Monday, March 26, 2018

Fixing Aadhaar

It is an academic discussion whether any country or society needs something like Aadhaar or not. There are pros and cons to having a single identity system, and I am not going into the merits or demerits of such a system here. What I want to discuss are the methods to secure a system like Aadhaar.

How should we view the Aadhaar number? The closest equivalent that I can see is a username on a website. Should the username be secure or not? Keeping the username secure does make it harder for somebody to break into the account. This is one of the reasons why, on a failed authentication, we want developers not to disclose what was wrong: was it the username or the password?

Another way to look at the Aadhaar number would be a credit card number. The credit card number, on its own, is not sufficient to do any transaction but it is a big piece of the credit card transaction puzzle.

As we have observed in past weeks, there is a case to be made that the Aadhaar data center itself is probably secure, but for it to be useful it has to be connected to the internet. It is this part of the puzzle that completely breaks the Aadhaar architecture.

Aadhaar expects its third-party partners to capture the Aadhaar number and OTP and send them to the UIDAI server for identity verification. This leaves the data completely open to misuse by those partners. Given that UIDAI has not really shown great foresight in auditing the security of its partners and has no way to make sure that partner systems are secure, it really can't depend on its partners (government and private) to secure the system. Any system is only as secure as the weakest link in the network. So if a state government has a spreadsheet with Aadhaar details in an open directory, all the security of the UIDAI data center is useless. A malicious user is not going to try to breach the strongest parts of a system; they will go after the weakest parts.

I don't really know the details of the Aadhaar architecture, but my guess is that at the top level the following things are happening.

The problem lies in the fact that the Aadhaar number is captured by the third party, and UIDAI depends on them to handle it properly. The best way to get control over this problem is to move the capture of the Aadhaar number to the UIDAI server. This problem has already been solved in the FinTech domain by companies like Visa and Mastercard. In the same way, the sensitive information should be captured only by the UIDAI server, and the third party just informed of success or failure.

This small modification would at least take the burden of securing the Aadhaar system out of the hands of third parties. They are only concerned with one piece of information: whether the person's identity is verified or not. A persistent verification id can solve that problem.

This does not mean that the system becomes completely secure. A large system like Aadhaar should have its complete source code in the public domain so that security researchers can review it and report needed changes. Source code doesn't implement security; security is implemented by certificates and encryption keys.
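As an added illustration of the flow described above (this is not code from the original post, and it is not UIDAI's actual API), here is a Python sketch in which the partner only opens a session, the holder enters number and OTP at the identity server, and the partner receives a signed result carrying a per-partner persistent verification id instead of the Aadhaar number. All keys, the OTP store and the 12-digit number are constructed demo data.

```python
import base64, hashlib, hmac, json, secrets

# Constructed demo secrets: in a real deployment these never leave the identity server.
UIDAI_SIGNING_KEY = b"demo-signing-key"      # stands in for UIDAI's private signing key
UIDAI_PSEUDONYM_KEY = b"demo-pseudonym-key"  # derives the per-partner persistent id

SESSIONS = {}                                  # session id -> relying party (server-side state)
DEMO_OTPS = {"999912345678": "482913"}         # constructed: hypothetical number -> OTP issued

def start_verification(relying_party_id):
    """Partner step: open a session. The partner gets an opaque session id, nothing else."""
    session_id = secrets.token_urlsafe(16)
    SESSIONS[session_id] = relying_party_id
    return session_id

def complete_verification(session_id, aadhaar_number, otp):
    """Identity-server step: the holder enters number and OTP here, never at the partner."""
    if session_id not in SESSIONS:
        raise ValueError("unknown or already used session")
    relying_party_id = SESSIONS.pop(session_id)
    ok = hmac.compare_digest(DEMO_OTPS.get(aadhaar_number, ""), otp)
    # Persistent verification id: stable for one person at one partner, but a different
    # value at every other partner, so partners cannot join their records on it.
    verification_id = None
    if ok:
        label = f"{relying_party_id}|{aadhaar_number}".encode()
        verification_id = hmac.new(UIDAI_PSEUDONYM_KEY, label, hashlib.sha256).hexdigest()[:32]
    # The result token carries only the outcome and the pseudonym, never the Aadhaar number.
    payload = json.dumps({"session": session_id, "rp": relying_party_id,
                          "verified": ok, "verification_id": verification_id},
                         sort_keys=True).encode()
    sig = hmac.new(UIDAI_SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + sig

def read_result(token):
    """Partner step: check the token's signature and return (verified, verification_id).
    HMAC is used here only to keep the demo to the standard library; a shared secret would
    let a partner forge tokens, so the real design would verify a public-key signature."""
    body, sig = token.rsplit(".", 1)
    payload = base64.urlsafe_b64decode(body)
    expected = hmac.new(UIDAI_SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("token tampered with or not issued by the identity server")
    data = json.loads(payload)
    return data["verified"], data["verification_id"]
```

The partner should also match the session id inside the token against the one it opened, so a result from one session cannot be replayed into another.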

Wednesday, March 21, 2018

Why it is the time to leave Facebook

I am not one of those naysayers who believe in completely getting out of social media. Social media is a double-edged sword: you let go of some of your privacy in return for connectivity that you might not achieve otherwise. When I sign up with a social media platform, I expect it to safeguard my data with some seriousness. It is because of that specific concern that I have decided to single out Facebook here. Facebook seems to have the following two specific issues.

  1. As a technology platform, it just seems to be badly designed. Something as fundamental as "friends permission" should not be part of any platform that wants to be a serious player in a business that is primarily about access to one's personal data. For the uninitiated, friends permission was the feature in the Facebook API where Facebook would share your data with a third party even if you had not explicitly given permission to share it. If any of your friends had given permission to share data, your data could also be shared.
  2. As a company, it is clear that Facebook has very little interest in being on the side of its users. Whenever it needs to make a call where it has to forego some revenue to safeguard the privacy of a user, it will lean to the side of revenue.
What is the Cambridge Analytica issue?

Facebook's friends permission concept allowed people's data to go to third parties they had not themselves authorized, while Facebook relied on terms of service and settings that people didn't read or understand to shield itself against any legal action. Global Science Research was run by Cambridge University psychologist Aleksandr Kogan, who built a personality-test app for Facebook users. The app automatically downloaded data from the friends of people who took the quiz, ostensibly for academic purposes.
The app had only about a quarter of a million users who took a paid quiz, but it was able to download the data of close to 50 million Facebook users by using the friends permission feature of the API.
Facebook takes a 30% cut of the revenue of any app in return for allowing access to friends permission.

The "I have done nothing wrong" or "I have nothing to hide" argument
This is an argument I hear from my friends often: why worry if you have done nothing wrong? It implies that if you are worried about online privacy, you must have done something wrong.
Daniel J. Solove stated in an article for The Chronicle of Higher Education that he opposes the argument; he stated that a government can leak information about a person and cause damage to that person, or use information about a person to deny access to services even if a person did not actually engage in wrongdoing, and that a government can cause damage to one's personal life through making errors.
Schneier also argued: "Too many wrongly characterize the debate as 'security versus privacy.' The real choice is liberty versus control."
Closer to home, the Supreme Court of India recently said:
Explaining why it is necessary to enshrine right to privacy as a fundamental right as opposed to a statutory right, Justice Rohinton Fali Nariman said, "Statutory law can be made and also unmade by a simple Parliamentary majority. In short, the ruling party can, at will, do away with any or all of the protections contained in the statutes mentioned hereinabove. Fundamental rights, on the other hand, are contained in the Constitution so that there would be rights that the citizens of this country may enjoy despite the governments that they may elect... The recognition of such right in the fundamental rights chapter of the Constitution is only a recognition that such right exists notwithstanding the shifting sands of majority governments."
If we agree that privacy is a right, then the burden of proving its utility doesn't lie on me but on the person or entity that wants to infringe on it and frankly, Facebook has not made a very good case.

All these philosophical arguments aside, in this busy life one has to look at the return on investment of time spent on any activity. When it comes to Facebook, there are absolutely zero returns on time spent on it. It looks more and more likely that my life will be better without Facebook in it.