<?xml version="1.0" encoding="utf-8" ?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns="http://purl.org/rss/1.0/">




    



<channel rdf:about="https://cis-india.org/internet-governance/blog/online-anonymity/search_rss">
  <title>We are anonymous, we are legion</title>
  <link>https://cis-india.org</link>
  
  <description>
    
            These are the search results for the query, showing results 2831 to 2845.
        
  </description>
  
  
  
  
  <image rdf:resource="https://cis-india.org/logo.png"/>

  <items>
    <rdf:Seq>
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/news/asian-age-march-25-2018-aadhaar-safety"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/news/the-wire-karan-saini-may-11-2018-aadhaar-remains-an-unending-security-nightmare-for-a-billion-indians"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/news/business-today-july-19-2017-aadhaar-privacy-key-issues-that-all-aadhaar-card-holders-should-bear-in-mind"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/news/dna-may-2-2017-report-aadhaar-numbers-of-135-mn-may-have-leaked-claims-cis-report"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/news/pti-news-may-2-2017-aadhaar-numbers-of-135mn-may-have-leaked-claims-cis-report"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/news/times-of-india-may-5-2017-aadhaar-numbers-of-135-mn-may-have-leaked-claims-cis-report"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/aadhaar-vs-social-security-number"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/news/firstpost-bindisha-sarang-august-10-2017-aadhaar-may-be-made-must-for-market-investments-good-to-curb-laundering-but-what-about-data-security"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/hindustan-times-pranesh-prakash-april-3-2017-aadhaar-marks-a-fundamental-shift-in-citizen-state-relations"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/news/aadhaar-linking-deadline-approaches-here-are-all-the-myths-and-facts"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/news/business-standard-sahil-makkar-march-12-2016-aadhaar-is-actually-surveillance-tech-sunil-abraham"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/news/bloomberg-quint-may-2-2017-mahima-kapoor-aadhaar-details-of-people-available-on-govt-sites"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/news/new-indian-express-april-26-2018-aadhaar-data-over-89-lakh-mnrega-workers-in-andhra-pradesh-leaked-online"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/news/indian-express-may-3-2017-aadhaar-data-of-over-13-crore-people-exposed-new-report"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/news/india-today-may-4-2017-aadhaar-data-of-130-millions-bank-account-details-leaked-from-govt-websites-report"/>
        
