We need to build a “Bridge of Trust” between UIDAI and Security specialists

In the on-going petition in Supreme Court, Aadhaar faces a tough battle against multiple opponents.

The background under which the Aadhaar case has come up for hearing itself suggests that there are some undercurrents of opposition to Aadhaar even within the judiciary. The recent attack by a few Judges on the CJI citing “Threat to Democracy” also looked like having it’s roots in the Aadhaar controversy.

The main reason why Aadhaar is being opposed by a section of the society, is that the way it is being implemented by the Modi Government is choking the people who want to hold black money in benami bank accounts and properties and this is considered an existential threat for them. Such Black money holders are there in all walks of life.

Black Money out of Tax Evasion

There are professionals like doctors and others who have made money from their hard work but has for reasons of their own not accounted it for taxation purpose and therefore accumulated benami wealth. Many businessmen also accumulate black money from their hard work because they have not paid taxes properly. They all have a logic that taxation system is badly structured, it is a disincentive for honest hard work. Politicians applying most of the tax collections for bribing the voters for the next election makes it worse since citizens have no respect for tax and tax avoidance is considered not as bad as other crimes.

If tax compliance is to be ensured Government must lower the incidence of direct income tax or better abolish it all together though the communists will cry on the obsolete principle of “Taxing the Rich”.  Consumption Tax is the best form of taxation and Income Tax at least on individuals can be done away with.

Black Money out of Corruption

On the other hand there are another kind of Black money wealth owners who have accumulated their wealth out of corruption. This includes  corrupt individuals in different walks of life including bureaucrats and Politicians. Compared to the black money owners who have earned honestly but accumulated black money through tax evasion, the corrupt set of people actually generate black money and they should be treated with an iron hand.

Unfortunately our tax system does not distinguish between these two categories of black money holders.

Now, the proposal to link Aadhaar with the Bank accounts and other properties hurt both these categories of black money owners equally and both of them are now up against the Aadhaar.

Current Aadhaar Debate

The current debate in the Supreme Court is on the grounds that Aadhaar violates the Indian Constitution and creates a “Police State”.

The Anti Aadhaar lobby is on a fishing expedition to  find reasons to hold Aadhaar as “Anti Constitutional”. One route they are trying is to say that “Aadhaar violates Privacy” which the Supreme Court has recently held as a “Fundamental Right”. In fact the Puttaswamy judgement is the foundation under which the present Aadhaar trial is being conducted and there is a view that the Puttaswamy judgement was preparatory to scrapping of Aadhaar by the current bench. One explanation for the revolt of the 4 judges is that the CJI frustrated the conspiracy to scrap Aadhaar by changing the bench composition. This allegation cannot be dismissed easily since political parties, Anti Government Advocates and Modi haters were prominently associated with the revolting judges.

Aadhaar Security Critics

While this group of Anti Aadhaar advocates are motivated only by a desire to prevent Aadhaar being used to fight Black money, there are another set of Aadhaar critics who have been unhappy with the security aspects of Aadhaar. This lobby has been criticising Aadhaar because the lack of security could lead to security risks for the users including loss of money in the Banking transactions and loss of identity of biometric is compromised. It is this lobby which opposed the UIDAI contracts being given out to foreign agencies, UIDAI using a foreign Digital Certifying Agency to secure its server etc.  Part of this Security lobby also is concerned with the black money money fight both for or against it.

Some of the security arguments that have been held out by professionals like the undersigned to criticize Aadhaar has been now used by the Pro Black Money lobby to justify their arguments demanding scrapping of Aadhaar.

Just like the undersigned, there are many security professionals who are against Black Money but have been critical of Aadhaar from the security perspective. Some of them have been peeved by the arrogance of the UIDAI authorities in not listening to the security warnings and some times even initiating legal action against ethical reporters of security vulnerabilities. On the one hand UIDAI has been soft on agencies like Airtel who have misused the system and also those who were caught storing bio-metrics and reusing them, they went hard against other non malicious technology specialists who ignorantly violated law out of their “Technology Intoxication”. As a result today there are many security professionals who are in favour of the Government in its black money initiative but are angry against UIDAI authorities and are silently enjoying its predicament.

It is only a few of these people which includes the undersigned who have decided to keep our security differences aside for the time being and join hands for the cause of removing black money and corruption with the efficient use of Aadhaar.

Creating a Bridge of Trust

Unfortunately, UIDAI has no channel of communication with such supporters of Aadhaar. Had UIDAI introduced a “Bug Bounty” program as we had suggested some time back, a lot of security professionals who are critics today would have been friendly and come up with many useful suggestions. Today there is complete lack of trust between security professionals and UIDAI and they are not ready to share their security thoughts with UIDAI. Some of them are afraid that if they admit that they have found vulnerabilities, UIDAI may hoist cases against them and some of them are themselves as egoistic if not more than UIDAI and would not volunteer their suggestions.

