[Dave Birch] When it comes to online business in general and online finance in particular, the issue of identification and authentication continues to form a barrier to innovation and efficiency. There are different ways to approach this problem, and one of them is to have the government provide identity infrastructure as a public good designed to benefit the whole economy. Some countries do not have national identity schemes that might form a basis for this kind of cross-sector solution. The UK is one of them. What would it be like to develop one? We have a fascinating case study evolving in front of us. India is engaged in a gigantic experiment to create a national identity scheme for more than a billion people, from scratch. It is called the “Aadhaar” scheme and it involves giving a 12-digit individual identification number to citizens. The numbers are issued by the UIDAI (Unique Identification Authority of India) and they are stored against the citizen’s biometrics. The June 2013 edition of Prospect magazine has a piece on this called “Twelve billion fingerprints”, in which a chap in Mumbai puts a plastic copy of his wife’s fingerprint over his own finger and uses it to fool a biometric reader, thus highlighting some worries about the chosen technology architecture. Nevertheless, the article also notes that the potential benefits to the Indian economy are significant, because businesses of all kinds can use the identity infrastructure to greatly reduce costs.
Market regulator Sebi today said investors can use ‘Aadhaar’ cards as a valid address proof for their accounts with brokerage firms, mutual funds, portfolio managers and other capital market entities. [It] is already permitted as a valid identity proof document in the capital market.
Obviously, for this identification scheme to be of most use to business, there must be a way for banks to validate the identification numbers that are presented by customers. This process is going to be automated.
The Unique Identification Authority of India (UIDAI) is creating software that will interface between banks and the Aadhaar portal so that banks can directly access Aadhaar details.
Given the intimate relationship between social and financial inclusion, one of the most important effects of “identity inclusion” is that the financially-excluded are now given a hand on to the first steps of the financial inclusion “ladder”. It is wrong to think of this first step as a bank account, as we so often do in Europe (indeed, the European Commission are proposing to legislate on the right to a bank account even as I write), because for a great many unbanked people, or for that matter, overbanked people, the first step is a simple prepaid transaction account. India is already taking the obvious next step to integrate identity and money infrastructures by providing just such transaction accounts that can be linked with the Aadhaar scheme.
The pre-paid card, the first in the country based on Aadhaar, will be available in the National Capital Region (NCR) and will work like a mobile pre-paid card that can be topped up in the identified banks [SBI, ICICI, Axis, HDFC, Indian Overseas Bank enabling] any resident with an Aadhaar number to walk into the identified 100 outlets by these banks and open a prepaid account with a card.
Now, there are of course risks in a system that uses a single centralised database in this way. In the fake fingerprint example given above, the risk is that you can pretend to be someone else. But there’s a much bigger risk. Once you can get a fake entry into the database then you are “behind the wire” so to speak, and your fake identity will never be challenged. This has already happened in the Indian system.
Some have managed to beat the so-called unbeatable Unique Identification (UID) system and got fake Aadhaar numbers generated raising security concerns over UPA’s new UID based governance model.
There are a variety of ways to get on to the database fraudulently but one mechanism that seems to have been exploited right from the beginning is the exception handling. Given any system of this scale, the human factor must come into play. Since it is not possible to register everyone through the normal channel (e.g., disabled people without fingerprints, people in the witness protection programme, spies and so on) there must be exception channels and these become an attack vector.
Delhi government officials have detected a large number of fraudulent enrolments in the first phase of Aadhaar that ended in February after registering 1.3 crore people in the city. Officials in the Unique Identification Authority of India (UIDAI) said on Monday many people got themselves enrolled without providing their biometric identification. The “biometric exception” clause is essentially meant for rarest-of-the-rare cases, say, for people with high degree of physical disabilities, they said.
This sort of thing is inevitable in such a scheme. But there’s another problem with centralisation: it creates a “honeypot” for personal data. And, again, the theft of this data is hardly a hypothetical.
Biometric information from over 14 lakh people has gone missing. This could lead to vital data falling into criminal hands.
It’s not for me to say whether the benefits of Aadhaar outweigh the risks, since I genuinely do not know. But what I would say is that this architecture is not right for the UK or the USA. The better architecture is to have very strong authentication against a revocable token (e.g., a smartphone) and use different biometrics in the central database purely for the purposes of eliminating duplicates. The central database is there to ensure unique identities, but the transactional authentication is against the token. Without going into all of the reasons why (OK, here’s one: undercover police officers must be able to have two tokens, one for their police identity and one for their undercover identity), the more decentralised option provides simultaneously more security and more privacy. When the UK comes (as it inevitably will) to require some kind of “entitlement card”, then I hope that it chooses that option.
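The split described above, as an added example that is not part of the original post: a hypothetical `Registry` consults the biometric only at enrolment, to reject duplicates, while every transaction is a challenge-response against a revocable token key. The class and function names, the SHA-256 digest standing in for fuzzy biometric matching, and the shared-key HMAC scheme are all assumptions made for illustration.

```python
import hashlib, hmac, secrets

class Registry:
    """Hypothetical central registry: biometrics are used only to reject duplicates."""
    def __init__(self):
        self._people = {}      # biometric digest -> person id (de-duplication index)
        self._tokens = {}      # token id -> {"key": bytes, "revoked": bool}
        self._pending = set()  # challenges issued and not yet used

    def enrol(self, template: bytes) -> str:
        # Assumption: an exact digest stands in for a fuzzy 1:N biometric match.
        digest = hashlib.sha256(template).hexdigest()
        if digest in self._people:
            raise ValueError("duplicate enrolment")
        self._people[digest] = secrets.token_hex(8)
        return self._people[digest]

    def issue_token(self, person_id: str):
        if person_id not in self._people.values():
            raise KeyError("unknown person")
        token_id, key = secrets.token_hex(8), secrets.token_bytes(32)
        self._tokens[token_id] = {"key": key, "revoked": False}
        return token_id, key  # the key is provisioned into the device

    def revoke(self, token_id: str) -> None:
        self._tokens[token_id]["revoked"] = True

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def verify(self, token_id: str, nonce: bytes, response: bytes) -> bool:
        if nonce not in self._pending:
            return False  # unknown or replayed challenge
        self._pending.discard(nonce)
        rec = self._tokens.get(token_id)
        if rec is None or rec["revoked"]:
            return False
        expected = hmac.new(rec["key"], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def respond(key: bytes, nonce: bytes) -> bytes:
    """Runs on the token (e.g. the smartphone); no biometric leaves the device."""
    return hmac.new(key, nonce, hashlib.sha256).digest()
```

Revoking a lost token invalidates only that key; the enrolment record is untouched and a second token issued to the same person keeps working, which is the property a stolen fingerprint cannot offer.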
These are personal opinions and should not be misunderstood as representing the opinions of Consult Hyperion or any of its clients or suppliers.