Ruminations

Too Many Confidants

System designs that require participants to keep secrets almost always have something in common: people as the weakest link. The basic premise of "security via keeping secrets" is flawed. Not only does it require everyone to intend to keep the secret, but the expectation that all future recipients will keep it. Things start off on a bad security footing that inevitably results in a poor implementation.

Good system planning and design is essential. And that planning should always include data and operational security from the very beginning. If how a system will be used is not part of the initial design then the scales of failure are not tipping in the system's favor.

"We'll figure it out before we roll it out" is never a good practice. It's a lot like the good intentions of "good enough is good enough". They both face similar time constraints as a system nears completion. Yet the priority of addressing "we'll figure it out" will always increase and the priority of "good enough" will always decrease. As deadlines approach corners tend to be cut and compromises are made.

Think about the paragraphs above with your project as the "system". Would, or could you, try to implement this type of security model?

System designers or "trusted participants" may be well intentioned. But the more people who know a secret the greater the chance of it not remaining a secret.

Enter India's Aadhaar national ID system. It holds the personal and biometric information of over 1.1 billion Indian citizens. The secret ingredient in Aadhaar? Trust. And that trust has been shared with 100,000 "enrollment administrators" spread out across their country.

A system this size, and this important, is a staggering undertaking. The financial costs are extremely high, as are the political costs of failure. And let us not forget the many costs of poorly designed security.

It is unimaginable that 100,000 people can keep a secret. Because they can't. With that many enrollment administrators it is easy to predict that not every one of them will intend to.

So, what's the point of this post anyway? That anyone can buy anyone else's Aadhaar information for $8. Because enrollment administrators have full access to anyone's profile in Aadhaar. And each one can add new enrollment administrators without approval or limitations. Think about that last bit for a moment.

How else could it have been implemented? I haven't had the privilege to review Aadhaar's requirements. But I would have started with limiting access to only the citizens an enrollment administrator entered. And I would not allow them to add more enrollment administrators.

I don't know who thought sharing enrollment administrator access to Aadhaar with 100,000 people was a good idea. Or why they felt that giving these 100,000 individuals the ability to add anyone else as an enrollment administrator was necessary. But I can tell you why they did it: convenience.

This is not the first time I've said this, and it won't be the last: One cost of security is convenience. When you trade security for convenience you are not going to enjoy either. Having 100k individuals add India's citizens to this system is convenient. Cleaning up this type of security exposure is not. And if human nature gets involved in the cleanup process I'd bet good money that other corners will be cut. For the sake of convenience.

Sometimes the people who plan and design the systems are the weakest link. And that's not a secret.

---