UIDAI has lost all control

Kiran Jonnalagadda

00:00
hello and welcome to a special
00:00
discussion on The Wire today on the
00:02
security vulnerabilities and the privacy
00:04
concerns in the wider Aadhaar ecosystem
00:07
while a centralized database that
00:09
contains the personal details of over a
00:10
billion Indians is largely solid as UID
00:13
is linked to every part of our society
00:15
in every way we interact with the Indian
00:18
government an ecosystem has mushroomed
00:20
around it an ecosystem that contains a
00:22
number of stakeholders a number of
00:24
institutions that to put it mildly is a
00:26
bit of a leaky faucet and you know today
00:29
in response to some of these concerns
00:31
the UIDAI has also rolled out two new
00:33
security measures and we will get it on
00:35
to discussing those but our guest for
00:37
today is Kiran Jonnalagadda whose
00:39
background provides a sort of gives them
00:42
a unique perspective on Aadhaar as a
00:43
technological system correct me if I’m
00:45
wrong Kiran but in 2006-2007 you worked
00:48
with a team and a company that helped
00:50
computerize the Karnataka PDS system
00:53
which used biometrics yes and your
00:56
attempts were sort of used as a case
00:58
study by the initial UIDAI team which
01:01
built Aadhaar and today of course Kiran
01:04
also runs his own company it’s called
01:05
HasGeek which you know coordinates and
01:08
organises events for the tech community
01:09
and of course he’s been an integral part
01:12
of the Internet Freedom Foundation which
01:14
is an online movement that helps fight
01:17
for digital civil liberties Kiran so
01:19
over the last year we’ve seen you know a
01:23
number of very controversial incidents
01:25
you know early last year over 200
01:29
government websites leaked you know by
01:31
one estimate you know over 100 million
01:33
Aadhaar numbers and the personal details
01:35
over 100 million people and then towards
01:37
the end of the year we had a controversy
01:40
with Airtel payments banks which opened
01:42
up 30 lakh bank accounts and routed out
01:45
of 990 crores worth of LPG subsidy
01:48
payments you know some of this without
01:50
the consent of the users and of course a
01:53
couple of weeks ago the Tribune ran a
01:54
very explosive story talking about how
01:57
some parts of the Aadhaar database were
02:00
being sold correct unauthorized access
02:04
to the databases it’s all for as little
02:07
as a 500 rupees so okay I mean the
02:09
headline question basically is that
02:13
we have a systemic problem here on our
02:15
hands
02:16
that you know that we there’s no really
02:20
one solution to it or is it a series of
02:22
isolated incidents you know is the UIDAI
02:24
and the government tries to portray
02:26
it that can be clamped down with better
02:27
execution and implementation um I don’t
02:30
think execution is going to fix this I
02:31
think the very design of Aadhaar is
02:33
problematic so let’s start with where it
02:34
began the very notion of identity is
02:38
essentially a means for an individual to
02:41
prove who they are and that’s a
02:43
fundamental idea that I need to prove my
02:45
identity to someone and so I have a
02:48
document which is given by an authority
02:50
and both of us believe in the authority
02:52
therefore we accept the document and say
02:54
it’s listed but this is the fundamental
02:55
use that I need to prove my identity
02:58
Aadhaar inverts a model and says the state
03:01
needs to ensure your identity and to
03:04
understand this you need to look at
03:05
where it comes from it it comes from the
03:08
operations of the welfare state the food
03:11
and civil supplies departments across the
03:13
country of belonging to state
03:14
governments which provides subsidized
03:17
rations to citizens and have to deal
03:20
with the fact that we are no longer in
03:22
the socialist economy that they were
03:24
conceived it we are now in a market
03:25
economy you can take the same produce
03:27
sell it on the market and get a much
03:29
better rate and so the state running its
03:32
own operational mechanism or the supply
03:34
chain from the production into the
03:36
consumption in competition with the
03:38
market obviously is going to leak all
03:40
the way through the system from the
03:42
beginning to the end of the system the
03:44
supply chain is leaky the consumers are
03:46
very happy to review the system because
03:49
they say this is alternative market
03:50
which is sort of self-correcting all
03:53
right so what you got here is a
03:55
state-level
03:56
bureaucrat looking at this leaky system
03:58
and thinking that the solution is to
04:01
plug the leaks you know and assuming
04:04
that if you can build a watertight
04:05
system and build a moat around your
04:07
entire operation to ensure nobody goes
04:09
in or comes out without authorization
04:11
then you can stop this from breaking
04:13
down some of us is going to look at it
04:15
and say you got this wrong you know you
04:17
need if you think that your problem is
04:18
you can’t compete with the market then
04:20
don’t compete to the market let the
04:21
market on the strong so that’s that’s
04:23
