Being secure in a digital world

December 13, 2020

A new digital app can not only create a doomsday script for the rent-seekers but will ensure a friendlier interaction between the citizens and the government

Marc Goodman, known for his seminal work on law enforcement and technology, writes in his book, Future Crimes, “The cornucopia of technology that we are accepting into our lives, with little or no self-reflection or thoughtful examination, may very well come back and bite us.” These technologies include, but are not limited to, connected home devices, laptop webcams, baby monitors, keyless cars and delivery drones.

Impersonation in such a technology-dependent world can lead to frequent financial frauds and data breaches. Hence, while treading on the digital transformation path for Pakistan, we need to be extra careful for our own sake and for the sake of our children and their future that all online traffic is super secure and can be irrefutably traced to its actual initiator and owner in the real world. In order to do this, a national digital authentication app is the need of the hour.

Consider a hypothetical scenario where Advocate Mashhoor-i-Zamana files a case on behalf of his client, Mr Seedha Pakistani. The case is about a shady land transaction. Seedha Pakistani claims that he was abroad when this happened and he never sold his land to Mr Bao Badmash, who has now built a 5-storey shopping mall on it.

On the other hand, Advocate Badnam-i-Zamana contests that his client, Bao Badmash had purchased the land after paying the agreed amount of money to a Mr Teesra Admi who had an authority letter from Seedha Pakistani to go ahead with the deal on his behalf.

The court issues orders for the police to produce Mr Admi. However, in the next hearing, the court is told that Mr Admi has flown abroad and, hence, cannot be produced before the honourable Court. This leads to multiple hearings spread across months, adjournments happening due to the unavailability of any of the advocates or parties, out-of-court pressure on the parties to withdraw the case, and perhaps even undue influence on the court to dispose of the case.

Now, if we proceed with the automation of existing processes without fixing lacunae like these first, we would end up creating new problems instead of solving the old ones. For example, if we introduce an electronic case filing initiative without fixing the existing issues of fake letters of attorney and fake authority letters, impersonators will have an open field to play havoc.

In this scenario, we should either re-engineer business processes first and then go for process automation, or institutionalise a technology-based solution that not only introduces new ways of doing things but also fixes existing loopholes painlessly.

In order to fix these issues, it is imperative that we establish a regime that issues and keeps track of the digital identities of citizens, foreign passport holders having valid Pakistani visas, and business and government representatives.

Our National Database Registration Authority (NADRA) has been doing a commendable job in not just giving us our Computerized National Identity Card (CNIC) number, but also in biometrically verifying each individual Pakistani citizen. The next logical evolutionary step is to establish a link between every citizen’s real NADRA identity and their cyber identity, one that guarantees non-repudiation.

For this, it is proposed that NADRA may use the already available picture of a CNIC holder to initiate the process of registration of citizens for digital identification, which can later be used to authenticate their digital transactions. For non-CNIC holders and for cases wherein the picture available with NADRA does not match the person’s face against the provided CNIC number, the individual concerned may physically visit a nearby NADRA facilities centre to get his/her picture updated for digital identification.

At that time, NADRA may also take the individual’s iris data and voice samples (of digits from zero to nine), giving two additional biometric options for logging in to the proposed National Digital Authentication app and authenticating an online transaction.

Any software application that requires an authorisation check will have to get itself linked with the National Digital Authentication app, which will randomly generate a 6-digit one-time passcode (OTP), refreshed every minute, for that linked software application.
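One established way to produce a 6-digit passcode that changes every minute for each linked application is the time-based OTP construction of RFC 6238 with a 60-second step. The following is an added example, not part of the proposal described in this article; the per-user secret, the application identifiers, the per-application key derivation, the one-minute skew allowance and the replay check are all assumptions.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the article's "refreshed every minute"
DIGITS = 6          # the article's 6-digit passcode

def app_key(user_secret: bytes, app_id: str) -> bytes:
    """Derive a separate key per linked application (assumed design), so a
    code shown for one application does not authorise another."""
    return hmac.new(user_secret, b"app:" + app_id.encode(), hashlib.sha256).digest()

def otp(key: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, dynamic truncation) with a 60-second step."""
    counter = struct.pack(">Q", unix_time // STEP_SECONDS)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

class Verifier:
    """Server-side check for one user: constant-time comparison, one step of
    clock-skew tolerance, and rejection of a code that was already accepted."""

    def __init__(self, user_secret: bytes):
        self._secret = user_secret
        self._last_step = {}  # app_id -> last accepted time step

    def verify(self, app_id: str, code: str, unix_time: int) -> bool:
        key = app_key(self._secret, app_id)
        now_step = unix_time // STEP_SECONDS
        for step in (now_step, now_step - 1):  # current and previous minute
            if step <= self._last_step.get(app_id, -1):
                continue  # replayed or older code
            if hmac.compare_digest(otp(key, step * STEP_SECONDS), code):
                self._last_step[app_id] = step
                return True
        return False

if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed sample value
    server = Verifier(secret)
    code = otp(app_key(secret, "e-court"), 1000)
    print(code, server.verify("e-court", code, 1000), server.verify("e-court", code, 1001))
```
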

Now, let us revisit the scenario of Mr Seedha Pakistani. The authority letter which was presented in the court by Advocate Badnam-i-Zamana would not have been generated in the first place. Similarly, there would be no more fake letters of attorney, no more fake guarantors for bail. People like Bao Badmash will not be able to take advantage of others, no matter how seedha (or simple-minded) one is.

More importantly, this regime will act as a building block for all e-services, including e-FIR, electronic case filing in courts, e-payments, e-voting, e-office and e-signatures.

For services like the disbursement of pensions to the retired civil servants, teachers, and judges, banks require the beneficiaries to be physically present with horribly long waiting-queues at the time of receiving their rightful pensions. This is not how we would like our elderly to be treated.

Similarly, for services wherein change in government records is required, like transfer of properties and wealth, marriages, divorces, etc, the physical presence of the initiator and/or beneficiary is needed in front of a state functionary. This is called proof-of-life.

The good news is that we can get this required proof-of-life with our national digital authentication app without any need for physical presence. For this, we could either use the latest digital face recognition techniques or do a digital voice match, with voice samples stored against each digital ID. In the latter case, a beneficiary may be asked to speak out the randomly generated OTP digits that he/she sees on the screen. Matching these latest voice samples with the already stored ones is going to give us a digital proof-of-life, which will be more reliable than the corruptible physical one.

This new digital authentication regime will not only address the impersonation issue but will also act as a foundation for a paperless, cashless, and presence-less regime, wherein the front-end bureaucracy will have absolutely no physical interaction with citizens for any transaction or delivery of service.

This will not only spell out a doomsday script for the rent-seekers but will allow for a friendlier and easier interaction between the citizens and the government.

The writer has been head of software engineering at the PITB since 2011. He is also a member of the PM’s Task Force on Austerity and Restructuring.
