A recent deal for the purchase of biometric scanners from a US-based company, which has worked closely with American intelligence agencies, raises serious questions about the security of data in the Aadhaar project.
Could the Aadhaar project, touted as a critical requirement for development, turn into a threat to the country's national security and sovereignty?
It was recently reported that L-1 Identity Solutions, a US-based company which is now being bought by a French company, has been given a $25 million order for biometric scanners. This was among the deals announced by the White House during the visit of President Barack Obama to India a fortnight ago. In fact, President Obama, for the same reason, also blessed the Unique Identification Authority of India (UIDAI) with a visit to the innovation forum event in Mumbai where he even had a chat with UIDAI's tech head.
In the case of any other commercial deal this would not have raised eyebrows. But it is the background of L-1 Identity Solutions that raises questions. L-1 has close ties with US intelligence agencies. Read what a report says about L-1: "I will start by mentioning that Louis Freeh (former director of the US Federal Bureau of Investigation), Admiral Loy (former head of the Transportation Security Agency), George Tenet (former director of the Central Intelligence Agency), Frank Moss (former program manager for the State Department's E-Passport program), and many others who previously held key positions in the federal government, all joined Viisage/L-1 as members of the Board of Directors or as paid employees of Viisage/L-1. It must be really sweet to sign off on contracts worth millions of dollars, tens of millions or more in fact, and then turn right around and go on the payroll of the same company that you awarded the contracts to. Sure, Tenet, Freeh and the others may not have had to sign the actual contracts but certainly they are responsible for knowing who the contracts went to when they were in charge of their respective agencies and departments.
"L-1 dominates the state driver's license business. L-1 also produces all passport cards, involved in the production of all passports, provides identification documents for the Department of Defense and has contracts with nearly every intelligence agency in our government. To a large extent it is fair to say that your personal information is L-1's information. L-1 is the same company that thinks our political party affiliation should be on our driver's license along with our race. L-1 has a long history starting with its taking over Viisage Technology. It was a great sleight of hand, Viisage morphing into L-1 while Viisage was under investigation by our government," the report said.
Tenet, the former CIA director who was later on the board of L-1, was accused of passing on false information concerning Iraq's WMD (weapons of mass destruction) capabilities which led to the Iraq war. In the new world of surveillance that is emerging, L-1 is turning out to be very powerful, a multi-national giant which can potentially have control over countries. How, some skeptics might ask. Is this one more bogey by the activist lobby? Recently, L-1 has bagged orders from France as well as China.
UIDAI has been professing open standards. But the contract to L-1 is a slap in the face of its professed policy. By now, it is clear that UIDAI does not keep the promises it makes, so this won't surprise anyone.
In the absence of a thorough audit of source code (the only way in which one can be sure), a backdoor can be easily inserted in any of the biometric scanners. This backdoor can not only transfer biometrics data to the vendor's database and to UIDAI's database, but it can also shut down the scanner at will. So, if the UIDAI project goes through and the biometric scanners and UIDAI's infrastructure become ubiquitous to the point that every financial transaction in the country requires a biometric scanner, it doesn't require a scientist to tell us that this is equivalent to placing the nation's economy in the hands of foreign companies. The danger posed to the nation's economy is no less than that from foreign companies controlling our telecom infrastructure.
In the case of telecom, after a lot of noise, some action is being taken. It is another matter whether the action taken is good enough or not. But no amount of charisma on the part of the UIDAI chairman can fix this problem which could affect the sovereignty of the nation.
The only way out is to ask all vendors of biometric equipment to open their source code and subject it to thorough audit by experts. That is how countries such as China would handle similar situations. Recently, China asked Microsoft to reveal its source code and Microsoft complied. The US too secures its own nationalistic interests properly. Some time back the US stopped the sale of Tipping Point, a US security company, to a Chinese firm on the grounds of securing national interests.
Further, there could well be a vendor lock-in. L-1 has been on a buying spree, taking over smaller biometric companies. It is quite possible that it buys off other biometric vendors of UIDAI, resulting in a virtual monopoly, which could lead it to hike the prices for upgrades. What checks and balances has UIDAI got to ensure that this does not happen? More important, will the checks and balances, if any, stay, or will they be dropped as time passes? UIDAI's statements cannot be trusted, as evidenced by its past actions.
Coming to the Unique Identification Number (UID), there has been misinformation by UIDAI that the social security number (SSN) of the US is equivalent to the UID in India. This is not the truth. The SSN does not have your biometrics; it is just a number.
The US is trying to introduce something called the Real ID, which has biometrics, and this is being stiffly resisted by Americans. As of 2008, over 20 legislatures in the US had passed resolutions (or legislation) opposing the implementation of the Real ID Act. Eleven of those legislatures had gone further, by passing laws specifically prohibiting compliance with Real ID. What is sauce for the goose may not be sauce for the gander. Will the Indian authorities wake up and investigate this critical aspect before it is too late?
(The author has a B Tech from IIT Bombay, and a PhD from Columbia University, New York. He currently runs a start-up, Teknotrends Software Pvt Ltd, that does cutting-edge work in the area of network security.)