Tuesday, February 21, 2012

How safe is UID?

Snippet from Mr Nandan's interview with Business Today

Privacy is something you trade for convenience. Even when you talk on the phone, you are subjecting yourself to the risk of being overheard - talking on phone could be taken as invasion of privacy. But the fact that I have a cell phone and anybody can reach me anywhere is an empowering thing that I am willing to take the risk for that. When you want to apply for loan, you will share all details of your assets - now that is also confidential information. But you are doing that for the benefit of getting a better loan. The information we collect is name, age, date of birth and sex. This is information that is already available if you have a voter card or a passport.

That says it all! UID is a game-changer for the common man. In Mr Nilekani's own words, UID is set to do for the common man what liberalization did for the middle class in India!

Anyway, back to the authenticity of the technology used for UID. Security and safety concerns regarding UID can be broadly classified into the following buckets:

(A) Enrollment: Criminals getting enrolled via fake documents
(B) Enrollment: Duplication - Already enrolled residents enrolling more than once
(C) Enrollment: Violation of document verification - KYR
(D) Data Center: Vulnerable to hacking attacks
(E) Authentication: False Rejection Rate
(F) Authentication: False Acceptance Rate

(A) Enrollment: Criminals getting enrolled via fake documents

Yes, this is a strong possibility. But the whole vision and mission of UID is inclusion, and what can a UID give you?
  • Creating a bank account - but remember this is a no-frills bank account
  • Getting a SIM card - this is a threat
  • Access to subsidy - the per-person subsidy is marginal, and would a criminal / terrorist be interested in subsidy?
  • Other privileges - we don't know what shape this monster will take; if it is tamed, it will provide immense benefits to one and all

Overall, UIDAI has created a process for getting people enrolled. Does technology play a role in blocking criminals, or people who are a threat to the nation, from the UID system? NO! It is the process which has to be made more stringent. Fake documents and ID proofs are a common problem in India. That needs to be addressed.
From UIDAI's side, stringent policies and processes for document verification should be imposed.

(B) Enrollment: Duplication - Already enrolled residents enrolling more than once

This is where technology plays a vital role. If someone tries to re-enroll in the UIDAI system, the biometric de-duplication on UIDAI's servers should catch such an imposter.
UIDAI ran a pilot to verify whether biometrics / fingerprints are good enough to detect such anomalies, and the numbers are extremely impressive:

Tests were done with an enrolled population of 84M

Failure to enrol (FTE):
Every resident gets an Aadhaar number

Biometric FTE:
0.14% = 1.68 M people
De-duplicated using demographic data and checked manually for fraud. The legitimate cases among these are issued an Aadhaar number

False Positive Identification Rate (FPIR):
0.057% = 0.684 M people
At a rate of 1M enrollments / day, 570 cases have to be reviewed manually to ensure that eligible people are not denied Aadhaar numbers

False Negative Identification Rate (FNIR):
0.035% = 0.42M : Number of Duplicates, Worst Case Scenario
0.00018% = 0.0021M : Number of Duplicates, Best Case Scenario

All the numbers have been derived from the report published by UIDAI.

(C) Enrollment: Violation of document verification - KYR

I have not seen the real action, and I also know for a fact that some of the media articles are exaggerated and misconstrued, but the KYR verification plays a significant role and the registrars and various entities should ensure that the processes are followed to a tee.

(D) Data Center: Vulnerable to hacking attacks

The article says it all :)

(E) Authentication: False Rejection Rate

Yet to see the results from UIDAI

(F) Authentication: False Acceptance Rate

Yet to see the results from UIDAI

The enrollment and security aspects, from a technology perspective, have been addressed well by UIDAI. What remains to be seen is how authentication will unfold.
