By Categories: Editorials, Science

It would not do for people to find out all of a sudden that their bank accounts have been cleaned out, or that your BHIM and Aadhaar data are available for sale on the Internet.

Some people are raising questions about Aadhaar and about Electronic Voting Machines (EVMs). It is hard to dismiss them out of hand even if you make allowances for their vested interests. The reason is that, fundamentally, computer and network security in India is in its infancy. As the country is dragged kicking and screaming into a future with electronic money and electronic identity and electronic everything else, it is pertinent to worry about how things can go wrong.

The objectives behind Aadhaar and the EVM are laudable: it makes sense both to have an unalterable identity mechanism and a way of quickly and accurately tabulating election results. Indeed there is a case for even greater introduction of digital mechanisms into daily activities: for instance, we need land records and medical records to be reliable and portable. So the thrust behind Digital India and India Stack is doubtless, sensible. The devil is in the implementation details.

It would be instructive to look at what has happened elsewhere with the introduction of a unique identifier and electronic voting machines, though their situations may not be entirely comparable. They are different countries with different problems, yes, but certainly one can learn from the experiences of other people.

Electronic Voting Machines have been banned in several American states (and in Germany they have been ruled unconstitutional) because it is evident that there are multiple ways of tampering with them, thus denying a citizen the constitutional right to the vote.

As for identity, the social security number (SSN) was introduced in the US quite some time ago as a way of providing a national worker’s pension. But the SSN soon became used for all sorts of other things, and in effect, it is a de facto unique national id now. Other government agencies such as the income tax authorities as well as businesses began to track data using the SSN as the unique id, and even though it was illegal to do so in the first place, but you have a fait accompli now.

The net result today is that it is possible to construct the entire profile of any US resident these days by just using their SSN: you can track their credit card use, their medical history, their ATM use, and so on. There was a film The Net that shows the nightmare scenario if someone were to delete your SSN from the system: you become a non-person. For all practical purposes, you cease to exist.

Separately, with the arrival of the smartphone, not only the US government but also Google, Facebook, Apple and Amazon know everything about you: where you have been at any time, who you fraternise with, what your interests are, what topics you search for on the net, what you say to whom on social media or phone calls. Everything.

If you were a bit of a pessimist, you might say that the age of the Panopticon has arrived: that the scary future European philosopher Jeremy Bentham imagined, where Big Brother is really watching you and knows what you think.

For privacy advocates, this is a nightmare: imagine if a government were to be malign, and wanted to round up people based on thought crimes – in fact you can do this today. Witness how every time some terrorist is caught, they say he had been watching propaganda videos on YouTube or learning how to assemble bombs from common household chemicals. You leave your digital footprints everywhere, and it is almost impossible to hide from the eye in the sky.

But what is worse is that it is not only governments, but hackers too who know or can know anything about you.

One popular trick these days is ransomware: your computer is locked up by a remote hacker, who refuses to let you access it unless you pay good money. One way of dealing with this is to keep regular backups of all your data on computers or disks that are never attached to the Internet. But that is hard to do because your computers need the regular software updates pushed by the manufacturers.

Beyond that, there is identity theft. By piecing together data about your activities, and especially based on the SSN, it is possible for thieves to create new identities that mimic you: the data is yours, but someone has control of it. Large numbers of people fall prey to this every year in the US, and billions of dollars are stolen. A crook who clones your identity can with little trouble create a new credit card with your SSN, and charge thousands of dollars to it. You, alas, will get the bill. This is so widespread that there is identify theft insurance available now.

Imagine how identify theft might play out in India. Unscrupulous bank employees have already been caught in scams where they clone credit cards, and arrange for the PIN numbers to be sent to addresses they or their friends control: the banks end up absorbing this kind of loss (unless they can bully the consumer into paying for the fraud). But imagine how this would be a nightmare if clever hackers are let loose on millions of unsuspecting and unprepared, often illiterate and gullible users in India. And all their financial information is centred around their Aadhaar numbers.

When BHIM-Aaadhar is made a major mechanism for financial transactions, it should be assumed that there will be continuous and wilful security breach attempts made by hackers. It would not do for people to find out suddenly that their bank accounts have been cleaned out, or that your BHIM and Aadhaar data are available for sale on the Internet.

