September 19, 2015
A few days ago I wrote about National Identity Card Centre and the Supreme Court injunction. Dini Lallah posted questions in the article’s comment section and those would lead to interesting answers.
I decided to answer those questions in a blog post rather than in the comment section. Let’s start with the questions one by one.
1. What would be the purpose of the chip on the card? Would it be solely for keeping those 4 biometric fingerprints data on it?
The National Identity Card is an “ISO/IEC 14443” contactless integrated circuit card. It is also called a proximity card. Such cards can be read from a distance without requiring physical contact. I suggest you contact the Mauritius Standards Bureau to get details about this standard.
The chip in the National Identity Card allows a person in possession of a card reader with the decryption key to read the cardholder’s personal data.
Apart from the four fingerprint minutiae, the chip would also contain textual information such as full name, date of birth, identity number and address. This was published on mnic.mu, which unfortunately is no longer accessible. When I wrote to the Ministry of Technology, Communication and Innovation about the current “consent form”, I also informed them that mnic.mu is not available.
2. As far as you know, has Minister Badhain, as a spokesperson for government, taken any undertakings that no other data will be electronically stored on the card?
Well, as far as I know, neither the minister nor the government gave an assurance that no other data will be stored on the card (either now or in the future).
3. The Minister stated that identity theft from the card was hypothetical and not substantiated. Furthermore, he said that he would be the first to take action if it was. Someone posted on Twitter this message: You want to read the contents of your NEW super SECURE Mauritian ID card, buy one of these at http://fb.me/2rszEPCVw. Is it that easy? What light can you shed on this?
I could say some actions of the minister were based on hypothesis too, but that would be like a personal attack, right? See, before the minister calls anything “hypothetical”, did the ministry first conduct a study of the various scenarios in which their system can be brought down? Did they audit the MNIS infrastructure according to IT security standards?
Last year, while I was on a radio debate, the Project Director, Mr Rao Ramah, replied to the question on security audit and said that PricewaterhouseCoopers had carried out an audit. I have never seen the report to date.
4. According to you, would the purpose of verifying the biometric data be proportionate with the loss of privacy, taking into consideration the risk of identity theft and managing and indeed the verification and control of those machines, not to mention who would do it and what expertise they have? What if your card was stolen for example? Could the thief not be able to recreate another id card with another photo with all your details on the card including your 4 fingerprints? Then, they would have access to your bank account, your pension and anything else from governmental or non-governmental organisations that has a reader.
In the context in which the government plans to use the National Identity Card, yes, there could be a high risk of misuse if one’s card is stolen or compromised.
The Head of Operations of MNIS said on MBC TV last year that the MNIS infrastructure cannot be “hacked”. The report by the Mauritius Broadcasting Corporation mentioned that “il est impossible de pirater le système du MNIS” (“it is impossible to hack the MNIS system”).
Now, let me give you a small hint. Say you have this Biometric ID Card which has encrypted data on it. The data cannot be read unless you have the key to decrypt it. Now, you go to the bank and you’re asked to swipe your finger on a reader that will match your fingerprint with the minutiae on your card. How does the bank’s reader do it? It’s because the bank’s reader has the “key” to read yours or anybody else’s National Identity Card. Where else can we find such readers? We don’t know yet. All that matters right now is that the reader has the key. How to get the key is just a matter of time :) That’s like, security compromised in 5 minutes.
So, to answer you, no, it is not proportionate. We’re taking a high risk with biometrics in the National Identity Card and centralization of personal data.
5. The 1.6 billion rupees has been spent already. What, according to you, would be the cost to render the chip on the card inactive and no data whatsoever be stored on it?
The 1.6 billion rupees isn’t for the “making of cards” only. It covers the consultancy, software development, purchase of equipment, training, etc. I cannot answer you unless expenses regarding the project are broken down in a transparent manner.
For example, the website mnic.mu was hailed as the gateway of information for the National Identity Card Project. However, since the departure of the ex-Project Director, the website went offline. It’s been like that for several months now. Who owns mnic.mu? Mr. Rao Ramah or the government? Who paid for the domain name, hosting, design etc? How much did it cost? Who approved the project budget?
To answer whether it would incur additional cost to “modify” the project, well, the ministry would first have to be transparent regarding the types of equipment and applications used. Under the veil of “national security” a lot of things are happening. It’s up to the concerned citizens to shoot the right questions at the right persons ;)