False confidence

September 20, 2017

As reliance on electronic systems grows, it’s crucial to ensure accurate user identification. Authentication protocols should use permanent, non-reusable IDs, expanding digits if necessary. We must build robust systems that are error-resistant to match the increasing trust we place in them.

This article was first published in The Mint. You can read the original at this link.

Flying through Hyderabad airport these days is a true delight. It is the country’s first entirely digital airport—which means that you no longer need to print your boarding pass or ticket to access any part of the airport. All you need is a digital copy of your ticket or boarding pass on your mobile device and whenever you come upon a checkpoint (as you enter the airport, pass through security or approach the boarding gates) all you need to do is wave the QR code under a scanner and the system records the fact that you have passed through into this new area of the airport. If you travel without any check-in baggage, as I do most of the time, you can enter the airport through a special entrance down by the side of the airport building, completely bypassing the check-in counters and directly clearing security so that you almost immediately enter the boarding areas.

This is what can happen if we rely on technology to efficiently solve complex problems. By logging the passage of passengers through each section of the airport, Hyderabad airport has automatically improved the level of traceability of individuals within the building, offering far greater security than they were previously achieving when they used to apply a rubber stamp to a piece of paper. They have managed to ease the flow of passenger traffic and airlines can now locate, more efficiently, the last remaining passengers within the airport complex when they are hustling to complete boarding. It’s a pity that other airports haven’t already adopted this technology.

If this was one of the best airport experiences I have had in India, the very worst has to be a recent incident at immigration in Bengaluru airport. My wife and I were returning from a short holiday overseas and, while I passed through immigration without a problem, as I waited for my wife to get her passport stamped, I could see that something was wrong. Looking over the shoulder of the immigration official I noticed that every time he tried to scan the information off her passport, what kept coming up was the picture of a rather portly Sardar. The immigration official was confused and after a few more attempts, escalated the matter to his superiors.

They were just as perplexed. That very same passport had successfully allowed us out of the country less than a week ago; so it was bizarre that the system had, in the interregnum, suddenly transmorgified her into a rotund male. It took much digging through the system before they could finally identify the problem.

We learned, that night, that the passport department regularly re-uses passport numbers that are no longer in use. Apparently, one of my wife’s long expired passport numbers had, as part of this process of re-cycling, been issued to the gentleman in question. Due to a glitch in the system, instead of pulling up the details of her current passport, the system kept spitting out the details of the man who had inherited her expired number. To their credit, after identifying the problem, it didn’t take long for the immigration officials to stamp the passport and send us on our way. But the entire incident got me thinking about the design of digital systems and the importance of reliable identity.

There are an increasing number of circumstances in which modern society has incorporated digital processes into fundamental aspects of our lives.

Though the immigration official could see for himself that my wife was not the plump Sardar that the computer was asking him to believe, I can imagine alternative circumstances where he might have been inclined to believe the computer over the evidence of his eyes.

If, for instance, we fitted some stereotype of persons more likely—even if only in his perception—to assume a false identity to slip into the country, a glitch in the system like this was all it would have taken for him to invoke his discretion and deny us entry.

As electronic systems assume greater significance in our daily lives, we have begun to rely on them to the point where we will eventually believe them over the evidence of our senses. Before we get there, we must make sure that the systems we build can identify us accurately.

One simple step in this direction would be to base all authentication protocols on a form of permanent identification that is structurally incapable of being re-used. If the system gets to the point where we’re running out of numbers, we have to think of expanding the number of digits in the ID number instead of re-using old numbers.

Above all, let us build robust systems that are not susceptible to errors of this kind—that can live up to the confidence we have begun to repose in them.