UIDAI launched a scheme to provide Unique Identity Numbers to all Indians. The reasons publicly proposed for provision of such an identification was that those the poor and marginalised do not have identities and without identification are prevented from obtaining entitlements and participating in the Indian economy. Other reasons provided by the UIDAI (and by other government agencies) include national security, prevention of leakages, enabling support to school going children, tracing out lost children.
Of course all of the above statements predicate that the UIN is unique and ubiquitous. Inorder that the UIN be unique, the UIDAI decided that fingerprints would be used as the unique identifier as well as the authenticator. Inorder that it become ubiquitous they began building collaborations (MOUs) with various semigovernment and government agencies mandating the use of the UIN. Naturally one would question the logic of doing things in such a roundabout way. Why not make UIN compulsory? Because it turns out that the UIDAI has no sanction to carry out it's activities by passing a bill in parliament, and was constituted as a part of the planning commission. In short it has no legal standing. Yet it began issuing RFPs and documents for various parts of the infrastructure that would be required. Tenders worth Rs.1100 cr have been floated till date. Miniscule compared to the projected cost of Rs.17000 Cr for issue of 200^6 UINs
One would imagine that for such a massive investment a substantial pilot would have been done and there would be huge amounts of data to support all the grand proclamations mentioned in the first para.
Indeed a pilot was done, not on all the stuff given in the first para, but to validate the technology that was going to swallow up the Rs.17000Cr. Talk of putting the cart before the horse.
The pilot was done in 3 states and the sample as per the UIDAI PoC report "The goal of the PoC was to collect data representative of India and not necessarily to find difficult-to-use biometrics. Therefore, extremely remote rural areas, often with populations specializing in certain types of work (tea plantation workers, areca nut growers, etc.) were not chosen. This ensured that degradation of biometrics characteristic of such narrow groups was not overrepresented in the sample data collected."
The reality is that it is this eliminated section that is in dire need of state interventions AND will prove to be the most difficult to accommodate into all the UIDAI's assumptions. Indeed their report attributes longer enrollment times to hard work. But coming back to the sample size of 75000, it is so abysmally low as to be statistically insignificant or (.0000625% )in comparison to our population size of 1.2^9. They would require a sample size atleast 100 times this size to be able to detect failures for the specified FAR/FRR/FNIR/FPIR.
Next they check re enrollment after 3 months and declare it to be a success, inspite of the data graphs showing a significant reject rate. One may note that biometrics, particularly fingerprints vary substantially as time goes by.
The most important piece of any authentication system is that it has to have with-drawable credentials, whenever a compromise occurs. Biometric credentials, by their nature, are non with-drawable. If your biometrics are spoofed, you will be unable to protect yourself.
By now you must have guessed that biometrics are spoofable. Watch the two videos below.
http://www.rediff.com/news/ report/fool-proof-uid-system- for-indians-blah/20110201.htm
http://www.youtube.com/watch? v=0a96L_SphR4
The above are videos by me.
The link below provides substantial details on other techniques.
http://cryptome.org/gummy.htm
The article above, as well as my spoof demo, uses a "low cost" reader, commonly used for single finger authentication. An official from any government body promoting biometrics, will defend their decisions claiming superior technology.
Subsequent to these spoof videos getting circulated, one uidai official made a statement that their readers (1) used sophisticated patented (2) technologies.
1) Turns out that the readers from L1- technology and (afair) all the other vendors use THIS tech (2) to do the job better. This is essentially a technique for measuring texture and flow of sweat through the pores on ones fingers, when it comes in contact with a scanner platen.
As per the developer of the tech it helps by reducing spoof vulnerability to less than ten percent, who also says that “As security systems based on biometrics continue to develop, it is important that people are reassured that their privacy is protected, ” she said. “How confident will someone feel giving his/her fingerprint over a public communication channel, such as the Internet? The technology needs to be solid and reliable and offer adequate privacy protection before biometric security systems will be accepted by the public.”
