Filed Under: Identification and Authentication, People

The Indian experiment is not for us

Leave a Comment

[Dave Birch] When it comes to online business in general and online finance in particular, the issue of identification and authentication continues to form a barrier to innovation and efficiency. There are different ways to approach this problem, and one of them is to have the government provide identity infrastructure as a public good designed to benefit the whole economy. Some countries do not have national identity schemes that might form a basis for this kind of cross-sector solution. The UK is one of them. What would it be like to develop one? We have a fascinating case study evolving in front of us. India is engaged in a gigantic experiment to create a national identity scheme for more than a billion people, from scratch. It is called the “Aadhaar” scheme and it involves giving a 12-digit individual identification number to citizens. The numbers are issued by the UIDAI (Unique Identification Authority of India) and they are stored against the citizen’s biometrics. The June 2013 edition of Prospect magazine has a piece on this called “Twelve billion fingerprints”, in which a chap in Mumbai puts a plastic copy of his wife’s fingerprint over his own finger and uses it to fool a biometric reader, thus highlighting some worries about the chosen technology architecture. Nevertheless, the article also notes that the potential benefits to the Indian economy are significant, because businesses of all kinds can use the identity infrastructure to greatly reduce costs.

Market regulator Sebi today said investors can use ‘Aadhaar’ cards as a valid address proof for their accounts with brokerage firms, mutual funds, portfolio managers and other capital market entities. [It] is already permitted as a valid identity proof document in the capital market.

[From Aadhaar OK as investor ID proof: Sebi]

Obviously, for this identification scheme to be of most use to business, there must be a way for banks to validate the identification numbers that are presented by customers. This process is going to be automated.

The Unique Identification Authority of India (UIDAI) is creating software that will interface between banks and the Aadhaar portal so that banks can directly access Aadhaar details.

[From ​Banks to get Aadhaar data – The Times of India]

Given the intimate relationship between social and financial inclusion, one of the most important effects of “identity inclusion” is that the financially-excluded are now given an hand on to the first steps of the financial inclusion “ladder”. It is wrong to think of this first step as a bank account as we so often do in Europe. (indeed, the European Commission are proposing to legislate on the right to a bank account even as I write) because for a great many unbanked people, or for that matter, overbanked people, the first step is a simple prepaid transaction account. India is already taking the obvious next step to integrate identity and money infrastructures by providing just such transaction accounts that can be linked with the Aadhaar scheme.

The pre-paid card, the first in the country based on Aadhaar, will be available in the National Capital Region (NCR) and will work like a mobile pre-paid card that can be topped up in the identified banks [SBI, ICICI, Axis, HDFC, Indian Overseas Bank enabling] any resident with an Aadhaar number to walk into the identified 100 outlets by these banks and open a prepaid account with a card.

[From Soon, get prepaid cards for bank account based on Aadhaar number – Economic Times]

Now, there is of course are risks in system that uses a single centralised database in this way. In the fake fingerprint example given above, the risk is that you can pretend to be someone else. But there’s a much bigger risk. Once you can get a fake entry into the database then you are “behind the wire” so to speak, and your fake identity will never be challenged. This has already happened in the Indian system.

Some have managed to beat the so-called unbeatable Unique Identification (UID) system and got fake Aadhaar numbers generated raising security concerns over UPA’s new UID based governance model.

[From UIDAI cancels 3.84 lakh fake Aadhaar numbers – Hindustan Times]

There are a variety of ways to get on to the database fraudulently but one mechanism that seems to have been exploited right from the beginning is the exception handling. Given any system of this scale, the human factor must come in to play. Since it is not possible to register everyone through the normal channel (e.g., disabled people without fingerprints, people in the witness protection programme, spies and so on) there must be exception channels and these become an attack vector.

Delhi government officials have detected a large number of fraudulent enrolments in the first phase of Aadhaar that ended in February after registering 1.3 crore people in the city. Officials in the Unique Identification Authority of India (UIDAI) said on Monday many people got themselves enrolled without providing their biometric identification. The “biometric exception” clause is essentially meant for rarest-of-the-rare cases, say, for people with high degree of physical disabilities, they said.

[From Fake enrolments in Aadhaar Phase-I spark security fear]

This sort of thing is inevitable in such a scheme. But there’s another problem with centralisation: it creates a “honeypot” for personal data. And, again, the theft of this data is hardly a hypothetical.

