[Reader-list] (National Identity Card) A digital Pandora's box - 153

Patrice Riemens patrice at xs4all.nl
Thu Jul 23 02:20:32 IST 2009


Upon fwding the original post to the 'Hippies from Hell' (aka Dutch
hackers) list, as this is an issue that plays in the Netherlands also, the
following comment came from Eduard de Jong, who was one of the early
developers of the Java card. Fwd fyi (reposted with permission)
Cheers, p+2D!

--------

Indeed, the SCOSTA specifications for smart cards come back to hound!

As specifications for cards go, they have nothing to offer but
stagnation and increased cost. They were clearly drafted to create
a local smart card industry that would not be hindered by paying a
licence fee for (commercially and technologically) superior
specifications like Java Card (DISCLAIMER: the basic patents for
JavaCard are in my name).

The main technical failure in SCOSTA is to specify a card operating
system rather than a card application. Interestingly, at the time
SCOSTA was initiated, public domain specifications for card
applications for transport already existed, the ITSO specs, fully
paid for by the UK DOT.

Having created the desired local industry to deliver cards for the
exclusive, protected transport market, the suppliers now discover
there is no other demand for their products, which do not meet what
the rest of the world needs. So they change from being pulled into
pushing: lobbying to use SCOSTA wherever a card is going to be issued
in the sub-continent... The citizen ID card being the big fish there.

Sidestepping a discussion on the merits or desirability of such
cards, both in Europe and Australia a range of standards exists for
eGovernment/ID cards which could easily be used in India instead of
hanging on to an outdated SCOSTA. In Australia the states have gone
to great lengths in developing these standards to be in the public
domain.

As for India, it looks like after having grown a tail, now that
tail is (tries) wagging the dog....

eduard


At 17:09 +0200 21/7/09, Patrice Riemens wrote:

