Wednesday, February 23, 2011

Queries addressed


1.       Group 1 – E-governance
a.       How is an IT initiative like UID different from an IT initiative taken up by a business? What is the metric of success?
·   An IT initiative like UID is more about serving the larger interest, i.e. that of the common people, each and every resident of India. It is unlike the IT initiatives of a business, where the bottom line is always profit and so cost saving and revenue generation are of foremost importance.
·   The success metric of the UID project can be said to be that the different welfare measures provided by the Indian Govt. will reach a larger number of people and will not miss out on the deserving ones. A further metric is feedback from Indian citizens that UID has really helped them save a lot of the time and money spent on securing various identification documents and has made their lives easier.

b.      What if one lost his/her UID card? How tedious would it be to apply again & in how many days one would get the card?
·   UID, by default, is not a card. It’s just a number. The provision of the card is left to the discretion of the state. In case the card is lost, there are minimal chances of misuse since the authentication is biometric.
·   Since the application process will be subject to the mechanism chosen by the state, it is not possible to speculate on the time for re-issue of the card. The UID number remains the same and the data is already in the server, so the physical card reissue may not take a significant amount of time.

c.       In such a vast population, how to track the identity of a person, because in the existing system the individual can have more than one driving license. How UID would monitor this?
·   In case of UID, during the registration itself, the biometric scans will be compared to ALL OTHER scans already stored in the server for duplicates, thus removing the chances of redundancy/fraud before issue of UID.

2.       Group 3 – Web 2.0
a.       What are the systems in place to check the credibility of given data & how will you register people who have no proof / documents?
·   People with existing documents shall be authenticated on the basis of government-approved proof of identity/address.
·   Those who do not have any such documents shall have to be authenticated by an “introducer”. These introducers shall be appointed by the government and shall be authorized to authenticate people for the UID registration.



3.       Group 4 – SOA
a.       Citizens have various numbers like PAN number, Passport, etc. So why do you want to do extensive research to give another number? Instead generate these numbers & make them umbrella for all the existing numbers
·   The above mentioned numbers are not exhaustive of the total population set of India. There is a large number of people who do not possess any form of identification. Thus the need for UID is justified.
·   The future scope of UID includes integration of all such cards, bank accounts, properties owned, etc. making UID a unified resource for various purposes.

4.       Group 5 – digital convergence
a.       The basic data has to be collected by government officials. Based on that data UID will work. How does UID ensure that the entry level data is not incorrect? Also, presently, teachers in schools are the surveyors. They are under – compensated. There is even difficulty in getting information from the respondents. How to tackle this issue?
·   The UID handbook has anticipated this issue and we quote this extract
“Since the CIDR will store the biometric of residents, identity fraud will be easier to control. The only form of fraud that may go undetected in the UID system is if a person registers his/her details and biometrics under an entirely different name, with forged supporting documents. However, the person will have to exist under this name across systems, in the lifetime of his/her interaction with the government, private agencies and service providers. Such instances are therefore, likely to be rare.”
·         The UID system does not identify any “surveyors”. The job of registrars has been given to government officials who are already trusted with similar work for existing cards.
·         Getting information from the respondents will not be an issue, as UIDAI has released clear guidelines about what documents are required and how the biometrics will be recorded. The process of registration is voluntary, not mandatory. But access to essential services like cylinders will be available only to those who possess a UID number, and thus the government believes the UID number will become universal in 6-8 years.
·         Hope we have addressed your question correctly

5.       Group 6 – cloud computing
a.       What is the sustainability level of this model? Do we have the necessary infrastructure to track the new borns & deaths of existing UID holders? How feasible is it for an NRI to apply for this? The database is going to contain billions of data. How have you secured such huge levels of data?
·    The model is one of a kind and is the first at such a huge scale, but sustainability surely won’t be an issue given proper support from the citizens of India, the registering agencies, NGOs, Govt., etc., if they all work together towards making it a success and carrying it forward.
·   Approximately 60,000 babies are born in the country every day. The UID number will be issued by inserting it into the birth certificate of the infant. The same institutions that record births can be in charge of updating deaths in the UID system. The UID system will not remove a record upon the person's death; it will simply mark it as 'deceased' and hence will render it inactive for the purposes of authentication.
·   UID is targeted only to residents of India, both Indian citizens and foreign nationals residing in India.
·   The question of security has been addressed in the blog in detail.

6.       Group 7 – RFID & its business impact
a.       Do you think this project is viable when 80% of Indian population lives in rural areas & do not use electronic media on a regular basis? Moreover, even the banks & other government facilities do not have connectivity to the central office. Many do not even have electricity supply.
·   This exercise is to get the entire population of India documented. The problem of technology reach in rural areas is going to be a challenge, but once implemented, the benefits shall lead to development.
·   In cases where connectivity is the problem, the residents will have to be diverted to the nearest centre equipped with enrolment facilities. Once UID is implemented, the need for connectivity will be created, hence leading to development. The 12th 5 year plan already has envisaged a pan-India gigabyte backbone to connect all the government establishments including those in rural areas. The plan is already in execution and it is hoped that this will eliminate the problem of connectivity for UID.

b.      What about people immigrating to and from the country? Who is responsible for data update?
·   As long as a person is an Indian citizen he can always get registered.
·   The registering agencies will update the data but the citizens must take the initiative to ensure that it is being done. The records will be updated every 5 years for children and 10 years for adults.

7.       Group 8 - Mobile & wireless – emerging business models
a.       How credible is the project? How secure will the data be?
·   The project once implemented in its entirety will really be of huge help to all the Citizens, Govt., and Organizations alike, by integration of various services.
·   Every care is being taken to ensure the security of the data and no information will be released. The server will only send a yes or no as authentication response to the data sent.
b.      Is it worth spending crores of rupees?
·   The project was first proposed in 2007 and, after a lot of deliberation, it was approved with a large budget. The government must have concluded that the advantages far outweigh the liabilities before giving the go-ahead. We believe their analysis is reliable enough to agree it is “worth it”.

8.       Group 9 - Google & future directions of IT
a.       India is a big country and there is a lot of movement of people among various states. How does government propose to handle this complication?
·   The UID number once allotted will remain unchanged irrespective of the person’s movement across various states. In case of permanent address change, the citizen has to get his demographic details updated at the registrars so that the database is updated in the CIDR.

b.      If the entire project is voluntary, people, especially the poor ones won’t be willing to go & get registered (as you said), so the entire purpose of inclusiveness is missed. What is the long term implication of a voluntary model?
·   Applications for UID numbers would be voluntary. While the UID team keeps stressing that the UID is voluntary, the fact of the matter is that, in time, it will become mandatory, as most service providers will require a person to have a UID to access services, moving towards 100% enrolment.
·   In the long term, UID will become a unified resource, approved by all agencies for proof/authentication purposes. It may also be linked to your bank accounts, driver's license, etc., providing seamless integration.

9.       Group 10 – Open source movement
a.       What difference is UID going to make in a farmer’s life in rural India? How different it is from a ration card or voter’s ID? What is done to educate them of its services?
·   UID will serve as a single identification for all farmers and will save them a lot of time and cost in procuring, using and carrying multiple identity proofs for availing varied services.
·   Ration card, voter’s ID, etc. do not give a single identification proof, and each of them is required together or separately at different times, making the whole process cumbersome and costly, while UID can be used universally and will be a single source of identification by itself.
·   The government has actually started enrolments with the rural people. The idea is that once some people start receiving benefits, others will follow suit and register themselves. The acceptance level will increase with time.

10.   Group 11 - e-learning group
a.       When one’s UID is known, to what extent can his data be scrutinised? In other words, how secure/ private is a citizen’s personal data when the system is introduced?
·   The UID number in itself is insufficient to extract any information or avail any service. The UID can be used to avail a service only if the biometric authentication is provided. Under no circumstances will the biometric information be disclosed.

11.   Group 12
a.       Since majority of the population is in the agricultural sector and what measures have been taken for improvement of finger scan?
·   This is one of the drawbacks of UID that really needs to be addressed since finger prints change with hard labor and as farmers mostly use their hand for all their work, there is high probability of wearing out of finger prints over time. So the biometric information will no longer be valid. A regular update of even the biometric information is thus the only possible solution.

b.      How is SSN (social security number) different from UID?
SSN
·         In the United States, a Social Security number (SSN) is a nine-digit number issued to U.S. citizens, permanent residents, and temporary (working) residents. The number is issued to an individual by the Social Security Administration, an independent agency of the United States government. The purpose of this number was to track individuals' financial accounts within the Social Security program.
UID
·   The Unique Identification Authority of India (UIDAI), is an agency of the Government of India. The authority will aim at providing a unique number to all Indians, but not smart cards. The authority would provide a database of residents containing very simple data in biometrics.

12.   Group 13 – green IT
a.       Implementation of UID project may lead to ‘No Privacy’ at all for individuals. Also middlemen or intermediaries can create ‘Non existing profiles’ or even frauds to claim any incentives. What about utmost poor who cant be reached? How is UID tackling these cases?
·   Privacy issue has been addressed.
·   The “middlemen” are existing government employees who are trusted with most of the government’s administrative work, and the enrolment will be supervised by specially appointed registrars. A person can have only a single identity registered with his biometrics, and thus if he chooses to register with a wrong name, he has to live with that identity for the rest of his life. However, keeping in mind the recent scams by people in high positions, the possibility of fraud cannot be entirely overlooked.
·   The “utmost poor” will have to register out of compulsion created by the fact that they will not be able to get food from ration shop, or jobs via NREGA. The enrolment is free, discounting the opportunity cost of the time and travel incurred in registration.

13.   Group 14 – FINO
a.       The CIDR ensures de-duplication. But is there any system/authentication that bars a person from entering his data more than one time? What is the technology used in CIDR?
·   To avoid duplication of numbers, registrars will send the applicants’ data to the Central Identities Data Repository (CIDR) for de-duplication. The CIDR will perform a search on biometrics for each new enrolment. If the biometric details of a newly enrolled resident already exist in the database, the applicant’s request for enrolment will be rejected, and the registrar will be informed that the said resident has already been allotted a unique identity number.

b.      Every project has two sides – positive & negative. What are the negatives in this project?
·   When the Unique Identification Authority of India [UIDAI] was constituted in January 2009 under the leadership of Nandan Nilekani, it was hailed by one and all. Praises were written in newspapers, periodicals and journals. The whole media termed it path-breaking. But a little over a year down the line, the rumblings have started against the UID from different quarters. Questions are being asked about the utility, or rather the futility, of the whole exercise. An average Indian already grapples with multiple IDs, be it in the form of Passport, Election card, driving license, Ration card, PAN card and what not. UID may replace some of these but not all. Skeptics are questioning the sanctity of UID in a country where almost every ID can be procured easily by anybody, anywhere. All you need is just about 500/- rupees and you can get a ration card, an election card or a driving license even if you hail from Bangladesh or Turkey.

There are lakhs of unscrupulous businessmen who possess more than 2 to 3 PAN cards or even Passports, in effect having more than one identity. What is the guarantee that UID will not meet the same fate and that we will not have people with 2-3 ‘Unique’ identities? The incorporation of biometrics may be a solution, but what about the clerk who would happily copy your fingerprints or replace them with somebody else’s for a few hundred bucks?
UID might also be a threat to our internal security system, as in the absence of a foolproof system it might increase the cases of infiltration from Bangladesh and Pakistan, and even by terrorists.



Tuesday, February 15, 2011

Project Risk

The UID project does face certain risks in its implementation, which have to be addressed through its architecture and the design of its incentives. Some of these risks include:

1) Adoption risks:
There will have to be sufficient, early demand from residents for the UID number. Without critical mass among key demographic groups (the rural and the poor) the number will not be successful in the long term. To ensure this, the UIDAI will have to model de-duplication and authentication to be both effective and viable for participating agencies and service providers.

2) Political risks:
The UID project will require support from state governments across India. The project will also require sufficient support from individual government departments, especially in linking public services to the UID, and from service providers joining as Registrars.

3) Enrolment risks:
The project will have to be carefully designed to address risks of low enrolment – such as creating sufficient touch points in rural areas, enabling and motivating Registrars, ensuring that documentary requirements don't derail enrolment in disadvantaged communities – as well as managing difficulties in address verification, name standards, lack of information on date of birth, and hard-to-record fingerprints.

4) Risks of scale:
The project will have to handle records that approach one billion in number. This creates significant risks in biometric de-duplication as well as in administration, storage, and continued expansion of infrastructure.

5) Technology risks:
Technology is a key part of the UID program, and this is the first time in the world that storage, authentication and de-duplication of biometrics are being attempted on this scale. The authority will have to address the risks carefully – by choosing the right technology in the architecture, biometrics, and data management tools; managing obsolescence and data quality; designing the transaction services model and innovating towards the best possible result.

6) Privacy and security risks:
The UIDAI will have to ensure that resident data is not shared or compromised.

7) Sustainability risks:
The economic model for the UIDAI will have to be designed to be sustainable in the long-term, and ensure that the project can adhere to the standards mandated by the Authority.

Project Execution


One of the unique challenges in executing the UID project is its scale. Due to the size of India's population, the UIDAI is undertaking what is perhaps the largest governance-related exercise in the world. We must ensure that all aspects of the project – enrolment, de-duplication, and authentication – function effectively even as the number of records approaches a billion.
 
Addressing challenges of scale

The UIDAI can expect its enrolment run-rate to have a peak load of one million enrolments per day in the very first year of operation. Every sub-system and component of the UID system will need to scale quickly and significantly. This will include:
  1. The ability to onboard Registrars from different sectors and handle their constituencies of residents.
  2. The legal framework of contracts needs to support the variety and spread of stakeholders as their numbers grow exponentially across the country.
  3. The biometric de-duplication algorithm needs to scale towards checking a fingerprint against every one of 1.2 billion people to ensure uniqueness.
  4. The authenticating service, which may be used by tens of thousands of points across the country, needs to scale to handle hundreds of thousands of transactions per second.

Technology architecture of the UIDAI

The architecture has been structured to ensure clear data verification, authentication and de-duplication, while ensuring a high level of privacy and information security. The Central ID Data Repository will be the central database of all residents, containing the minimal set of fields sufficient to confirm identity. The federated set of databases belonging to the Registrars may contain additional information about the resident, and can use the resident's UID as the key.

The key technology components of the UID system are:



  • The UID Server which provides the enrolment and the authentication service. These services will be available over the network for the various Registrars and their authenticating agencies to use. The backend servers need to be architected for the high demands of the 1:N biometric de-duplication as well as the large peak loads from authentication requests.
  • The Biometric sub-system is central to the UID system for enrolling as well as authenticating residents. It is likely that a multi-modal biometric solution will be used to achieve a high level of assurance. The 1:N de-duplication envisioned will be by far the most computing-intensive operation of the UID system. Innovative techniques of hashing, indexing, distributed processing, and in-memory databases using multiple biometric modes need to be employed to get acceptable performance.
  • The Enrolment client application will capture and validate demographic and biometric data. This client needs to work in an offline mode in the village setting when there is no internet connectivity, and upload batch files to the server for processing. Alternatively, the batch files can be physically transported to the CIDR for uploading. The client application will be deployed on a standard enrolment workstation.
  • The Network is a critical aspect of the system, since all UID enrolment and authentication services will be available online. UID services could work over secure WAN networks, the vanilla internet or over mobile SMS channels. It could also potentially work over existing networks such as credit-card POS (point-of-service) devices.
  • The Security design secures all the above components from logical/physical attack. This includes:
    • Server Security – firewall, intrusion prevention and detection systems (IPS, IDS)
    • Network, Client Security – encryption, PKI, etc.
  • The Administration system will help administer the UIDAI's operations. This includes:
    • Account setup – creation/modification of Registrar, enrolling and authenticating agency accounts.
    • Role-based access control – assign rights over UID resources based on role.
    • Audit trailing – track every access to the UID system.
    • Fraud detection – detect identity theft and cyber crimes using audit trails.
    • Reporting and Analytics – visual decision support tools: GIS, charting, etc.

Sunday, February 6, 2011

SECURITY AND OTHER CONCERNS


What about security concerns surrounding data and access to it, especially since there are plans to have UID online too?
People tend to think that online means access to information on the fly. But that does not mean that any individual can access the data. To give an instance, when it comes to commercial use, any commercial vendor - bank, insurance firms etc – that needs to verify an individual's UID will need to take imprints of fingers and send it to UIDAI asking for authentication. This is online and real-time. However, UIDAI will not send the finger prints or any other detail. It will just confirm the authenticity of the imprints. Hence, the repository is not accessible to anyone. Besides, adequate measures would be built into the tech systems to ensure that the data are being added to the repository according to the set standards.


[Figure: security model for UID. Source: UIDAI and NIC]


A security breach can occur nevertheless...
Use of any technology brings challenges, and adequate measures need to be taken to counter them. As an extra security measure, UIDAI has added four digits to the 12-digit number. This PIN-based four-digit identification will be masked. So, if at any time this four-digit number is changed, everything changes. Over time, there is a possibility that this kind of information, when it is shared, could be tracked. There will be more than enough people who will try to get more than one UID. Rules, however, are being set so that if someone intentionally attempts to defraud, there will be penalties and other measures built in.

What about privacy issues?
The concern is: who can access this data and where the data will reside. India, in this regard, will need to have a formidable data privacy policy. Privacy forums will need to be formed and this should happen as the roll out takes place. In toto, some cases might need regulatory changes and in the other cases, there will be an outreach programme.

Security Threats and Fraud

Like any technology, UID comes with a double edge. The task of storing information of the entire population of a country in a database is not without risks. This will open up a whole new spectrum of crimes, in the way the data, if leaked, can be misused.


The level of integration that will happen with other systems, like the PAN card and the IT department, will on one hand give convenient access to a huge trail of demographic, financial and personal data: address, family members, property owned, bank accounts. On the other hand, if the information were to fall into the wrong hands, one cannot imagine the number of ways the data could be misused, from loss of privacy to identity theft and major financial frauds.


By linking an individual's personal, identifying information to a UID, the UIDAI will be creating a transaction identity for each resident that is both verified and reliable. This means that the resident's identity will possess value and enable the transfer of money and resources.

Basic personal information such as date of birth is used to verify owners of credit card/bank accounts and online accounts. Such information will therefore have to be protected. Loss of this information puts the resident's financial and other assets, as well as reputation, at risk when the resident is a victim of identity theft.

The Authority will concern itself only with identity fraud. Since the CIDR will store the biometric of residents, identity fraud will be easier to control. The only form of fraud that may go undetected in the UID system is if a person registers his/her details and biometrics under an entirely different name, with forged supporting documents. However, the person will have to exist under this name across systems, in the lifetime of his/her interaction with the government, private agencies and service providers. Such instances are therefore, likely to be rare.

Monday, January 31, 2011

Are you the one you say you are?

The real test of reliability for the UID system will be during identity authentication. The UIDAI, with its online authentication and biometric check, will be helpful in building the infrastructure and systems necessary to authenticate residents in different parts of the country.

There is no doubt that the UID can provide the strongest form of pre-verification and identity authentication. But to ensure that targeted benefit programs reach intended beneficiaries in line with the pro-poor agenda, a clear adoption process must be put in place by introducing the UID at every point of service delivery.

For this, many service delivery agencies may need to re-engineer their business processes. Agencies will have to adhere to norms and procedures specified by the UIDAI for fingerprint capture and verification, and introduce a robust biometric authentication process at every point of sale.

Two main forms of authentication, depending on the situation and equipment available, are Online and Offline authentication.

Online authentication:
  • Demographic authentication – UID number and demographic information of the UID holder is compared to the information stored in the UID database. The assurance level here is medium.
  • Biometric authentication - Biometrics of the UID holder, his UID and key demographic details are compared to the details in the CIDR (Central ID Data Repository). The assurance level in this case is high.
  • Demographic/Biometric authentication with API (Application Programming Interface): Registrar's backend system makes a programmatic call to the authentication APIs exposed by the UID system to perform authentication. The assurance level here may be medium-high depending on whether the check used demographic or biometric inputs.


Offline authentication: (does not use the authenticating service provided by the UIDAI)
  • Photo match authentication – Low assurance level
  • Comparison of the scanned fingerprint of the cardholder to the biometric stored on the Registrar-issued card. The assurance level here is medium.



Authentication and the UIDAI revenue model

Basic identity confirmation would be free. Here, the authenticator will provide the UID number, name and one other parameter such as date of birth of the person, and the central database will confirm the identity as a 'Yes' or 'No' response.
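The basic confirmation described above can be sketched as follows. This is an added example, not UIDAI code: the class, the record layout, the requester names, the 12-digit sample numbers and the flagging threshold are all assumptions made for illustration. It shows why a bare 'Yes'/'No' limits what a requester learns, how a record marked 'deceased' stops authenticating, and how the audit trail can surface a requester probing many numbers.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass
class Resident:
    name: str
    dob: date
    deceased: bool = False  # records are marked, never removed


def _norm(text: str) -> str:
    """Compare names case-insensitively and ignore repeated spaces."""
    return " ".join(text.split()).casefold()


class ConfirmationService:
    """Hypothetical stand-in for the central database's Yes/No check."""

    def __init__(self, records: dict[str, Resident]):
        self._records = records
        # (requester, uid, internal reason): visible to the operator only.
        self.audit_trail: list[tuple[str, str, str]] = []

    def _reason(self, uid: str, name: str, dob: date) -> str:
        rec = self._records.get(uid)
        if rec is None:
            return "unknown_uid"
        if rec.deceased:
            return "deceased"
        if _norm(rec.name) != _norm(name) or rec.dob != dob:
            return "mismatch"
        return "match"

    def confirm(self, requester: str, uid: str, name: str, dob: date) -> str:
        """Return only 'Yes' or 'No'; no stored field ever leaves the service."""
        reason = self._reason(uid, name, dob)
        self.audit_trail.append((requester, uid, reason))
        # Every failure looks identical to the caller, so the reply cannot be
        # used to learn which field was wrong or whether the number exists.
        return "Yes" if reason == "match" else "No"

    def flag_requesters(self, max_failed_uids: int) -> list[str]:
        """Requesters whose failures span more distinct UIDs than allowed."""
        failed: dict[str, set[str]] = defaultdict(set)
        for requester, uid, reason in self.audit_trail:
            if reason != "match":
                failed[requester].add(uid)
        return sorted(r for r, uids in failed.items()
                      if len(uids) > max_failed_uids)


# Constructed sample records; the numbers are placeholders, not real UIDs.
SAMPLE = {
    "000000000001": Resident("Asha Rao", date(1980, 5, 17)),
    "000000000002": Resident("Vikram Shah", date(1950, 1, 2), deceased=True),
}


def demo() -> tuple[list[str], list[str]]:
    svc = ConfirmationService(SAMPLE)
    answers = [
        svc.confirm("bank-A", "000000000001", "asha  rao", date(1980, 5, 17)),
        svc.confirm("bank-A", "000000000001", "Asha Rao", date(1981, 5, 17)),
        svc.confirm("bank-A", "000000000002", "Vikram Shah", date(1950, 1, 2)),
        svc.confirm("agency-X", "000000000009", "Asha Rao", date(1980, 5, 17)),
    ]
    # One requester trying a run of numbers with the same demographics.
    for guess in range(3, 8):
        svc.confirm("agency-X", f"{guess:012d}", "Asha Rao", date(1980, 5, 17))
    return answers, svc.flag_requesters(max_failed_uids=3)


if __name__ == "__main__":
    print(demo())
```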

Chargeable authentication services can be of two types:
  • Address verification - The agency will submit the UID, name and address of the resident to the CIDR, which will confirm the address. As a result, the agency will not have to do physical address verification.
  • Biometrics confirmation - Services such as issuing a credit card or granting a loan need the confirmation of the resident's identity which involves the submission of photographs and other documentation. In the proposed transaction with the UID Authority, the agency can send the scanned photograph or fingerprint together with other demographic details to confirm the identity of the person.


    Making A Billion strong Database


    Updating UID details:

    From time to time, the information that the CIDR holds on the resident may become outdated, and hence the database has to be updated regularly. For example, biometric data changes and will be updated every five years for children and every ten years for adults. Fields that are susceptible to change could be the 'present address' field, as well as the resident's name (after marriage). There might also be an error in the fields that occurred during enrolment into the UID. The service provider can make the process more refined by making the update a prerequisite for further availability of benefits. Enrolling agencies and Registrars can serve as points where the resident can update their UID fields. The resident will have to submit their new information at these update points with the required documentary evidence. This may also include a biometric authentication prior to processing the request.



    Reaching Critical Mass in Enrolment

    Issuance of UIDs is expected to start between August 2010 and February 2011 and to reach a critical mass of about 200 million in two to three years. Until this point, the UIDAI will have to focus on generating demand from both Registrars and residents. However, once the critical mass is achieved, it will generate a network effect that drives demand and accelerates adoption among service providers and residents. And as more service providers across the country mandate UID to dispense their services and benefits, adoption will ramp up rapidly. In four years, the UIDAI estimates that it will issue 600 million UID numbers.


    Tracking Enrolments

    It is expected that the UIDAI will launch a GIS-based visual reporting system to track trends and patterns across India as the project is rolled out. The GIS system will show all UID enrolments by state, as well as by Registrar. The system will also be able to drill down within states and into districts.

     

    Reaching A Sustainable Steady State In Enrolment

    A challenge for full enrolment is registering the approximately 60,000 babies that are born in the country every day. Over the next several years, the UIDAI expects to enrol close to the entire Indian population. Once that goal is achieved, enrolment will reach a steady state, where only births (and deaths) as well as immigrants need to be recorded. There are, however, some challenges in registering new births. First, since infants' biometrics are not stable, they have to be re-scanned at a later age. The child's biometrics need to be taken at around 5 years of age, and updated in the UID system every 5 years until the age of 18. Until the biometrics of the child stabilize, one of the parents or guardians will need to provide their biometric information for authentication. Second, names are often not given in India at the time of birth registration.

     

    The UID in the Birth Certificate

    One way to ensure that the UID number is used by all government and private agencies is by inserting it into the birth certificate of the infant. Since the name is a mandatory field in the UID database, it is essential that the child be given a name before applying for the UID number. This would ensure that the UID can also be allotted at birth.

     


    Recording Deaths

    The UID system will not remove a record upon the person's death; it will simply mark it as 'deceased' and hence will render it inactive for the purposes of authentication.

    Enrollment


    A critical aspect of the UID enrolment process is that enrolment will not be through a mandate, but will be demand driven. The momentum for the UID will come from residents enrolling in order to access the benefits and services associated with it.

    The Enrollment Process:
    The enrolment process for the UID number will begin with a resident submitting his/her information to the enrolling agency with supporting documents. To make sure the poor are not excluded, the UIDAI has prescribed guidelines for applicants without documents.

    The enrollment agency verifies an individual’s documents as per the procedure laid down by the DDSVP Committee Report. This information is then submitted through the registrar to the CIDR. A de-duplication check is run there, using the demographic and biometric information, before enrollment to avoid duplication.
    A letter with a tear away portion or a card will be issued to the resident containing the UID number, name, photograph, 2D barcode of the finger print etc. using both English and the local language of the state as done by the Election commission of India.
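The de-duplication step in the enrolment process can be illustrated with a toy model. This is an added example, not the CIDR's algorithm: the 64-bit templates, the Hamming-distance comparison, the threshold and all names are assumptions standing in for real biometric matching. It shows why the check must run on biometrics rather than names, and also the one case the page says goes undetected, a first enrolment under a false name.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Assumption: two scans of the same finger differ in at most this many bits.
MATCH_THRESHOLD = 8


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two templates."""
    return bin(a ^ b).count("1")


@dataclass
class EnrolmentResult:
    accepted: bool
    uid: Optional[str]
    message: str


class Repository:
    """Hypothetical central store: uid -> (name, biometric template)."""

    def __init__(self) -> None:
        self._by_uid: dict[str, tuple[str, int]] = {}
        self._next = 1

    def name_exists(self, name: str) -> bool:
        """Demographic-only check, shown to contrast with the biometric one."""
        return any(n.casefold() == name.casefold()
                   for n, _ in self._by_uid.values())

    def biometric_match(self, template: int) -> Optional[str]:
        """1:N search. A linear scan makes the cost visible: every new
        enrolment is compared against every record already stored."""
        best: Optional[tuple[str, int]] = None
        for uid, (_, stored) in self._by_uid.items():
            distance = hamming(template, stored)
            if distance <= MATCH_THRESHOLD and (best is None or distance < best[1]):
                best = (uid, distance)
        return best[0] if best else None

    def enrol(self, name: str, template: int) -> EnrolmentResult:
        if self.biometric_match(template) is not None:
            # The registrar is told a number exists, not which one.
            return EnrolmentResult(False, None,
                                   "rejected: resident already allotted a UID")
        uid = f"{self._next:012d}"
        self._next += 1
        self._by_uid[uid] = (name, template)
        return EnrolmentResult(True, uid, "enrolled")


# Constructed templates (not real biometric data).
T_ASHA = 0x9F3A_61C4_D20B_77E5
T_ASHA_RESCAN = T_ASHA ^ 0b1011          # same finger, 3 noisy bits
T_RAVI = 0x0123_4567_89AB_CDEF           # a different person
T_NEW = 0xFFFF_0000_FFFF_0000            # never enrolled before


def demo() -> tuple[list[EnrolmentResult], bool]:
    repo = Repository()
    results = [repo.enrol("Asha Rao", T_ASHA)]
    # Same person returns under another name: a name check sees nothing wrong.
    name_check_flags_it = repo.name_exists("Meena Iyer")
    results.append(repo.enrol("Meena Iyer", T_ASHA_RESCAN))   # caught
    results.append(repo.enrol("Ravi Kumar", T_RAVI))          # genuine
    # First-time enrolment under a false name: nothing to match against,
    # so de-duplication accepts it and the person is bound to that name.
    results.append(repo.enrol("Invented Name", T_NEW))
    return results, name_check_flags_it


if __name__ == "__main__":
    for result in demo()[0]:
        print(result)
```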


      
    Enrollment Costs:
    This includes the enrolling cost of the registrars or agencies, and also the cost to the people coming to enroll, such as forgoing the day's wage, travel expenses, etc. The Registrars have the option here of charging for the cards they issue residents to offset enrolment costs.

    Ensuring clean enrollment data from the registrars:
    The UIDAI will periodically carry out a process audit of the information that comes in from the Registrars, to ensure data quality and that agencies are following guidelines recommended by the UIDAI.