February 26, 2013, RSA Conference, San Francisco—Srikanth Nadhamuni with the universal ID project in India described the efforts and challenges associated with providing unique and secure IDs to 1B people.
India has many government forms and identification methods, with lots of leakage and duplications. Much of the existing ID forms exist only on paper, or may not exist at all in rural areas. The many government agencies have different types of identity documentation. To address these issues, they decided to create a single ID system for the entire population that is biometric-based and tied in to on-line authentication. This universal identification program is labeled Aadhaar.
The technology has to verify IDs for many functions, provide on-line authorization, and support some level of privacy and security. Enrollment into the system requires basic information including name, address, gender, data of birth, and now some biometrics like fingerprints or iris scans. For many rural workers, their fingerprints are smoothed out from the lifetimes of abrasion, so they have to go to iris scans for unique biometrics.
At the entry point, a new enrollee's identity has to be compared with the whole database to check for duplication and fraud. The person's information is stripped of details and the fingerprints and a random number are checked against the existing records. The process to enroll 1B people raises lots of questions when the infrastructure cannot handle the 5MB payload per person.
The stages for validation start with the biometrics. Three vendors are handling the verification, and to get higher accuracy, all three are compared against each other. The system has a dynamic reassignment based upon accuracy and throughput to select the primary.
To ensure privacy and security at enrollment, the data is encrypted and concatenated with a random number for processing. All packets with the biometrics are verified and the data at rest is partitioned across multiple zones. The biometrics providers are only getting the bio-data and the unique number.
The national government delegated the enrollment process to the local governments as registrars. The state entities have to train and certify the workers and set up their own infrastructure for handling the data. This ecosystem of devices, governments, vendors for verification, training and certification, etc. all have to be secure and robust.
The technology is based on open source tools and hardware configurations. Packets are moved into Hadoop, with MySQL for queries. Unfortunately, some of the tools are not able to scale up to the needs of the project, so some patches and workarounds are in place. The base hardware is Linux blade servers for scalability.
In use, thresholds of match determine approval. The authentication process only returns a yes or no response to a query in close to real time. The system allows for federated authentication, so other agencies and companies can add other requirements like a bank can require a PIN to access bank accounts. Other areas can build up functions based upon the authenticated ID. Policy implementations call for end-end security to protect users, and aid in fraud detection.
The rollout of the national ID system has improved the lives of many rural people in the country. Only 30 percent of the population has a bank account, so many rural farmers who get subsidies lose over a quarter of their subsidies. These farmers have to go to another area to get to a bank to cash their checks, and have to pay fees and transportation costs to get there.
With the UID, local mom-and pop stores can use a micro ATM—a smart phone and a fingerprint scanner—to carry out the same transactions. The scanner data go to a bank, then to the federal database for verification. Upon verification, an authorization message is returned to the bank, and transferred to the micro ATM, as which point, the farmer can use the phone to get cash or any other financial transaction.
To date, they have enrolled over 350M people and issued 300M ID cards. They are processing over 1M people a day with 100k operators. As a result, they are performing 300billion biometric matches a day and generating over 5TB a day of data. This data is expected to increase to over 20 B a day in a short time.
The government is considering other projects in part to the growing acceptance of the overall program. The project is challenging with aspects of big data, scale, and human elements, all covered in a secure and robust manner. The cloud and mobile devices are enabling better service delivery across all phases of the economy and in people's lives.