one way to think about it and that’s
04:24
partly what’s come out to the merit
04:25
transfer line of thought but how to run
04:28
this the other side being the PDS system
04:30
but Aadhaar was conceived for the PDS
04:33
system for running this supply chain and
04:35
the fundamental problem it attempts to
04:38
chase is to say can you ensure the
04:41
identity of every person in your system
04:44
both within your supply chain and on the
04:46
consumer level and ensure that nobody
04:49
shows up twice Travis okay so in this
04:52
system you’re designing a surveillance
04:55
mechanism and saying that you as the
04:59
state want to ensure oversight over your
05:03
own operations and the citizenry where
05:05
they interact with you
05:06
it starts with this idea that it’s the
05:10
top-level bureaucrat who’s a good person
05:13
and trying to fix the system and
05:14
everybody below them is suspect
05:17
now this is the imagination under which
05:19
Aadhaar was created it was never about the
05:20
individual proving that identity it was
05:23
more about the state being able to see
05:25
the individual and so when you started
05:28
the design that looks at it like this it
05:31
changes when the designer of the system
05:33
is the one at the bottom trying to talk
05:36
to the state you know and part of what
05:38
we’re seeing now is for many years it
05:41
was sold as something that the
05:44
technocrats came and built to solve the
05:46
problem in society and since you think
05:48
technocrats are good people you should
05:50
trust it now that it’s become a
05:53
widespread thing and all of us as
05:55
individuals are subject to the
05:57
mechanisms of this operation of being
05:59
surveilled because of the way it is
06:01
designed suddenly we locate isn’t saying
06:03
oh shit what happened here you know what
06:05
is this monster we’ve got on our lives
06:07
and the technocrats have sold story from
06:11
the very beginning saying it’s all about
06:12
plugging the leaks and that’s all they
06:14
will keep saying that it’s all about
06:15
plugging the leaks but it’s not you just
06:17
built the surveillance state mechanism
06:18
that you thought was for other people
06:20
and now it’s on you as well correct
06:22
right so but now what this sort of
06:25
situation that we’ve come to is that
06:26
fine it was designed for a certain thing
06:28
but now it’s being used everywhere yes
06:31
and it’s no longer than the hands of the
06:33
agency UIDAI or even the central
06:35
government process so state governments
06:38
are in
06:38
and are there any other you know garment
06:41
associated party that carries out yes a
06:44
central government yeah program so we’ve
06:47
been seeing privacy concerns arising out
06:50
of that yes so for last year you know in
06:53
Parliament the government noted 200
06:55
websites if you know they they thought
06:58
that they would keep it in a secure
07:00
place it was easily available you could
07:01
Google search you idea yes about XM
07:03
Island and yes who who’s at fault here
07:08
when 200 government websites published
07:10
the personal details including the Aadhaar
07:12
numbers well you really obviously new
07:14
idea and the reason I blamed them is
07:16
that they do not educate their ecosystem
07:17
on how to use this ID UIDAI made
07:20
design mistakes because they assumed
07:23
people would not be smart and use
07:25
appropriate technology now this is a
07:26
mistake I made when I was doing the
07:27
stuff that you think of yourself as a
07:30
smart person who is designing a
07:32
technologically sophisticated system
07:33
that you know has obvious flaws that you
07:35
can’t get around because of your design
07:37
limitations but you assume other people
07:39
are not smart enough to break it and
07:40
this assumption that other people are
07:42
not smart enough never really holds up
07:44
because of this value in it it will be
07:46
broken and so what you’ve got here is
07:49
that arrogance that’s now showing in the
07:51
way that’s broken part of the arrogance
07:53
is manifested in the fact that UIDAI
07:55
made design mistakes in the design of
07:58
the Aadhaar number itself this is a
08:00
mistake that has been made elsewhere the
08:03
US banking system has made this mistake
08:04
they continue to have this problem the
08:06
credit card system has made this mistake
08:07
the Social Security network system is
08:09
made this mistake which is that
08:10
fundamentally the Aadhaar number is a
08:12
private number it is not a secret number
08:14
and in information different zeros could
08:17
you just show so rate of the distinction
08:19
between in information technology if you
08:23
need to identify yourself to some kind
08:25
of electronic system how do you prove to
08:29
it that you are what you claim to be now
08:32
when you use a document the physical
08:35
document is your ID proof as long as the
08:38
other party does not suspect you to be
08:39
forgery you know when you sign a check
08:42
sometimes they say please sign it in
08:44
front of me so I can see that you’re not
08:45
you know carefully copying from
08:47
somewhere else so that is their check
08:48
but when you talk to a purely electronic
