www.gov.mu -- Is it safe enough? Doubtful! Then #NoToBiometricIDCard
The topic was tossed around several times last year. At the beginning of 2014 it was brought up again when we discussed the .mu domain. Yes, I'm talking about DNSSEC. If I go through my emails I can still pull out a whole lengthy discussion from the Mauritius Internet Users mailing list. Unfortunately, at some point the discussion stops & the topic goes dormant.
Over the past few days, however, a whole different picture cropped up while serious discussions started over security issues surrounding the new Identity Card, as I met several people from various fields.
I would like to highlight that I am NOT against a new & modern Identity Card. Hey! But wait, modern doesn't mean just sell us anything. The new ID Card boasts a lot about security stuff. I read the Prime Minister's speech (during the Official Launching of the new Mauritius National Identity Card) from the Year 2013 archives available on the Government Portal. Below is an excerpt that highlights something about security.
Let's take each into consideration.
We should start with what we see first. The new ID Card will facilitate communication & sharing of information across various government & private agencies. Citizens should be able to log in to the Government Portal and effect transactions. What's the Government Portal URL? You should know it by now. Yes, it's www.gov.mu. Let's look at its anatomy.
The Government Portal URL can be broken into three parts: the Country Code Top Level Domain, which is mu; the Government domain, which is gov; and a sub-domain, which in this case is www.
Now, let's see what DNSSEC is and then we'll come back to the Government Portal. I'll take extracts from the ICANN website with slight modification to simplify it.
As we understood, to prevent ourselves from one day landing on a fake www.gov.mu website, DNSSEC must be deployed on the root zone, which is the top-level domain mu, and the signing process continued until the full domain is signed. Question: Is the Mauritian Government Portal safe from such vulnerabilities? Nope! We can test this using an online tool provided by VeriSign Labs, and let's compare with other government portals.
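The link that such a test checks at each step of the chain, as an added example that is not part of the original post: the parent zone publishes a DS record, and it must equal the digest of a DNSKEY in the child zone. The key bytes, the zone cut at gov.mu and the three scenarios are constructed for illustration, and a real validator also verifies the RRSIG signatures, which this sketch leaves out.

```python
import hashlib
import struct

def wire_name(name):
    """Canonical (lowercase) wire format of a DNS owner name."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_digest(owner, flags, protocol, algorithm, pubkey):
    """DS digest type 2 (RFC 4509): SHA-256(owner name | DNSKEY RDATA)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    return hashlib.sha256(wire_name(owner) + rdata).hexdigest()

def chain_status(zones, dnskeys, parent_ds):
    """Walk the zones from the top down and report the first broken link.

    Returns ("secure", None), ("insecure", zone) when the parent holds no DS
    for the zone, or ("bogus", zone) when a DS exists but matches no DNSKEY.
    """
    for zone in zones:
        ds = parent_ds.get(zone)
        if ds is None:
            return ("insecure", zone)  # unsigned delegation: nothing below is protected
        digests = {ds_digest(zone, *key) for key in dnskeys.get(zone, [])}
        if ds not in digests:
            return ("bogus", zone)     # a validating resolver rejects the answer
    return ("secure", None)

# Constructed sample data: placeholder key bytes, not the real .mu keys.
KSK_MU = (257, 3, 13, bytes(range(64)))       # flags 257 = key-signing key
KSK_GOV = (257, 3, 13, bytes(range(64, 128)))
ZONES = ["mu.", "gov.mu."]                    # assumed delegation path to www.gov.mu
DNSKEYS = {"mu.": [KSK_MU], "gov.mu.": [KSK_GOV]}

SIGNED = {"mu.": ds_digest("mu.", *KSK_MU),
          "gov.mu.": ds_digest("gov.mu.", *KSK_GOV)}
UNSIGNED_TLD = {}                             # the root holds no DS for mu.
STALE = {**SIGNED, "gov.mu.": ds_digest("gov.mu.", *KSK_MU)}  # DS made from the wrong key

if __name__ == "__main__":
    for label, ds in [("signed", SIGNED), ("unsigned TLD", UNSIGNED_TLD), ("stale DS", STALE)]:
        print(label, chain_status(ZONES, DNSKEYS, ds))
```

An "insecure" result at the top of the path means every name below it, www.gov.mu included, can be answered by a forged response without a validating resolver noticing.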
In my quest to learn the procedures for alerting the concerned authorities about vulnerabilities, I recently visited CERT-MU (website for the National Computer Security Incident Response Team). The mere instructions & sight of the Vulnerability Reporting process made me #facepalm.
Sorry, I do not use Internet Explorer. Besides, the Vulnerability Reporting form is designed using some proprietary software. The form doesn't work on Linux. Acrobat Reader is no longer available on Linux & the form doesn't work with alternative PDF readers. Please, don't bother telling me to use Microsoft Windows along with an Antivirus. I prefer everyone using Linux at my place. My mom isn't as cautious as me when she surfs the Internet. If a window pops up telling her she has won $ 1,000,000 in a lottery, she WILL CLICK it (^^,) ...
I stopped right there. Searching anything else would make me hate the website even more.
A lot happened in the last two weeks. L'Express & Le Mauricien covered the stories that highlighted privacy concerns. Should I get in touch with the Data Protection Office in that matter? Maybe. New things are happening; I'm learning procedures along the way & discovering stuff that makes me #facepalm at almost every step.
Not really my cup of tea, oops, coffee I mean. I'll leave this part to the Human Rights activists. However, I do feel my rights being ripped away by compelling me into giving fingerprints & a biometric photo to get a new Identity Card, all while security isn't yet the top priority.
So far, for every problem we have in the country, be it traffic congestion, leaking pipes or the new ID Card, the Mauritian Government is looking for solutions around the world. Folks, you have traveled enough. Take a deep breath, relax and meditate. Invest in your human resources & maybe in the next few years Mauritius will be exporting technology instead of buying.
Lastly, an open letter to whom it may concern.