It would not do for people to find out all of a sudden that their bank accounts have been cleaned out, or that your BHIM and Aadhaar data are available for sale on the Internet.
Some people are raising questions about Aadhaar and about Electronic Voting Machines (EVMs). It is hard to dismiss them out of hand even if you make allowances for their vested interests. The reason is that, fundamentally, computer and network security in India is in its infancy. As the country is dragged kicking and screaming into a future with electronic money and electronic identity and electronic everything else, it is pertinent to worry about how things can go wrong.
The objectives behind Aadhaar and the EVM are laudable: it makes sense both to have an unalterable identity mechanism and a way of quickly and accurately tabulating election results. Indeed there is a case for even greater introduction of digital mechanisms into daily activities: for instance, we need land records and medical records to be reliable and portable. So the thrust behind Digital India and India Stack is doubtless, sensible. The devil is in the implementation details.
It would be instructive to look at what has happened elsewhere with the introduction of a unique identifier and electronic voting machines, though their situations may not be entirely comparable. They are different countries with different problems, yes, but certainly one can learn from the experiences of other people.
Electronic Voting Machines have been banned in several American states (and in Germany they have been ruled unconstitutional) because it is evident that there are multiple ways of tampering with them, thus denying a citizen the constitutional right to the vote.
As for identity, the social security number (SSN) was introduced in the US quite some time ago as a way of providing a national worker’s pension. But the SSN soon became used for all sorts of other things, and in effect, it is a de facto unique national id now. Other government agencies such as the income tax authorities as well as businesses began to track data using the SSN as the unique id, and even though it was illegal to do so in the first place, but you have a fait accompli now.
The net result today is that it is possible to construct the entire profile of any US resident these days by just using their SSN: you can track their credit card use, their medical history, their ATM use, and so on. There was a film The Net that shows the nightmare scenario if someone were to delete your SSN from the system: you become a non-person. For all practical purposes, you cease to exist.
Separately, with the arrival of the smartphone, not only the US government but also Google, Facebook, Apple and Amazon know everything about you: where you have been at any time, who you fraternise with, what your interests are, what topics you search for on the net, what you say to whom on social media or phone calls. Everything.
If you were a bit of a pessimist, you might say that the age of the Panopticon has arrived: that the scary future European philosopher Jeremy Bentham imagined, where Big Brother is really watching you and knows what you think.
For privacy advocates, this is a nightmare: imagine if a government were to be malign, and wanted to round up people based on thought crimes – in fact you can do this today. Witness how every time some terrorist is caught, they say he had been watching propaganda videos on YouTube or learning how to assemble bombs from common household chemicals. You leave your digital footprints everywhere, and it is almost impossible to hide from the eye in the sky.
But what is worse is that it is not only governments, but hackers too who know or can know anything about you.
One popular trick these days is ransomware: your computer is locked up by a remote hacker, who refuses to let you access it unless you pay good money. One way of dealing with this is to keep regular backups of all your data on computers or disks that are never attached to the Internet. But that is hard to do because your computers need the regular software updates pushed by the manufacturers.
Beyond that, there is identity theft. By piecing together data about your activities, and especially based on the SSN, it is possible for thieves to create new identities that mimic you: the data is yours, but someone has control of it. Large numbers of people fall prey to this every year in the US, and billions of dollars are stolen. A crook who clones your identity can with little trouble create a new credit card with your SSN, and charge thousands of dollars to it. You, alas, will get the bill. This is so widespread that there is identify theft insurance available now.
Imagine how identify theft might play out in India. Unscrupulous bank employees have already been caught in scams where they clone credit cards, and arrange for the PIN numbers to be sent to addresses they or their friends control: the banks end up absorbing this kind of loss (unless they can bully the consumer into paying for the fraud). But imagine how this would be a nightmare if clever hackers are let loose on millions of unsuspecting and unprepared, often illiterate and gullible users in India. And all their financial information is centred around their Aadhaar numbers.
When BHIM-Aaadhar is made a major mechanism for financial transactions, it should be assumed that there will be continuous and wilful security breach attempts made by hackers. It would not do for people to find out suddenly that their bank accounts have been cleaned out, or that your BHIM and Aadhaar data are available for sale on the Internet.
That brings us to the crux of the matter. It is true that Aadhaar is a high-tech mechanism using fingerprints and iris scans to precisely identify individuals. It may even be that this is superior to other UID mechanism available elsewhere.
But there are several problems: one is that current processes need to be re-engineered, another is that there needs to be a clear idea of ownership of data, and a third is that the data must be stored in a manner that it is unalterable.
The first problem is the hardest. Many of the processes we use in India unnecessarily reveal too much information, and they can be leaky – just the thing that the friendly neighbourhood hackers are looking for. Every process using Aadhaar for authentication needs to be re-engineered end to end to ensure that only information that is absolutely necessary (“need to know”) is revealed, and that too in a secure manner.
