The notion that UID is a threat to India’s security is absurd

It looks like they outsourced the headline writing to P Chidambaram. Nevertheless…

Fake enrolments in Aadhaar Phase-I spark security fear (Indian Express)

The first half of the article asserts security threats without exactly backing up the assertion.

The second half of the article actually describes some of the improvements upon Phase I sought by the UIDAI for Phase II. This part of the article is more instructive.

As for those who fear for the security of India, which environment is more secure?

STATUS QUO: Up to 500 million people (more than the total population of all but two countries) about whom the government knows nothing, whose status (or lack thereof) increases their likelihood of poverty and susceptibility to communicable disease, whom government’s attempts at assistance provide a magnet for corruption and graft, and whose lack of status increases vulnerability to person trafficking or other exploitation (I could go on and on).


GOOD: A 99% accurate national identity management regime ensuring access to public support, banking, telecommunications, and investment markets to all Indians. BAD: Some liars, cheats, scoundrels, illegal immigrants and spies will receive a legitimate ID with fraudulent information. BUT: From there forward they should be unable to maintain more than one identity.

So you’ve got to pick your poison. While no human system attempting to account for over a billion other humans can ever be perfect. It’s difficult (if not impossible) to see how UID can increase insecurity.

Even if there are a million terrorists hiding out among the 500 million undocumented people, and even if they all get Aadhaar numbers with fake details, at least he government has the fingerprints and aliases of a million terrorists and if those same fingerprints show up somewhere else with a different name, some questions for further investigation present themselves. That sounds like a security improvement to me.

The most prominent UID antagonists have consistently relied upon the “UID is bad for security” argument which essentially posits that it’s safer to remain ignorant about a third of the population than to make some mistakes in learning about it.

See also:
India: How Much Fraud is Acceptable in NPR, UID
Perfect is the Enemy of Good
Biometrics “Fix” Identity

Data Don’t Have Feelings

This is an odd way to spin a fire at a server farm…

Fire at UID data centre, 20cr citizens’ data at risk (Times of India)

The data centre on the third floor is a small subset of the main data centre in Bangalore, said the spokesman.

“Little data was being stored here. Nonetheless, no data is harmed as we have a back up at 3-4 locations across the country,” the spokesman said.

So as not to single out the Times of India, it’s worth noting that the Economic Times is running essentially the same article.

My question is how exactly, as asserted in the headline, is citizen data at risk?

Only two possibilities make sense.

The first possibility is that the data is at risk of being lost, deleted or destroyed by fire. If that’s the case the “risk” is that all the staff work and the effort of those who waited in line to get an ID is wasted. But since it’s backed up at 3-4 locations, that’s not the case.

The other possibility is that is is less secure because of the fire, but burning data and/or destroying hardware doesn’t make it less secure in the sense that it can be abused, it makes it more secure in the sense that it is useless. Even NO2ID knows that.

Another funny quote from the article…

“The accident puts a big question mark over safety of data being collected from about 1.2 billion Indian residents and being housed in risk prone facilities.”

The only way this makes sense is if data have feelings. If they do, they might care about fire safety out of a sense of self-preservation but then again, they might not.

The Times of India and The Economic Times frequently do top-rate work on UID. This article is just strange. Fun, but strange.

Patco Construction v People’s United Bank is a Big Deal

Court Rules Bank’s Security Procedures Were Not Commercially Reasonable (Day Pitney LLP)

In an important decision last week, the U.S. Court of Appeals for the First Circuit held, as a matter of law, that People’s United Bank’s online banking security procedures were not commercially reasonable, even though its selected authentication technology fully complied with the Federal Financial Institutions Examination Council (FFIEC) guidelines for Authentication in an Internet Banking Environment.

This case of PATCO CONSTRUCTION COMPANY, INC. v. PEOPLE’S UNITED BANK is a really big deal but a little outside the scope of what we usually deal with around here.

The gist is that with today’s decision, banks have more responsibility to shield their business customers from fraud. That responsibility, however, will entail a cost that will ultimately be borne by customers in higher fees — applied directly to this this case, wiring fees. But if not appealed and/or upheld, it means banks will be offering customers more security and charging higher prices, part of which will flow to security providers including biometric ID management providers.

A couple of good blog posts already exist out there to bring interested readers up to speed:

Technology & Marketing Law Blog: Bank ACH Fraud Victims Get Mixed Rulings (Venkat Balasubramani – June 18, 2011). This one covers the first round and mixed decisions in two different but related cases.

