CIA listening through Mongo DB? Er…not so fast!

Amidst the deluge of stories being written on UIDAI or AADHAR, the latest to indulge in excessive hand-wringing is the Economic Times, reporting about a deal between MongoDB and UIDAI. The story flags In-Q-Tel’s investment in MongoDB as the wolf we should be scared of. In-Q-Tel is a venture capital firm funded by the US intelligence community. This fact, per the story, supposedly makes UIDAI more susceptible to Foreign Intelligence Surveillance Act (FISA) court orders in the United States, thus putting the personal data of millions of Indian nationals at risk. Here we try to sift the effectual truth from a mishmash of claims.

First and foremost, MongoDB is Free and Open Source Software (FOSS) for building and using “NoSQL” databases. NoSQL has been a leading area of technical innovation in data storage in recent years. Making database software is not the same as providing data storage services. MongoDB is a very small collection of programmers writing code. They control no data stored on computers, though other people’s computers run their program. People who don’t work in the industry might confuse news about a “service and consulting contract” between UIDAI and MongoDB Inc. with a data storage contract. If UIDAI had entered into a storage service agreement with Google or Amazon Web Services, to store Indians’ personal data on servers in the United States, the criticism voiced might be pertinent. But a service contract between UIDAI and MongoDB is one for service to the software program alone. We know this not because we have read the contract, but because, as FOSS lawyers, we know a little about MongoDB.

The involvement of In-Q-Tel with MongoDB has been used to imply sinister intent of some kind. While it is true that In-Q-Tel is a venture capital investor which learns about and supports technology start-ups whose work may have future value to the US intelligence community, many important FOSS projects have had, or now have, support from the US government and the US intelligence community. An example of this is SELinux, or Security Enhanced Linux, which was primarily developed on contract for the National Security Agency and has been integrated into the Linux kernel mainline since 2003. SELinux provides a complete security model for the Linux kernel that is used by most of the commercial and community-supported GNU/Linux distributors in the world today. This has not prevented many departments of the Indian government, including the judiciary, from using Red Hat Enterprise Linux.

Further, no one has shown how either In-Q-Tel’s support, or the fact that the software is made in the United States, somehow makes the data stored when the program is run on Indian computers subject to the US Foreign Intelligence Surveillance Court, as has been suggested. If being made in the US and used by US military and intelligence agencies to store data were enough to taint software, the Government of India could not use Oracle, IBM DB2, MySQL, Hadoop, Hive or any other proprietary or FOSS world-class program for data storage and analysis. Currently, there are no Indian substitutes for any of these programs.

Fortunately, these claims do not seem to rest on any actual facts or any legal analysis.

One very important point which an observer touches upon, but which is generally overlooked, is the ability to audit FOSS software. Unlike proprietary offerings, FOSS products are completely open to study, inspection and modification. MongoDB’s database server and tools are distributed under the AGPLv3 FOSS license. This license requires public access to the source code of the software, so that users have the freedom to look at the software and tinker with it. This means any entity can use the available software and modify it for any purpose. If there were some sort of spying code inside MongoDB, it would be visible, and it would be promptly removed by other distributors or users. FOSS communities are based on everyone’s ability to read the code, fix bugs, and make improvements. That property of FOSS made the audit of SecureDrop so much cheaper and quicker.

FOSS is the last place to suspect “back doors” or traps. Even if there were problems with FOSS offerings, the fact that there are a large number of eyes scanning the code makes the hunt for vulnerabilities faster and bug-fixing swifter. Needless to say, it also makes it possible for all enhancements and improvements made to the software to be contributed back to the common pool, thus benefiting the community as a whole.

UIDAI, which has the ambition to “issue a unique identification number that can be verified and authenticated in an online, cost-effective manner, which is robust enough to eliminate duplicate and fake identities,” will ultimately be one of the largest and most important parts of India’s public information infrastructure. Data storage software that is scalable, improvable, and inexpensive is a crucial building material in the project. Currently, MongoDB is a very sensible technology choice, with a crucial advantage in being FOSS. In fact, by choosing this very important FOSS component, UIDAI may actually be edging slowly towards the much-needed transparency, at least in the technology it deploys.

This MongoDB non-controversy, which this story seems intended to create, shows the complexity of public policy issues around digital privacy and security. In this area, policy discussions can easily be diverted by technical ignorance. The landscape of the world has definitely altered since June 2013, and not for the better. The large-scale surveillance highlighted by the Snowden revelations has forced us to be very suspicious about the practices of government agencies and intelligence services. However, the tools they use to carry out surveillance are mostly tools that have other substantial, harmless uses. While we must be more careful about the practices being followed by governments and corporations, we must avoid the urge to hyperventilate every time we hear that the NSA is using a wonderful FOSS program, say Apache Hadoop, for some purpose, when the same framework is also used by Amazon to serve your shopping needs, by your bank, and perhaps by the search engine you used to find this comment.