Saturday, October 8, 2011

GLASSHOUSE SEC.RITY

Natgrid and privacy

Security is not about collecting information. It is about collecting very narrow and specific information. That is the reason why prevention is so hard. Even if one knows what one is looking for, it requires a constant state of receptiveness and intelligence to discern patterns. Quite obviously computers would fit the bill for being very receptive and could be scaled suitably for looking at EVERYTHING ALL THE TIME. So someone in the government - it has to be a person swayed by sophistry about both computers and security - swallowed that rubbish hook, line and sinker. They decided that snooping on all electronic communications all the time would prevent the type of attacks happening around the country with fair regularity. The government passed various laws that made it mandatory for service providers to record all our communications, including handing over cryptographic keys for services which were encrypted (Blackberry). Bad enough so far. Someone found that getting permissions from various state departments was a pain. Besides, each state investigative agency was running its own pawn shop. How wonderful it would be if we could have a central secretariat. Each individual investigative agency need only forward its request to the central secretariat, and the secretariat - without having to send any request to the service provider, a particularly nice benefit - could then access your communications. Another nice benefit is that if more than one agency were investigating the same subject, they could all be alerted. This secretariat would also be linked to the NPR and 20 (or some such number) other databases, with probably more to follow (CCTNS). The secretariat is known as the NATGRID.
NATGRID is not a secretariat; it is a network with a storage backend that links to the above 21 databases. It will have the capability to retrieve information and run various heuristics to discover patterns and correlations in the 21 (+) databases. These heuristics are supposed to supply the intelligence for discerning underlying patterns. And here lies the rub.
Besides the obvious-to-all-except-the-government total breach of privacy, any claim to intelligence would have to be taken with a sackful of salt. It is utterly trivial to defeat such heuristics, both on lexical analysis as well as on geographic tracking. Any 2 pence terrorist would be really stupid not to stay under this surveillance radar, and tracking stupid people with "intelligent heuristics" says a lot about both the natgrid and our agencies. Methods to fool the system would include using various anonymizing proxies, including a large number of people to whom the suspects send random stuff, using codified words for real communications while asking everyone to include a random collection of explosive sentences that would bomb the ears and create mayhem in the minds of the infidels who kill chicken and massacre forests, etc. - you get the drift. We haven't even begun to talk of encrypting your data, setting up fake BTSs, having zombie networks - top level domain nic.in might be a fine place to host one -, using steganography, captcha-like Devanagari/Indic fonts, or just plain not using data and voice networks. Do all the stuff man-o-man.
So, far from actually being able to detect anything meaningful, it is most likely to send an already overworked and grossly under-trained police force on wild goose chases. It will also set about enabling the means for political victimisation both at a macro level and at the local level by generating fake data.

As it now stands there is no supervision of the natgrid's use. An audit committee - consisting of its users IB, RAW and CBI (no, it is not a joke) - is the only supervision. Given our investigative agencies' penchant for political gamesmanship, one should oppose yet another waste of taxpayers' money. While politicisation and subversion of the police continues unabated, we come up with these schemes with failure painted all over them.
Security is about making U, the public, secure. Treating U and your data as sacrosanct. It's the U missing in the government's security (and other) policies that is the cause of the problem.

Talking of bypassing supervision: In 1975 we had an exam prelims on economics. Many of us were a bit apprehensive of the subject. One of my classmates named Prithiviraj Dandu marches into the exam hall and starts writing right to left, an entire para. It took some looking at - especially if you did not see him actually writing - to decipher that it was the answer to a question in the paper. The class supervisor as well as the principal, vice principal and senior supervisors passed by doing their rounds, looked at the gibberish askance and never found out what it actually was. Hoodwinking humans is easy. Hoodwinking computers is a lot easier. Converting computers to zombies and gaming such systems is even easier. It would be utterly trivial for an inimical neighbour to plant or remove all sorts of data from such centralised, single point shoot-me-in-the-head targets.

 I would strongly recommend that everyone include a random smattering of guns-n-roses, bombs, grateful dead, mayhem, deep purple, nuclear, dirty bumb, man killall, shoot the foobar etc in all communications on the net. 


Monday, October 3, 2011

RTI reply UIDAI style

                       No. F-12013/44/2011 /RTI-UIDAI
                             
  Government of India
  Planning Commission
  Unique Identification Authority of India
  2nd Floor, Tower-I, Jeevan Bharati Building,
  Connaught Circus, New Delhi - 110 001.
  Dated: 2 September, 2011
To
       Ms Sahana Sarkar
       No. 194, 2nd 'C' Cross
       Domlur 2nd Stage
       Bangalore - 560071
Subject:     Applications under RTI Act, 2005.
       Please refer to your RTI application dt 30.06.2011 received in this
office on 08.07.2011. In this context, parawise reply is as under:
Question 1: Please provide us all such mathematical algorithms and values
             of all such statistical variables which are necessary for
             calculating probable errors in the process of de-duplication or
             identifying duplicates by the Aadhaar System using biometric
             inputs.
Reply      : The following definitions for calculation of biometric errors in the
             de-duplication system are being used :
             "False Positive Identification" A term applying to de-
             duplication transactions only. An incorrect decision of a biometric
             system that an applicant for a UID has previously been enrolled
             in the system, when in fact they have not.
             "False Positive Identification Rate (FPIR)" A term applying to de-
             duplication transactions only. The ratio of number of false
             positive identification decisions to the total number of enrolment
             transactions by un-enrolled individuals.
             "False Negative Identification" A term applying to de-
             duplication transactions only. An incorrect decision of a
             biometric system that an applicant for a UID, making no
             attempt to avoid recognition, has not previously been enrolled
             in the system, when in fact they have.
             "False Negative Identification Rate (FNIR)" A term applying to de-
             duplication transactions only. The ratio of number of false
             negative identification decisions to the total number of
             enrolment transactions by enrolled individuals.

The above is not an algorithm. It is the definition of terms for a final permitted statistical error that the UIDAI will accept as valid from the vendor. The reply to the next query clarifies this.
Two separate queries were needed: one for iris and one for fingerprints.
You will also have to ask: is demographic data being used in de-duplication? If yes, what data? Why is this data being used when one of the UIDAI's objectives was to remove the incorrect data widespread in documents which are now used as proof for issue of Aadhaar or, in their absence, not verified at all? (One may point out the huge numbers of UINs having the address of a single NGO.)
Are all fingerprints of an applicant compared with all fingerprints in the database, or only index to index, middle to middle, etc.? If the latter is true, what is the logic for not doing the former?

Question 2: Please provide the value of all statistical variables being used for
           the purpose of de-duplication, e.g. FPIR, FNIR, FMR, FNMR, etc.
           Please note that this request is not limited to the aforesaid
           variables, and all variables being used for the purpose of de-
           duplication are requested.
Reply     : The biometric service providers have to meet the following
           accuracy SLAs for FPIR and FNIR.
           FPIR<0.1% (of non-duplication enrolments)
           FNIR< 1% (of ONLY duplicate enrolments)

Question 3: If the value of the statistical variables being used for the
           purpose of de-duplication is going to be changed during the
           various phases of implementation, you are requested to provide
           the value of these variables for all such phases of
           implementation.
Reply      : UIDAI has specified SLA for FPIR and FNIR. In addition volume
           allocation to each BSP is dependent on FPIR & FNIR. BSPs may
           internally set the best FPIR & FNIR.

How are they monitoring the above? This is a perfect incentive for vendors to falsify data.

Question 4: Please provide the number of new enrollments and the number
           of duplicates identified by the Aadhaar project on a monthly
           basis (since inception, till date). Please provide this information
           broken state-wise and month-wise if such records are available.
Reply:     The information on monthly enrolments is provided in the
           Aadhar Portal. A total of 2.59 crore enrolments has been
           completed as of 17th August, 2011. Enrollments rejected as
           residents were duplicates. The number is 2005 (verified as on
           17th August 2011). Break up may not be possible as requested.

Question 5: Please provide the number of new enrollments and the number
           of duplicates identified by the Aadhaar project, state-wise, on a
           monthly basis (from inception, till date).
Reply:     Information provided in Question No. 4 above.

Question 6: If a false positive match is found, what is the established
           operating procedure?
           a. What will the (operator) do?
           b. What will the UIDAI do?
Reply:     If a False Negative Identification were to be found the Aadhar
           would not be issued for the second enrolment.

The answer does not make sense. The query is about false positives.

Question 7: If a false negative match is found, what is the established
               operating procedure?
                     a. What will the (operator) do?
                     b. What will the UIDAI do?
Reply:       Investigation is an ongoing process.

What do they investigate? Is there a mechanism for field visits? Do they have human fingerprint matching experts?

Question 8: For the number of duplicates identified till date, please provide
               the percentage of cases which have been successfully
               investigated till date.    Please provide the breakup of the
               reasons for the duplications (eg. Number of duplicates because
               of false positives, number of duplicates because of clerical
               errors, number of duplicates due to criminal intent of enrolling
               individual etc.)
Reply :       Investigation is an ongoing process.

So we can be assured that they are clueless. To test, you will have to get about 10% of the people issued UINs and ask them to re-register, then investigate the false accepts. 10% does not mean 10% of 5 people; it means that they will have to get tens of lakhs of people to re-register. No half measures. Feeding already captured data is precisely what you don't want to do.

2.    If you are not satisfied with the reply, you may appeal to the Appellate
Authority, UIDAI within 30 days from the receipt of this letter. The address
and contact number of the Appellate Authority is given below:-
       Shri Ashok MR Dalwai
       DDG & Appellate Authority
       Regional Office, UIDAI
       Khanija Bhavan, No. 49, 3rd Floor
       South Wing, Race Course Road
       Bangalore - 01
       Ph - 080-22341622
                                                                 (Ashish Kumar)
                                             Assistant Director General & CPIO
                                                           Tele : 011-23752677

Sunday, October 2, 2011

Rub 78 paise of salt in your wounds to stay above the poverty line.

That's what the planning commission's prescription of Rs.32/- per person per day amounts to. We saw several defences of this prescription. The defenders were using planning commission data, personal information on the salaries they pay to maids, etc.
The secretaries of the planning commission are by any standards a clever lot, and are quite aware of the ground realities. Why then would they make such comments, that too in a court of law? Moreover, why would others defend them? To me it seems our bureaucrats and our middle class have lost touch with the other 80% of India, the one that carries the burden of the middle class on its shoulders. They, or rather we, have not only become inured to the exploitation, we now see any granting of rights to this underclass as an impediment to our profligate ways.
The average daily wage earner earns about Rs.100~150 a day in most urban areas. The lower limit is in city regions that are predominantly residential; the upper limit is in predominantly commercial regions of the city. Now a person from one locality can't just go to a commercial area and solicit work. He will face immediate opposition if not violence. He might be able to enter such a higher paying area if he has a close family member or friend / well wisher sufficiently well connected in that area. None of them enjoy any perks like leave, so every day that is a holiday means no wages. In many cases the nature of the work requires the worker to be at a designated place early; any disruption in transport effectively kills his chances of work. Given our creaking infrastructure, that translates to at least a day's wage lost in a month on account of public holidays, another day's loss for transport breakdown, 4 Sundays, and for a substantial number reduced opportunity on Saturdays. That makes 6.5 days of no wage in a month. Thus the monthly wage is between Rs.2350/- and Rs.3525/-, i.e. Rs.78.33/- per day at the lower end.
But that is not the end of the story. Every family member has to pull their weight. So the wife works too, as do the kids at the innumerable roadside joints. The women earn approximately the same as the men but put in longer hours - 12 hours, not counting their own housework - mainly as domestic help. The kids earn about 30 to 45% of the minimum figure. A family of 4 thus earns Rs.5700/- pm, or Rs.47.5 a day per head.
Is this money sufficient? Absolutely not. The first casualty is the children's education. Next is the health of the women. And god forbid that some ill luck befalls any of them.
It is a very hard run to stay in the same place.

Unique identity, biometrics and all that jazz

UIDAI launched a scheme to provide Unique Identity Numbers to all Indians. The reason publicly proposed for providing such an identification was that the poor and marginalised do not have identities and, without identification, are prevented from obtaining entitlements and participating in the Indian economy. Other reasons provided by the UIDAI (and by other government agencies) include national security, prevention of leakages, enabling support to school-going children, and tracing lost children.
Of course all of the above statements presuppose that the UIN is unique and ubiquitous. In order that the UIN be unique, the UIDAI decided that fingerprints would be used as the unique identifier as well as the authenticator. In order that it become ubiquitous, they began building collaborations (MOUs) with various semi-government and government agencies mandating the use of the UIN. Naturally one would question the logic of doing things in such a roundabout way. Why not make the UIN compulsory? Because it turns out that the UIDAI has no sanction from a bill passed in parliament to carry out its activities, and was constituted as a part of the planning commission. In short it has no legal standing. Yet it began issuing RFPs and documents for various parts of the infrastructure that would be required. Tenders worth Rs.1100 cr have been floated till date. Minuscule compared to the projected cost of Rs.17000 Cr for issue of 200^6 UINs.
One would imagine that for such a massive investment a substantial pilot would have been done and there would be huge amounts of data to support all the grand proclamations mentioned in the first para.
Indeed a pilot was done, not on all the stuff given in the first para, but to validate the technology that was going to swallow up the Rs.17000 Cr. Talk of putting the cart before the horse.
The pilot was done in 3 states, and of the sample the UIDAI PoC report says: "The goal of the PoC was to collect data representative of India and not necessarily to find difficult-to-use biometrics. Therefore, extremely remote rural areas, often with populations specializing in certain types of work (tea plantation workers, areca nut growers, etc.) were not chosen. This ensured that degradation of biometrics characteristic of such narrow groups was not overrepresented in the sample data collected."

The reality is that it is this eliminated section that is in dire need of state interventions AND will prove to be the most difficult to accommodate into all the UIDAI's assumptions. Indeed their report attributes longer enrollment times to hard work. But coming back to the sample size of 75000: it is so abysmally low as to be statistically insignificant (.0000625%) in comparison to our population size of 1.2^9. They would require a sample size at least 100 times this size to be able to detect failures for the specified FAR/FRR/FNIR/FPIR.
Next they check re-enrollment after 3 months and declare it to be a success, in spite of the data graphs showing a significant reject rate. One may note that biometrics, particularly fingerprints, vary substantially as time goes by.

The most important property of any authentication system is that its credentials must be withdrawable, so they can be revoked whenever a compromise occurs. Biometric credentials, by their nature, are not withdrawable. If your biometrics are spoofed, you will be unable to protect yourself.

By now you must have guessed that biometrics are spoofable. Watch the two videos below.

http://www.rediff.com/news/report/fool-proof-uid-system-for-indians-blah/20110201.htm

http://www.youtube.com/watch?v=0a96L_SphR4

The above are videos by me.

The link below provides substantial details on other techniques.

http://cryptome.org/gummy.htm

The article above, as well as my spoof demo, uses a "low cost" reader, commonly used for single finger authentication. An official from any government body promoting biometrics will defend their decisions claiming superior technology.

Subsequent to these spoof videos getting circulated, one UIDAI official made a statement that their readers (1) used sophisticated patented (2) technologies.

1) Turns out that the readers from L1 technology and (AFAIR) all the other vendors use THIS tech (2) to do the job better. This is essentially a technique for measuring texture and flow of sweat through the pores on one's fingers when it comes in contact with a scanner platen.
As per the developer of the tech, it helps by reducing spoof vulnerability to less than ten percent. The developer also said: “As security systems based on biometrics continue to develop, it is important that people are reassured that their privacy is protected. How confident will someone feel giving his/her fingerprint over a public communication channel, such as the Internet? The technology needs to be solid and reliable and offer adequate privacy protection before biometric security systems will be accepted by the public.”

What she did not say was that this tech also raises the rejects by a huge number. During enrollment by the UIDAI as much as 10% of the enrollments failed because fingerprints could not be recorded at all, and substantially more had to have repeat scans. This is unofficial news from enrolling agents. Officially everything is bliss.

Further, the use of this technique increases the size and cost of the device substantially. Therefore, as an authentication device, it will not only incur far more cost but will also cause a huge number of authentication failures.

In my opinion, it also does not in any way make it more difficult to adapt current spoofing techniques.

The false premise that patented technology, which is therefore secret, enhances security is thoroughly refuted by all security experts. One does not need to know the mechanism or manufacturing process of a lock in order to build a fake key.

I was monitoring the rate of issue of UINs on https://portal.uidai.gov.in/uidwebportal/dashboard.do . The rate of issue was so horribly low that it would have been impossible to complete the task ever. The required rate of issue is 1 UIN every .185 secs for a 1.2^9 population size. The rate was below 1 per sec. AND that site was more down than up, raising the issue of basic technical competence. Probably in response to this data (UIDAI have hired spin doctors to monitor the web and media - they actually issued a tender for the service), one UIDAI official stated that they will use demographic data in addition to biometrics for speeding up de-duplication. This after a huge backlog of applications piled up. They could also be using binning and time stamps. Binning means comparing index finger to other index fingers only, middle to middle, etc., plus no need to de-duplicate applicants that were captured at locations that were distant from each other but having similar time stamps. In a previous statement UIDAI were explicit in stating that they would not disclose demographic data to third parties, yet are doing exactly that by releasing it to the de-duplicating agency.

After all of the above shortcuts and games, the current rate of issue is .2 secs for a compare size of 3^6 UINs. That rate is several orders of magnitude slower than .185 per UIN for a compare size of 1.2^9.
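As an added worked example (not part of the original post, and not UIDAI code or data), the following Python applies the FPIR/FNIR definitions and SLAs from the RTI reply above to a constructed set of enrolment outcomes, and works the enrolment-cadence and 1:N search-cost arithmetic of the last two paragraphs. It assumes the post's "3^6" and "1.2^9" mean 3×10^6 and 1.2×10^9, that a 7-year enrolment window underlies the .185 s figure, and that matcher cost grows linearly with gallery size.

```python
"""Worked de-duplication arithmetic (added example, constructed data).

Part 1 applies the RTI reply's own definitions: FPIR is the share of
UN-enrolled applicants wrongly flagged as duplicates, FNIR the share of
ENROLLED applicants the 1:N search fails to flag. Part 2 works the
enrolment cadence and the growth of 1:N search cost with gallery size.
"""
from dataclasses import dataclass

# SLAs quoted in the RTI reply.
FPIR_SLA = 0.001   # FPIR < 0.1 % of non-duplicate enrolments
FNIR_SLA = 0.01    # FNIR < 1 % of duplicate enrolments only


@dataclass(frozen=True)
class DedupOutcome:
    """One enrolment transaction: ground truth vs. the matcher's decision."""
    already_enrolled: bool    # is the applicant really in the gallery?
    flagged_duplicate: bool   # did the 1:N search say "duplicate"?


def identification_rates(outcomes):
    """Return (FPIR, FNIR) computed exactly as the reply defines them."""
    unenrolled = [o for o in outcomes if not o.already_enrolled]
    enrolled = [o for o in outcomes if o.already_enrolled]
    false_pos = sum(o.flagged_duplicate for o in unenrolled)
    false_neg = sum(not o.flagged_duplicate for o in enrolled)
    fpir = false_pos / len(unenrolled) if unenrolled else 0.0
    fnir = false_neg / len(enrolled) if enrolled else 0.0
    return fpir, fnir


def meets_sla(fpir, fnir):
    """True only if both rates are strictly inside the quoted SLAs."""
    return fpir < FPIR_SLA and fnir < FNIR_SLA


def required_interval_seconds(population, years):
    """Seconds available per new UIN to enrol `population` within `years`.

    Assumption: a 7-year window reproduces the post's .185 s figure.
    """
    return years * 365 * 24 * 3600 / population


def projected_search_seconds(measured_s, measured_gallery, target_gallery):
    """Scale a measured per-enrolment 1:N search time to a bigger gallery.

    Assumption: cost grows linearly with gallery size, the optimistic case
    for an exhaustive 1:N biometric search.
    """
    return measured_s * target_gallery / measured_gallery


# Constructed sample: 1000 genuinely new applicants, 2 of them wrongly
# flagged; 100 re-enrolling applicants, all correctly caught.
SAMPLE = ([DedupOutcome(False, False)] * 998
          + [DedupOutcome(False, True)] * 2
          + [DedupOutcome(True, True)] * 100)

if __name__ == "__main__":
    fpir, fnir = identification_rates(SAMPLE)
    print(f"FPIR={fpir:.4f} FNIR={fnir:.4f} SLA ok? {meets_sla(fpir, fnir)}")
    print(f"needed: {required_interval_seconds(1.2e9, 7):.3f} s per UIN")
    print(f"1:N at 1.2e9: {projected_search_seconds(0.2, 3e6, 1.2e9):.1f} s")
```

With the constructed sample the FNIR is zero but the FPIR of 0.2% already breaches the 0.1% SLA, and scaling the measured .2 s search linearly from a 3×10^6 gallery to 1.2×10^9 gives about 80 s per enrolment against the .184 s that a 7-year schedule allows.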

Even when all of this is quite apparent to everybody, UIDAI officials continue to dodge real issues, instead accusing us of being extremist in our perception of the UIDAI's grand effort, and asking us to take a less critical view. If anything at all we should be taking a far more critical view.

The above spoof was also demoed in Bangalore, where a Karnataka state IAS official was present. I had categorically asked for provision of a UIDAI scanner and dedup software, for independent public test. The official had promised a meeting with the UIDAI tech team. A year later no such meeting has happened.

All we hear is spin.