As far back as 2012, when the overreach of Aadhaar was newly becoming apparent and it was still a voluntary project, CIO had highlighted the concerns of various CISOs (Chief Information Security Officer) about the lack of privacy and robustness of the project. Here are some select quotes.
Security and privacy expert Deepak Rout.
Even SSNs have been misused by criminals for years. The flaw of any personal identification project is that when you input data into a database, there must be an assured mechanism in place. Fingerprints have inherent inaccuracies as a proof of identification and retina scans make data storage requirements much higher. If you don’t provide enough security, then chaos is inevitable.”
Pawan Kumar Singh, CISO at Tulip Telecom
I am still insecure with the idea of entrusting my data to the government. Would I go for a UID card? No, thanks. The government may lay down stringent rules but where is the enforcement mechanism? UIDAI’s security policy will remain like our constitution—on paper—if citizen awareness is not brought up.
Sanjay Deshpande, CEO and CIO at Uniken Technologies
Uniken Technologies is a security firm that was involved in the initial talks with the UID project team—says that the UID could be vulnerable to insider attacks.
How are they (the government) going to ensure that systems aren’t vulnerable to insider threat? How trustworthy are the people handling a citizen’s personal identity? Also, are the biometric devices used by the government foolproof? You might have heard of losing your e-mail IDs and passwords at an Internet café owing to malicious software in public computers. How is the government ensuring that the data capture device by itself is not malicious?
My problem as an Indian citizen is that once the UID project starts collecting biometric data everywhere, how are we going to prove our disassociation with a wrong UID and a crime we have not committed?
The publication appears to have lost its concern for data security in coming years, but none of the problems highlighted in this article from 2012 have been addressed in the years since. In fact, we see them coming true with an increasing frequency now.
Read original article here: http://www.cio.in/article/indian-cisos-don-t-trust-uid-their-data