08:51
system
08:52
these kinds of checks are much harder to
08:54
do because the computer by definition
08:57
has a very limited vision about what
08:58
you’re doing you type in something
08:59
that’s all it says it doesn’t know where
09:01
you got that from so one of the
09:03
approaches used in information
09:05
technology and this has been over the
09:07
last 50 odd years is to use the
09:10
mechanism of a secret where you say that
09:12
there is a secret that only these two
09:14
parties know and so when the secret is
09:17
exchanged both parties feel assured that
09:18
they’ve got the right person a password
09:22
is an example of a secret a one of the
09:25
things necessary about a secret is that
09:26
the secret is not a secret then it’s no
09:28
good and so you must be able to throw
09:30
away the secret and get a new one and
09:32
this is what you do the password if you
09:33
if you feel the password is compromised
09:35
you change your password the mistake
09:37
that UIDAI made is they confused the
09:40
Aadhaar number with being a secret and
09:43
design the assumption that if a service
09:45
provider has somebody’s Aadhaar number it
09:47
must mean they’ve given them the service
09:48
because there’s no other way to obtain
09:50
the Aadhaar number correct at the same
09:52
time you’re supposed to give the Aadhaar
09:53
number everywhere yes you know so how do
09:56
you give away your number everywhere and
09:58
assume it will be a secret
10:00
they should’ve seen this coming way
10:03
before they made the mistake of thinking
10:05
that people cannot be trusted with
10:07
keeping secrets because they will not
10:09
know how to value a secret effectively
10:11
usernames and passwords are not a new
10:14
problem when UIDAI started doing this
10:17
in 2009 they were known for like 40 odd
10:20
years yeah so it’s not like it was a
10:23
radical new idea they just decided that
10:25
the entire history of the computer
10:27
industry was not good enough for them
10:28
and then they were smart enough to
10:30
design something better and obviously
10:31
they were not nobody is that smart
10:32
sure but surely some when state
10:35
government websites display this kind of
10:37
information surely there’s some Fault on
10:38
there yes as well well their fault is
10:40
that they did not follow the
10:41
instructions what we do not know is with
10:43
they’re given the instructions in the
10:44
first place correct we do know that the
10:46
Aadhaar Act specifies that the display of
10:48
your ID numbers is invalid but the Aadhaar
10:50
Act came much later the leaks were
10:52
already happening correct so what were
10:54
these various parties told about Aadhaar
10:55
numbers before they Willy the other part
10:58
being that under the RTI they obviously
11:01
the the various government departments
11:02
are required to show that it went to the
11:04
right
11:04
beneficiary and not an incorrect
11:05
beneficiary now how do you make a public
11:08
display of a beneficiary’s identity in a
11:10
way that does not compromise their
11:12
identity one of the ways to do that is
11:15
can you display only part of the Aadhaar
11:16
number and say that if you know your
11:19
Aadhaar number and you see it in this
11:21
public display and you feel that it’s
11:22
incorrect you can go over as a complaint
11:24
saying that hey that’s not me you know
11:26
and you it’s around me because you don’t
11:28
have my number
11:28
that’s true but that requires a mask
11:30
number and they didn’t have a mask in
11:31
standard correct but so today hidden for
11:34
instance so I think they’ve recognized
11:36
that okay I mean for quite some time I
11:39
mean over the last week the UIDAI’s
11:40
primary defense has been that oh Aadhaar
11:41
number even if it’s public it’s okay
11:44
there’s no the Aadhaar Act as you pointed
11:45
out explicitly prohibits that so today
11:47
they come out with you know the concept
11:50
of a virtual ID where it’s one layer
11:53
removed
11:53
yes you know you don’t have to hand over
11:55
your Aadhaar number to the LPG dealer or
11:58
you know to what they call local AUAs
12:00
we don’t know who this who they go to
12:02
designate exact but the idea is that you
12:04
can’t there’s no way from the virtual ID
12:05
to detect what you derive what your
12:07
Aadhaar number is so does that provide a
12:09
sense of security as it falls far too
12:12
short of the problem two aspects to the
12:14
problem you know one is UIDAI has
12:15
lost control of their ecosystem while
12:18
they design this ecosystem of CIDR plus
12:21
ASA plus AUA or KSA plus KUA if
12:26
you use a paper Aadhaar card anywhere
12:28
none of those systems are in play
12:29
correct any place that accepts a paper
12:31
Aadhaar card and I think we will find out
12:33
about this in new said you know will
12:35
come out in public or the next few days
12:37
as you discover the extent to which the
12:39
paper Aadhaar card ecosystem works and
12:41
works in places where it should not be
12:43
used nothing is going to change over
12:46
there your paper Aadhaar card remains a
12:47
valid identity proof you can cut you
12:49
some vertically in any place it accepts
12:50
