The UID Authority of India (UIDAI) has decided to run its pilot in Karnataka and has rightly put the versatile and energetic e-Governance secretary, Mr M N Vidyashankar, in charge of the pilot project. We hope the pilot will be successful in throwing up the learning points which may drive the project further. Our best wishes to Mr Nandan Nilekani as well as Mr M N Vidyashankar for a successful completion of the project.

This project is of great significance to all the Citizens of India since it will transform all of them into “Netizens” with a “Digital ID” maintained in the data base of the UIDAI. All of us will henceforth be “Information” and in due course we can avail any service from the community only through this “Information Avatar”. As a corollary, we need to remember that if for any reason the UID is corrupted and the data associated with our UID is inaccurate, then we may lose the natural privileges we are entitled to as citizens of India.

In view of these high stakes for every citizen of India, it is necessary for every Citizen to contribute his views to the UIDAI so that no hasty decision is taken in a matter which can mean life and death for the Citizens of India.

I therefore raise a few concerns through this column and invite others to join me in contributing their views so that these can be addressed at the time of the pilot project being implemented in Karnataka.

I would like to record my views on the following five points:

1. UID without a UID Card:

2. Data Association

3. Responsibility for Data Accuracy

4. Responsibility for Data Security

5. Voice of the People

1. UID without a UID Card:

Mr Nandan Nilekani has taken a strategically correct and intelligent decision to keep the issue of “Cards” away from the immediate discussion by declaring that in the first two or three years, the UIDAI will focus only on creating the “Unique Number” and not on the instrument that holds the ID, such as the “ID Card”. As a result, the unnecessary commercial question of whether it should be a smart card or something else, what the technology for it should be, etc. is now not the immediate issue.

In view of this vital decision, the UIDs when created will be held only in digital form and therefore there will be a “Virtual UID Card” for every Citizen which will be dynamically created whenever the data base is queried and values returned. If this Virtual UID Card works, then the next task will be easy since it only means a transport of this “Virtual ID Card” to the face of a plastic card with or without memory in the form of a smart card.

As Mr Nandan has clarified during his TV interviews in the last few days, the UID Card will eventually hold limited data, and service related data would be incorporated in other service related Cards. For example, the UID will contain certain data such as the serial number, name and photograph of the holder. There may also be other associated data such as the father’s name, mother’s name, date of birth, sex, place of birth, UID of the father, UID of the mother, finger print, and address.

When a decision on the Physical card is taken, it will be necessary to determine if all the UID data has to be placed in the card itself or not. (Naavi’s views in this regard are also captured in the earlier article The National ID Card Challenge for Nandan Nilekani.) Naavi has been an advocate of “ZeMo Cards”, which essentially means that the ID Card can be of zero memory and contain only the basic ID parameters, and all other data should be accessible through an authorized query of the virtual data base.

The current thinking of the UIDAI is therefore similar to what Naavi has been advocating except that the issue of the Card has been completely kept out of the responsibility of the UIDAI and left to the individual service organizations which will use the UID for delivering their services. For example, the NREGS may issue its own cards to its members where UID is one of the components. They may use either a Smart Card or a ZeMo card as they deem fit.

This leaves the flexibility which was necessary for the UIDAI to avoid commercial influences on its activity, since the Smart Card lobby is a powerful lobby which could have single handedly derailed the UID project. Mr Nandan should be specially congratulated for the master stroke of dividing the two aspects of creating a UID and issuing of the Cards. This may turn out to be the single most important decision at this point of time to take the project forward. Maybe once the data is created, UIDAI can register itself as a Certifying Authority in India and issue Digital Certificates under their digital signature which will become a document acceptable in a Court of law as per the provisions of the ITA 2000.

In the absence of the physical card however, the virtual data base becomes critical to the integrity of the system and will be a target of attack for cyber terrorists and data thieves. The security of the data therefore becomes paramount and there is a need for appropriate measures in this regard.

2. Data Association

At present the indications are that the following 12 parameters would be associated with the UID data.

1. Name

2. UID Number of the holder

3. Photograph

4. Right hand fore finger print

5. Name of the Father

6. Name of the Mother

7. UID of the Father

8. UID of Mother

9. Date of Birth

10. Sex

11. Place of Birth

12. Address

It is necessary to debate if all these 12 parameters are required and whether some more are to be added. It is also necessary to consider if all of them need to be considered as primary ID parameters or can be classified further as “Primary” and “Secondary”. More importantly, we need to debate if any of them can be considered as the “Root ID parameter”.

While the UID itself will be a Root ID for downstream services available to the Citizen of India, there is a need to recognize one single “Root UID Parameter” so that in the event of any dispute, the UID would be owned by the person in indisputable control of the “Root ID Parameter”.

For example let us presume that there is an effort to duplicate a UID by a person who is confronted by a law enforcement agency. He may have a UID number (and a card if issued) in his name and address. The only parameter which he cannot duplicate is his “Bio Metric feature”. In the set of 12 parameters chosen by the UIDAI now, the finger print is the only biometric feature which the law enforcement person can check to verify the ownership of the UID. This can be defeated only if the data base itself is hacked and the finger print of the impersonator is planted in place of the genuine fingerprint. This is an issue of the data security which is separately discussed.

The reason why we may think of segregating the ID data into “Primary” and “Secondary” is that some of the ID parameters can be kept out of the Primary data base and can even be kept offline. The primary data base has to be accessible on the Internet and, despite the authentication mechanisms or DRP strategies used, is still amenable to hacking attacks. The secondary data base however can be kept away from the Internet and in multiple formats so that the data in the secondary data base can be used for verification when the primary data is disputed.

For example, we may collect multiple biometric features, say

1. Left hand thumb print scan

2. All fingers scan

3. Hand geometry scan

4. Iris scan, etc

If the technology vendors prefer the forefinger (index finger) because the finger print readers are more easily operated with the fore finger than the thumb, it can be used as the primary biometric print but the remaining biometric features can be considered for the secondary data base.

This procedure will provide for “Multi Factor Biometric Authentication” of a person.

We must however admit that the “Left Hand Thumb Impression” is an age old tradition in India and given an option it should be considered more suitable than the forefinger. It is necessary for us to remember that there is a finger print indexing system presently in use which appears to have been successful. It is found in the index of “Nadi Grantha” used by the Nadi Astrologers who sift through thousands of files with the Right Hand Thumb impression of males and left hand thumb impression of females. The visual examination by a human can usually provide a short list of 15 to 20 files from the thousands available. With a computerized scanning of the finger print perhaps the accuracy can be far better. This indicates that finger prints in general and thumb prints in particular have the potential to index millions of records and with no other supporting parameter, it should be possible to zero in on a document solely with the finger print index.

If the index is run on multiple levels with multiple finger prints, the accuracy should be good enough for the UID system where we need to pick one document out of a billion documents based only on the finger prints obtained from a person.

Since there are already a host of property documents where the left hand thumb impressions are recorded, it may perhaps be good if the left hand thumb impression is made the primary ID parameter and the other 9 finger prints are accepted as secondary and tertiary finger print references. This will also counter the problem of some of the labour class people not having clear finger prints.

Similarly, we can make the name more reliable as an ID parameter by adding the names of the father, grand father and the great grand father of a person to the name field. While the Primary UID data base may contain the actual name with the initials used by the person, the secondary data base may contain the expansion of the initials, name of the father, name of the grand father and name of the great grand father. It is possible however that some may not have the names of the grand father and great grand father available, in which case the fields may have to be left as “Unknown”. The three generation father-link is a tradition and if it is anachronistic for the current generation, we can record the names of the female members of the earlier generation also. This would almost mean recording the family tree in the secondary data base. Though this would be a little cumbersome, there may be a useful cross reference/verification possibility to establish any attempts at entering false data into the UID system.

Also, while the date of birth is one of the parameters used, extending it to the time of birth (as known and declared by the person) would make it more specific. This is also more suited for the secondary data base while “Age” (as on the date of the issue of the card) alone can be added to the primary data base.

It is obvious that in such a system the Card holder will primarily enter the data into the record and some of them have to be accepted as the declaration of the person even though they may not be independently verifiable. Most of these non verifiable data will be in the secondary data base and will be useful as verification parameter in case of disputes.

Out of the 12 parameters indicated for inclusion in the UID data base, “Address” is one parameter which is subject to change. It is therefore not suitable as part of the ID document. It is better that it is removed from the database. If required, it can be part of the secondary data base and used as “Registered Address at the time of first creation of the data”.

Out of the other parameters, Photograph is also subject to change over the period. If present, it can be a source of misinterpretation. A serious consideration has to be given to discuss if this has to be considered as part of the primary data base or to be pushed to the secondary data base.

The UID of the father and mother are also parameters more ideally suited for the secondary data base.

The primary data base may have to contain the UID issue date as a reference for the photograph and the age of the person.

Since the UID data is in digital form and may have to be accessed by the subject online with the use of a digital signature, it may be useful to include an “E-Mail ID” as an additional ID parameter perhaps in the secondary data base.

In summary

(a) We need to maintain a Primary UID data base and a Secondary UID data base with some parameters captured in the primary base and some in the secondary data base with different storage and access controls.

(b) We may consider making LTM as the primary biometric ID to be incorporated in the Primary UID data base and the other finger prints and probably the Iris scan also to be recorded in the secondary UID data base

(c) We may record the names of grand father and great grand father to expand the name and maintain the same in the Secondary UID database

(d) We may record the time of birth in the date of birth field and maintain it in the secondary UID data base.

(e) Address has to be removed from the UID data base. e-mail address to be added to the secondary data base.

(f) The parameters required for the Primary data base are Name with initials, Sex, Age, UID number, photograph and finger print, date of issue. Amongst these, the name, sex and age are not confidential. The photograph may be substituted by an impersonator but the finger print remains an unalterable mark of the original ID holder. If and when the ID card has to be issued, it may contain only these 7 parameters.

3. Responsibility for Data Accuracy

Apart from the risk of impersonation, the other risk associated with the UID system, which is also going to be integrated with many downstream data, is the possibility of “Errors” in the data. Today, many of the Voters find that the information about their name, sex and age on the Card is incorrect and makes them ineligible to exercise their franchise. The reason for such inaccuracies is that the system for “Correction” is too complicated and once a clerical error gets into the system, it tends to remain.

In view of the criticality of the UID system, it is essential that inaccuracies be eliminated at the time of generation and that there be an expeditious but strong process of correction of inaccuracies.

It must be remembered that UID will be “Information Residing Inside a Computer Resource” and is subject to the provisions of Information Technology Act 2000 (ITA 2000) and the proposed amendments through Information Technology Amendment Act 2008 (ITA 2008).

Any alteration of UID information which is unauthorised and causes wrongful harm is therefore an “offence” under Sections 66, 72, 72A of ITA 2000/8 and is also subject to payment of compensation under Sections 43 and 43A of ITA 2000/8.

The UID authority is also subject to the provisions of Sec 67C since the ultimate owner of the data is the data subject and the UIDAI is only an “Intermediary” as per the provisions of ITA 2000/8.

Maintenance of “Inaccurate Data” leading to wrongful loss would constitute lack of “Due Diligence” and could make the UIDAI liable.

One option for the Government is to pass a law making the UIDAI and its staff immune to any legal challenges. This would perhaps be the most likely outcome since this is the trend in Government functioning. This would however result in “Authority without Responsibility” and ideally should be avoided.

We hope that Mr Nandan Nilekani would not like UIDAI to be protected from public scrutiny through such protectionist policies.

4. Responsibility for Data Security

Data Security will remain the biggest challenge in the UID project and multiple strategies are required to be adopted for the purpose.

The law of the land provides some protection to the data subjects through the ITA 2000/8 and imposes certain responsibilities on the UIDAI for reasonable security practices to be maintained by UIDAI.

If there is no attempt by the Government to shield the UIDAI from the provisions of the existing law, then we may consider that there is a legal structure for data security. It may still be necessary to define the “Reasonable Security Practice” for this service.

In view of the criticality of the UID operation, the “Reasonable” security practices may have to be substantially stringent. It is necessary to implement globally acceptable principles of data security and privacy protection to meet the requirements.

Some of the security practices required for data security and privacy protection of the UID system may be constructed with the IISF 309 suggested by Naavi.org.

Some of the specific requirements under this framework for ITA 2008 compliance include:

1. Obtaining the consent of the UID holders for inclusion of the data which would be in the form of an application made by the data subject and validated in its electronic form.

If data is validated on paper and the UIDAI takes the responsibility for digitization then some member of UIDAI should be held accountable for any inaccurate data that may creep in. Such a person has to validate the electronic form of the data with his digital signature and take the legal liability for the inaccuracies.

A copy of the data as entered in the data base has to be provided to the data subject in print form with appropriate certification under Section 65B of Indian Evidence Act as per established principles of Cyber Evidence Archival.

As a part of this data validation process, it may be necessary to provide access to the data in the data base to the holder of the UID so that he can verify the data any time and any number of times during the lifetime of the data.

Though this facility may not be used by many of the UID holders who are not cyber savvy, it is an essential part of Cyber Law Compliance.

This may require validation of the person making the query. If we need to use “Digital Signatures” for validation, the UID itself may have to also include an “E-Mail Address” in the minimum as a “Digital Identity parameter”.

2. Data has to be encrypted in storage and every element of the data base has to be digitally signed by an officer of the UID.

3. Appropriate audit trail of who accessed the data and what was the hash value of the data accessed before and after the access session etc will have to be captured along with the mode of access, IP address etc and archived in such a manner that they are available for judicial scrutiny when required.

4. The hardware and software used by UIDAI should be source code audited and certified for integrity. Supplies from countries suspected to be preparing for Cyber Warfare against India must be avoided.
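One way to build the audit trail described in item 3, shown as an added example that is not UIDAI's or the author's code: each access entry stores who accessed the record, the mode, the IP address and the record hash before and after the session, so that a fingerprint planted directly in the data base (the scenario raised under Data Association) shows up as a mismatch. Chaining each entry to the previous entry's digest goes beyond what the item states, and all class, field and sample names are hypothetical.

```python
import hashlib
import json

def record_hash(record: dict) -> str:
    """SHA-256 over a canonical JSON encoding of one record or log entry."""
    blob = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()

class AuditTrail:
    """Append-only access log; each entry commits to the previous entry's digest."""

    def __init__(self):
        self.entries = []

    def log_access(self, uid, officer, mode, ip, before: dict, after: dict):
        entry = {
            "uid": uid, "officer": officer, "mode": mode, "ip": ip,
            "hash_before": record_hash(before),
            "hash_after": record_hash(after),
            "prev": self.entries[-1]["digest"] if self.entries else "0" * 64,
        }
        entry["digest"] = record_hash(entry)  # computed before the key is added
        self.entries.append(entry)

    def verify(self, current_records: dict) -> list:
        """Return a list of findings; an empty list means everything is consistent."""
        findings, prev, last_seen = [], "0" * 64, {}
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "digest"}
            if e["prev"] != prev or record_hash(body) != e["digest"]:
                findings.append(f"entry {i}: audit log itself was altered")
            known = last_seen.get(e["uid"])
            if known is not None and e["hash_before"] != known:
                findings.append(f"entry {i}: {e['uid']} changed outside a logged session")
            last_seen[e["uid"]] = e["hash_after"]
            prev = e["digest"]
        for uid, rec in current_records.items():
            if uid in last_seen and record_hash(rec) != last_seen[uid]:
                findings.append(f"{uid}: stored record differs from last logged state")
        return findings

def demo():
    # Constructed sample data: identifiers and values are illustrative only.
    db = {"UID-0001": {"name": "A. Kumar", "fingerprint": "template-A"}}
    trail = AuditTrail()
    before = dict(db["UID-0001"])
    db["UID-0001"]["name"] = "A. Kumar Rao"        # authorised, logged correction
    trail.log_access("UID-0001", "officer-17", "update", "10.0.0.5",
                     before, db["UID-0001"])
    clean = trail.verify(db)
    db["UID-0001"]["fingerprint"] = "template-X"   # planted directly, never logged
    tampered = trail.verify(db)
    return clean, tampered

if __name__ == "__main__":
    print(demo())
```

In a deployment along the lines of item 2, each entry digest would additionally be digitally signed by the responsible officer; the plain hash here only detects changes and does not identify who made them.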

5. Voice of the People

As someone who has been working on Netizen Welfare for over a decade, the undersigned would like to make a strong demand of the Government of India as well as Mr Nandan Nilekani himself that the UIDAI should establish appropriate systems and procedures which would ensure that Netizens are protected against the inefficiency and malicious intentions of the staff of UIDAI. Even if they tend to be honest, they may be used by others to inconvenience honest Netizens.

This requires constitution of an “Ombudsman” and a “UID Dispute Resolution Board”. Such a UID Dispute Resolution Board should not be solely constituted out of Government servants (eg: Proposed Review Committee under ITA 2008 for Section 69/69A/69B issues) and must consist of Netizen Activists and Netizen Interest bodies such as Digital Society of India or Cyber Society of India.

Whether UIDAI will be a typical Government project with authority without responsibility or a true PPP with the reputation of people like Nandan Nilekani at stake would be determined by how the UIDAI responds to this demand by Netizen activists to be part of the dispute resolution mechanism.

Comments are Welcome at naavi@vsnl.com

Naavi

Aug 30, 2009