Thinking About Security: Decision on Appeal of Patco v. Ocean Bank (Bill Murray – July 11, 2012). This one covers more recent news.

US: Outstanding Airmen of the Year Award Winner Played Key Role in Biometric ID System

Keesler member wins Outstanding Airman of the Year (Keesler Force Air Base)
Congratulations to Staff Sgt. Angelo Banks of the 81st Security Forces Squadron.

NIST releases second draft of federal ID credential security standard for commentWhile deployed at the transit center at Manas, in Kyrgyzstan, he secured $451 million in assets, 90 combat sorties and 296 tons of cargo. He led 19 fly-away security missions to 39 hostile forward-operating bases delivering 1,300 passengers and three detainees.

Banks also played an instrumental role during the implementation of the Defense Biometric Identification System, processing base access for more than 39,000 base users. Additionally, he positively identified and arrested a suspect with a $215,000 warrant who was attempting to gain access to a high-profile event on base. Additionally, Banks has volunteered with organizations such as Airmen Against Drunk Driving and Loaves and Fishes soup kitchen.

According to Banks, doing your job well is one thing — being professional and showing respect is another.

Keeping Biometric System Vulnerabilities in Perspective

Biometric security hacks threaten to ruin the KeyLemon party (Wired)

As biometric security systems from companies such as KeyLemon are increasingly introduced to devices, spoofing attacks are becoming more common and sophisticated. The Tabula Rasa project aims to prevent these security breaches.

Lots of good stuff in the article. Just remember, lock-picking is spoofing, too, and if you use unattended facial recognition for access control, be very suspicious of that strange person that wants to “interview” you using her camera phone.

Mobile Device Security Hardware Market Analysis: Now $430M; $1.9B in 2017

Mobile device hardware security expected to boom in 2017 (EE Times Asia)

The mobile device hardware security market is currently valued at approximately $430 million. It is projected that by 2017, the market will have grown and will be worth $1.9 billion. The market is currently largely made up of embedded chip security consisting of embedded chip security technology, such as ARM’s TrustZone, and other semiconductor companies’ security solutions. Other factors considered are revenues generated by secure elements for near field communication (NFC) and biometric sensors. However, this landscape will have changed in the next two years.

Retail and CCTV Vendors are Catching on to Facial Recognition

The new face of CCTV surveillance (The Retail Bulletin)

“There have been huge advancements in both facial recognition analytics and in network camera technology, which is ultimately the source that the analytics have to work from.

“In particular HDTV cameras offer higher resolution video and enhanced clarity and sharpness, that complements the accuracy of facial recognition solutions making identification even simpler and more accurate.”

Retail outlets and CCTV vendors are catching on to the opportunities for a return on investment facial recognition technology provide.

The article neglects to mention, however, that the installed base of CCTV cameras is poorly suited to facial recognition.

Facial recognition is what it says: the recognition of faces. It’s not top-of-the-head recognition; it’s not profile recognition; it’s not back-of-the-head recognition. In general, CCTV cameras have been installed to observe and/or record what people are doing, not who they are. They have been deployed to answer the question, “what’s going on?”

This is changing and can be overcome by moving a camera down and changing its zoom to where it is capturing good face images. As CCTV installers become more familiar with facial recognition technology, results will improve dramatically.

A Hundred Pounds of Cocaine Seized Despite Several Security Breaches

Convicted drug smuggler breached security 7 times (Richmond Review)

Ironically, his unauthorized access to the customs hall was recorded by a new technology introduced the same year Von Holtum was caught, and designed to sound alarm bells.

Billed in January of 2007 by the Canadian Air Transport Security Authority as “the world’s first dual biometric airport identification program for non-passengers acccessing restricted areas of the airport,” the RAIC (Restricted Area Identity Card) program was designed to detect and record the comings and goings of airport personnel, including whenever they enter restricted zones.

Security systems can be complex, especially in places like airports. For them to work, they have to bee well planned and someone has to be paying attention to them. In this case, it looks like there wasn’t a mechanism in place to bring several instances of odd behavior to the attention of officials.

Security technology, however awesome, can’t manage an organization. People have to do that.

On the other hand, security is usually redundant and provided in layers. The hundred-or-so pounds of cocaine, after all, was seized.

The Future: An Early Arrival at Love Field?

