Search interesting materials

Thursday, May 10, 2012

Faulty tradeoffs in security

The new world of security in India

Only in a police state is the job of a policeman easy.

-- Orson Welles

The policemen of India say: It is only by using onerous and intrusive tracking procedures that we will be able to block the terrorism, the tax evasion, the money laundering. But society should be designed for the convenience of the median citizen and not for the convenience of the policeman. Yes, when citizens have liberty, it imposes more work upon the policeman. That is a tradeoff we should favour.

In every place in the world, I walk into a coffee shop, open my laptop, and go into free open wifi networks. Except in India. Open wifi networks are banned in India, because they make life difficult for policemen. This is a bad tradeoff : we have sacrificed the immense gains from ubiquitous open wifi networks, in return for reducing the work of policemen.

Terrorists and criminals use roads. Does that mean that we will only permit people with photo IDs to embark on roads? Terrorists and criminals drink water. Does this mean that we will only permit people with photo IDs to buy water? And so on.

Global norms on financial distribution, which have been pushed hard into the direction of more monitoring by the US Treasury, do not require a know-your-customer on every transaction. They only require `customer due diligence' (CDD), which means that the due diligence applied on a transaction should be appropriate (a big principles-based word) for the transaction at hand. We in India have translated this into a mechanistic rule "demand KYC for everything". This is incorrect. A greater push-back is required, from citizens.

In a civilised society, employees of government will have to work hard and work smart in blocking terrorism, obtaining tax revenues, etc. This is okay. We should not set out to make the life of these employees easy. Obtaining a high tax/GDP ratio requires careful, detailed hard work, and a lot of brainpower. In the absence of this, there is a temptation to resort to quick fixes, which should be avoided.

A civil liberties perspective

They who can give up essential liberty
 to obtain a little temporary safety,
deserve neither liberty nor safety

-- Benjamin Franklin

We get asked to prove identity to enter an airport, to do financial transactions, to get a mobile phone, etc. We have become used to the idea that this is essential in this world inhabited by too many terrorists.

I think anonymity and privacy are precious and valuable. We in India seem to have given up on protecting civil liberties from an encroaching State that wants to know a lot about us. Particularly given that we are a fragile democracy that works imperfectly, it is important for us to have less information in the hands of the State. One element of the imperfection of our democracy is the undersupply of criticism. We need to cherish and protect the critic, which will be assisted by having a government that knows less about us.

The best we're able to muster today, in the Indian discourse, is the hope that UIDAI will reduce our transactions costs of complying with the surveillance state. I think it's important to go deeper, to question this array of rules that monitor us. How much security do they buy us, in return for what costs to society?

What bang for the buck?

We should be more intelligent in weighing these tradeoffs between imposing costs upon society at large, and the extent to which they help us catch criminals. A great deal of what passes for security procedures today is quite silly when you pause to think about it.

We are obsessed with monitoring electronic payments. The bad guys will just use cash. The amount of money required for pulling off the WTC attacks is believed to be roughly \$100,000, which was wired to Mohammad Atta. It is not hard to move \$100,000 through non-electronic channels: this is the value of 11 bars of gold, each the size of a pack of cigarettes.

In fact, it is very convenient for the authorities when the bad guys use electronic channels, since greater tracing becomes feasible. We have a fair clue that this money came to Mohammad Atta from Pakistan's ISI because the money was wired; if the bad guys had moved money through cash or gold or diamonds or platinum, we would have not known this crucial fact. It is better for us if more bad guys ride on the electronic highways of the financial system. As long as cash is around in large quantities in India, it makes little sense to block people from coming into electronic payments on the grounds of KYC.

We are obsessed with physical IDs as a tool for security. But the bad guys will easily forge any physical IDs that you can propose. It is not clear what safety we're buying, in return for the enormous human resource and cost in time that is being expended today in checking IDs.

We in India are surprised to discover that in the US, you can buy a temporary one-month GSM SIM card at a storefront, without any know-your-customer or proof of identity. They do not even want to know your name. This is not to say that the security agencies in the US are not watching everyone keenly. The point is that they are doing this in ways that impose lower costs upon society; the security procedures are less of an eyesore.

A need to rethink where we're going

Many elements of the information before us, today, suggest things aren't going well:
  • In the US, despite a fairly open and liberal system (e.g. freely selling GSM SIMs to anyone, without requiring even a name), law enforcement has been pretty effective: They haven't had a single successful terrorist attack after 2001, despite being the #1 target of myriad nutcases like OBL. In India, thousands of people have died in terrorist attacks, even though we have embarked on a barrage of security procedures.
  • Every terrorist caught dead or alive in India has a cell phone. This suggests that our attempts at requiring a KYC for every mobile phone aren't so useful.
Failure should have consequences. We should rethink the way we work today, drawing on these blocks of evidence.

We need to ask three questions:
  1. Tradeoffs between freedom and safety. How much of a violation of personal freedom are we willing to accept, in return for better enforcement of laws. We should be willing to sacrifice some safety in return for more freedom. E.g. Saudi Arabia has low crime, but do we want to be Saudi Arabia?
  2. Tradeoffs between prosperity and safety. How much inferior GDP are we getting, as a consequence of the security procedures which are being put into place? We are willing to sacrifice some safety in return for more GDP. E.g. there would be fewer road accidents if the speed limit were 25 kph (and road accidents kill vastly more people than terrorists), but we're willing to live with the carnage on the roads in return for higher prosperity.
  3. Does the claimed security procedure even work?? What is the bang for the buck, the effectiveness of these procedures? As many examples above have suggested, many of the security procedures used in India seem to be poorly thought out.

