Friday, 12 January 2018

Aadhar Virtual ID Compromised ?




BACKGROUND :


Over the past few months, Aadhar ID has been under attack for the following reasons :


·         Some 200 government web sites hosted personal details of Aadhar holders


·         Airtel goofed up in linking Aadhar ID to beneficiaries of Direct Benefit Scheme


·         Last week , a TRIBUNE journalist revealed that someone has been selling Passwords to UIDAI database for Rs 500 and , over the past 6 months , data of millions of Aadhar holders could have leaked out


·         Some over-zealous government officers have started issuing “ orders “ which require a person to provide his Aadhar ID , in order to ,

#    Appear in an exam

#    Get school admission for his child

#    Get admitted to a hospital

#    Get himself cremated when dead !



·         Supreme Court is asking the government :  “ With such proliferation of Aadhar ID , in the databases of all and sundry , how do you propose to protect the private / personal data of Aadhar holders ? “



GOVERNMENT  RESPONSE  :


Last week , UIDAI announced the introduction ( from March 2018 ) of a 16 digit Random Number called VIRTUAL ID , behind which the ORIGINAL REAL ID can hide !



HOW WILL THIS  WORK  ?


An existing  Aadhar ID holder ( - of which , by now , there are over 1,000 MILLION ) can log into UIDAI web site , fill up a form ( - including his bio-metric ? ) , enter his CURRENT REAL Aadhar Number ( 12 digit ) and press, “ SUBMIT “


Voila !


UIDAI web server will instantly generate a 16 digit “ Random Number “ called VIRTUAL ID  - which now you can provide to any agency in lieu of the REAL ID !  ( - of course , you will need to write it down in your diary and carry it with you wherever you go , since you are unlikely to remember it easily ! )


Now , no agency can get to know your REAL ID , nor be able to “ access “ your private / personal data which is linked only to your REAL ID and not to your VIRTUAL ID !


And , you can return to UIDAI website again and again and generate / obtain a different VIRTUAL ID , by revoking the earlier generated VIRTUAL ID ( - arrangement to silence those privacy maniacs ? )


Hey , this seems neat !  So why are some critics still not happy ?


Could it be for the following practical difficulties ?


·         Already millions of those 1000 Million Aadhar holders have given out their ORIGINAL / REAL ID to various Agencies in whose server databases , these real IDs will remain


·         This means , dozens of banks ( holding some 550 million bank accounts ) and 4 Mobile Service Providers ( serving close to 850 million users ) , have such REAL IDs in their databases ( - apart from hundreds of other agencies to whom you do not even remember having given your Aadhar Number , digitally online or on a piece of paper ! )


·         How many of these persons will take the trouble to find an internet-connected computer , log into UIDAI web site , generate a VIRTUAL ID , note it down in a diary and then systematically visit the web site of their Bank / MSP and enter their VIRTUAL ID to link it with their REAL ID  ?


HERE ARE UIDAI ARGUMENTS IN SUPPORT OF VIRTUAL ID :


·         People don’t have to give their Aadhar Number and can authenticate using the Virtual Id


·         Aadhar will not come on the front end device unless the customer gives it by choice


·         Even during activities such as filing for tax returns online, giving the Virtual Id number in lieu of Aadhar will make the transaction go through


·         Virtual ID limits the information available to authentication agencies


·         Citizens will also have the choice for the reverse – which is not to generate their Virtual ID and continue using their Aadhar Number each time


·         Networks of Service Providers will not be able to save the information in any form


·         In case the Service Providers resort to unscrupulous means of retrieving the Aadhar Number , they will be committing a criminal offence and will be punished by law


Now , not being a mathematician or a software geek , I have the following stupid questions , which , I hope the experts ( including those of UIDAI ) may want to answer :


·         Are VIRTUAL ID numbers generated using some Random Number Generator ( such as PRNG =  Pseudo Random Number Generator / TRNG = True Random Number Generator ) ?


·         Do both types of Generators depend upon some software algorithm ? ( - a somewhat deterministic logic )


·         Considering the Aadhar Virtual ID requirement ( viz : generation of data encryption keys ) , is it more likely that UIDAI is using TRNG ?



·         If , given a starting number ( original / real Aadhar Number ) , TRNG generates a “ linked “ RANDOM NUMBER , is it possible to REVERSE this process ?


·         Using BIG DATA  /  DATA ANALYTICS  /  Artificial Intelligence /  MACHINE LEARNING etc , can one figure out the ORIGINAL / REAL Aadhar Number , from its counter-part Virtual Number ?
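The difference these questions turn on, shown as an added example ( not UIDAI's code ; the page does not say how Virtual IDs are actually generated ) : a token drawn from a random source and kept in an issuer-side lookup table has no computable link to the real number , while a token computed from the real number can be recovered by trying every possible input. The class and function names and the 4-digit toy ID are assumptions made for illustration.

```python
import hashlib
import secrets


class VirtualIdVault:
    """Hypothetical issuer-side table mapping each virtual ID to a real ID."""

    def __init__(self):
        self._real_by_vid = {}
        self._vid_by_real = {}

    def issue(self, real_id):
        # Issuing a new virtual ID revokes the previous one for this holder.
        old = self._vid_by_real.pop(real_id, None)
        if old is not None:
            del self._real_by_vid[old]
        while True:
            # 16 digits from the OS CSPRNG; the real ID is never an input.
            vid = f"{secrets.randbelow(10**16):016d}"
            if vid not in self._real_by_vid:
                break
        self._real_by_vid[vid] = real_id
        self._vid_by_real[real_id] = vid
        return vid

    def resolve(self, vid):
        return self._real_by_vid.get(vid)


def derived_vid(real_id):
    """Weak design for contrast: virtual ID computed from the real ID."""
    digest = hashlib.sha256(real_id.encode()).digest()
    return f"{int.from_bytes(digest[:8], 'big') % 10**16:016d}"


def recover_from_derived(vid, id_digits):
    """Try every possible real ID; succeeds because derived_vid is repeatable."""
    for n in range(10**id_digits):
        candidate = f"{n:0{id_digits}d}"
        if derived_vid(candidate) == vid:
            return candidate
    return None


if __name__ == "__main__":
    toy_real_id = "4821"  # constructed 4-digit stand-in, not a real Aadhaar number
    vault = VirtualIdVault()
    print(vault.issue(toy_real_id), vault.issue(toy_real_id))  # two unrelated values
    print(recover_from_derived(derived_vid(toy_real_id), 4))   # 4821
```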



Over a period of  few months , it is likely that the servers of those Agencies , may have billions of  sets of linked “ Real Numbers / Virtual Numbers “

   
Could such a large enough database ( if some hacker can lay his hands on it ) , be enough for a software geek to design a Neural Network ( backward propagation / forward propagation ) , to reverse the process ?


I am tempted to believe that such a scenario is entirely possible !


Those who have any doubt might want to look up ( on BBC web site ) , last  week’s episode of CLICK , where a software geek gave a demo of a computer , embedded with an improvised  ALEXA ( with speech capability )


A person from the audience was invited on the stage / given a stack of playing cards / asked to pick one at RANDOM ( without showing it to either the anchor or the audience ) and requested to just THINK about that card ( - not think aloud ! )


That person did NOT wear any headset , nor was he,  in any way connected to ALEXA by wires or wirelessly – which was some 15 feet away from him  !


Then he asked ALEXA to tell everybody , what card he was “ thinking about “



ALEXA accurately determined and announced a playing card held by that person !


How long before an Indian Software Geek comes up with ANJANA (- the “ Unknown “  sister of ALEXA ? ) , which will “ read “ the databases of Service Providers , and figure out the REAL Aadhar Number , given the VIRTUAL Number ?


Or , let ANJANA reside on the mobile of each Aadhar holder and just “ read “ his mind which has both the Numbers stored side by side, in the neurons of his brain ?


Privacy  :  RIP  !




13  Jan  2018



  


1 comment:

  1. Virtual id generated by an algorithm and algorithm is not eternal. Probably millions of people cannot hack. Only one hack these million #UIDAI know only one will hack and not foolproof. But to please some authorities #UIDAI defends it is best
