Dear Friends:
Is there any possibility of what I describe in my following blog?
With Regards,
hemen parekh
( M ) +91 - 98,67,55,08,08
Aadhar Virtual ID Compromised ?
BACKGROUND:
Over the past few months, Aadhar ID has been under attack for the following reasons:
· Some 200 government web sites hosted personal details of Aadhar holders
· Airtel goofed up in linking Aadhar ID to beneficiaries of Direct Benefit Scheme
· Last week, a TRIBUNE journalist revealed that someone has been selling passwords to the UIDAI database for Rs 500 and, over the past 6 months, data of millions of Aadhar holders could have leaked out
· Some over-zealous government officers have started issuing “orders” which require a person to provide his Aadhar ID in order to:
# Appear in an exam
# Get school admission for his child
# Get admitted to a hospital
# Get himself cremated when dead!
· Supreme Court is asking the government: “With such proliferation of Aadhar ID, in the databases of all and sundry, how do you propose to protect the private / personal data of Aadhar holders?”
GOVERNMENT RESPONSE:
Last week, UIDAI came up with the introduction of ( from March 2018 ) a 16 digit Random Number called VIRTUAL ID, behind which the ORIGINAL REAL ID can hide!
HOW WILL THIS WORK?
An existing Aadhar ID holder ( of which, by now, there are over 1,000 MILLION ) can log into the UIDAI web site, fill up a form ( including his bio-metric? ), enter his CURRENT REAL Aadhar Number ( 12 digit ) and press “SUBMIT”.
Voila!
The UIDAI web server will instantly generate a 16 digit “Random Number” called VIRTUAL ID, which you can now provide to any agency in lieu of the REAL ID! ( Of course, you will need to write it down in your diary and carry it with you wherever you go, since you are unlikely to remember it easily! )
Now, no agency can get to know your REAL ID, nor be able to “access” your private / personal data, which is linked only to your REAL ID and not to your VIRTUAL ID!
And you can return to the UIDAI website again and again and generate / obtain a different VIRTUAL ID, by revoking the earlier generated VIRTUAL ID ( an arrangement to silence those privacy maniacs? )
Hey, this seems neat! So why are some critics still not happy?
Could it be for the following practical difficulties?
· Already millions of those 1000 Million Aadhar holders have given out their ORIGINAL / REAL ID to various Agencies, in whose server databases these real IDs will remain
· This means dozens of banks ( holding some 550 million bank accounts ) and 4 Mobile Service Providers ( serving close to 850 million users ) have such REAL IDs in their databases ( apart from hundreds of other agencies that you do not even remember having given your Aadhar Number, digitally online or on a piece of paper! )
· How many of these persons will take the trouble to find an internet-connected computer, log into the UIDAI web site, generate a VIRTUAL ID, note it down in a diary and then systematically visit the web site of their Bank / MSP and enter their VIRTUAL ID to link it with their REAL ID?
HERE ARE UIDAI ARGUMENTS IN SUPPORT OF VIRTUAL ID:
· People don’t have to give their Aadhar Number and can authenticate using the Virtual Id
· Aadhar will not come on the front end device unless the customer gives it by choice
· Even during activities such as filing for tax returns online, giving the Virtual Id number in lieu of Aadhar will make the transaction go through
· Virtual ID limits the information available to authentication agencies
· Citizens will also have the choice for the reverse – which is not to generate their Virtual ID and continue using their Aadhar Number each time
· Networks of Service Providers will not be able to save the information in any form
· In case the Service Providers resort to unscrupulous means of retrieving the Aadhar Number, they will be committing a criminal offence and will be punished by law
Now, not being a mathematician or a software geek, I have the following stupid questions, which, I hope, the experts ( including those of UIDAI ) may want to answer:
· Are VIRTUAL ID numbers generated using some Random Number Generator ( such as PRNG = Pseudo Random Number Generator / TRNG = True Random Number Generator )?
· Do both types of Generators depend upon some software algorithm? ( a somewhat deterministic logic )
· Considering the Aadhar Virtual ID requirement ( viz: generation of data encryption keys ), is it more likely that UIDAI is using TRNG?
· If, given a starting number ( original / real Aadhar Number ), TRNG generates a “linked” RANDOM NUMBER, is it possible to REVERSE this process?
· Using BIG DATA / DATA ANALYTICS / Artificial Intelligence / MACHINE LEARNING etc, can one figure out the ORIGINAL / REAL Aadhar Number from its counter-part Virtual Number?
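An added example (not part of the original post, and not UIDAI's code) for the reversal questions above: it assumes the Virtual ID is drawn from a cryptographic random source and linked to the Aadhar number only in an issuer-side table, and contrasts that with a hypothetical VID computed from the number itself. `VidRegistry`, `derived_vid` and the sample number are constructed for illustration.

```python
import hashlib
import secrets

class VidRegistry:
    """Issuer-side table: the only place a VID is linked to an Aadhar number."""
    def __init__(self):
        self._by_vid = {}      # active VID -> Aadhar number
        self._by_holder = {}   # Aadhar number -> its current VID

    def issue(self, aadhar):
        """Return a fresh 16-digit VID and revoke the holder's previous one."""
        while True:
            # Drawn from the OS CSPRNG; the Aadhar number is never an input.
            vid = f"{secrets.randbelow(10**16):016d}"
            if vid not in self._by_vid:   # unique among active VIDs
                break
        old = self._by_holder.get(aadhar)
        if old is not None:
            del self._by_vid[old]         # revocation: old VID stops resolving
        self._by_vid[vid] = aadhar
        self._by_holder[aadhar] = vid
        return vid

    def resolve(self, vid):
        """Only the table holder can map a VID back; None if unknown/revoked."""
        return self._by_vid.get(vid)

def derived_vid(aadhar):
    """Hypothetical weak design: VID computed from the number (unkeyed hash)."""
    digest = hashlib.sha256(aadhar.encode()).digest()
    return f"{int.from_bytes(digest[:8], 'big') % 10**16:016d}"

def demo():
    holder = "123412341234"   # constructed 12-digit sample, not a real ID
    reg = VidRegistry()
    first = reg.issue(holder)
    second = reg.issue(holder)
    return {
        "first_revoked": reg.resolve(first) is None,
        "second_resolves": reg.resolve(second) == holder,
        # Random design: same holder, different VID each time, so there is
        # no input-to-output function for a model to learn from pairs.
        "random_repeatable": first == second,
        # Derived design: same input always gives the same VID, so the
        # mapping is a fixed formula and a guessed number can be checked.
        "derived_repeatable": derived_vid(holder) == derived_vid(holder),
    }

if __name__ == "__main__":
    print(demo())
```

In the random design a leaked set of pairs exposes only the holders listed in it, since every other holder's link exists solely in the issuer's table. In the derived design the protection rests entirely on the formula staying secret.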
Over a period of a few months, it is likely that the servers of those Agencies may have billions of sets of linked “Real Numbers / Virtual Numbers”.
Could such a large enough database ( if some hacker can lay his hand on it ) be enough for a software geek to design a Neural Network ( backward propagation / forward propagation ) to reverse the process?
I am tempted to believe that such a scenario is entirely possible!
Those who have any doubt might want to look up ( on the BBC web site ) last week’s episode of CLICK, where a software geek gave a demo of a computer embedded with an improvised ALEXA ( with speech capability ).
A person from the audience was invited on the stage, given a stack of playing cards, asked to pick one at RANDOM ( without showing it to either the anchor or the audience ) and requested to just THINK about that card ( not think aloud! )
That person did NOT wear any headset, nor was he in any way connected, by wires or wirelessly, to ALEXA, which was some 15 feet away from him!
Then he asked ALEXA to tell everybody what card he was “thinking about”.
ALEXA accurately determined and announced the playing card held by that person!
How long before an Indian Software Geek comes up with ANJANA ( the “Unknown” sister of ALEXA? ), which will “read” the databases of Service Providers and figure out the REAL Aadhar Number, given the VIRTUAL Number?
Or, let ANJANA reside on the mobile of each Aadhar holder and just “read” his mind, which has both the Numbers stored side by side in the neurons of his brain?
Privacy : RIP !
13 Jan 2018
www.hemenparekh.in / blogs