Sunday, August 01, 2010

UIDAI Scheme - Or - Compromising my privacy?

What we know / heard from a few sources?

Basic Information:
The UID itself will collect only standard attributes such as name, date of birth, gender, father/mother/spouse/guardians name, address and a photograph. The only unique information is the biometrics (10 fingerprints and both IRIS scans).

Who / Why / Usage
The UID will be given to all residents who are in India and avail services and not just citizens.

The information in the database will be used only for authentication purposes and will not be shared or transmitted. Anyone seeking to authenticate the identity of another person using the UID database – will only get a response in YES or NO.

About working / operations:
The UIDAI is working on a partnership model with a variety of agencies and service providers ( both government and private sector) to enroll residents for UID Numbers and verify their identity. For e.g. Insurance companies, LPG marketing companies, RSBY, MG-NREGA etc. The UIDAI will also engage with Outreach Groups (essentially CSOs) to target, the homeless, urban poor, tribals, differently-abled population of the country etc.

About security:
The UID database will be guarded both physically and electronically by a few select individuals with high clearance. It will not be available even for many members of the UID staff and will be secured through encryption, and in a highly secure data vault.

Is your security up to the mark ? What is that secure data vault thing? Please don't use such terms, a layman maybe fooled into thinking "ultra secure" when in reality, you're storing it in the most haphazard manner.


Why do they (government) want a person's mother's name, father's name, and their respective UID numbers ?



Check this out ... the picture shows what info they are going to collect for the card. Add the present/permanent address thing to this mix, you can have one of our residing addresses, you are the government, you either choose permanent or present address, because parting with "everything" or too much of my private information to you - from me, a hacker's perspective... looks like asking to be stabbed !

All I'm saying is ... basically, devil knows who's got access to this DB once it is implemented. That's not all, they do say there may be an option for a person to escape their identity theft mechanisms and create a completely false identity and obtain a UID, d'uh !

Murphy's law folks, if you missed it ... "If anything can go wrong, it will"

Security Model for UIDAI Scheme



Always be prepared for the worst case scenarios, stop deducing cyber crime with just audit trails for a change.

Offences under UIDAI Act - Check out the screenshot



Addition about the IT Act 2000, and consequences if you compromise their DB,"All offences under the Information Technology Act shall be deemed to be offences under the UIDAI if directed against the UIDAI or its database."

Small FAQ I built for the readers,

Q. How will they (government) manage and secure 1.20 billion people's information ?
A. They wish to encrypt information and store it in a centralized DB...

Q. What security design will be implemented for Server and the Network/Client?
A. We have Firewall, IDS, IPS - alphabet soup basically, and Encryption with PKI.

Oh, my! the traditional defense-in-depth approach - Lauds the government. What about being proactive and conducting tests regularly? (Pen test, code review, DB security, red teaming, and compliance for the supporting infrastructure)

Q. Will my information be secure in the database?
A. Well, it depends... lol !
"The UID database will be susceptible to attacks and leaks at various levels. The UIDAI must have enough teeth to be able to address and deal with these issues effectively."

Q. What will the basic information and biometrics be integrated with?
A. Banks, Ration shop, Income Tax Dept, Passports, Credit Card/Debit Card, Online accounts. Precisely, enough sensitive data will be integrated with so-cal best practices to leave you stabbed from a lot of angles.

People who define security should not use the abbreviation for et-cetera (etc). Define and then write a document, because you are dealing with national security and a billion plus populous here. Don't be so naive and clueless by mentioning stuff like "Network, Client Security – Encryption, PKI etc"

From the looks of it, The way in which the government is dealing with our information is haphazard, to say the least.

Cheers,
Kish