The need of the hour for UIDAI is therefore to construct a bridge of trust between itself and the security specialists so that there is a flow of positive security ideas from the good intentioned critics to UIDAI.

Recently Justice B N Srikrishna conducted a series of public consultation programs through out India to gather public opinion on the proposed Data Protection Act. During these discussions he had to face lot of brickbats only because of Aadhaar. There were many citizens and security professionals who were commenting on the Data Protection law citing  Aadhaar related issues. It was heartening to note how Justice Srikrishna was humble and patient in listening to all critics and trying to take the essence of the suggestions made out during the interactions. He was not only able to extract valuable suggestions but also create a bridge of trust with the public that he is doing his best to come up with reasonable suggestions for the drafting of the complicated data protection law which people expect to protect “Privacy” which no body is willing to define.

UIDAI must take a leaf out of Justice Srikrishna and learn some PR lessons of how to bridge a friendly relationship with the community.

In this direction I suggest that Aadhaar authorities need to hold open house discussions in different cities of India on a regular basis and listen to the criticisms and suggestions from the community of academicians and security professionals. At the same time, they should open up a channel of communication with the public to hear out their grievances and suggest amicable resolution. This public interaction could be through the web and include a Bug Bounty program as well so that whistle blowers who have valid suggestions.

In the recent days, I have found many respectable security professionals express a view in private discussions that “Let the Government suffer, they will learn a lesson” and recommending that no vulnerability should be reported and Government will learn the lesson when hackers exploit them.

I feel that this indicates a dangerous turn of events when honest persons turn away from their duties to the nation to report vulnerabilities to the Government.

Today’s news report that  a hacker’s group in Kerala has generated a valuable counter terrorism cyber operation in which they have identified a number of “Sleeping Terrorist Cells” promoting terrorism in India. It is also reported that when these hackers (ethical hackers) tried to draw the attention of the security agencies, they did not get the response that they anticipated.

This is a very sad state of affairs where honest citizens who want to help the Government are left to feel that they are unwanted by the authorities.

This feeling is not new and most of us have experienced it in the past. Some journalists often complain about the Lutyen’s lobby operating in Delhi and often acting against the interests of the country. There is a similar lobby of Security experts in Delhi who are close to the decision makers in the current Government also who ensure that Government is not provided the right kind of advise on security matters.

Mr Modi needs to ensure that this “Lutyen’s Lobby of Cyber Security” is recognized and disbanded and in its place encourage development of a voluntary group of  “All India Cyber Security Advisory committee” whose suggestions reach the right ears in the Government. I suppose the Government would be intelligent to distinguish “Vested Interests” from “national Interests” and ensure that the right flow of valid Cyber security suggestions reach the Government.

This “All India Cyber Security Advisory Committee” which can operate as a virtual committee should be part of the Cyber Security Infrastructure of the Government. One off shoot of this suggestion that can be tried in this direction is for UIDAI to invite suggestions from the public on how to secure Aadhaar both through a virtual committee as well as through open houses.

Time is now ripe since UIDAI is now considering revamping the system with the introduction of

a) Virtual Aadhaar ID

b) Use of face recognition

as additional parameters of use. Both have important security implications and any system which is introduced now should be made as robust as possible. We consider that presently most of the Aadhaar data base has already been compromised and there is no way the compromise can be rectified. However, if some thing can be salvaged it is necessary that we use the two new parameters of Virtual ID and Face recognition in such a manner that at least in future compromises does not happen.

I am sure that UIDAI would not like to discuss the security issues in the public and it is not recommended also. But there is no problem in inviting suggestions from the public and use as much of it as possible so that the system would be secure.

It is for this reason that the “Bridge of Trust” has to be built between UIDAI and the information security community.

Will UIDAI authorities come down from their pedestal, take a cue from Justice Srikrishna and start talking to their critics?

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Law and tagged , , . Bookmark the permalink.

1 Response to We need to build a “Bridge of Trust” between UIDAI and Security specialists

  1. Firdaus Lalkaka says:

    Suggestions:
    (1) A robust system of reporting should be set up by UIDAI to enable every Aadhar Card holder to know exactly who, when, where and for what purpose his Aadhar Information was sought to be verified.
    (2) The UIDAI should send out a SMS as well as an email to the Aadhar Card owner whenever any request for verification is sought and generate an OTP for acknowledging such verification. This will substantially reduce unauthorised verification requests from being generated with intent of “misuse”.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.