Biometric information from over 14 lakh people has gone missing. This could lead to vital data falling into criminal hands.

[From Biometric information of 14 lakh Aadhar applicants goes missing : Postnoon]

It’s not for me to say whether the benefits of the Aadhar outweigh the risks, since I genuinely do not know. But what I would day is that this architecture is not right for the UK or the USA. The better architecture is to have very strong authentication against a revocable token (e.g., a smartphone) and use different biometrics in the central database purely for the purposes of eliminating duplicates. The central database is there to ensure unique identities, but the transactional authentication is against the token. Without going into all of the reasons why (OK, here’s one: undercover police officers must be able to have two tokens, one for their police identity and one for their undercover identity), the more decentralised option provides simultaneously more security and more privacy. When the UK comes (as it inevitably will) to require some kind of “entitlement card”, then I hope that it chooses that option.

These are personal opinions and should not be misunderstood as representing the opinions of 
Consult Hyperion or any of its clients or suppliers

Please follow and like us:

6 thoughts on “The Indian experiment is not for us”

  1. bcsl@blueyonder.co.uk' David Moss says:

    Forget biometrics
    The better architecture is to have very strong authentication against a revocable token (e.g., a smartphone) and use different biometrics in the central database purely for the purposes of eliminating duplicates. The central database is there to ensure unique identities, but the transactional authentication is against the token.

    Quite agree with you about the need for tokens.

    Usual questions about the rôle of biometrics.

    Professor John Daugman raised the question years ago about drowning in a sea of false positives.

    In a population of 1.2 billion there are 719,999,999,400,000,000 unique combinations of two sets of biometrics.

    Suppose, says the professor, that the equipment you use and all the other parts of the system were so fantastically accurate that they threw up only one false positive in a million. In the case of Aadhaar, that would mean 719,999,999,400 false positives/duplicates, all of which have to be resolved before you can prove uniqueness.

    These cases can’t be resolved by computer. It’s the computer that identified them. They need human investigation.

    Since it is impractical to complete 720 billion investigations, i.e. you can’t de-duplicate the database, you can forget using biometrics to establish uniqueness.

    Forget it.

    Add in the Wayman, Possolo and Mansfield paper proving that biometrics as a discipline is statistically out of control – i.e. not a scientific discipline at all – and you find a large hole at the centre of Aadhaar.

    Good enough for India but not good enough for the UK?

    No.

    Not good enough for India either.

    References to Daugman and the others available here.

  2. info@chyp.com' Consult Hyperion says:

    “Why do you even entertain UIDAI’s claims?”

    An interesting debate. Could you be a little more specific about which of the UIDAI’s claims that I have “entertained” David? The blog post makes no reference to any of their claims about false positive or false negatives as far as I can see.

  3. bcsl@blueyonder.co.uk' David Moss says:

    Could you be a little more specific about which of the UIDAI’s claims that I have “entertained” David?

    Of course.

    I was quite specific at the opening of my 16 June comment. Just to remind you:

    The better architecture is to have very strong authentication against a revocable token (e.g., a smartphone) and use different biometrics in the central database purely for the purposes of eliminating duplicates. The central database is there to ensure unique identities, but the transactional authentication is against the token.

    Like the UIDAI, you entertain the notion that biometrics can be used to prove the uniqueness of records on the population register.

    That has implications for FNIR and FPIR whether or not you make them explicit.

  4. info@chyp.com' Consult Hyperion says:

    I see what you mean David. Yes, I do indeed entertain the notion that biometrics can be used to prove the uniqueness of records. A combination of DNA plus one of iris or something similar should do it.

  5. bcsl@blueyonder.co.uk' David Moss says:

    A combination of DNA plus one of iris or something similar should do it.

    Typically fascinating.

    UIDAI have already got iris scans and yet there are doubts about the incidence of false positives. So all eyes on the DNA.

    Problem there is time.

    DNA matches typically take days to perform and you can’t have the whole population hanging around for days while they wait to be registered.

    Lockheed Martin are working on a faster matching process, IntrepID (see what they did there?):

    For human identification, IntrepID S2A-90™ analyzes only the segments of DNA required for identification purposes. The resulting profile, produced in less than an hour and a half, may be matched against other profiles for the purpose of identifying individuals or determining familial relationships among individuals.