>A case of "when India speaks, the world listens"? (Pandit Jawaharlal Nehru)
>
>
>
>---------------------------- Original Message ----------------------------
>Subject: [Reader-list] (National Identity Card ) A digital Pandora's box -
>153
>From:    "Taha Mehmood" <2tahamehmood at googlemail.com>
>Date:    Tue, July 21, 2009 15:53
>To:      "Sarai Reader-list" <reader-list at sarai.net>
>--------------------------------------------------------------------------
>
>Dear All,
>
>Here's a report published by The Hindu some years ago. MNIC/UIDC are
>smart cards, which are run on Smart Card Operating System for
>Transport Applications or SCOSTA based software.
>
>We need to pay attention to this report, particularly to two aspects
>of the process through which consensus around technology of smart card
>appears to have been achieved.
>
>The first one relates to the social dimension of the consensus
>building exercise carried out by the government of India at the
>national level. In this regard the report suggests that there seems
>to be widespread disagreement amongst so-called technical experts who
>gave a green signal to this technology.
>
>Excerpt-
>
>Strangely enough, the Expert Committee chairman's report too took an
>open-ended position with regard to technology choice, contrary to the
>Apex Committee's recommendation. This was done apparently to
>accommodate evolving technologies, such as contact and contact-less
>(using wireless) `dual-interface' cards and larger storage capacity
>cards, such as optical strip, for multiple applications. However,
>Zarabi gave a dissenting note to the Chairman's report in November
>2003. Veni Madhavan, however, declined to comment. But some people in
>the computer science community question the MoRTH's wisdom of
>appointing a person with private interests as the chairman of a
>committee on matters of public interest.
>
>Then there were cautious views emanating from the then officers
>representing the GOI too, particularly around the issue of
>"vendor-driven technologies", which is perhaps interpreted in the
>official GOI jargon as G-B (Government-to-Business relationship) or in
>terms of official Sarkaari rhetoric as maybe 'Bhaagidari'.
>
>Excerpt-
>
>In a panel discussion at the recent Smart Card Tech-India 2005
>conference, with the theme "National ID Card - The Foundation of Trust
>in e-Governance", Prakash Kumar, Secretary, Information Technology and
>Administration Reforms, Government of Delhi, cautioned against
>"vendor-driven technologies".
>
>The second dimension relates to the technological compatibility of the
>card itself. The report suggests that there may be violations and
>misinterpretations arising from the use prescribed by the so-called
>'Expert Committee' insofar as a 32 KB or a 64 KB smart card is
>concerned.
>
>Excerpt-
>
>While a 32 KB or a 64 KB smart card would have easily met any
>additional capacity that may be required by individual States, the
>note has been carefully worded to defeat that very purpose. The note
>says: "The microprocessor chip shall not carry any other information
>not prescribed for the purpose." So, even if the microprocessor had
>enough additional memory, it could not be used for any other
>application that may be envisaged, say one's National ID, for which
>the government has already initiated a pilot project for 3.2 million
>people in 13 regions across the country.
>
>Some questions related to this issue-
>
>Why is only SCOSTA software used for national identity card? What
>other technologies were considered? Why were they rejected? On what
>grounds?
>
>Did the GOI of India do any cost-benefit analysis on using the SCOSTA
>technology, if yes then what were the detailed findings?
>
>Who owns the patents for this technology? What are the conditions of
>use of this technology? How is the issue of inter-operability dealt
>with here?
>
>On what grounds did people like M.J. Zarabi, Chairman and Managing
>Director, Semiconductor Complex Ltd., Chandigarh, give a dissenting
>note? Why did Veni Madhavan, a Computer Science Professor at the
>Indian Institute of Science, Bangalore, decline to present a comment
>to the expert committee? Why was Prakash Kumar, Secretary, Information
>Technology and Administration Reforms, Government of Delhi, cautioning
>against "vendor-driven technologies"? What were his reasons?
>
>Warm regards
>
>Taha
>
>http://www.hinduonnet.com/thehindu/thscrip/print.pl?file=20050812003902500.htm&date=fl2216/&prd=fline&
>
>SPOTLIGHT
>
>A digital Pandora's box
>
>R. RAMACHANDRAN
>VENKITESH RAMAKRISHNAN
>
>The extra capacity added to the new smart card for car-owners gives no
>added benefits but has pushed up the cost.
>
>In a panel discussion at the recent Smart Card Tech-India 2005
>conference, with the theme "National ID Card - The Foundation of Trust
>in e-Governance", Prakash Kumar, Secretary, Information Technology and
>Administration Reforms, Government of Delhi, cautioned against
>"vendor-driven technologies". To many members of the audience, it was
>obvious what he was referring to. It was the legacy of the choice of
>an inappropriate technology made by the Delhi administration of 2003
>in the introduction of IT in the road transport sector. Today, he
>finds himself in the embarrassing situation of having to implement it
>even though he disapproves of it.
>
>An important component of the much-hyped induction of IT in the
>transport sector in many States - as part of the government's
>nationwide e-governance initiative - is the smart card-based driving
>licence and vehicle registration certificate (VRC). But, as the
>process of implementing this scheme gets under way in many States, one
>is also witnessing a number of petitions in the courts against the
>choice and induction of the technology. And in many instances, the
>cases have been dragged into the Supreme Court.
>
>As regards the technology, the main contentious issue relates to the
>respective governments' invitation for bids for the supply of simple
>microprocessor-based smart cards (with a minimum memory of 4 KB) for
