits, it will need backups in case of crashing or physical corruption of data. Commercial email has up to seven backups to prevent data loss, so the government databases will probably need up to ten different back ups, in ten different locations. This makes it all the more difficult for database management, since the data has to be wiped clean in all. The data has to be secure in all these locations, and be fire proof, terrorist proof, earthquake proof, with 100% uptime.

The physical security of the database is the lesser risk. In addition, it will have the cyber threats. Since it is to be used, at the very least, as a referral database, access will need to be public. So it will be accessible over the public data cables rather than the relatively more secure dedicated backbone.

Coming from a technocrat, the scheme is even worse for its deeply flawed assumptions regarding technology. Section 38 of the draft NID Bill has a long list of crimes, which if intentionally done, could result in a Rs 10 billion fine. Virtually all of that is possible by anyone using Microsoft operating systems—for instance 38(c) [knowingly] introduces or causes to be introduced any virus or other computer contaminant—since they are known security issues in these ubiquitous Microsoft products.

To understand the power of the code-breaker and the computing power that is available to the hacker, current practice in banking is a good guide. Even ten years ago, the advice was to change the password every six months. It was reduced to two weeks. At the moment, for regular banking transactions, the bank gives one time passwords, valid for 15 minutes, from the same computer from which it was requested. That is the small window that they believe that the password will be secure. For high value transactions, it is even more. It is this superior computing power that will be used against the UIDAI database—and the hacker has to get it right just once.

Encryption is not the solution either. As Bruce Schneier warns us Encryption doesn't reduce the number of secrets that must be stored securely; it just makes them much smaller. Storing encrypted keys becomes as important as storing the unencrypted data was. Historically, the reason key management worked for stored data was that the key could be stored in a secure location: the human brain. People would remember keys and, barring physical and emotional attacks on the people themselves, would not divulge them. In a sense, the keys were stored in a ‘computer’ that was not attached to any network. And there they were safe. This whole model falls apart on the Internet. Much of the data stored on the Internet is only peripherally intended for use by people; it's primarily intended for use by other computers. And therein lies the problem. Keys can no longer be stored in people's brains. They need to be stored on the same computer, or at least the network, that the data resides on. And that is much riskier.

The new German ID cards have somewhat similar features—the face, two fingerprints and a six digit number. They are easily hacked too, as demonstrated on German TV.

Nilenkani seems to be following the Edgar Hoover American model of quantity rather than the Scotland Yard model of quality. Edgar Hoover got so enamoured of fingerprinting that he corralled citizens of New York to get their fingerprints… and wanted the FBI to retain those fingerprints forever… just like Aadhaar. He even got a 10 year old visitor to the FBI fingerprinted… just like Aadhaar. The much more efficient British Scotland Yard purges the fingerprints of those who have not committed a crime in 10 years, and demotes from their active list those who have not been convicted of a crime for two. So the scheme fails even in basic criminology.