Secondly, it is not clear who owns the information; maybe the Aadhaar Act has clear rules about this. But the working assumption is that all the data belongs to the government (and that it is not merely the custodian of private data). On the contrary, it must be absolutely clear that the data belongs to the individual, and that he/she must be in control of how much of it is revealed. For instance, if one wants to reveal his/her medical or financial history to some corporation, it should be based on informed consent.
The third problem may have a general solution: blockchain. Although there are concerns about the physical security of devices using blockchain, by integrating that technology into the (orthogonal) technology of identity management, it may be possible to create solutions so that important data is guaranteed to be inviolate.
As for Electronic Voting Machines, speaking strictly from a technology perspective, they are not as safe as we may believe. It would be necessary to have full control of the chips and firmware on them to be confident that EVMs are not being messed with. Researchers in 2010 showed how they could be fixed up with radio-aware chips, which could be manipulated with a mobile phone to activate, say, a Trojan Horse programme that deletes itself after use and transfers say 40 per cent of all votes polled to a specific candidate.
Today, EVMs follow a sort of ‘security by obscurity’, and the voter-verified paper audit trail (VVPAT) terminals with printouts are only a partial solution. But they can be made far more secure. In fact, if sufficient safeguards are inserted, including multi-factor authentication, internet voting could be introduced, so that non-residents and expatriates can also exercise their franchise. The belly-aching by certain parties is just an excuse, but the dangers of EVMs may be real.
Recent Posts
[wptelegram-join-channel link=”https://t.me/s/upsctree” text=”Join @upsctree on Telegram”]2021 WEF Global Gender Gap report, which confirmed its 2016 finding of a decline in worldwide progress towards gender parity.
Over 2.8 billion women are legally restricted from having the same choice of jobs as men. As many as 104 countries still have laws preventing women from working in specific jobs, 59 countries have no laws on sexual harassment in the workplace, and it is astonishing that a handful of countries still allow husbands to legally stop their wives from working.
Globally, women’s participation in the labour force is estimated at 63% (as against 94% of men who participate), but India’s is at a dismal 25% or so currently. Most women are in informal and vulnerable employment—domestic help, agriculture, etc—and are always paid less than men.
Recent reports from Assam suggest that women workers in plantations are paid much less than men and never promoted to supervisory roles. The gender wage gap is about 24% globally, and women have lost far more jobs than men during lockdowns.
The problem of gender disparity is compounded by hurdles put up by governments, society and businesses: unequal access to social security schemes, banking services, education, digital services and so on, even as a glass ceiling has kept leadership roles out of women’s reach.
Yes, many governments and businesses had been working on parity before the pandemic struck. But the global gender gap, defined by differences reflected in the social, political, intellectual, cultural and economic attainments or attitudes of men and women, will not narrow in the near future without all major stakeholders working together on a clear agenda—that of economic growth by inclusion.
The WEF report estimates 135 years to close the gap at our current rate of progress based on four pillars: educational attainment, health, economic participation and political empowerment.
India has slipped from rank 112 to 140 in a single year, confirming how hard women were hit by the pandemic. Pakistan and Afghanistan are the only two Asian countries that fared worse.
Here are a few things we must do:
One, frame policies for equal-opportunity employment. Use technology and artificial intelligence to eliminate biases of gender, caste, etc, and select candidates at all levels on merit. Numerous surveys indicate that women in general have a better chance of landing jobs if their gender is not known to recruiters.
Two, foster a culture of gender sensitivity. Take a review of current policies and move from gender-neutral to gender-sensitive. Encourage and insist on diversity and inclusion at all levels, and promote more women internally to leadership roles. Demolish silos to let women grab potential opportunities in hitherto male-dominant roles. Work-from-home has taught us how efficiently women can manage flex-timings and productivity.
Three, deploy corporate social responsibility (CSR) funds for the education and skilling of women and girls at the bottom of the pyramid. CSR allocations to toilet building, the PM-Cares fund and firms’ own trusts could be re-channelled for this.
Four, get more women into research and development (R&D) roles. A study of over 4,000 companies found that more women in R&D jobs resulted in radical innovation. It appears women score far higher than men in championing change. If you seek growth from affordable products and services for low-income groups, women often have the best ideas.
Five, break barriers to allow progress. Cultural and structural issues must be fixed. Unconscious biases and discrimination are rampant even in highly-esteemed organizations. Establish fair and transparent human resource policies.
Six, get involved in local communities to engage them. As Michael Porter said, it is not possible for businesses to sustain long-term shareholder value without ensuring the welfare of the communities they exist in. It is in the best interest of enterprises to engage with local communities to understand and work towards lowering cultural and other barriers in society. It will also help connect with potential customers, employees and special interest groups driving the gender-equity agenda and achieve better diversity.