Since the launch of the UID project by UID Authority of India (UIDAI) and the issue of first set of UID cards in Nandurbar district of Maharashtra, UID security has been a top concern. Sunil Chandiramani, Partner at Ernst & Young stresses that such an initiative demands a high level of security, as a single breach could render the whole system useless. Let’s evaluate the various threats to UID security and how they can be managed.
Can a UID number be misused?
The UID project will create a unique number for every citizen of India and build a UID database of individuals, associated with 12 parameters of identity. For the initial two to three years, UIDAI will focus only on creating the ‘unique number’ and not on the instrument that holds the ‘ID card’. A biometric record of each individual’s 10 fingerprints or iris scan will be collected and tagged to his unique 16 digit number (UID). Chandiramani believes that just having a UID is much more secure than having a physical card, which can be duplicated, stolen or misused; however, stealing someone’s biometric identity is not an easy task.
Na Vijayashankar (also known as Naavi), an independent cyberlaw consultant and founder of Ujvala Consultants who has issued a draft on ‘Reasonable Security Practices for UID Project’ informed that a UID database would be used by making a query. The query will provide the UID number along with one of the parameters such as name. The answer returned will either be ‘true’ or ‘false’. The users will mostly be service providers who check the ID of a prospective client. According to Naavi, return of false information by the database or its inability to find the match of a genuine query could be security threats. Another important UID security concern is can somebody’s UID number be misused by another individual? Naavi retorts, “If a person has access to someone else’s UID number, it can be misused in all cases where the biometric check is not done.” Chandiramani agrees, “To confirm if a UID number and person are the same, the biometric data should match.”
Securing the central database
UIDAI is expected to build one of the largest centralized database consisting of UID numbers, biometric records, and other personal details. Unauthorized access to UIDAI servers, organized attack from cyber terrorists or cyber warriors, and stealing or leaking of sensitive personal information are some of the prominent security threats to UID centralized database. Naavi suggests strong role-based access control, firewall, intrusion detection system, manpower training, and background check, as critical measures to ensure security of UID centralized database. Chandiramani also informs about strong encryption mechanism that will be deployed by UIDAI during all processes and IT operations. UIDAI is already implementing strong security policies, monitoring mechanism and penalties for security breach.
Naavi further notes that as UIDAI will have a repository of sensitive personal data, it will have to maintain reasonable security practices under the IT amendment act, 2008. “The global standards of data protection and privacy ought to be applied. Many of the security requirements should be at par with National Institute of Standards and Technology guidelines in USA or appropriate derivatives from such standards,” observes Naavi.
Security during transmission
The UID authentication process is expected to authorize an individual by matching the fresh biometric scan with the existing image in the centralized server. If a hacker tries to breach UID security by manipulating data during the transmission, it may directly affect the matching process at the centralized server and a genuine person may be denied services. Naavi informs that according to preliminary indications (subject to confirmation from UIDAI), during the creation of the original database, registrars would capture UID data in a portable media such as an USB drive and bring it to the UID center to upload to the central database through the Internet. “Hopefully, UIDAI will develop an application, which transmits the data in encrypted form so that transmission security can be managed. However, while the data is in the USB drive, it is exposed to the risk of being stolen or modified,” cautions Naavi. Chandiramani suggested that the transmission would happen on a private network for the moment, but will ultimately take place over a secure cloud. Hence, irrespective of the network, you will be able to connect to UIDAI server securely.
There could be serious internal threats to UID security. Chandiramani opines, “Internally, someone could attempt to sabotage the system, crash it or steal some information. Segregation of duties, roles, limited access, audit monitoring mechanism, physical security, and background checks are some key measures to be implemented on this front.”
Naavi points that this could involve corruption and other motivations. This is the most sensitive issue because political considerations could dilute the security to meet various “reservations” involved in selection of personnel.
UID data privacy
As a country, we lack specific laws on data privacy and hence, some feel that we may be ill-equipped to deal with disclosure or leakage of personal information if UID security is weak. Chandiramani mentions that currently UIDAI is capturing limited data (like father’s name, age, DOB and not things like height, weight or cast) and even at the time of authentication, only the UID number is verified. However, he feels that privacy will become a major issue after service providers start tracking a unique ID and tag it to everything to understand a person’s purchase decision. Chandiramani also adds that as this will happen outside the UIDAI environment, it may not be held responsible.
A UID system requires elaborate security, which takes care of technology, law and human resources. Naavi has detailed the requirements in a draft at http://www.naavi.org/cl_editorial_09/edit_sept5_uid_sec.htm