The government is likely to sort out differences between the home ministry and Planning Commission over data collection for UID cards this week.
The Nandan Nilekani-led UID project has been touted as the world's largest, most advanced, biometric database of personal identities. And many believe, according to reports, that the UID is meant to be more secure than the US' Social Security Number (SSN).
In the absence of a coherent privacy law, Indian CISOs aren't buying that. "Even SSNs have been misused by criminals for years. The flaw of any personal identification project is that when you input data into a database, there must be an assured mechanism in place. Fingerprints have inherent inaccuracies as a proof of identification and retina scans make data storage requirements much higher," says security and privacy expert Deepak Rout. "If you don't provide enough security, then chaos is inevitable."
Though reports suggest that Nilekani has said that use of UID cards will be voluntary, it becoming mandatory cannot be ruled out. When all transactions will get linked to a single number, the same may be used by various state agencies to monitor citizens' activities. This may interfere with an individual's right to privacy. "Even if owning an Aadhaar card is made compulsory, I'll stay out of it as long as I can," says Rout.
Pawan Kumar Singh, CISO at Tulip Telecom agrees. "I am still insecure with the idea of entrusting my data to the government. Would I go for a UID card? No, thanks. The government may lay down stringent rules but where is the enforcement mechanism? UIDAI's security policy will remain like our constitution--on paper--if citizen awareness is not brought up." Singh believes that India isn't ready to consolidate its entire citizens' personal data on a single card.
Both Singh and Rout have reason to worry. In October last year, the UID project saw its first victim of privacy breach. A citizen from Maharashtra lodged a complaint stating that his address proof was compromised. The incident raised concerns on the vulnerability of personal data being collected by UIDAI. And that's just one of the many instances of security breaches.
Even those close to the UID project are raising questions on the loopholes that may exist in the project. Sanjay Deshpande, CEO and CIO at Uniken Technologies--a security firm that was involved in initial talks with the UID project team--says that UID could be vulnerable to insider attacks. "How are they (the government) going to ensure that the systems aren't vulnerable to insider threat? How trustworthy are the people handling a citizen's personal identity? Also, are the biometric devices used by the government foolproof? You might have heard of losing your e-mail ids and passwords at an Internet café owing to malicious software in public computers. How is the government ensuring that the data capture device by itself is not malicious?" asks Deshpande.
Application level security is another major concern. "My problem as an Indian citizen--once the UID project starts collecting biometric data everywhere--is how would we prove our disassociation with a wrong UID and a crime we have not committed?" asks Deshpande.
While the cabinet decides the fate of the government's ambitious UID project, it seems like Indian CISOs have already written its destiny. The question now remains -- Do you trust the government with your data?
For any queries, you can contact the author at: [email protected]