KATHMANDU/NEW DELHI, June 27: The National ID Management Center (NIDMC)-initiated amendments of May 15 in the now controversial NID tender have made the database management system and biometrics, also known as Automated Fingerprint Identification System (AFIS), vulnerable.
As per the May 23, 2008 grant agreement between the government and the Asian Development Bank, it is the responsibility of the home ministry to secure the database of Nepali citizens.
In line with the Asian Development Bank (ADB) Grant No 0106-NEP, Schedule 4 (3, iv), the Ministry of Home Affairs (MoHA) shall be the implementing agency for part 3 (2) which requires “the development of selected priority e-government applications to include a database for national ID system facilitating delivery of public services.”
As per the agreement, the government of Nepal and MoHA have to manage, maintain and secure the database. But by removing the entire database from the specifications, the government is now treading a dangerous path as it could make the data in delivery of public services vulnerable.
NIDMC on May 15 removed the database requirement from the specifications. This means that the prospective contractor can quote any database or, in other words, introduce a freeware database.
Republica is in possession of a copy of the grant agreement between the government and ADB.
The government has said that the amendments of May 15 were made after some bidders complained of irregularities in the tender document. But by dropping the standard specification of the database and giving the bidders a free hand, there are now doubts that the government could compromise the country's security sensitivities.
“The amendment is faulty as it now opens up our database management to further manipulation,” an MoHA official told Republica on condition of anonymity.
“The component of database has been removed. So now a bidder can offer any database, commercial or freeware,” the source added.
If primary data is manipulated or not secured, there is no guarantee that the contractor would ensure security.
On the other hand, on the biometrics requirement, the government has asked for NIST-2003, a standard testing platform for biometric vendors under which only three companies can qualify -- 3M, NEC and L1 Technology (which is part of Safran Morpho group).
“The 2003 standard is outdated and the government is paying no attention to including the latest version,” a representative present at the pre-bid meeting of May 30 at NIDMC told Republica on condition of anonymity.
There have been three amendments so far to the NID project.
The national identification has to secure people’s data against internal and external threats. Such identifications will be used for bank accounts, land purchases and many other activities.
In India, Safran Morpho, a French company, was awarded the Unique Identity Project (Aadhaar) rolled out by the Unique ID Authority of India (UID) in 2009. Morpho is only in charge of the technical aspects of UID. But it is an Indian company, Satyam, which helps install the system, provide maintenance and train users. The registration and collection of biometric data is controlled centrally. At the same time, to protect privacy, all information is centralized in a large database.
Also, in this first pilot phase of the project (which involves distribution of 110,000 IDs), the Public Key Infrastructure (PKI) is not in the scope of the work. A PKI is a cryptographic arrangement that binds public keys with respective user identities by means of a certificate authority. This means that access to the database will be over-simplified.
“The new procedure as per the tender specification will now compromise on data security, accessibility and interoperability,” the representative added.
The eligibility criteria as per the amendments and the initial specifications now suit only Morpho, a French company, and Gemalto Oy (Finland).
While the ADB has not issued any clarification on the complaint letter submitted by a group of bidders last month, the government too has not done anything substantive to take the internal investigation forward.
Officials familiar with the development, however, said MoHA has formed an evaluation committee comprising senior technical officials to select the company that best suits the requirements of Nepal. NIDMC earlier had made some amendments including replacement of health cards with driving license cards and other specifications to address genuine concerns of prospective bidders of the multi-million dollar project.