a paper Aadhaar card until the ecosystem
12:52
stops accepting it until that we to use
12:55
it different in term until the ID card
12:58
gets demonetized you know it remains
13:01
valid and if it remains valid anything
13:04
you do the other side doesn’t really
13:05
matter it’s not very the problem is the
13:07
second part is that the design of the
13:08
virtual ID system
13:09
now if the header a since they don’t
13:11
look at what others have done is always
13:12
problem what they’ve done is very
13:15
similar to what’s called
13:17
a directional ID that is used in the
13:20
OpenID ecosystem so OpenID once again
13:23
uses this idea of you know unique
13:25
identifiers the OpenID ecosystem
13:28
going more than a decade back ran into
13:30
the same problem that if you use a
13:32
universal token across databases
13:35
databases will be merged profiles will
13:38
be built so one of the mechanisms used
13:41
to deal with this problem and Google was
13:43
one of the most public implementations
13:45
and the OAuth ecosystem is built on this is
13:47
to use separate IDs for every service
13:50
provider so the identity provider uses a
13:53
virtual ID to the service provider which
13:54
is what they store it’s a problem that
13:57
has been tackled and solved it is not
13:59
good enough and they identified the
14:00
problem there then it is still a private
14:02
piece of information it is not a secret
14:04
yeah you need a secret in addition to
14:06
the private piece of information in
14:08
OAuth there is a user ID and the access
14:11
token correct this spec misses access
14:14
token yeah so it’s just going to open up
14:17
a new category of problems that you
14:18
forgot about because now you’re passing
14:20
on a virtual ID everywhere in your
14:21
ecosystem instead of the original
14:23
Aadhaar number right so now we’ve sort of
14:26
discussed one one actor in this larger
14:28
ecosystem that is state governments who
14:30
UIDAI doesn’t really have much control
14:33
over it you know they don’t have of
14:34
course they could try to rein them in
14:35
after the fact but there’s really no
14:37
institutional capacity within the
14:39
organization to sort of oversee the way
14:42
they handle Aadhaar in general so but
14:45
secondly so last towards the end of last
14:47
year the Airtel payment bank controversy
14:51
erupted where we saw that 30 lakh back
14:54
airtel payment bank accounts were
14:56
created some of which was certainly
14:58
created without user consent UIDAI has
15:01
penalized Airtel for this and 190 crores
15:04
worth of LPG subsidy payments were
15:06
routed to these bank accounts and here
15:09
also again whose fault is it UIDAI’s
15:13
UIDAI’s further confusion so on the
15:18
one hand you have the difference between
15:19
private and secret information on the
15:21
other hand there are three distinct
15:23
concepts that are being confused there
15:25
is identification
15:26
there’s authentication and there is
15:28
authorization let’s say give you an ID
15:30
card
15:31
this ID card may be real and you can
15:33
look at it look at your hologram feel
15:34
convinced that it’s real maybe it’s a
15:36
passport maybe it’s a PAN it doesn’t
15:38
matter so what you got here is proof
15:41
that this is a valid ID card it is not
15:44
proof that it is my ID card okay that
15:46
requires something more now typically on
15:48
a photo ID card you just look at the
15:49
photograph and say does it match and you
15:52
have really no hope beyond that but when
15:54
you go from this step of saying valid
15:58
identification to valid authentication
16:00
there is something between this card and
16:02
me that you should be able to verify and
16:03
in the Aadhaar ecosystem this biometrics
16:05
so you put your finger on the
16:07
fingerprint scanner the fingerprint
16:09
scanner confirms that it’s a stored
16:10
biometric for this person and so on as
16:13
it turns out biometrics are not good
16:14
enough in practice it’s failing
16:15
extensively but that’s it I feel failure
16:17
that’s not a design failure that’s a
16:19
technical failure and so you back it up
16:21
with OTPs what an OTP proves is I
16:24
happen to have the phone of the person
16:26
this card belongs to no proof that is
16:28
mine but at least there is stolen phone
16:31
will be reported so you have some level
16:33
of hope that it’s not fake or it’s not
16:36
invalid authentication that is still not
16:40
the same as me giving you permission to
16:42
do something just because I prove to you
16:44
who I am is not me signing some blank
16:47
paper saying now do what you want in my
16:48
name and that’s authorization what
16:51
that’s consent you know so it’s it’s me
16:54
authorizing it to do something in my
16:55
name it’s not just consent its consent
16:58
is when you ask me and I say yes or no
16:59
but that’s there’s a difference from me
17:01
saying yes oh no to me saying I want you
17:04
to do something in my name
17:05
yeah in this case there’s also a request
17:07
so authorization you know mixes of both
17:09
of these aspects so what happened with
17:11
Airtel a till is that there was no
17:12
authorization there was only
17:13
authentication and this is the mistake
