With over a billion Aadhaar numbers allotted to Indian citizens, the Unique Identification Authority of India (UIDAI) is the largest national identification number project in the world. For the same reason, this centralised database is also one that needs to be secured at all times.
Ilias Chantzos, Senior Director Government Affairs EMEA-APJ at Symantec, however, says the enormity of this data set has not added to the vulnerability in any way. “In the end it is all about finding the right balance and making sure you have the right protections in place while offering the flexibility and advantages of digital usage on the other hand. We have to accept that identity is going more and more online, as you see with banks, and it is a natural evolution. So don’t view this as an additional vulnerability,” he explains.
Any standard for protecting public data, he says, needs to take into consideration local context as well. “There is a school of thought that argues the need for a sector-specific standard for finance or health. This is the American way. But the European way is horizontal, to have a more encompassing standard irrespective of a sector or area of business. And these two models seem to compete,” explains Chantzos. He represents Symantec before government bodies, national authorities and international organisations, advising on public policy issues with particular regard to IT security and data risk management and availability.
“Depending on the trade flows and data flows countries like India will be pulled into these two directions. In the end every country is going to have something that fits its idiosyncrasies, but it would have to be somehow compatible to do business with other major trading partners,” he adds.
Chantzos says the right approach will be to put emphasis on individual data protection, because “that is where the value is”. He adds: “If we all agree that data is valuable then it should be no surprise that data is regulated.”
But governments often end up adding more context to individuals' data without their permission. This, again, is a call that has to be taken at a local level, he says. “There needs to be information self-determination, but even that is subject to certain restrictions. For instance, the institution doing business with you, like a bank, might object,” he explains, adding that there can be two ways to tackle this: “either decide on direct authentication or opt for crunching all the data to draw a conclusion about the context”.
“In the end you have to manage the identity and the use case will determine how you do it. But in such a case we will need to look at even the potential use cases of Aadhaar as well,” Chantzos says, underlining how, when the GSM standards were set up, no one would have imagined the use of mobile phones for banking.
Chantzos says there is a growing realisation that since we are all connected these days, the impact of a cyber incident will be much greater. “There is greater realisation now that in the information society there is value in the data and data economy is why you see more attacks on the infrastructure that supports it,” he says, adding that in that sense India is no different from the rest of the world. “On one hand you see a lot of effort from the government in the UID project, but at the same time the challenge to share this information.”