[Reader-list] (National Identity Card ) A digital Pandora's box - 153

Taha Mehmood 2tahamehmood at googlemail.com
Tue Jul 21 19:23:08 IST 2009


Dear All,

Here's a report published by The Hindu some years ago. MNIC/UIDC are
smart cards, which are run on Smart Card Operating System for
Transport Applications or SCOSTA based software.

We need to pay attention to this report, particularly to two aspects
of the process through which consensus around technology of smart card
appears to have been achieved.

The first one relates to the social dimension of the consensus
building exercise carried out by the government of India at the
national level. In this regard the report suggests that there seems
to be widespread disagreement amongst so-called technical experts who
gave a green signal to this technology.

Excerpt-

Strangely enough, the Expert Committee chairman's report too took an
open-ended position with regard to technology choice, contrary to the
Apex Committee's recommendation. This was done apparently to
accommodate evolving technologies, such as contact and contact-less
(using wireless) `dual-interface' cards and larger storage capacity
cards, such as optical strip, for multiple applications. However,
Zarabi gave a dissenting note to the Chairman's report in November
2003. Veni Madhavan, however, declined to comment. But some people in
the computer science community question the MoRTH's wisdom of
appointing a person with private interests as the chairman of a
committee on matters of public interest.

Then there were cautious views emanating from the then officers
representing the GOI too, particularly around the issue of
"vendor-driven technologies" which is perhaps interpreted in the
official GOI jargon as G-B (Government-to-Business relationship) or in
terms of official Sarkaari rhetoric as maybe 'Bhaagidari'.

Excerpt-

IN a panel discussion at the recent Smart Card Tech-India 2005
conference, with the theme "National ID Card - The Foundation of Trust
in e-Governance", Prakash Kumar, Secretary, Information Technology and
Administration Reforms, Government of Delhi, cautioned against
"vendor-driven technologies".

The second dimension relates to the technological compatibility of the
card itself. The report suggests that there may be violations and
misinterpretations arising from the use prescribed by the so-called
'Expert Committee' insofar as a 32 KB or a 64 KB smart card is
concerned.

Excerpt-

While a 32 KB or a 64 KB smart card would have easily met any
additional capacity that may be required by individual States, the
note has been carefully worded to defeat that very purpose. The note
says: "The microprocessor chip shall not carry any other information
not prescribed for the purpose." So, even if the microprocessor had
enough additional memory, it could not be used for any other
application that may be envisaged, say one's National ID, for which
the government has already initiated a pilot project for 3.2 million
people in 13 regions across the country.

Some questions related to this issue-

Why is only SCOSTA software used for national identity card? What
other technologies were considered? Why were they rejected? On what
grounds?

Did the GOI of India do any cost-benefit analysis on using the SCOSTA
technology? If yes, then what were the detailed findings?

Who owns the patents for this technology? What are the conditions of
use of this technology? How is the issue of inter-operability dealt
with here?

On what grounds did people like M.J. Zarabi, Chairman and Managing
Director, Semiconductor Complex Ltd., Chandigarh, give a dissenting
note? Why did Veni Madhavan, a Computer Science Professor at the
Indian Institute of Science, Bangalore, decline to present a comment
to the expert committee? Why was Prakash Kumar, Secretary, Information
Technology and Administration Reforms, Government of Delhi, cautioning
against "vendor-driven technologies"? What were his reasons?

Warm regards

Taha

http://www.hinduonnet.com/thehindu/thscrip/print.pl?file=20050812003902500.htm&date=fl2216/&prd=fline&

SPOTLIGHT

A digital Pandora's box

R. RAMACHANDRAN
VENKITESH RAMAKRISHNAN

The extra capacity added to the new smart card for car-owners gives no
added benefits but has pushed up the cost.

IN a panel discussion at the recent Smart Card Tech-India 2005
conference, with the theme "National ID Card - The Foundation of Trust
in e-Governance", Prakash Kumar, Secretary, Information Technology and
Administration Reforms, Government of Delhi, cautioned against
"vendor-driven technologies". To many members of the audience, it was
obvious what he was referring to. It was the legacy of the choice of
an inappropriate technology made by the Delhi administration of 2003
in the introduction of IT in the road transport sector. Today, he
finds himself in the embarrassing situation of having to implement it
even though he disapproves of it.

An important component of the much-hyped induction of IT in the
transport sector in many States - as part of the government's
nationwide e-governance initiative - is the smart card-based driving
licence and vehicle registration certificate (VRC). But, as the
process of implementing this scheme gets under way in many States, one
is also witnessing a number of petitions in the courts against the
choice and induction of the technology. And in many instances, the
cases have been dragged into the Supreme Court.