17:15
that eKYC which is the API that
17:18
UIDAI provides is an authentication API
17:20
it is not an authorization API there is
17:23
no evidence anywhere that I gave you
17:26
permission to open a bank account now
17:28
you can say you showed it to me on the
17:29
screen and I accept it
17:30
but where is this the paper trail for
17:33
that on paper if I put my signature on
17:35
some paper and hopefully it does not a
17:37
blank sheet of paper but it had
17:38
something printed on it that is valid in
17:40
a court of law
17:41
yeah that I signed it therefore is mine
17:43
it
17:44
my problem if I did not feel like
17:46
signing it correct the eKYC
17:48
mechanism does not provide any kind of
17:50
paper trail to prove that this happen
17:52
now in the case of something like Airtel
17:54
where it is so massive and so many lakhs
17:57
of people reported it you cannot draw
18:00
any other conclusion whether it must
18:01
have been fraud but what if it was just
18:03
one contract between two parties who are
18:05
now having a fight over it and saying
18:06
that hey I did not do this UIDAI as it
18:10
happens has designed something else
18:12
called eSign in which your signature is
18:14
attached to a document and that is proof
18:15
that you accepted the document it is not
18:18
yet informed consent but at least it is
18:19
consent but it will be not use easy and
18:24
in fact nobody in the Aadhaar ecosystem
18:26
uses eSign today which is a failure
18:28
that the tech people inside UIDAI
18:30
decided that they knew what the solution
18:32
was they were going to build a solution
18:33
the policy people did not bother to use
18:35
a solution and so there’s nobody but
18:38
UIDAI to blame again but what role
18:39
would you know a banking organizations
18:42
such as NPCI yes should have played so
18:45
when you NPCI has an entirely different
18:47
problem on their hands you know so the
18:49
National Payments Corporation of India
18:50
so NPCI runs the Aadhaar mapper which is
18:54
how an Aadhaar number is connected to a
18:56
bank account as it turns out they don’t
18:58
connect tab a cocoon they only come into
18:59
the bank and the bank then knows which
19:01
account to transfer the money into and
19:03
the way NPCI operates their Aadhaar mapper
19:05
is on a good faith basis any member bank
19:07
can claim to hold an account for a user
19:09
and NPCI says sure if you think you know
19:13
this person’s Aadhaar number belongs to
19:14
you we’ll send all the money to you they
19:17
don’t verify they depend on the bank
19:19
acting in good faith now a payment
19:21
system acting in good faith is a
19:23
terrible design you know you’d never do
19:25
payment systems in good faith you always
19:26
assume there’s a paper trail proving
19:28
evidence that you’re sending money to
19:29
the right place so they made that design
19:32
mistake over there that they did not
19:34
have any mechanism by which to obtain
19:36
the user’s consent so they just did away
19:38
with it and said no consent required
19:39
trust the bank and it will not fund the
19:42
trust adjuster and so UIDAI has no
19:45
way of prodding or enforcing or making
19:48
sure NPCI does its job or vice versa as
19:51
well they have the authority they have
19:53
authority to yes by the law they most
19:55
certainly do what they don’t have
19:58
apparently is the moral authority to
19:59
make the ecosystem follow their orders
20:01
and part of it has to do with the way
20:03
you are a response that UIDAI acts
20:06
like a rogue entity that bullies
20:08
everyone does not listen to feedback has
20:11
no option available whatsoever for a
20:13
researcher to inform them there is a
20:16
problem from my understanding of people
20:18
human how to work with them it is still
20:20
a one-way communication even when
20:22
UIDAI depends on somebody to promote
20:23
Aadhaar for them and that’s just no way to
20:27
run an organization it’s no surprise
20:28
that everything’s falling apart for them
20:30
so coming coming to our third
20:32
development of course which was the
20:34
Tribune story which we’ve gone into a
20:36
little bit but one aspect of it I want
20:38
to address is the role of enrollment
20:41
operators yes so now the UIDAI in its
20:45
mission to sign up as many Indians as
20:48
possible turned to private operators yes
20:50
and there’s a business model for them
20:53
they paid them 40 50 rupees per per
20:55
environment for enrollment yeah
20:57
and now it seems this I guess I mean
21:01
looking at the number of operators that
21:02
have been blacklisted the number of
21:05
anecdotal reports that have come out of
21:06
fraud bribery and corruption hmm at that
21:10
level was it a mistake I am I think the
21:15
mistake was in not knowing what they
21:18
were getting into
21:19
well obviously anytime you hire someone
21:21
off the street and say here is the most
21:24
minimum verification I can do on you
21:25
there is no organization affiliation and
21:27
you are in control don’t give them too
21:29
much power yeah and they’re made a
21:31
series of mistakes over the years some
21:34
of which they are fixed but fixed after
21:35
damage was caused to start with
21:37
