police

I have been following the UID space on & off. With several people opposing it off late & comparing it with the now-defunct sytem in UK, I have decided to study it a bit more. Whatever thoughts I have around it, I shall put them as posts. They would mostly be random ramblings & not any structured document. Bear with me. Demographic Data – Big Brother One of the biggest concerns raised is about the Government misusing the demographic data collected (like for example, using this data to target & harm all Muslims in Gujarat, all Tamilians in Bangalore etc). The demographic details that are being collected are: Name, DOB, Gender, Address, Email ID & Phone Number. No religion/caste/mother-tongue details are collected – but critics could argue that certain things can be found out just using the name. Well, point taken. Demographic Data – Other Concerns By going through some of the documents in the UIDAI site, some concerns I get around demographic data being collected are more than this big-brother-targeting business. I am afraid it might just not be effective and what the UIDAI intends to achieve might get diluted. Let me explain. 3rd Party Enrolment & Random Audit Third party registrars do the enrolment on behalf of UIDAI. We know the skill & expertise level of the entry level people in places like LIC. When they collect the details from a resident & verify it, I am afraid there is bound to be a lot of issues. I feel one can easily fool them about the address details & show fake passports / bank passbooks etc to convince them. So, potentially a person can get his UID with correct biometrics but incorrect demographic information. Not to mention of malpractice that may happen within the enrolment agency itself by some unscrupulous employees. UIDAI claims to do ‘random verification’ of the information during its audit. Random? Are you kidding? As a potential user of UID based authentication in the future, how can passport office trust this data without going through physical verification through the police station? Further, post enrolment, UID would send a “letter” to the resident to the address they have provided with their UID number, demographic & biometric details in them. It is not necessary for the person to be there to collect it – anyone can collect. Just the address should be existing. Further chances of misuse. Sending biometric info in a letter More scary is that fact that the biometric info would also be sent across with the letter. Why at all? What if a postman collects all those details and stores those biometric information for his future use. And sells it to people who want to misuse the system through fake gloves with these info etc. I know I am thinking like a C-grade masala movie writer but the point I wish to make is, it can be misused. Other Concerns Then there is this concept of “Introducer” – Since the primary target of UID, the urban poor, might not have address proofs with them, someone with an address proof can “introduce” them (similar to opening a bank account). There can be a lot of fraud happening with this too. There were further bombshells like ‘updating information’ : ” If a service provider authenticating or enrolling a resident finds, through its KYR process that the information provided by the resident (address, name, etc.) does not match with the UID record, or that the biometrics need to be renewed, it can ask the resident to update their information in the UID database. ” So the fictitious resident of ours can enrol with one address (by giving some fake proof), avail of some benefit, go to another service provider, claim the information is wrong and update it there with another address, to claim one more benefit and so on. In short, I wish to say that the demographic information captured (particularly the address) cannot be fool-proof. A sensitive & important thing like passport issuance cannot happen trusting this. Probably SIM card sales can use it [actually it is dangerous if terrorists / non-state actors(!) start using it] for address verification – operators anyway do not like KYC much. Not really for sensitive cases. There were a few fraud scenarios too mentioned but IMHO, they are very very few. I hope a lot more fraud scenarios have been considered too and just not documented. Just as ID proof Instead of dealing with demographics, if it can just be an ID proof, would it not be fool-proof ? One can argue it already has ID proof and places like passport office can use only that part. Point taken, but by removing demographics from it, the critics who argue about big-brother-targeting can also be shut up. For ID proof, all that is needed is biometric info (with photograph if at all). Not even name. Your UID number is your username and your fingerprints are your password. That is all. Thinks like NREGS can immensely benefit with just this, I believe. [Though, in places like PDS, one can get ration cards in multiple states with the same UID since the PDS systems of the states would most likely be not linked. Even with address info, as I said before, I can get it done but it is a bit more difficult, that is all] References : UIDAI Strategy Overview Demographic Data Std UID and PDS