That brings us to the crux of the matter. It is true that Aadhaar is a high-tech mechanism using fingerprints and iris scans to precisely identify individuals. It may even be that this is superior to other UID mechanism available elsewhere.

But there are several problems: one is that current processes need to be re-engineered, another is that there needs to be a clear idea of ownership of data, and a third is that the data must be stored in a manner that it is unalterable.

The first problem is the hardest. Many of the processes we use in India unnecessarily reveal too much information, and they can be leaky – just the thing that the friendly neighbourhood hackers are looking for. Every process using Aadhaar for authentication needs to be re-engineered end to end to ensure that only information that is absolutely necessary (“need to know”) is revealed, and that too in a secure manner.

Secondly, it is not clear who owns the information; maybe the Aadhaar Act has clear rules about this. But the working assumption is that all the data belongs to the government (and that it is not merely the custodian of private data). On the contrary, it must be absolutely clear that the data belongs to the individual, and that he/she must be in control of how much of it is revealed. For instance, if one wants to reveal his/her medical or financial history to some corporation, it should be based on informed consent.

The third problem may have a general solution: blockchain. Although there are concerns about the physical security of devices using blockchain, by integrating that technology into the (orthogonal) technology of identity management, it may be possible to create solutions so that important data is guaranteed to be inviolate.

As for Electronic Voting Machines, speaking strictly from a technology perspective, they are not as safe as we may believe. It would be necessary to have full control of the chips and firmware on them to be confident that EVMs are not being messed with. Researchers in 2010 showed how they could be fixed up with radio-aware chips, which could be manipulated with a mobile phone to activate, say, a Trojan Horse programme that deletes itself after use and transfers say 40 per cent of all votes polled to a specific candidate.

Today, EVMs follow a sort of ‘security by obscurity’, and the voter-verified paper audit trail (VVPAT) terminals with printouts are only a partial solution. But they can be made far more secure. In fact, if sufficient safeguards are inserted, including multi-factor authentication, internet voting could be introduced, so that non-residents and expatriates can also exercise their franchise. The belly-aching by certain parties is just an excuse, but the dangers of EVMs may be real.


 

Share is Caring, Choose Your Platform!

Recent Posts

  • Darknet

    Definition:

    Darknet, also known as dark web or darknet market, refers to the part of the internet that is not indexed or accessible through traditional search engines. It is a network of private and encrypted websites that cannot be accessed through regular web browsers and requires special software and configuration to access.

    The darknet is often associated with illegal activities such as drug trafficking, weapon sales, and hacking services, although not all sites on the darknet are illegal.

    Examples:

    Examples of darknet markets include Silk Road, AlphaBay, and Dream Market, which were all shut down by law enforcement agencies in recent years.

    These marketplaces operate similarly to e-commerce websites, with vendors selling various illegal goods and services, such as drugs, counterfeit documents, and hacking tools, and buyers paying with cryptocurrency for their purchases.

    Pros :

    • Anonymity: Darknet allows users to communicate and transact with each other anonymously. Users can maintain their privacy and avoid being tracked by law enforcement agencies or other entities.
    • Access to Information: The darknet provides access to information and resources that may be otherwise unavailable or censored on the regular internet. This can include political or sensitive information that is not allowed to be disseminated through other channels.
    • Freedom of Speech: The darknet can be a platform for free speech, as users are able to express their opinions and ideas without fear of censorship or retribution.
    • Secure Communication: Darknet sites are encrypted, which means that communication between users is secure and cannot be intercepted by third parties.
    •  

    Cons:

    • Illegal Activities: Many darknet sites are associated with illegal activities, such as drug trafficking, weapon sales, and hacking services. Such activities can attract criminals and expose users to serious legal risks.
    • Scams: The darknet is a hotbed for scams, with many fake vendors and websites that aim to steal users’ personal information and cryptocurrency. The lack of regulation and oversight on the darknet means that users must be cautious when conducting transactions.
    • Security Risks: The use of the darknet can expose users to malware and other security risks, as many sites are not properly secured or monitored. Users may also be vulnerable to hacking or phishing attacks.
    • Stigma: The association of the darknet with illegal activities has created a stigma that may deter some users from using it for legitimate purposes.