enrollment agencies used to sell data
21:39
back in the 2009-2010 initial pilot
21:42
phase when the first few enrollment
21:44
operators were also high trust operators
21:46
in that they were the ones proving that
21:47
the system worked and there have been
21:50
multiple reports of the fact that those
21:52
enrollment operators where in fact
21:54
selling the data that they were using
21:55
for enrollment everything from paper
21:56
forms to whatever else selling it to
21:58
home selling it to on the black market
22:00
so they would sell the paper forms that
22:02
used to be used they don’t use paper
22:04
forms anymore as a result of this they
22:06
used to sell copies of the local
22:07
database as a result of which a device
22:09
has been encrypted since then so
22:11
UIDAI has
22:11
continuously made mistakes in the
22:13
quality of their software and in their
22:15
trust in their partners realize that
22:17
they could not trust a partner’s and
22:18
tighten the controls and this has been a
22:21
non-stop process and it’s always
22:22
happened after data theft correct the
22:25
other thing that they have done is also
22:27
enrollment operators are affiliated to a
22:29
registrar which is the agency that’s in
22:31
responsible
22:31
there are many agreements with registrars
22:33
to give away copies of the data this has
22:35
been a very well-documented process it’s
22:37
called they built what was called the
22:39
state resident data hubs where every
22:40
state could have an official registrar
22:42
who would then build a database of
22:43
citizens in their states it has led to
22:45
disputes between states in the example
22:48
for instance of Andhra Pradesh in
22:49
Telangana
22:49
where when the state split there was a
22:51
dispute about who owns the database and it’s
22:53
an ongoing dispute and there’s even
22:56
accusation of spying happening between
22:58
these two states obviously we don’t know
23:00
how that’s happening until we see some
23:02
evidence at some point will compress our
23:04
data in a bit but so with what the
23:07
Tribune story essentially showed was
23:08
that some enrollment operators and we
23:10
still don’t know who who who’s the real
23:12
person behind it that’s the
23:14
investigation is to go where essentially
23:15
some enrollment operators who were
23:17
looking to make money decided to sell
23:18
access to a tool that they only had
23:20
access to yeah and decided to you know
23:23
sell out administrative credentials I
23:26
think it was it was a tool for grievance
23:28
redressal right yes yeah and so I mean
23:31
is this what could they have done I mean
23:34
so and now I know so now the ET had a
23:36
report earlier this week stating that
23:38
all 5,000 people who had access to that
23:40
facility
23:41
now that permission has been revoked and
23:43
yes if they want to use the grievance redressal
23:46
facility they need biometric
23:48
authentication yeah
23:50
but the UIDAI’s defense here so in
23:52
fact in that report there’s an anonymous
23:54
UIDAI official who sort of a sudden
23:56
suddenly states that you know short
23:58
security is better now but it’s going to
24:00
be an inconvenience who are missing
24:04
there so and this is this is a this is a
24:05
this is a defense that they mount again
24:07
and again that already you know we we
24:10
know there are huge implementation
24:12
problems with Aadhaar and yes are being
24:14
inconvenience
24:15
yes so
24:16
should they be inconvenienced more in
24:19
order to ensure a higher level of
24:20
security I think we need to define
24:22
inconvenience you know so if you look if
24:24
you go back to the design of other it
24:25
was meant to be a top-level bureaucrat
24:28
monitoring everybody below them you know
24:31
all the way down to the bottom of the
24:32
food chain and so if you think of what’s
24:34
happening over here they trusted people
24:38
at a lower level to have access to a
24:41
grievance redressal portal and they
24:43
discover the trust was misplaced and so
24:45
now they’ll revoke the trust and this is
24:47
a blow for them because now there’s
24:49
nobody below them they can trust me
24:51
and so it’s an inconvenience to
24:52
street-level bureaucrat who essentially
24:55
built a system that said I don’t trust
24:57
anyone discovered you can’t run anything
24:59
like this without trusting anyone
25:00
trusted some people but trusted some
25:04
people in a system that was designed for
25:05
mistrust discovered well you can’t trust
25:07
them anyway you know you know and now is
25:09
inconvenient the operator who’s had to
25:13
do this well has to put in the
25:14
thumbprint but come on are you saying
25:17
that login and password is an
25:19
inconvenience for people and therefore
25:20
you should not have a login and password
25:22
to get on the website and something that
25:24
is this critical sure yes you need to
25:26
put in things I mean you should have had
25:28
a two-factor authentication they didn’t
25:29
have one biometrics are not two-factor
25:31
they’re not even one factor they’re not
25:32
their private information they’re not
25:33
secrets plus the fact that you can’t do
25:36
biometric authentication on the website