What she did not say was that this tech also raises the rejects by a huge number. During enrollment by the uidai as much as 10% of the enrollments failed because finger prints could not be recorded at all, and substantially more had to have repeat scans. This is unofficial news from enrolling agents. Officially everything is bliss.
Further, the use of this technique increases the size and cost of the device substantially. Therefore as an authentication device, it will not only incur far more cost, but, will also cause a huge number of authentication failures.
In my opinion It also does not in any way make it more difficult to adapt current spoofing techniques.
The false premise that patented technology, which is therefore secret, enhances security, is thoroughly refuted by all security experts. One does not need to know the mechanism or manufacturing process of a lock inorder that a fake key be built.
I was monitoring the rate of issue of UINS on https://portal.uidai.gov.in/uidwebportal/dashboard.do . The rate of issue was so horribly low that it would have been impossible to complete the task ever. The required rate of issue is 1uin every .185 secs for 1.2^9 population size. The rate was below 1 per sec. AND that site was more down than up, raising the issue of basic technical competence. Probably in response to this data (UIDAI have hired spin doctors to monitor the web and media - they actually issued a tender for the service), one UIDAI official stated that they will use demographic data in addition to biometrics for speeding up de duplication. This after a huge backlog of applications piled up. They could also be using binning and time stamps. Binning means compare index finger to other index finger only and middle to middle etc. + no need to deduplicate applicants that were captured at locations that ere distant from each other, but having similiar time stamps. In a previous statement UIDAI were explicit in stating that they would not disclose demographic data to third parties, yet are doing exactly that by releasing it to the deduplicating agency.
After all of the above shortcuts and games, the current rate of issue is .2 secs for a compare size of 3^6 UINS. That rate is several orders of magnitude slower than .185 per UIN for a compare size of 1.2^9
Even when all of this is quite apparent to everybody, UIDAI officials continue to dodge real issues, instead accusing us of being extremist in our perception of the UIDAI's grand effort, and asking us to take a less critical view. If anything at all we should be taking a far more critical view.
The above spoof was also demoed in Bangalore, where a Karnataka state IAS official was present. I had categorically asked for provision of a UIDAI scanner and dedup software, for independent public test. The official had promised a meeting with the UIDAI tech team. A year later no such meeting has happened.
All we hear is spin.
Of course all of the above statements predicate that the UIN is unique and ubiquitous. Inorder that the UIN be unique, the UIDAI decided that fingerprints would be used as the unique identifier as well as the authenticator. Inorder that it become ubiquitous they began building collaborations (MOUs) with various semigovernment and government agencies mandating the use of the UIN. Naturally one would question the logic of doing things in such a roundabout way. Why not make UIN compulsory? Because it turns out that the UIDAI has no sanction to carry out it's activities by passing a bill in parliament, and was constituted as a part of the planning commission. In short it has no legal standing. Yet it began issuing RFPs and documents for various parts of the infrastructure that would be required. Tenders worth Rs.1100 cr have been floated till date. Miniscule compared to the projected cost of Rs.17000 Cr for issue of 200^6 UINs
One would imagine that for such a massive investment a substantial pilot would have been done and there would be huge amounts of data to support all the grand proclamations mentioned in the first para.
Indeed a pilot was done, not on all the stuff given in the first para, but to validate the technology that was going to swallow up the Rs.17000Cr. Talk of putting the cart before the horse.
The pilot was done in 3 states and the sample as per the UIDAI PoC report "The goal of the PoC was to collect data representative of India and not necessarily to find difficult-to-use biometrics. Therefore, extremely remote rural areas, often with populations specializing in certain types of work (tea plantation workers, areca nut growers, etc.) were not chosen. This ensured that degradation of biometrics characteristic of such narrow groups was not overrepresented in the sample data collected."
The reality is that it is this eliminated section that is in dire need of state interventions AND will prove to be the most difficult to accommodate into all the UIDAI's assumptions. Indeed their report attributes longer enrollment times to hard work. But coming back to the sample size of 75000, it is so abysmally low as to be statistically insignificant or (.0000625% )in comparison to our population size of 1.2^9. They would require a sample size atleast 100 times this size to be able to detect failures for the specified FAR/FRR/FNIR/FPIR.