    </rdf:Seq>
  </items>

</channel>


    <item rdf:about="https://cis-india.org/internet-governance/news/asian-age-march-25-2018-aadhaar-safety">
    <title>Aadhaar safety</title>
    <link>https://cis-india.org/internet-governance/news/asian-age-march-25-2018-aadhaar-safety</link>
    <description>
        &lt;b&gt;We get experts to give their take on a current issue each week and lend their perspective to a much-discussed topic.&lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;The article was published in &lt;a class="external-link" href="http://www.asianage.com/life/more-features/250318/aadhaar-safety.html"&gt;Asian Age&lt;/a&gt; on March 25, 2018.&lt;/p&gt;
&lt;hr style="text-align: justify; " /&gt;
&lt;p style="text-align: justify; "&gt;Attorney General K. K. Venugopal claiming before a five-judge constitutional Bench of the Supreme Court that Aadhaar data remains safe and secure behind a  complex with 13-ft high and 5-ft thick walls has resulted in a series of trolls and hilarious responses. We ask tech experts if this is the proper way to ensure safety of digital data and their opinions on alternatives, if any, to keep public data safe.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;strong&gt;‘Safety claims are bogus’&lt;br /&gt;&lt;em&gt;Hrishikesh Bhaskaran, Privacy Activist&lt;/em&gt;&lt;/strong&gt;&lt;br /&gt;Aadhaar safety claims are bogus. It is vulnerable and its vulnerabilities were pointed out by many information security experts in the past. If someone says that a 13-ft high 5-ft thick wall complex is protecting your digital data (which is well connected to the outside network) be sure that a village is missing its idiot. Digital data leak almost always happens through the network. Multiple cases were reported about the Aadhaar data leak (The Tribune report for example). Many government sites are leaking Aadhaar details of citizens and are available publicly through a simple Google search. (Read as the data are already in public without anyone hacking into it).&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The system is defective by design and is maintained by mediocre talents and technology. I feel that their claims about the huge walled protection are a tactic to divert discussion on the human rights angle because otherwise, the government will have no choice but to scrap the whole Aadhaar idea. The only way to protect the personal data of citizens is to start afresh.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;strong&gt;‘Multi-level security assumes added significance’&lt;br /&gt;&lt;em&gt;Jaideep Mehta, CEO of VCCircle.com&lt;/em&gt;&lt;/strong&gt;&lt;br /&gt;Physical security is an important component in the overall security architecture. In addition there is a need to protect the data with multiple levels of cyber security including data encryption, bio-metric driven access, protection against malware and so on. Multi-dimensional security assumes added significance as this is a nationally important database.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;strong&gt;‘Tightening system, or line of human command more important’&lt;br /&gt;&lt;em&gt;Ershad Kaleebullah, Technology Editor&lt;/em&gt;&lt;/strong&gt;&lt;br /&gt;There are right ways to secure digital data. I know of solutions at the individual user level. But for something of Aadhaar’s size the security of digital data will obviously happen at a much, much larger scale. All the resident data and raw biometrics are stored in UIDAI’s datacentre and even fortifying it with the world’s thickest and tallest wall is not going to protect them. I’m really not sure of any foolproof data security systems in the world at that scale. Tightening the system or the line of human command is more important. If Snowden can walk out of NSA with highly confidential information on a lowly thumb drive, Aadhaar data can be easily hacked. If I have to be blunt here, Indians can’t keep a secret to save their lives.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;strong&gt;‘Your data security is in your hands, always be cautious’&lt;br /&gt;&lt;em&gt;Viraj Kumar Pratapwant, Senior Software Design Engineer&lt;/em&gt;&lt;/strong&gt;&lt;br /&gt;First off, no hacker is going to run into a data center and rob data disks. The idea to construct high and thick walls will make anyone chuckle. Speaking about alternatives, let's talk about data. Basically there are two types of data: Data in Motion and Data at Rest. With the right set of firewalls guarding these two kinds will ensure some amount of security. Sensitive and vital information should always be encrypted and kept out of reach for any external source to access this data. Having multiple steps of verification could help the user safeguard his authenticity. Your data and privacy are the most important factor, they should only be shared with trusted sources and with your consent. A lot of data are going digital and soon our lives will completely rely on digital data. The government should enforce strict vigilance to public data. They should make sure that the consumers should follow all the security guidelines and must prove that the data will be saved responsibly. Any compromise caused by any sources should be penalised by law. Lastly, your data security is in your hands, always be cautious about who and where you are giving the data.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;em&gt;&lt;strong&gt;Sunil Abraham, Executive Director at Centre for Internet and Society&lt;/strong&gt;&lt;/em&gt;&lt;br /&gt;Encryption, regardless of the key length, is only useful when citizens have absolute control of the private key. If the UIDAI had gone with smart cards my private key would have only been stored on my smart card. Even though the data is encrypted in the CIDR - the deduplication software needs to compare the biometric of the person getting enrolled with the unencrypted biometric of others already in the database. This means that the engineer who controls the software has access to the whole biometric database. If a foreign state installs a Trojan on the engineer's system it can get into the CIDR. The deduplication software is a proprietary black box software which is owned by a foreign corporation. We don't know what hidden capabilities are there in this software.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/news/asian-age-march-25-2018-aadhaar-safety'&gt;https://cis-india.org/internet-governance/news/asian-age-march-25-2018-aadhaar-safety&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>Admin</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Aadhaar</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2018-03-26T17:09:26Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/news/the-wire-karan-saini-may-11-2018-aadhaar-remains-an-unending-security-nightmare-for-a-billion-indians">
