Hi Friends,

Even as I launch this today ( my 80th Birthday ), I realize that there is yet so much to say and do. There is just no time to look back, no time to wonder,"Will anyone read these pages?"

With regards,
Hemen Parekh
27 June 2013

Now as I approach my 90th birthday ( 27 June 2023 ) , I invite you to visit my Digital Avatar ( www.hemenparekh.ai ) – and continue chatting with me , even when I am no more here physically

Friday 12 January 2018

Aadhar Virtual ID Compromised ?




BACKGROUND :


Over the past few months, Aadhar ID has been under attack for the following reasons :


·         Some 200 government web sites hosted personal details of Aadhar holders


·         Airtel goofed up in linking Aadhar ID to beneficiaries of Direct Benefit Scheme


·         Last week , a TRIBUNE journalist revealed that someone has been selling Passwords to UIDAI database for Rs 500 and , over the past 6 months , data of millions of Aadhar holders could have leaked out


·         Some over-zealous government officers have started issuing “ orders “ which require a person to provide his Aadhar ID , in order to ,

#    Appear in an exam

#    Get school admission for his child

#    Get admitted to a hospital

#    Get himself cremated when dead !



·         Supreme Court is asking the government :  “ With such proliferation of Aadhar ID , in the databases of all and sundry , how do you propose to protect the private / personal data of Aadhar holders ? “



GOVERNMENT  RESPONSE  :


Last week , UIDAI came up with the introduction of ( from March 2018 ) a 16 digit Random Number called VIRTUAL ID , behind which the ORIGINAL REAL ID can hide !



HOW WILL THIS  WORK  ?


An existing  Aadhar ID holder ( - of which , by now , there are over 1,000 MILLION ) can log into UIDAI web site , fill up a form ( - including his bio-metric ? ) , enter his CURRENT REAL Aadhar Number ( 12 digit ) and press, “ SUBMIT “


Voila !


UIDAI web server will instantly generate a 16 digit “ Random Number “ called VIRTUAL ID  - which now you can provide to any agency in lieu of the REAL ID !  ( - of course , you will need to write it down in your diary and carry it with you wherever you go , since you are unlikely to remember it easily ! )


Now , no agency can get to know your REAL ID , nor be able to “ access “ your private / personal data which is linked only to your REAL ID and not to your VIRTUAL ID !


And , you can return to UIDAI website again and again and generate / obtain a different VIRTUAL ID , by revoking the earlier generated VIRTUAL ID ( - arrangement to silence those privacy maniacs ? )
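The issue / revoke / re-issue cycle described above can be sketched as a small token vault. This is an added example, not part of the original post and not UIDAI's implementation: the `VidVault` class, its method names and the sample number are hypothetical, and it assumes each VIRTUAL ID is drawn from a cryptographically secure random source without using the REAL ID as an input.

```python
import secrets

VID_DIGITS = 16   # VIRTUAL ID length stated in the post
REAL_DIGITS = 12  # REAL ID length stated in the post


class VidVault:
    """Hypothetical issuer-side token vault (assumed design, not UIDAI's)."""

    def __init__(self):
        self._vid_to_real = {}  # active VID -> real ID
        self._real_to_vid = {}  # real ID -> its single active VID

    def issue(self, real_id: str) -> str:
        """Issue a fresh VID and revoke the holder's previous one."""
        if not (real_id.isascii() and real_id.isdigit()
                and len(real_id) == REAL_DIGITS):
            raise ValueError("real ID must be 12 digits")
        old = self._real_to_vid.pop(real_id, None)
        if old is not None:
            del self._vid_to_real[old]  # revocation of the earlier VID
        while True:
            # Digits come from the OS CSPRNG; the real ID is never an input,
            # so the VID is not a function of it.
            vid = "".join(secrets.choice("0123456789")
                          for _ in range(VID_DIGITS))
            if vid not in self._vid_to_real:  # never reuse an active VID
                break
        self._vid_to_real[vid] = real_id
        self._real_to_vid[real_id] = vid
        return vid

    def resolve(self, vid: str):
        """Issuer-side lookup; returns None for revoked or unknown VIDs."""
        return self._vid_to_real.get(vid)


def demo():
    vault = VidVault()
    real = "123412341234"  # constructed sample, not a real Aadhar number
    first = vault.issue(real)
    second = vault.issue(real)  # re-issue revokes `first`
    return first, second, vault.resolve(first), vault.resolve(second)


if __name__ == "__main__":
    print(demo())
```

Under this assumed design the only link between the two numbers is the table held inside the vault, so an agency that receives only the VID has nothing to compute the REAL ID from.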


Hey  , this seems neat !  So why are some critics still not happy ?


Could it be for the following practical difficulties ?


·         Already millions of those 1000 Million Aadhar holders have given out their ORIGINAL / REAL ID to various Agencies in whose server databases , these real IDs will remain


·         This means , dozens of banks ( holding some 550 million bank accounts ) and 4 Mobile Service Providers ( serving close to 850 million users ), have such REAL IDs in their databases ( - apart from hundreds of other agencies to which you do not even remember having given your Aadhar Number , digitally online or on a piece of paper ! )


·         How many of these persons will take the trouble to find an internet-connected computer, log into UIDAI web site , generate a VIRTUAL ID , note it down in diary and then systematically visit the web site of his Bank / MSP and enter their VIRTUAL ID to link it with their REAL ID  ?


HERE ARE UIDAI ARGUMENTS IN SUPPORT OF VIRTUAL ID :


·         People don’t have to give their Aadhar Number and can authenticate using the Virtual Id


·         Aadhar will not come on the front end device unless the customer gives it by choice


·         Even during activities such as filing for tax returns online, giving the Virtual Id number in lieu of Aadhar will make the transaction go through


·         Virtual ID limits the information available to authentication agencies


·         Citizens will also have the choice for the reverse – which is not to generate their Virtual ID and continue using their Aadhar Number each time


·         Networks of Service Providers will not be able to save the information in any form


·         In case the Service Providers resort to unscrupulous means of retrieving the Aadhar Number, they will be committing a criminal offence and will be punished by law


Now , not being a mathematician or a software geek , I have the following stupid questions , which , I hope the experts ( including those of UIDAI ) may want to answer :


·         Are VIRTUAL ID numbers generated using some Random Number Generator ( such as PRNG =  Pseudo Random Number Generator / TRNG = True Random Number Generator ) ?


·         Do both types of Generators depend upon some software algorithm ? ( - a somewhat deterministic logic )


·         Considering the Aadhar Virtual ID requirement ( viz : generation of data encryption keys ) , is it more likely that UIDAI is using TRNG ?



·         If , given a starting number ( original / real Aadhar Number ) , TRNG generates a “ linked “ RANDOM NUMBER , is it possible to REVERSE this process ?


·         Using BIG DATA  /  DATA ANALYTICS  /  Artificial Intelligence /  MACHINE LEARNING etc , can one figure out the ORIGINAL / REAL Aadhar Number , from its counter-part Virtual Number ?



Over a period of a few months , it is likely that the servers of those Agencies , may have billions of  sets of linked “ Real Numbers / Virtual Numbers “

   
Could such a large enough database ( if some hacker can lay his hand on it ) , be enough for a software geek to design a Neural Network ( backward propagation / forward propagation ) , to reverse the process ?


I am tempted to believe that such a scenario is entirely possible !


Those who have any doubt might want to look up ( on BBC web site ) , last  week’s episode of CLICK , where a software geek gave a demo of a computer , embedded with an improvised  ALEXA ( with speech capability )


A person from the audience was invited on the stage / given a stack of playing cards / asked to pick one at RANDOM ( without showing it to either the anchor or the audience ) and requested to just THINK about that card ( - not think aloud ! )


That person did NOT wear any headset , nor was he,  in any way connected to ALEXA by wires or wirelessly – which was some 15 feet away from him  !


Then he asked ALEXA to tell everybody , what card he was “ thinking about “



ALEXA accurately determined and announced a playing card held by that person !


How long before an Indian Software Geek comes up with ANJANA (- the “ Unknown “  sister of ALEXA ? ) , which will “ read “ the databases of Service Providers , and figure out the REAL Aadhar Number , given the VIRTUAL Number ?


Or , let ANJANA reside on the mobile of each Aadhar holder and just “ read “ his mind which has both the Numbers stored side by side, in the neurons of his brain ?


Privacy  :  RIP  !




13  Jan  2018



  


1 comment:

  1. Virtual id generated by an algorithm and algorithm is not eternal. Probably millions of people cannot hack. Only one hack these million #UIDAI know only one will hack and not foolproof. But to please some authorities #UIDAI defends it is best
