You are here: Home / Internet Governance / CIS Comments on Finance Committee Statements to Open Letters on Unique Identity

CIS Comments on Finance Committee Statements to Open Letters on Unique Identity

Posted by Prasad Krishna at Nov 13, 2011 02:40 AM |
We from the Centre for Internet and Society had sent six open letters to the Parliamentary Finance Committee on the UID. The Committee responded through an email on 12 October 2011. Our response to the points raised is reproduced below.

Dear Members of the Finance Committee,

Since January 2011, we have sent six open letters on the Unique Identity (UID) project to the Members of the Finance Committee. The Committee has responded through an email dated 12 October 2011. This letter is in reply to the points that were raised.

Finance Committee: "Comparison between SCOSTA and the UID project are not valid since SCOSTA is fundamentally a standard for smart card based authentication and does not work for the objectives of the UID project."

CIS: We disagree with this statement. The UID Bill states that the aim of the project is to provide identification and authentication services. Biometric technology may be useful for identification. The seventh  open letter [1] that we sent to the Committee last week uses basic statistical analysis to demonstrate that the FPIR has to be 10−6 or a thousand-fold greater than the current level mandated by UIDAI procurement policy in order to achieve the project goal of building a national database of unique ID's. SCOSTA based smart card technology is more appropriate for the authentication of individuals because:[2]

  • Authentication will be based on asymmetric keys and perhaps pass-phrase or pin. This is known as public key infrastructure, and will allow a person to protect their authentication factor, and easily replace it if compromised.
  • Authentication through public key infrastructure does not depend on connectivity to a centralized network. This will allow for inclusion of unconnected populations. 
  • Authentication through public key infrastructure establishes mutual trust between citizen and state. Instead of only the citizen being made transparent to the state – the state is also made transparent to the citizens. This will lower the presence of fraudulent institutions and corrupt transactions. 
  • Connection to a centralized server is not required for only the authentication of an individual in a transaction. This will lower the cost of transactions and lower the IT overhead costs. 

Finance committee: "The UID project follows a different approach and has multiple objectives like providing identity to the residents of India, and ensuring inclusion of poor and marginalized residents in order to enable access to benefits and services."
 
CIS: We disagree with this statement. Biometrics do not ensure the delivery of benefits. As mentioned in our third open letter,[3] in every transaction that requires the use of the biometric based UID number, there are four points where corruption is possible and delivery of services will not take place: 
 
  • The technology fails, and does not perform authentication. Lack of connectivity, electricity and non-lab conditions for biometric technology. 
  • The authority fails and delivers a false positive or false negative.
  • The local agency fails to deliver the service after authentication.
  • The biometric fails due to biological changes, and thus the individual is denied benefits. 
 
Finance Committee: "Eliminating the fakes, duplicates and ghost identities prevalent in other databases." 

CIS: We disagree with this statement. Biometrics cannot eliminate fakes, duplicates and ghost identities. The deduplication algorithm only checks for uniqueness of biometric information. This can easily be defeated by a.) presenting a combination of two persons biometrics, b.) presenting the biometrics of foreign nationals collected remotely using the Internet, and c.) modifying biometric information using software tools like image editors. This is not a remote technological possibility since many registrars like banks have financial incentives for creating ghost identities for benami bank accounts. The deduplication algorithm and technology is completely black-box and has not been subject to any independent audit. Ideally research organisations like CIS should be provided legal immunity so that we can conduct independent audits of the deduplication technology and provide evidence for policy-makers. Since the deduplication technology has such a direct impact on the quality of citizenship – we recommend that the Finance Committee include proper independent audit provisions in the draft bill. 
 
Finance Committee: "Provide a platform for authentication in a cost effective and accessible manner." 

CIS: We disagree with this statement. As our first open letter[4] to the Finance Committee notes, biometrics are not appropriate authentication factors. In our opinion the dependency of biometrics on connectivity, deduplication, and centralized storage causes them to be more expensive than smart cards. The onus is upon the UIDAI to demonstrate that biometrics are cheaper than existing systems like magnetic cards used by credit card and debit card companies. If it was truly technologically and economically the better option, surely banks driven by such considerations would have adopted them many years ago.
 
Finance Committee: "UIDAI is not issuing cards or smart cards." 

CIS
: We agree with the statement made and that is why it would be possible to defeat the UIDAI authentication system using fevicol and wax as demonstrated by security expert, Jude Terence D'Souza.[5] 
 
Finance Committee: "Cards can be issued by agencies that are providing services."
 
CIS: We agree with the statement made and that is why the UIDAI cannot claim the benefits of secure authentication. In other words, agencies providing smart cards will have a more secure authentication based on smart cards and sooner or later citizens will stop using the weaker authentication based on biometrics provided by the UIDAI. 
 
Finance Committee: "UID authentication does not exclude smart cards – service providers can still choose to issue smart cards to their beneficiaries or customers if they want to."

CIS: We agree with this statement but that makes the whole project redundant. If service providers are forced to issue smart cards to their customers, they will have to create separate databases of pins and keys for authentication. The service provider will not be able to authenticate users through the UID system. 
 
We are grateful to have received a response from the Finance Committee and look forward to more correspondence with the Committee. We would also be very grateful if the Committee could give us an opportunity to come to Delhi on our expense and testify before the committee on legal, technology and privacy related aspects of the project.
 
Yours sincerely,
Elonnai Hickok 


[1].http://goo.gl/93sl2

[2].http://goo.gl/ZrEQr,http://goo.gl/jHRvq

[3].http://goo.gl/pW3Wi

[4].http://goo.gl/ZrEQr

[5].http://goo.gl/0z22h