CIS Comments on Finance Committee Statements to Open Letters on Unique Identity
Dear Members of the Finance Committee,
Since January 2011, we have sent six open letters on the Unique Identity (UID) project to the Members of the Finance Committee. The Committee has responded through an email dated 12 October 2011. This letter is in reply to the points that were raised.
Finance Committee: "Comparisons between SCOSTA and the UID project are not valid since SCOSTA is fundamentally a standard for smart card based authentication and does not work for the objectives of the UID project."
CIS: We disagree with this statement. The UID Bill states that the aim of the project is to provide identification and authentication services. Biometric technology may be useful for identification. The seventh open letter [1] that we sent to the Committee last week uses basic statistical analysis to demonstrate that the FPIR (false positive identification rate) has to be 10^-6, a thousand-fold more stringent than the level currently mandated by UIDAI procurement policy, in order to achieve the project goal of building a national database of unique IDs. SCOSTA-based smart card technology is more appropriate for the authentication of individuals because:[2]
- Authentication will be based on an asymmetric key pair held on the card, optionally combined with a passphrase or PIN. With the keys certified by an issuing authority this is a public key infrastructure (PKI), and it allows a person to protect their authentication factor and easily replace it if it is compromised.
- Authentication through public key infrastructure does not depend on connectivity to a centralized network. This will allow for inclusion of unconnected populations.
- Authentication through public key infrastructure establishes mutual trust between citizen and state. Instead of only the citizen being made transparent to the state – the state is also made transparent to the citizens. This will lower the presence of fraudulent institutions and corrupt transactions.
- A connection to a centralized server is not required merely to authenticate an individual in a transaction. This will lower the cost of transactions and lower the IT overhead costs.
- The technology fails and does not perform the authentication at all, for instance because of lack of connectivity, lack of electricity, or non-laboratory conditions for the biometric sensors.
- The authority fails and delivers a false positive or false negative.
- The local agency fails to deliver the service after authentication.
- The biometric fails due to biological changes, and thus the individual is denied benefits.
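The offline, mutually authenticated smart-card transaction that the SCOSTA points above describe (asymmetric keys, no server round-trip, the state proving itself to the citizen, and a compromised key being replaceable) can be modelled in a few dozen lines. The following is an added example written for this letter, not SCOSTA's command set or any UIDAI or CIS code: the issuer, the credential format, the subject names, the "card"/"terminal" role tags, the nonce size and the transaction context string are all assumptions, and the PIN that would unlock the card's private key is left out. Ed25519 from Go's standard library stands in for whatever signature scheme a real card would use.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Credential binds a subject name to a public key under the issuing authority's signature.
// (Assumed format; a real deployment would use X.509 or a card-specific certificate.)
type Credential struct {
	Subject string
	Pub     ed25519.PublicKey
	Sig     []byte // issuer's signature over credBytes(Subject, Pub)
}

// Issuer is the authority whose public key every card and terminal trusts (the root of trust).
type Issuer struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewIssuer() *Issuer {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Issuer{Pub: pub, priv: priv}
}

func credBytes(subject string, pub ed25519.PublicKey) []byte {
	return append([]byte(subject+"\x00"), pub...)
}

func (i *Issuer) Issue(subject string, pub ed25519.PublicKey) Credential {
	return Credential{Subject: subject, Pub: pub, Sig: ed25519.Sign(i.priv, credBytes(subject, pub))}
}

// Party is a citizen's card or a service terminal. To verify its counterpart it needs only the
// issuer's public key and a locally held revocation list; no connection to a central server.
type Party struct {
	Cred      Credential
	priv      ed25519.PrivateKey // never leaves the party; on a card it would be PIN-protected
	issuerPub ed25519.PublicKey
	revoked   map[string]bool // keyed by raw public-key bytes
}

func NewParty(iss *Issuer, subject string) *Party {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Party{Cred: iss.Issue(subject, pub), priv: priv, issuerPub: iss.Pub, revoked: map[string]bool{}}
}

// Revoke marks a peer key as compromised; the subject keeps its identity and gets a fresh credential.
func (p *Party) Revoke(pub ed25519.PublicKey) { p.revoked[string(pub)] = true }

// transcript is what each side signs: its own role (so a signature cannot be reflected back to
// the party that made it), the peer's fresh nonce, and the transaction context it is approving.
func transcript(role string, nonce []byte, context string) []byte {
	return bytes.Join([][]byte{[]byte(role), nonce, []byte(context)}, []byte{0})
}

func newNonce() []byte {
	n := make([]byte, 16)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	return n
}

func (p *Party) prove(role string, nonce []byte, context string) []byte {
	return ed25519.Sign(p.priv, transcript(role, nonce, context))
}

// verify checks, fully offline: issuer signature on the credential, revocation status, challenge response.
func (p *Party) verify(peer Credential, peerRole string, nonce []byte, context string, sig []byte) error {
	if !ed25519.Verify(p.issuerPub, credBytes(peer.Subject, peer.Pub), peer.Sig) {
		return fmt.Errorf("%s credential not signed by the issuer", peerRole)
	}
	if p.revoked[string(peer.Pub)] {
		return fmt.Errorf("%s credential revoked", peerRole)
	}
	if !ed25519.Verify(peer.Pub, transcript(peerRole, nonce, context), sig) {
		return fmt.Errorf("%s failed the challenge", peerRole)
	}
	return nil
}

// MutualAuth runs the exchange and returns nil only if each side accepts the other.
func MutualAuth(card, terminal *Party, context string) error {
	nT := newNonce()                       // 1. terminal -> card: terminal credential + nonce nT
	nC := newNonce()                       // 2. card -> terminal: card credential + nonce nC + proof
	cardSig := card.prove("card", nT, context)
	if err := terminal.verify(card.Cred, "card", nT, context, cardSig); err != nil {
		return err
	}
	termSig := terminal.prove("terminal", nC, context) // 3. terminal -> card: proof for nC
	return card.verify(terminal.Cred, "terminal", nC, context, termSig)
}

func main() {
	iss := NewIssuer()
	card := NewParty(iss, "resident:0001")
	term := NewParty(iss, "terminal:PDS-17")
	fmt.Println("genuine card and terminal:", MutualAuth(card, term, "ration:2011-10"))
	fmt.Println("terminal from another issuer:", MutualAuth(card, NewParty(NewIssuer(), "terminal:fake"), "ration:2011-10"))
	term.Revoke(card.Cred.Pub)
	fmt.Println("revoked card:", MutualAuth(card, term, "ration:2011-10"))
	fmt.Println("reissued card, same resident:", MutualAuth(NewParty(iss, "resident:0001"), term, "ration:2011-10"))
}
```

The terminal accepts a card by checking the issuer's signature on the card credential and the card's answer to a fresh nonce, and the card does the same to the terminal, so a rogue terminal whose credential was not issued by the authority is rejected just as a forged card would be; a compromised card key is handled by a revocation entry plus a newly issued credential for the same resident, nothing the biometric model can offer.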
CIS: We disagree with this statement. Biometrics cannot eliminate fakes, duplicates and ghost identities. The deduplication algorithm only checks for uniqueness of biometric information. This can easily be defeated by a.) presenting a combination of two persons' biometrics, b.) presenting the biometrics of foreign nationals collected remotely over the Internet, and c.) modifying biometric information using software tools such as image editors. This is not a remote technological possibility, since many registrars such as banks have financial incentives for creating ghost identities for benami bank accounts. The deduplication algorithm and technology is completely black-box and has not been subject to any independent audit. Ideally, research organisations like CIS should be provided legal immunity so that we can conduct independent audits of the deduplication technology and provide evidence for policy-makers. Since the deduplication technology has such a direct impact on the quality of citizenship, we recommend that the Finance Committee include proper independent audit provisions in the draft bill.
CIS: We disagree with this statement. As our first open letter[4] to the Finance Committee notes, biometrics are not appropriate authentication factors. In our opinion the dependency of biometrics on connectivity, deduplication, and centralized storage makes them more expensive than smart cards. The onus is upon the UIDAI to demonstrate that biometrics are cheaper than existing systems such as the magnetic cards used by credit card and debit card companies. If biometrics were truly the better option technologically and economically, surely banks, driven by such considerations, would have adopted them many years ago.
CIS: We agree with the statement made, and that is why it would be possible to defeat the UIDAI authentication system using Fevicol and wax, as demonstrated by the security expert Jude Terence D'Souza.[5]
CIS: We agree with this statement, but that makes the whole project redundant. If service providers are forced to issue smart cards to their customers, they will have to create separate databases of PINs and keys for authentication. The service provider will not be able to authenticate users through the UID system.