If you would like to read my past post on #Aadhar here is the link Whats is wrong with Aadhar Software System ? (Part-1) You may also be interested in reading a previous comparison between SSN & Aadhar at this link Why you should be concerned about #Aadhar being made mandatory for citizen of India?
Continuing from
Whats needs to be fixed in Aadhar Software System ? (Part-1)
One pertinent question I want to ask UIDAI is, for a company that in implementing Aadhar should it not be a prerequisite for it's employee & service partners to have an Aadhar number and use Aadhar for registering new user of Aadhar System? In this alleged data leak case how did the system allow new ASA and AUA users (Authentication Service Agencies & Authentication User Agencies ) to be added without their Aadhar numner keyed in? Would the alleged hacker dare to sell data if he knew his activity was being tracked by his Aadhar number and that he would be caught? Software Design flaw eh?I found the so called Aadhar System's Vision at their website and it is the briefest software vision document that I have seen in 20 years. Even after reading the Vision you won't know what are all Services that Aadhar is designed to provide today & in future. Our understanding was that Aadhar would be used for distribution of social security benefits to the eligible. Now goverment wants to make Aadhar the Single Source of Truth of your identity, something even the USA & UK do not dare to do with their SSN because of their concern for the privacy of their citizen. You have to read my earlier post to know why USA does not use bio-metrics for their SSN which is similar to Aadhar (Link) Now your Aadhar number will get verified when you open a Bank accounts, do Stock investments, buy insurance and even when you get admitted to a hospital? Why are we using Aadhar for the financial transaction tracking? Was PAN not supposed to be the 'Universal Identification for Financial Transaction' as per the Income Tax website? I can understand that goverment wants to link PAN and Aadhar to ensure people do not create multiple PAN and that makes sense. But when you are linking PAN with Aadhar where is the need to provide Aadhar to Bank & Stock exchange? They already have my PAN which is already linked to Aadhar (Read older post Linking Aadhar )! This is just bad,bad, bad, software design, Last week it was in the news that a lady who was ill tragically died because she was denied admission to hospital because she could not produce Aadhar card. Who has given this ABSURD instruction to hospital that Aadhar is required to get medical treatment or to get admitted to hospital? Even the Nazi did not have such inhuman laws! Recently someone raised a valid question - How many homeless and nomads people live in India? Without a address how will they get Aadhar card to receive social benefit? I would have liked to know if such problems were already thought by the UIDAI ? Are these problems part of Vision document and is the Vision shared somewhere on their website so citizen can read and be aware of Aadhar Features.
If you want to build a Digital India start educating people and making them aware of what is coming their way. Sadly goverment schemes are very poor at educating citizen and GST is another example. Govt announces GST & the PVSindus 1 minute TV commercial does not tell how GST is going work. Who is going to educate the business men? Why could goverment not conduct 1 hour TV Training on all TV channels to demonstrate and educate business community on GST? When you go shopping talk to your grocer and you will be shocked to know that 50% of the times your grocer does not know how and when GST has to be filed! Sorry Sir, you cannot go Digital without training the last man & woman in the village, in a medium & language they understands. Everybody is not as smart as people sitting in Delhi!
Software engineering works on well defined Software Development Life Cycle Process. Software Managers help client define their Software Vision. A Software Vision document defines the high-level scope and purpose of a program. It is a clear statement of the problem, proposed solution, and the high-level features of a product helps establish expectations and reduce risks. So a vision document is kind of a Geeta or Bible that has all major functionality and behavior that has to be built into the software to support the enterprise's business goals. If something is not in the vision it will not be part of the software road map & software design. Period. Next we create a Software Road-map which has milestones for different functionality that has to be built into the software and then the software architecture and design work starts. What I want to highlight to non-IT folks is that if you don't have a documented vision or if your Software Vision changes every year/months than it requires frequent changes to design, leading to patchy software and it affects the software quality including quality of software security.
I believe Changing Requirements are a big challenge is software that we develop for government. The government changes, the Vision changes and software has to be changed - no scope for arguments! Take Obama Care where USA has spent millions on the program and developing software for the online program which might get scrapped now or else take Indian Aadhar Card. Vision of the government that started the UIDAI program was at least 90 degree if not 180 degree apart, from the vision of next government. Now think about different Government Software that have been built by past government, how subsequent governments have changed the Vision to what software should do and how software would have gone through structural changes making it patchy.
To give an example to those who are not from IT, imagine we order custom built Luxury Sedan, then goverment changes and wants the sedan to be modified to work like a Bus. Again the goverment changes and they want the vehicle to be again modified to work as a Bullet Train! The chassis of the car can only take load of 5 to 6 people and you change the requirement to carry 60 people or worse 1000 people? Don't you think it is Better, Cheaper and Safer to use the car as it is and build a new Bullet Train from scratch? That's what happens to a software that starts as a modest application to perform few services and then client gets ambitions and wants to continue to modify the same software to serve the entire humanity. If the software foundation was not meant to handle all the ritz then it is better to start from scratch and build a new software. I hope that's not what is happening to Aadhar but it could if the people who make the decisions are not advised about the impact by their software architects.
I believe it is a duty of an IT engineer (and every professional ) to highlight the risks to the management on paper and provide the best recommendation to implement the software system but never compromise on quality and security of a software. I wonder if Aadhar software architect & engineers have done their duty well because the operations issues like data leaks and publishing data Aadhar data on their website do not give me the confidence that it is a robust system..
In my 1st post I mentioned Aadhar is currently being used for taking attendance of municipal employees and I think that is WRONG use case for Aadhar and if I may say so it amounts to abuse of a software system. Hey, I want to use Aadhar bio-metrics verification for my driver & housemaid to make sure she comes on time. Can I please have it? There was news that children will have to provide Aadhar to get admission in school and I am not sure that is makes sense to implement that because one study says that bio-metrics of children change quite frequently and it will create issues if bio-metrics cannot be verified. So much for basics of software design now lets look at it as a black box system and visualize an 'ideal software architecture' that can support services that we know Aadhar is going to be linked with in future.
If the Aadhar system allowss sharing your Aadhar details with private concerns like bank or letting them access your profile using your Aadhar number then it is a huge risk to the security and privacy of an individual and that is why people have filed PIL in court. What Aadhar system should do is allow a user to enter his Aadhar number and in response show him a standard success or failure message like the Americans show for their SSN!
Moving on lets discuss a model architecture and its key components that would ensure that we have a well designed that will work smoothly. What are the check points of making the system secure, fool proof, intelligent & proactive? How to build software a system that notify authorities when a miscreant tries to access restricted data using password or even if he manages to hacks into the system bypassing authentication (if hackers can get into Pentagon you should be prepared for the worst)? That's what is coming next, right here on this post, in another couple of days. I will leave you with a diagram of a model architecture for now.
 |
| Sample block architecture for an enterprise system |
Thanks for visiting my blog.
No comments:
Post a Comment