More and more people fly and the joy the experience brings has been at a continuous ebb since well before 9-11. We all know it is a drudge, and many of us remember it being different.

So, it’s not hard to see why brainstorming and daydreaming the Future of Air Travel™ is something of a cottage industry.

For examples, see:
Aviation Industry Researchers Predict Major Airport Overhauls Over the Next 15 Years,
Biometrics Will Enable the Takeoffs of Tomorrow, or
IATA Floats Airport Security Revamp

But most of us won’t need examples. We’ve had plenty of time to write all three of the above posts and the articles they reference while waiting our turn behind the travelers who arrived before us at the security checks to participate in the security ritual.

As Charles Dudley Warner* once said, “Everybody talks about how lame air travel has become, but nobody does anything about it.”

Until now…

‘Checkpoint of the future’ takes shape at Texas airport (USA Today)

At a terminal being renovated here at Love Field, contractors are installing 500 high-definition security cameras sharp enough to read an auto license plate or a logo on a shirt.

The cameras, capable of tracking passengers from the parking garage to gates to the tarmac, are a key first step in creating what the airline industry would like to see at airports worldwide: a security apparatus that would scrutinize passengers more thoroughly, but less intrusively, and in faster fashion than now.

According to this article, it’s actually being built, now, at Love Field, the spiritual and corporate home of Southwest Airlines.

This comes not a moment too soon. Another tidbit of the article sheds light on how the status quo just can’t hold:

The Federal Aviation Administration projects the number of passengers flying inside the USA will nearly double in the next 20 years, to 1.2 billion. Security has slowed since the attacks of Sept. 11, 2001. Before then, about 350 people passed through checkpoints each hour, the IATA says. A November survey at 142 airports found processing times fell to 149 an hour, with the worst at 60, Dunlap says.

The math buried in this paragraph just doesn’t work out. The number of air passengers simply can’t double in the next twenty years if the current trend in security throughput continues.

1. Due to a lack of security capacity, passengers will be unable to get to their planes in time (or they will have to arrive at the airport so early that many will opt to drive to their destination), or
2. Expanding the current security apparatus to handle twice the volume will drive up the cost of air travel affecting demand.

Incremental change will no longer do. Each additional security hurdle added in response to a novel security threat brings the entire system one step closer to collapse. The air travel industry’s future depends not upon a rethink (Future of Air Travel™) but on a radical reinvention and implementation of the security apparatus.

Thankfully, unlike the weather, someone’s finally doing something about it. Biometrics can, and will, help.

 *Not Mark Twain

Face Rec System Can Sell Lipstick and Bust Terrorists

I guess, in a few cases, it could do both.

From Testing Lipstick to Spotting Terrorists (IEEE SPECTRUM)

Talking with Robin during his visit to Palo Alto, Calif., last week, he definitely seemed like a man tugged in two directions. While he was happy to talk about the successes of the technology in security tests, he kept bringing the conversation back to its applications in department stores, guiding women to selections of hair color and makeup.

Unisys Security Index Survey Finds High Levels of Support for Biometric Solutions

The dedicated home for the Unisys Security Index is a gold mine of information about how security issues are perceived by the public in Mexico, Colombia, Hong Kong, Brazil, Germany, New Zealand, US, Belgium, Spain, Australia, UK, Netherlands and globally.

In general Unisys has found that individuals have shifted their attention from national security issues to individual security issues and (except Brazil & Mexico) are more focused on information security than physical security.

The video below shows that people are extremely receptive to biometric ID management solutions for better security.

Mobile Security & the Bi-annual Unisys Security Index Survey (Help Net Security)

Unisys also surveyed U.S. respondents on their preferences for securing their mobile work devices when used outside of the workplace. Fifty-five percent of U.S. respondents said they prefer using complex passwords (combinations of uppercase and lower case letters, symbols and numbers) for mobile security.

Biometrics such as fingerprints, voice or facial images were the second most preferred method, with 37 percent of respondents showing preference for one or more of those methods for protecting mobile devices outside the workplace.

Nearly a third (32 percent) of respondents said they prefer simple passwords for securing their mobile devices outside the workplace.

“This is a worrisome finding for executives and enterprise IT managers,” Vinsik added. “Passwords alone simply do not provide a sufficient level of security to protect sensitive data against today’s sophisticated cyber criminals. Organizations need to leverage the use of facial and voice biometrics that most smart phones are capable of supporting today.”