Tuesday, March 8, 2011

247 - Is the UIDAI database vulnerable? - Money Life Digital

October 01, 2010
Money Life Digital

UIDAI is trying to create a ‘unique’ database through its ambitious UID number project. But state governments planning to tag numerous details to the UID number and allowing other entities access to the system could leave the database vulnerable to misuse.

The Unique Identification Authority of India (UIDAI), the agency assigned the task of giving a unique identification (UID) to every resident in the country, is faced with a situation. Already, some state governments are seeking to add multiple dimensions to the UID number, raising a question mark on the nature and security of the UIDAI database.

The Press Trust of India has reported that the Orissa government has decided to include at least a dozen-odd specifications to the UID number, like ration card number, BPL/APL number (below poverty line/above poverty line), NREGS data (National Rural Employment Guarantee Scheme), driving license number, PAN number, photo i-card number, passport number, kissan and credit card number, LPG consumer number, Rashtriya Swasthya Bima Yojana number (national health insurance scheme), pension ID number and pass book number. How long will it be before other states follow suit, with, say, Maharashtra providing a UID number without the biometric inputs, or Uttar Pradesh adding sub-castes, gotra, or an individual's financial details to the UIDAI database?

Kerala has declared that it will provide the UID number to over 60 lakh schoolchildren in the state under the UIDAI initiative. The UID number, stored in a central database, will give access to a student's profile, complete with biometric data and demographics, including photograph, iris picture and fingerprints. Kerala has selected Akshaya, IT@School and Keltron as enrolment agencies for the work.

KK Anvar Sadath, executive director, IT@School, has been quoted as saying that "while 'Aadhaar' requires information on name, gender, date of birth and address (called KYR-know your residence-details), we will collect other details like class name and admission number from the students. From this database, the KYR fields will be filtered to separate software provided by the UIDAI."

In countries around the world where a national ID card system is being used, these IDs are given only to those above the age of 14 years and not to school-going children between five years and 14 years of age. According to a white paper published by UK-based Information Risk Management Plc (IRM), capturing biometrics of children, particularly those below the age of 16, is problematic. The size of biometric elements like fingerprints and faces changes a lot through the adolescent years. Similarly, biometrics taken of children may lack sufficient features to satisfy the initial enrolment process, giving rise to problems in the biometric system.

Now the UIDAI has opened a can of worms by agreeing to allow access to registrars, like state governments and banks, as well as insurers who will collect individual data for the authority through their know-your-customer (KYC) database. This means that any company may be able to access the huge database (of about 60 crore people expected by the end of 2015) simply by becoming a 'registrar', and then use the data for its marketing initiatives. Also, the registrar, whether it is a bank or an insurer, could make it mandatory for customers to have a UID number if they want to continue to receive services.

An IT expert pointed out that such projects could not be run with just one person in control, for how will anybody know whether the system is not being misused? There is a need for implementable laws to check any misuse and this is a flaw with the UIDAI project.

Last heard, the UIDAI had selected three consortia (Accenture, Mahindra Satyam-Morpho and L1 Identity Solutions) to implement the core biometric identification system for the Aadhaar programme. UIDAI has stated that the three agencies would design, supply, install, commission, maintain and support the multi-modal automatic biometric identification subsystem. The three vendors would also be involved in the development of a multi-modal software development kit (SDK) for client enrolment stations, the verification server, manual adjudication and monitoring functions of the UID application.

Our emails to UIDAI chairperson Nandan Nilekani and managing director RS Sharma remained unanswered till the time of writing this story.