25:38
because there’s no protocol for a web
25:39
browser to take biometric authentication
25:41
you need to build a native app now are
25:43
they going to replace the Greenville NC
25:44
internal website with an app and do this
25:47
is something they built overnight after
25:49
a Tribune leaked not a chance now you
25:51
know so they’re most likely not even
25:52
implementing that biometric
25:53
authentication they’re just doing these
25:55
same things to keep the public happy all
25:57
right – through anonymous resource yes
26:00
what’s that’s how it’s been going
26:02
so again you know some of the people at
26:04
UIDAI people who are working there
26:05
and people who have worked there yes in
26:07
the past do you think their competency
26:09
should be called into question some of
26:11
them not all of them part of what
26:14
happens you know whether you have
26:15
competent or incompetent people is
26:17
the organization structure that you put
26:18
them in and if you put them in a
26:20
structure where they do not have
26:21
authority to do things then they’re
26:23
going to quit in frustration or they
26:25
just going to resign to the
26:27
inconvenience and not do the best work
26:29
that they can
26:30
and everything I’ve seen suggests that
26:32
they had some competent people no
26:34
doubt about that
26:35
but they also put them in a structure
26:36
they just would not allow them to do the
26:38
right thing
26:39
and it’s no surprise what came out at
26:41
the end of it right so but you are are
26:44
you are you proponent if so online that
26:47
I’m there’s a sizable section of people
26:49
online who say that the only solution
26:51
now is to destroy Aadhaar no I
26:53
disagree with them and there are
26:56
pragmatic reasons to disagree and the
26:58
ref reservatol reasons to disagree but
27:00
what should be done now well so let’s
27:02
let’s look at this right one of things
27:05
that happens with infrastructure is that
27:07
you can’t simply destroy infrastructure
27:09
especially one that is so widespread and
27:12
widely controlled it’s like saying that
27:14
you don’t like the highway system so
27:16
you’re going to destroy it that’s great
27:18
but how are you going to do that how are
27:20
you going to go to every single part of
27:21
your highway system and destroy it and
27:23
say what you are going to bomb the roads
27:25
take it all so if you try to dismantle
27:28
infrastructure and we’ve seen this
27:30
happen in other societies you know you
27:33
look at Russia the communist structure
27:35
fell apart they were no longer the
27:38
Communist Empire that they had
27:39
originally started off as being but that
27:41
what you do with the institutions you
27:44
have built under that communist structure
27:45
they don’t disappear what they do
27:48
instead is become controlled by a new
27:50
class who now the oligarchs and that’s
27:52
exactly what’s going to happen here that
27:54
you say destroy Aadhaar and you even if
27:56
you manage to pass a court order to say
27:58
turn this thing off what’s going to
28:00
happen is that every piece of this vast
28:02
empire that UIDAI has built is now going
28:04
to go underground controlled by someone
28:06
else and it’s just going to make it much
28:08
worse so that option is just off the
28:10
table now what you’ve got instead is
28:13
that if you’re going to dismantle it how
28:15
do you dismantle it in a way that does
28:16
not cause damage you know and one of the
28:19
ways to approach this is to say that
28:20
every other ID that you had was
28:23
something you controlled that it’s a
28:25
driving licence or a PAN card or a
28:26
passport it was your property and you
28:28
could use this anywhere until an
28:30
authority decides we revoke it under
28:31
whatever sections have a replica burn
28:33
under the law and those have been
28:34
contested there’s a long history of
28:36
contesting the validity of ID and the
28:37
ownership of ID and so on so the legal
28:40
systems are well established the
28:42
institutional
28:42
understanding is well-established those
28:44
are already acceptable everywhere keep
28:45
using them do not destroy them TRAI for
28:49
instance in their order demanding eKYC
28:52
or at least not TRAI but DoT
28:54
when DoT made an order
28:55
demanding eKYC for mobile operators
28:57
mr. arashiyama made a public statement
29:00
saying that we have told mobile
29:01
operators please throw away your
29:03
existing ID proof after you do eKYC
29:05
now this is terrible mobile companies
29:08
for several classes of customers all
29:11
of their postpaid customers and
29:13
high-risk prepaid customers have done
29:14
physical address verification by
29:16
themselves so that the address they have
29:19
in their database is a billing address
29:20
it’s where they send the bill it’s where
29:22
they go to collect money in case the
29:23
bill is not paid so they know for a fact
29:25
that the address is valid the address on
29:28
an Aadhaar card is unverified you just
29:30
uploaded some document somebody sitting
29:32
behind a computer decided to accept your
29:33
document nobody came to your door to
29:34
visit you if you replace a verified