As regards the technology, the main contentious issue relates to the
respective governments' invitation for bids for the supply of simple
microprocessor-based smart cards (with a minimum memory of 4 KB) for
driving licences, and an optical smart card which has an optical strip
(of memory 1.5 MB or more) in addition to the microprocessor chip (of
4 KB memory or more) for VRCs. Petitioners have contended that this is
in violation of the guidelines issued by the Central Ministry of Road
Transport and Highways (MoRTH) under the Central Motor Vehicles Act
and associated Rules. Since these only required that driving licences
and VRCs should have a minimum 4 kb memory on a microprocessor chip,
the States had no legal authority to insist upon an additional feature
like an optical strip.

The basic guidelines issued by the Centre were: uniformity across the
country; readability throughout the country; inter-operability across
States; and non-proprietary or open-source technology that would allow
indigenous modification or development. Operationally, these
translated into conformity to ISO standards (ISO-7816-1, 2, 3), which
ensured uniformity and non-proprietary technology; standardised
hand-held terminals, which ensured readability everywhere; and
compliance to open source Smart Card Operating System for Transport
Applications (SCOSTA) software, based on ISO-7816-4, 8, 9 standards,
which ensured inter-operability.

SCOSTA was developed by Indian Institute of Technology, Kanpur, based
on specifications drawn up by an apex committee set up in 2000 by the
MoRTH - that included experts from the National Informatics Centre
(NIC) of the Ministry of Information Technology and Communications
(MCIT) and IIT-Kanpur, and representatives of industry. The SCOSTA
specifications were established to ensure that every card used for a
driving licence or a VRC is certified by a set of tests designated by
the NIC and IIT-K to ensure the usability of the smart card with the
same specifications by all States.

The origin of the controversy can be traced to the MoRTH's gazette
notification GSR 513(E) of August 10, 2004, which set out the
specifications for smart cards as amendments to the Central Motor
Vehicle Rules. The footnote to the notification provided room for
(deliberate) arbitrariness and manipulation in the States'
interpretation of the Rules. There is, as a result, more than a hint
of corruption in the implementation of the programme in some States.
But more importantly, the cards do not conform to the basic
guidelines.

It is instructive to go over the history of this footnote to
understand how the government machinery functions when implementing
off-the-shelf technologies in public schemes requiring large volumes
of a given product. Indeed, like the case of the smart card in the
transport sector, there are apparently other projects under the
e-governance initiative, which bear evidence of rather dubious
implementation.

The smart card Apex Committee produced its first report, titled
"National Standard for the Driving Licence and Vehicle Registration
(Version 1.0)", in January 2001. Based on this, the MoRTH issued
Version 1.0 guidelines. Following this, several States issued tenders
for smart cards and some, like Gujarat, had already implemented the
scheme in part. However, these were at variance with the guidelines
mentioned above. Some of these, for example, had invited bids for the
microprocessor cum optical strip smart card. This was apparently
because of the lack of precise understanding of the technicalities by
State administrations, coupled with the entry of multiple technologies
into the country.

To rectify the situation and in view of the technological
developments, Version 2.0 of the standards were evolved both for
back-end computerisation and for driving licences and VRCs. The
detailed specifications of SCOSTA, as well as the software `Saathi'
and `Vahan' (developed by the NIC), for back-end systems, formed part
of the Version 2.0 guidelines. These were issued in October 2001,
following which, in fact, some States withdrew their tender
notifications.

The Apex Committee had considered various available technologies -
microprocessor, integrated-circuit memory and optical memory - in
detail, particularly keeping in view the security aspect as well as
the volume of information to be stored. For security, a Key Management
System was specified for use with SCOSTA and it was also noted that
the latter two technologies are pure memory storage technologies with
no key-encryption mechanism unlike the microprocessor-based smart
card. Accordingly, for enhanced security the committee recommended the
use of microprocessor technology (with contacts).

As regards data size, it was reckoned that the volume of information
on a driving licence would be 1 kb and that on a VRC would be nearly 4
kb. The committee, therefore, added that since in driving licences and
VRCs the data volume requirement is low, security considerations are
paramount. It also noted that microprocessor technology existed with a
memory range from 4 KB to 32 KB, and 62 KB memory was in the pipeline.

Curiously enough, the MoRTH sought to issue some amendments to the
Central Motor Vehicle Rules concerning the smart card scheme for
driving licences and VRCs and a draft notification (GSR 42(E)) was
accordingly issued in January 2003, inviting public comments. This
contained a draft version of the note (reproduced in box) and its
import was essentially the same, which would virtually nullify the
Apex Committee's detailed standards.

In July 2003, the MoRTH constituted an Expert Committee - which was
headed by V.P. Bhatkar, Chairman, ETH Research Lab., Pune, and
included M.J. Zarabi, Chairman and Managing Director, Semiconductor
Complex Ltd., Chandigarh, and Veni Madhavan, a Computer Science
Professor at the Indian Institute of Science, Bangalore - to resolve
the ambiguities arising from technology variations as well as to make
appropriate recommendations on the choice of technology that was
non-proprietary, easily available, and suitable for field operations
and easy handling, and the cost of which would be within the fee
structure prescribed under the Rules. The Expert Committee also had to
look into issues arising from the draft notification.