    Still rather a long time to wait. And, of course, we need to see the results of trials before agreeing that IntrepID works. If we first agree that trials demonstrate anything …

    For the moment, I put it to you that we can’t rely on mass consumer biometrics for deduping/uniqueness proofs, nor for transaction verification and so any system the world comes up with e.g. for payments is going to have to work without biometrics. I.e. for the moment, forget biometrics.

  6. bcsl@blueyonder.co.uk' David Moss says:

    Undignified biometrics
    According to UIDAI’s report on identification (p.4), on 31 December 2011 when there were 84 million sets of biometrics on the population register, the FPIR was 0.057%, the FNIR was 0.035%.

    FNIR is the false negative identification rate and FPIR is the false positive identification rate.

    In a security-critical system, or a safety-critical system, you want FNIR to be as close to zero as possible. You want as few impostors as possible. Preferably, no false identities. None. Zero.

    How do you measure FNIR?

    In the field, you can’t.

    Impostors don’t come back after registration and tell you, “ha ha, fooled you”, just to keep the statistics up to date.

    What you do is you use a conventional test to come up with a figure for FNIR, as UIDAI tell us on p.18:

    To compute FNIR, 31,399 known duplicates were used as probe against gallery of 8.4 crore (84M). The biometric system correctly caught 31,388 duplicates (in other words, it did not catch 11 duplicates). The computed FNIR rate is 0.0352%.

    • Why 31,399?
    • What is the FNIR now that the population register has something like 275 million people on it?
    • Messrs Wayman, Possolo and Mansfield tell us that you can do as many tests like this as you like, they won’t tell you how the biometric system performs in the field – biometrics is out of statistical control.
    • All you can say is that when you did that test, that was the result …

    … which is the best the US National Institute of Standards and Technology can manage by way of disbursing their duties under the USA PATRIOT Act – they are bound to certify all biometrics systems before they are deployed for national security. NIST can’t say “yup, that’ll work”.

    They’re truth-telling scientists. All they can say is “that was the number that popped out of conventionally thin air”.

    Your confidence in UIDAI’s FNIR convention may now be a little dented.

    How about FPIR? How many false positives are there in Aadhaar? That’s easy to count. But UIDAI don’t tell us how many false positives have been experienced – which would be convincing. Instead, they do another test (p.18 again):

    An FPIR of 0.057% was measured when the gallery size was 8.4 crore (84 million) and probe size was 40 lakhs (4 million). The false rejects (legitimate residents who are falsely rejected by the biometric system) were a count of 2309 out of the 40 lakh probes.

    (1) Remember, lab tests tell you nothing about field performance. (2) Remember, UIDAI could simply have told us how many false positives there have been, why didn’t they. (3) Remember, they haven’t updated the FPIR figure now that the population register is three times the size.

    There’s a fourth point to consider.

    Alan Gelb and Julia Clark of the Center for Global Development have high hopes of Aadhaar. They expect it to increase “social inclusion” in India. They even think it might help the US. En passant, while making their case, they tell us that:

    UIDAI plans to contain the numbers by eliminating some sources of error unearthed by the initial study, and also by relaxing the [FNIR] if needed to further reduce the [FPIR].

    In other words, UIDAI have got their butcher’s thumb on the scales. They can make the FPIR any figure they like. It’s discretionary. It’s not a scientific measurement, it’s a management decision.

    The FNIR isn’t 0.0352%. They have to relax it, they have to let it go up, in order to keep the FPIR down at 0.057%.

    If they didn’t, the FPIR would go through the roof and they’d drown in a sea of false positives. The only way they can avoid that is to let the FNIR rise.

    To what? God knows. Through the roof? Probably. The population register must be stuffed full of false identities. Never mind. Anything to keep the false positives down and to get some use out of Aadhaar, …

    … which, don’t forget, no-one has yet. UIDAI’s success to date, such as it is, is to have got nearly 300 million records onto their database. No Indian government welfare programs depend on Aadhaar yet. Nor do any private sector systems, such as banking. It’s all jam tomorrow.

    You and Mr McEvoy are super-bright and Consult Hyperion is super-successful. “You didn’t get where you are today” by accepting sales pitches at face value. You wouldn’t put up with any nonsense about relaxing the FNIR from your own staff. Why do you even entertain UIDAI’s claims? Or any other advocate of today’s flaky mass consumer biometrics?

    It’s undignified in a man of your calibre, Dave. Downright undignified.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.