The Aadhaar (http://uidai.gov.in) technical team organized their first developer seminar in Bangalore couple weeks back to give a first glimpse of aadhaar internals to the techies. Seclore's technical team was, of course, there for the session and notes from the session follow.
For the uninitiated audience, Aadhaar is a "Unique Identity" project of Government of India. Under this project, every citizen of India will get a unique identity which will be stored centrally. This is similar to the Social Security Number in United States. However, in this case, this central database will also store the person's biometric information (10 finger prints and 2 iris) which can be used for de-duplication and authentication.
When we first thought of the scale of the project, we were awe struck. 1200000000 (don't count the zeros - it is 1.2 billion) people's identities need to be stored and validated through the Aadhaar system along with the mammoth task of making sure that there is no duplication using the biometric matching. Nothing of this scale has been attempted before. The problem is further complicated by India's demographic diversity, dominant illiteracy and telecom access in remote parts. The Aadhaar team has got itself the mother of all project management challenges.
We were however struck by the simplicity of the "product definition". The team has defined the "Aadhaar" boundary so clearly that it has kept them out of all the messy problems while still making it very useful. This is one the main reasons why this project has been delivered so fast i.e. Less than 2 years.
Aadhaar is primarily about validating the user identity in a YES / NO manner. This can however prove immensely useful. There is already a lot of innovation around this in years to come and we will find applications that we can not even imagine today. Some of the most obvious applications are to enroll new customers in bank, financial institutions as well as making the public distribution system more efficient. More interesting applications will emerge by correlating some of the completely disparate systems e.g. your search patterns correlated with your airline check-in information might throw some buying suggestions for the city you are traveling to. Aadhaar can act as a universal glue to connect all these disparate systems together and allow applications to correlate various information.
Few other examples of this can be the way your medical information is stored and shared or the way your personal financial data is managed. There can be central repositories that store and manage access to such personal information.
One obvious concern is the security of all this information as it flows from one entity to another .. e.g. If my medical information is released to some hospital that I want to consult with, what happens after the information is given out. How will this information get secured throughout it's lifecycle ? What if I no longer want to consult with that hospital ? How will it put the controls of access to such information in the hands of the real owner ? While Aadhaar kind of systems can make the information more fluid, it also increases the possibility of information breach or misuse. A solid framework needs to be put in place for this.
Information Rights Management (IRM) can provide the framework that can enable sharing of the information while keeping the citizen fully in control of his/her information. Individuals may be able to share information with other individuals while ensuring that the information can not get mis-used. One big advantage of using the Aadhaar authentication is that there is almost zero chance of spoofing. One can not share his/her Aadhaar ID with someone else as there can be biometric authentication required.
However, the IRM system needs to have certain characteristics -
1. Integration friendliness with Aadhaar : It should be integrable with any external authentication system like Aadhaar including two factor authentication mechanism. This is very important since Aadhaar needs - in most cases - biometric validation. In many cases, applications may mandate regular userid/password alongwith Aadhaar authentication as the third factor. IRM systems that are heavily dependent on specific authentication platforms like LDAP systems will not work here.
2. Integrability with Applications : In most cases, the IRM system will not work in isolation. It will have to work alongside innumerable applications that will be developed around Aadhaar. These could be simple document repositories or records management systems or complex reporting systems for bank transactions etc. There should be a easy mechanism for these third party applications to be able to integrate with a central IRM infrastructure.
3. Support for most of the common file formats : It should support most of the commonly used file formats including MS Office, Open Office, PDF, images etc. Different applications may be storing data in different formats and the IRM systems needs to work across all these. e.g. some medical systems use image formats extensively to store all the imaging information.
This problem is so stark that these questions were raised right in the conference by multiple members in the audience. This is one area where I think the Aadhaar team needs to really think hard and include this framework as a part of their core infrastructure. It can make information sharing not just seamless but equally secured !
Aadhaar is not good enough, we need Aadhaar ++ i.e. Aadhaar plus a solid information security framework.
Posts
0 comments:
Post a Comment