Drawing on my experiences in Indian public policy process, I can venture a guess about how the prevailing tools of security came about. A meeting was organised. Everybody in the room was an experienced security practitioner. The only viewpoint present was about how the world can be redesigned to make life easier for the employees of government. Everyone was indignant. We have to do something. A few security as theatre proposals came up. Everyone agreed. It felt like we were making progress; we certainly got plenty of showy security procedures to impress Parliamentarians and the media. Nobody asked second order questions; nobody analysed the data. This combination of factors (indignation, decision making dominated by the status quo, theatre to satisfy journalists and politicians, lack of a feedback loop through data capture and data analysis) is not conducive to problem solving.

We in India repeatedly find ourselves in a situation where law enforcement is placed under pressure to deliver. Whether it is a crime wave, or a terrorist attack, or a low tax/GDP ratio: officials are asked to do better. Such demands for performance are entirely appropriate. However, at such times, we should be careful to not accede to bargains where the enforcers promise results in exchange for arrangements that make life convenient for the enforcers, at the expense of the open society.


  1. There are many such issues in India. The western philosophy of personal liberty, including minimal-to-no censorship of art and media, and freedom of expression, is not adhered to by many in India. In the least, not many seem to raise their voice on these important matters---they simply do not seem concerned. This silence of the people makes one wonder is there is even a critical mass of people who have the resources and willingness to defend their rights.

    1. We went through one great burst of political consciousness in the freedom movement - but that was largely focused on a negative agenda (getting rid of the British) rather than a positive agenda (what do we want to be?). There used to be a naive viewpoint that all we have to do is get rid of the British and all will be well.

      We need to do more thinking asking ourselves what kind of society we want to be.

      This should be led by intellectuals. Unfortunately, India has destroyed the university departments in the fields of philosophy, law, political science and history. This has eliminated a key group of individuals who should have played a leadership role in these questions.

      We in India, at present, do not have a liberal philosophy at the core of thinking about the State. This is truly dangerous - every now and then the government gets up to egregious stuff. The universities are not producing thoughtful people; all too often, students leave college holding the same naive prejudices and closed-mindedness that they brought when they came in.

  2. I am not very sure whether this issue is of much concern to a large number of Indians. I see my dear compatriots as gladly accommodating of a paternalistic state controlling with a rusty iron fist, sheathed, perhaps in a tattered velvet glove.

    The mobile phone 'KYC' norms are an utter joke and in any case, they are not enforced - which just ends up being a compliance burden.

    Talking of 'security' and stretching the definition of security a bit, I had an experience with a bank not so long ago.

    The bank asked me to fill a form to get online-banking service. The form had a field where I had to *write* my desired password. I asked, what happens to this form once I fill it. They said, it will be kept on file. I cannot imagine what sort of moron from their IT department designed a form which asks a customer to write their password for a banking account and essentially hand it over to them. (It is a leading bank too...)

    Very recently I had the misfortune of visiting the local police station, to report car theft. A car went missing at about 8pm from a very busy area in Bombay. The police officer on duty casually told me that it is impossible that a car was stolen because - "8pm is not the time when cars are stolen; that thieves don't steal before dark".

    What is more worrisome is that such is the situation in a reasonably decent suburb of the city; I cannot imagine the general incompetence of public 'security' agencies (and other public services paid by way of taxes) which people have to deal with elsewhere outside town.

    I think, the 'security procedures being less of an eyesore' in the US has a lot to do with creating/using state-of-art technology to address security-related issues. If they are collecting data quietly, I reckon, they are at the very least using it intelligently.

    In contrast, if all the billion Indians have a cell phone, in the current form, we will have one billion paper forms for KYC along with associated documents. Who will 'process' them and how? How will that data ever get mined, analyzed to extract the 'bad guys outliers' *in time*?

    With a fetish for forms and paper work, India is bound to always miss the needle in the haystack - unless of course, we decide to burn the haystack totally and then spot a shining needle.

    Franklin's quote is apt for India.

  3. When I came back to India and I had a valid passport, it was still difficult for me to open a bank account. Why? I wanted to settle down in a semi-rural area, but my passport had a city address. This was in 2004. KYC is stupid. I fully agree with you.

    In Saudi Arabia -- as also other Gulf countries -- there is no free press and crime is highly under-reported. The Saudi state itself is a criminal state, from where money has flown in to countries like India and Pakistan to institutions that preach hatred for others.

  4. Also reminded me of :

    This page has much of interest :

    1. Dear Vishal,

      Do use href for links as in HTML.

      The links above are link and link.

  5. If anyone has seen the recent evemts in Mumbai with regard to Police High-handedness, one would wonder that things are turning for the worst. Just to quote two recent events

    1 Mumbai police raids a bar in Khar and takes guests in custody. When nothing is proven, they want to label the absolutely anachronistic law that they were drinking Liquor without permits. Sure they have better things to do than moral policing

    2. Some Mumbai Additional commisionar staates that all rental agreements to be informed to Police and they will do verification so that crime can be prevented. Why this intrusive behaviour in all aspects of citizens life is beyond me. THey definitely need to go about more intelligently in tackling crime rather than creating beauraucracies which add to citizend as well as Police burden

  6. The pressures to deliver are primarily responsible not only for 'security as theater' but also for the fake encounters,the illegal detentions,the extortion of confessions through torture,and the rounding-up of innocents.We must realize that policing is more like economics than physics;there are no straightforward answers to the problems created by the behaviour of a large number of persons.


Please note: Comments are moderated. Only civilised conversation is permitted on this blog. Criticism is perfectly okay; uncivilised language is not. We delete any comment which is spam, has personal attacks against anyone, or uses foul language. We delete any comment which does not contribute to the intellectual discussion about the blog article in question.

LaTeX mathematics works. This means that if you want to say $10 you have to say \$10.