Strangely enough, the Expert Committee chairman's report too took an
open-ended position with regard to technology choice, contrary to the
Apex Committee's recommendation. This was done apparently to
accommodate evolving technologies, such as contact and contact-less
(using wireless) `dual-interface' cards and larger storage capacity
cards, such as optical strip, for multiple applications. However,
Zarabi gave a dissenting note to the Chairman's report in November
2003. Veni Madhavan, however, declined to comment. But some people in
the computer science community question the MoRTH's wisdom of
appointing a person with private interests as the chairman of a
committee on matters of public interest.

In his dissenting letter, commenting on the note in the gazette
notification, Zarabi said: "The words `any other information storage
technology' opens up a Pandora's box. This addition is being exploited
for the backdoor entry of optical strip as part of the standard, which
technology had been... discarded by the Apex Committee."

This footnote, he said, "may cascade into a serious issue of induction
of proprietary technology and inter-operability issues, besides
encumbering the public at large with costs attached to a monopoly
source of supply and also risking the future and current
implementation at the hands of a single vendor, all of which is
against public policy, public interest and national security". He
observed that no process of standards definition and certification
procedure existed for optical strip or any other storage technology
other than the microprocessor smart card.

For the same reason, he said that the report's reference to other
technologies in any form would run counter to the efforts made for
SCOSTA. "If a smart card and optical technology or any other medium is
put together on the same card," he said, "it will lead to ambiguity as
well as problems of certification by the NIC." Because, one machine
readable zone (MRZ) on the card is open and certified by the NIC and
other MRZ in the other medium is proprietary and patented technology,
the patent being held by Drexler Corporation, U.S.A.

He pointed out that since SCOSTA specified only the standards for
microprocessor, optical strip is not compliant with SCOSTA
specifications. "We do not recognise optical strip cards and their use
is completely unjustified," pointed out Rajat Moona, a Computer
Science Professor at IIT-K who was associated with the development of
SCOSTA.

The hand-held terminals and field infrastructure specified by the Apex
Committee, Zarabi said, also did not support optical strips and these
required special hardware, which was neither specified nor
standardised thus making field operability difficult. In the case of
optical strip, in fact, according to him, read and write hardware was
yet to be designed for mass use.

He added that any ambiguity in the technology, if allowed, would push
up the costs of the plastic card, and optical strip, being
proprietary, is not available freely and is available only at higher
monopolistic prices. Patent rights (USPTO No. 6390130) were held by
Drexler Corp. and there are about 94 patents, which have been reserved
for optical technology, making it unavailable for further indigenous
development, Zarabi pointed out. The technology is licensed through
Drexler's 100 per cent subsidiary, Laser Card Corporation, U.S., to
various companies which only had sales rights in specified regions.

The chairman's report, of course, overruled all of Zarabi's
contentions, his objection to optical strip technology, in particular.
However, Bhatkar endorsed his point about proprietary technologies and
said that this could be ensured by requiring that "ISO or other well
recognised international standards be complied with". Accordingly, he
listed a set of ISO standards, which, according to him, were
applicable to optical memory cards. But the point to be emphasised is
that, even if ISO standards for these were evolving and could be
applied, these had not been specified for use with SCOSTA and the NIC
had not evolved standardised tests for these either. More important,
the issue of security of optical storage still remained and Bhatkar
did not address this crucial issue.

Bhatkar, therefore, recommended not a removal of the gazetted footnote
but an amendment to it to the effect that the other storage
technologies must conform to the relevant ISO or other international
standards. But curiously enough, Bhatkar's amendments to the footnote
were ignored and Alok Rawat, Joint Secretary in the MoRTH in August
2004, issued the final notification GSR 513(E) without any reference
to international standards for the optical strip. Speaking to
Frontline on authorisation from Union Minister for Transport T.R.
Baalu, Rawat said that the Centre had taken this step because several
State governments had demanded additional capacity.

While a 32 KB or a 64 KB smart card would have easily met any
additional capacity that may be required by individual States, the
note has been carefully worded to defeat that very purpose. The note
says: "The microprocessor chip shall not carry any other information
not prescribed for the purpose." So, even if the microprocessor had
enough additional memory, it could not be used for any other
application that may be envisaged, say one's National ID, for which
the government has already initiated a pilot project for 3.2 million
people in 13 regions across the country.

So what is the huge additional capacity doing in the transport sector
cards? There is little doubt that it is not benefiting the average
consumer. It is in this context that the Delhi government's IT
Secretary's comment on "vendor-driven technologies" acquires worrying
proportions.