Next they check re enrollment after 3 months and declare it to be a success, inspite of the data graphs showing a significant reject rate. One may note that biometrics, particularly fingerprints vary substantially as time goes by.
The most important piece of any authentication system is that it has to have with-drawable credentials, whenever a compromise occurs. Biometric credentials, by their nature, are non with-drawable. If your biometrics are spoofed, you will be unable to protect yourself.
By now you must have guessed that biometrics are spoofable. Watch the two videos below.
http://www.rediff.com/news/
http://www.youtube.com/watch?
The above are videos by me.
The link below provides substantial details on other techniques.
http://cryptome.org/gummy.htm
The article above, as well as my spoof demo, uses a "low cost" reader, commonly used for single finger authentication. An official from any government body promoting biometrics, will defend their decisions claiming superior technology.
Subsequent to these spoof videos getting circulated, one uidai official made a statement that their readers (1) used sophisticated patented (2) technologies.
1) Turns out that the readers from L1- technology and (afair) all the other vendors use THIS tech (2) to do the job better. This is essentially a technique for measuring texture and flow of sweat through the pores on ones fingers, when it comes in contact with a scanner platen.
As per the developer of the tech it helps by reducing spoof vulnerability to less than ten percent, who also says that “As security systems based on biometrics continue to develop, it is important that people are reassured that their privacy is protected, ” she said. “How confident will someone feel giving his/her fingerprint over a public communication channel, such as the Internet? The technology needs to be solid and reliable and offer adequate privacy protection before biometric security systems will be accepted by the public.”
What she did not say was that this tech also raises the rejects by a huge number. During enrollment by the uidai as much as 10% of the enrollments failed because finger prints could not be recorded at all, and substantially more had to have repeat scans. This is unofficial news from enrolling agents. Officially everything is bliss.
Further, the use of this technique increases the size and cost of the device substantially. Therefore as an authentication device, it will not only incur far more cost, but, will also cause a huge number of authentication failures.
In my opinion It also does not in any way make it more difficult to adapt current spoofing techniques.
The false premise that patented technology, which is therefore secret, enhances security, is thoroughly refuted by all security experts. One does not need to know the mechanism or manufacturing process of a lock inorder that a fake key be built.
I was monitoring the rate of issue of UINS on https://portal.uidai.gov.in/uidwebportal/dashboard.do . The rate of issue was so horribly low that it would have been impossible to complete the task ever. The required rate of issue is 1uin every .185 secs for 1.2^9 population size. The rate was below 1 per sec. AND that site was more down than up, raising the issue of basic technical competence. Probably in response to this data (UIDAI have hired spin doctors to monitor the web and media - they actually issued a tender for the service), one UIDAI official stated that they will use demographic data in addition to biometrics for speeding up de duplication. This after a huge backlog of applications piled up. They could also be using binning and time stamps. Binning means compare index finger to other index finger only and middle to middle etc. + no need to deduplicate applicants that were captured at locations that ere distant from each other, but having similiar time stamps. In a previous statement UIDAI were explicit in stating that they would not disclose demographic data to third parties, yet are doing exactly that by releasing it to the deduplicating agency.
After all of the above shortcuts and games, the current rate of issue is .2 secs for a compare size of 3^6 UINS. That rate is several orders of magnitude slower than .185 per UIN for a compare size of 1.2^9
Even when all of this is quite apparent to everybody, UIDAI officials continue to dodge real issues, instead accusing us of being extremist in our perception of the UIDAI's grand effort, and asking us to take a less critical view. If anything at all we should be taking a far more critical view.
The above spoof was also demoed in Bangalore, where a Karnataka state IAS official was present. I had categorically asked for provision of a UIDAI scanner and dedup software, for independent public test. The official had promised a meeting with the UIDAI tech team. A year later no such meeting has happened.
All we hear is spin.
No comments:
Post a Comment