29:37
address with an unverified address you
29:39
are reducing the quality of your
29:40
compliance I’m not increasing it yeah
29:43
and this is true anywhere other issues
29:46
that adding Aadhaar is fine if you are
29:49
only adding it using only Aadhaar and
29:52
removing what you had before is reducing
29:54
the quality of your system so if you
29:56
want to dismantle Aadhaar start with this
29:57
and say nothing that you currently have
29:59
should be invalid for those who find
30:02
Aadhaar convenient sure go ahead keep
30:04
using it sure yeah but do not force it
30:07
on people who don’t want it who don’t
30:08
trust it and do not take away anything
30:09
else it works even if we wanted to shut
30:12
down the central database now which is
30:13
not possible
30:14
yeah there is what we call state
30:17
resident data hubs yes I strongly feel
30:20
and there’s lot number of people express
30:22
this concern this is this is the next
30:23
sort of controversy yes in the making
30:27
could you see reviews we’ve never heard
30:28
of SRDHs before yeah
30:30
describe it okay so this is something
30:31
that came out of the battle between the
30:34
National Public Register and Aadhaar UIDAI
30:37
and NPR were the two big identity
30:39
projects that were conceived by
30:42
different branches of the government the
30:43
Home Ministry versus the Planning
30:44
Commission and they built up in parallel
30:48
they built up with ideas about which one
30:51
was supposed to do which part UIDAI
30:52
was supposed to only issue numbers NPR
30:54
was supposed to do the enrollments
30:55
and eventually it got to the point where
30:57
they merged because they became
30:59
competing projects now but as a result
31:02
of their history running in parallel
31:03
there have been agreements between the
31:05
two parties in various states which have
31:08
resulted in what’s now called state
31:09
resident data hubs where every state
31:11
would be enrolling agency under the NPR
31:13
and would then enroll into the UIDAI but
31:16
also keep a copy of the data themselves
31:17
right now these things are not covered
31:22
under the Aadhaar Act do they contain
31:23
biometrics yes several states contain
31:26
biometrics Tamil Nadu has even a law
31:28
that mentions biometrics a government
31:29
order is not a law there’s a government
31:31
order that mentions access to biometrics
31:33
from I saw deeds cannot occur that’s as
31:35
far as I know and the police for sure
31:36
does Gujarat does Rajasthan does and
31:39
there are about 11 or 13 of these states
31:42
which have SRDHs not all of them
31:44
have biometrics some do they’re
31:47
collected at the time of enrollment into
31:48
Aadhaar so they have them there is nothing
31:53
in the Aadhaar Act that governs an
31:55
SRDH the term is not mentioned
31:56
even once it’s not in the regulations
31:58
some states have their own Aadhaar acts
32:01
but those will not override a central
32:03
Aadhaar Act and some states have nothing
32:05
at all so they’re just operating on the
32:06
basis of government orders so this is an
32:08
entirely unregulated area of the Aadhaar
32:10
ecosystem that will blow up if it’s not
32:13
examined and controlled and but the
32:15
UIDAI has no say in what what conduct
32:18
officials get to access it I don’t know
32:19
how many states have come up with
32:20
legislation that do govern their owners
32:22
I’m aware of only one I think Rajasthan
32:24
but they may be APB is most likely to
32:27
have one I’m not aware of it but have
32:28
not been reading the law so I think I
32:29
should find someone who is follow up on
32:31
the law regarding these things right so
32:33
in your assessment UIDAI needs to rein
32:35
in its ecosystem yes so today they
32:38
announced we already discussed virtual
32:39
IDs yes the next security buffer as core
32:44
is unique ID tokens the idea is that is
32:48
part of much Larry’s correctly it says
32:50
it’s a second piece of the same
32:52
immigrant right yeah and I mean so for
32:55
some operators you know so now that
32:57
Trust as you put it has now sort of
32:59
taken back this is a better way to
33:02
reintroduce trust on that’s a good step
33:06
this is a current organization for the
33:08
fact that they are
33:08
you did this you know despite everything
33:10
that’s falling apart LM sort of
33:11
renegotiates the terms and conditions
33:13
between UIDAI and its ecosystem yeah
33:15
you’re hopeful I’m hopeful but it just
33:17
not enough it’s like one step out of
33:19
100 okay it’s it’s a long way to go to
33:22
make this system trustworthy this is
33:24
what they should have done on day one
33:25
and they’re doing it now after
33:27
everything is falling apart
33:29
it’s going to get much worse before they
33:31
do the next step which is I mean they
33:32
need to eliminate paper cards they need
33:34
to stop having Aadhaar numbers at all and
33:36
ensure that everything is virtualized
33:37
there is no Aadhaar number that anybody
33:39
can access anywhere thankfully this this
33:43
brings us to the end of our discussion
33:44
thank you thank you yeah and please do
33:47
keep an eye out for The Wire for our
33:48
future news and analysis