>driving licences, and an optical smart card which has an optical strip
>(of memory 1.5 MB or more) in addition to the microprocessor chip (of
>4 KB memory or more) for VRCs. Petitioners have contended that this is
>in violation of the guidelines issued by the Central Ministry of Road
>Transport and Highways (MoRTH) under the Central Motor Vehicles Act
>and associated Rules. Since these only required that driving licences
>and VRCs should have a minimum 4 kb memory on a microprocessor chip,
>the States had no legal authority to insist upon an additional feature
>like an optical strip.
>
>The basic guidelines issued by the Centre were: uniformity across the
>country; readability throughout the country; inter-operability across
>States; and non-proprietary or open-source technology that would allow
>indigenous modification or development. Operationally, these
>translated into conformity to ISO standards (ISO-7816-1, 2, 3), which
>ensured uniformity and non-proprietary technology; standardised
>hand-held terminals, which ensured readability everywhere; and
>compliance to open source Smart Card Operating System for Transport
>Applications (SCOSTA) software, based on ISO-7816-4, 8, 9 standards,
>which ensured inter-operability.
>
>SCOSTA was developed by Indian Institute of Technology, Kanpur, based
>on specifications drawn up by an apex committee set up in 2000 by the
>MoRTH - that included experts from the National Informatics Centre
>(NIC) of the Ministry of Information Technology and Communications
>(MCIT) and IIT-Kanpur, and representatives of industry. The SCOSTA
>specifications were established to ensure that every card used for a
>driving licence or a VRC is certified by a set of tests designated by
>the NIC and IIT-K to ensure the usability of the smart card with the
>same specifications by all States.
>
>The origin of the controversy can be traced to the MoRTH's gazette
>notification GSR 513(E) of August 10, 2004, which set out the
>specifications for smart cards as amendments to the Central Motor
>Vehicle Rules. The footnote to the notification provided room for
>(deliberate) arbitrariness and manipulation in the States'
>interpretation of the Rules. There is, as a result, more than a hint
>of corruption in the implementation of the programme in some States.
>But more importantly, the cards do not conform to the basic
>guidelines.
>
>It is instructive to go over the history of this footnote to
>understand how the government machinery functions when implementing
>off-the-shelf technologies in public schemes requiring large volumes
>of a given product. Indeed, like the case of the smart card in the
>transport sector, there are apparently other projects under the
>e-governance initiative, which bear evidence of rather dubious
>implementation.
>
>The smart card Apex Committee produced its first report, titled
>"National Standard for the Driving Licence and Vehicle Registration
>(Version 1.0)", in January 2001. Based on this, the MoRTH issued
>Version 1.0 guidelines. Following this, several States issued tenders
>for smart cards and some, like Gujarat, had already implemented the
>scheme in part. However, these were at variance with the guidelines
>mentioned above. Some of these, for example, had invited bids for the
>microprocessor cum optical strip smart card. This was apparently
>because of the lack of precise understanding of the technicalities by
>State administrations, coupled with the entry of multiple technologies
>into the country.
>
>To rectify the situation and in view of the technological
>developments, Version 2.0 of the standards were evolved both for
>back-end computerisation and for driving licences and VRCs. The
>detailed specifications of SCOSTA, as well as the software `Saathi'
>and `Vahan' (developed by the NIC), for back-end systems, formed part
>of the Version 2.0 guidelines. These were issued in October 2001,
>following which, in fact, some States withdrew their tender
>notifications.
>
>The Apex Committee had considered various available technologies -
>microprocessor, integrated-circuit memory and optical memory - in
>detail, particularly keeping in view the security aspect as well as
>the volume of information to be stored. For security, a Key Management
>System was specified for use with SCOSTA and it was also noted that
>the latter two technologies are pure memory storage technologies with
>no key-encryption mechanism unlike the microprocessor-based smart
>card. Accordingly, for enhanced security the committee recommended the
>use of microprocessor technology (with contacts).
>
>As regards data size, it was reckoned that the volume of information
>on a driving licence would be 1 kb and that on a VRC would be nearly 4
>kb. The committee, therefore, added that since in driving licences and
>VRCs the data volume requirement is low, security considerations are
>paramount. It also noted that microprocessor technology existed with a
>memory range from 4 KB to 32 KB, and 62 KB memory was in the pipeline.
>
>Curiously enough, the MoRTH sought to issue some amendments to the
>Central Motor Vehicle Rules concerning the smart card scheme for
>driving licences and VRCs and a draft notification (GSR 42(E)) was
>accordingly issued in January 2003, inviting public comments. This
>contained a draft version of the note (reproduced in box) and its
>import was essentially the same, which would virtually nullify the
>Apex Committee's detailed standards.
>
>In July 2003, the MoRTH constituted an Expert Committee - which was
>headed by V.P. Bhatkar, Chairman, ETH Research Lab., Pune, and
>included M.J. Zarabi, Chairman and Managing Director, Semiconductor
>Complex Ltd., Chandigarh, and Veni Madhavan, a Computer Science
>Professor at the Indian Institute of Science, Bangalore - to resolve
>the ambiguities arising from technology variations as well as to make
>appropriate recommendations on the choice of technology that was
>non-proprietary, easily available, and suitable for field operations
