DigiLocker Storage Service Launched
First New Offering Under Digital India Initiative
As part of the Indian government's new "Digital India" initiative, Prime Minister Narendra Modi on July 1 launched the DigiLocker project. Aimed at providing a personal digital storage space for Indian citizens to preserve sensitive documents, this service will be linked to the citizen's Aadhaar card or Unique Identification Authority of India number - the government's independent digital identity management program.
DigiLocker is the first service in the "Digital India" campaign to see a formal launch. According to the website for the project, DigiLocker aims to provide a dedicated personal storage space for securely storing government-issued e-documents, as well as Uniform Resource Identifier links to e-documents issued by various issuer departments. An e-sign facility provided as part of the DigiLocker system can also be used to digitally sign e-documents.
Under the "Digital India" initiative, DigiLocker aims to minimize the use of physical documents by providing secure access to government-issued papers. The program also intends to reduce the administrative overhead of government departments and agencies, and to make it easy for citizens to access existing and future services.
As described on its resource page, DigiLocker is similar at a very basic level to other storage services such as Google Drive or Dropbox. The planned merits go beyond just storage, though, enabling citizens to provide a DigiLocker reference in places where physical papers may be required, including applications, tax filing, etc.
The DigiLocker initiative is being spearheaded by Mahaonline - a joint venture between the government of the state of Maharashtra and Tata Consultancy Services, according to a source close to the Department of Electronics and Information Technology [DeitY], who declined to be named. The project was initially envisioned 5-6 years ago, with NASSCOM being given the charge of creating a digital vault to store government documents of citizens, the source says.
"It's still early days and this remains a work in progress. Lots of integration required at the backend with various government departments and application service providers," says the DeitY source. "The mechanism to transparently and conveniently access this service is going to be the biggest challenge."
But for entities such as banks, DigiLocker is going to prove a blessing, since storing sensitive paper documents, along with the associated mismanagement and storage costs, can be avoided. "Banks are mandated to perform a know-your-customer verification exercise every three years under RBI regulations," the source says. "The functionality provided by this service would mean that they no longer have to store these sensitive physical documents locally for seven years, as the law stipulates. Banks are direct beneficiaries and keen to get onboard."
However, how this would work in practice remains a question.
The practitioners and experts Information Security Media Group spoke to agree that there is still not much clarity from the government as to how this service will operate. While the service has been in beta since Feb. 10 this year, details around the issuer-requester mechanism still remain hazy.
For instance, says ST Sathivageeswaran, Head - Information Systems at Hindustan Petroleum Corporation, what is the mechanism for a requester of information to ensure that the documents a citizen uploads into the vault are legitimate? "Instead of uploading documents directly, connecting to the government entity issuing the document directly, and pulling digital versions of the relevant documents at the time of adding to the vault, would ensure authenticity and reliability," he recommends.
Experts also cite the privacy and security issues around holding this sensitive data in trust with a government entity. Government entities have traditionally had a bad security track record - a recent report by AppSec vendor Indusface states that 155 .GOV and .NIC domains were hacked last year. Says Dhananjay Rokde, ex-CISO and thought leader, "It is obvious that Digital India is going to need a large amount of funding and skilled resources to pull off. It would be a no-brainer to outsource this activity."
However, given the lack of a clear vision and a comprehensive plan with a step-by-step approach, it may prove to be hard to find vendors willing to put their reputations on the line.
"All this is extremely sensitive information that they propose to hold. If the recent OPM breach in the US is any indication, whoever takes this up will be drawing a big target on their backs," Rokde says. Without multiple clarifications and assurance mechanisms on the government's part, he believes that adoption will be hampered.
Prominent information security strategist Dr. Onkar Nath shares other security concerns. "Privacy of information may not have been taken into consideration, and there is no provision of security of data over the mobile channel," he says. There is a provision for e-signatures in the IT Act 2000, but a lack of notification by the government means that DigiLocker's e-Sign feature may not legally hold up in court, he opines.
Moreover, operationally, finding skilled manpower to either operate or oversee these initiatives may be yet another challenge, say experts. For instance, they cite the NIC example. The backend integrations for the DigiLocker project are supposed to be managed by the National Informatics Center, or NIC, which is the government entity that provides technology support to all government departments. While the NIC has implemented a state-of-the-art operations center with security built in, NIC has not recruited new personnel since 1999, a source informs. With increased demand for specialists in security, a manpower crunch is inevitable and may play major spoilsport with the government's plans, sources say.