>and easy handling, and the cost of which would be within the fee
>structure prescribed under the Rules. The Expert Committee also had to
>look into issues arising from the draft notification.
>
>Strangely enough, the Expert Committee chairman's report too took an
>open-ended position with regard to technology choice, contrary to the
>Apex Committee's recommendation. This was done apparently to
>accommodate evolving technologies, such as contact and contact-less
>(using wireless) `dual-interface' cards and larger storage capacity
>cards, such as optical strip, for multiple applications. However,
>Zarabi gave a dissenting note to the Chairman's report in November
>2003. Veni Madhavan, however, declined to comment. But some people in
>the computer science community question the MoRTH's wisdom of
>appointing a person with private interests as the chairman of a
>committee on matters of public interest.
>
>In his dissenting letter, commenting on the note in the gazette
>notification, Zarabi said: "The words `any other information storage
>technology' opens up a Pandora's box. This addition is being exploited
>for the backdoor entry of optical strip as part of the standard, which
>technology had been... discarded by the Apex Committee."
>
>This footnote, he said, "may cascade into a serious issue of induction
>of proprietary technology and inter-operability issues, besides
>encumbering the public at large with costs attached to a monopoly
>source of supply and also risking the future and current
>implementation at the hands of a single vendor, all of which is
>against public policy, public interest and national security". He
>observed that no process of standards definition and certification
>procedure existed for optical strip or any other storage technology
>other than the microprocessor smart card.
>
>For the same reason, he said that the report's reference to other
>technologies in any form would run counter to the efforts made for
>SCOSTA. "If a smart card and optical technology or any other medium is
>put together on the same card," he said, "it will lead to ambiguity as
>well as problems of certification by the NIC." Because, one machine
>readable zone (MRZ) on the card is open and certified by the NIC and
>other MRZ in the other medium is proprietary and patented technology,
>the patent being held by Drexler Corporation, U.S.A.
>
>He pointed out that since SCOSTA specified only the standards for
>microprocessor, optical strip is not compliant with SCOSTA
>specifications. "We do not recognise optical strip cards and their use
>is completely unjustified," pointed out Rajat Moona, a Computer
>Science Professor at IIT-K who was associated with the development of
>SCOSTA.
>
>The hand-held terminals and field infrastructure specified by the Apex
>Committee, Zarabi said, also did not support optical strips and these
>required special hardware, which was neither specified nor
>standardised thus making field operability difficult. In the case of
>optical strip, in fact, according to him, read and write hardware was
>yet to be designed for mass use.
>
>He added that any ambiguity in the technology, if allowed, would push
>up the costs of the plastic card, and optical strip, being
>proprietary, is not available freely and is available only at higher
>monopolistic prices. Patent rights (USPTO No. 6390130) were held by
>Drexler Corp. and there are about 94 patents, which have been reserved
>for optical technology, making it unavailable for further indigenous
>development, Zarabi pointed out. The technology is licensed through
>Drexler's 100 per cent subsidiary, Laser Card Corporation, U.S., to
>various companies which only had sales rights in specified regions.
>
>The chairman's report, of course, overruled all of Zarabi's
>contentions, his objection to optical strip technology, in particular.
>However, Bhatkar endorsed his point about proprietary technologies and
>said that this could be ensured by requiring that "ISO or other well
>recognised international standards be complied with". Accordingly, he
>listed a set of ISO standards, which, according to him, were
>applicable to optical memory cards. But the point to be emphasised is
>that, even if ISO standards for these were evolving and could be
>applied, these had not been specified for use with SCOSTA and the NIC
>had not evolved standardised tests for these either. More important,
>the issue of security of optical storage still remained and Bhatkar
>did not address this crucial issue.
>
>Bhatkar, therefore, recommended not a removal of the gazetted footnote
>but an amendment to it to the effect that the other storage
>technologies must conform to the relevant ISO or other international
>standards. But curiously enough, Bhatkar's amendments to the footnote
>were ignored and Alok Rawat, Joint Secretary in the MoRTH in August
>2004, issued the final notification GSR 513(E) without any reference
>to international standards for the optical strip. Speaking to
>Frontline on authorisation from Union Minister for Transport T.R.
>Baalu, Rawat said that the Centre had taken this step because several
>State governments had demanded additional capacity.
>
>While a 32 KB or a 64 KB smart card would have easily met any
>additional capacity that may be required by individual States, the
>note has been carefully worded to defeat that very purpose. The note
>says: "The microprocessor chip shall not carry any other information
>not prescribed for the purpose." So, even if the microprocessor had
>enough additional memory, it could not be used for any other
>application that may be envisaged, say one's National ID, for which
>the government has already initiated a pilot project for 3.2 million
>people in 13 regions across the country.
>
>So what is the huge additional capacity doing in the transport sector
>cards? There is little doubt that it is not benefiting the average
>consumer. It is in this context that the Delhi government's IT
>Secretary's comment on "vendor-driven technologies" acquires worrying
>proportions.


-- 
Eduard de Jong