    <title>Aadhaar Remains an Unending Security Nightmare for a Billion Indians</title>
    <link>https://cis-india.org/internet-governance/news/the-wire-karan-saini-may-11-2018-aadhaar-remains-an-unending-security-nightmare-for-a-billion-indians</link>
    <description>
        &lt;b&gt;Yesterday was the 38th and last day of hearings in the Supreme Court case challenging the constitutional validity of India’s biometric authentication programme. After weeks of arguments from both sides, the Supreme Court has now reserved the matter for judgement.&lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;The article by Karan Saini was published in the &lt;a class="external-link" href="https://thewire.in/government/aadhaar-remains-an-unending-security-nightmare-for-a-billion-indians"&gt;Wire&lt;/a&gt; on May 11, 2018.&lt;/p&gt;
&lt;hr /&gt;
&lt;p style="text-align: justify; "&gt;Since its inception, the Aadhaar project has lurched from controversy to scandal. In the last two years, the debate has heavily centred around issues of data security, privacy and government overreach. This debate, unfortunately, like with most things Aadhaar, has been obfuscated in no small part due to the manner in which the Unique Identification Authority of India (UIDAI) reacts to critical public discussion.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;As India waits for the apex court’s judgement, this is as good a time as any to take stock of the security and privacy flaws underpinning the Aadhaar ecosystem.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Poor security standards&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;Let’s start with the lackadaisical attitude towards information security. As has become evident in the &lt;a href="https://cis-india.org/internet-governance/information-security-practices-of-aadhaar-or-lack-thereof/view" target="_blank"&gt;past&lt;/a&gt;, harvesting and collecting Aadhaar numbers – or acquiring scans and prints of valid Aadhaar cards – has become a trivial matter.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;There are several government websites which implement Aadhaar authentication while at the same time lacking basic security practices such as the use of SSL to encrypt user traffic and/or the use of captchas to protect against brute-force or scraping attacks. This includes the biometric attendance website of the &lt;a href="http://dgftbct.attendance.gov.in/register/myemp" rel="noopener" target="_blank"&gt;Director General of Foreign Trade&lt;/a&gt;, the website for the &lt;a href="http://nfsm.gov.in/dbt/aadhaarverification.aspx" rel="noopener" target="_blank"&gt;National Food Security Mission&lt;/a&gt; and the &lt;a href="http://medleaprhry.gov.in/PvtAddRecord.aspx" rel="noopener" target="_blank"&gt;Medleapr website&lt;/a&gt;.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;With numerous government websites being susceptible, problematic issues such as the use of open directories to store sensitive data gives us a look into how even the bare minimum – when it comes to adhering to security best practices – isn’t enforced across the gamut of websites which interface with Aadhaar.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;It should not be acceptable practice to have government websites with open web directories containing PDF scans of dozens of Aadhaar cards available for just about anyone to view and/or download. Yet, over the past year and even before, many government websites have been found to either inadvertently or knowingly publish this information without much regard for the potential consequences it could have.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The UIDAI has repeatedly shown an attitude of hostility and dismissiveness when it comes to fixing security and privacy issues which are present in the Aadhaar ecosystem. It has also shown no signs of how it plans to tackle this problem.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;In my personal experience as a security researcher, I have found and reported a cache of more than 40,000 scanned Aadhaar cards being available through an unsecured database managed by a private company, which relied on those scans for the purposes of verifying and maintaining records of their customers.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;What’s worse is that the media reports regarding Aadhaar information being exposed may only be scratching the surface of the issue as more data may actually be susceptible to access and theft, and simply yet to be found and publicly reported. For example, data could be leaking through publicly available data stores of third-party companies interfacing with Aadhaar, or through inadequately secured APIs and sensitive portals without proper access controls.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Not all security incidents become a matter of public knowledge, so what we know at any given point about the illegal exposure of Aadhaar information may just be a glimpse of what is actually out there.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;It should be acknowledged that the possession of these 12-digit numbers and their corresponding demographic information can open up room for potential fraud –  or at the very least make it easier for criminals to carry out identity theft and SIM and banking fraud.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;A &lt;a href="https://thewire.in/economy/aadhaar-fraud-uidai" target="_blank"&gt;detailed analysis&lt;/a&gt; of all publicly-reported Aadhaar-related or Aadhaar-enabled fraud over the last few years shows that the problem is not only real but deserves far more attention than what it has received so far.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Threat level infinity&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;Taking a step back, it’s clear that the Aadhaar project snowballed into an ecosystem that it now struggles to control.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;For instance, demographic information – as is stated in the draft for the &lt;a href="https://www.uidai.gov.in/images/the_aadhaar_act_2016.pdf" rel="noopener" target="_blank"&gt;Aadhaar Act&lt;/a&gt; (NIDAI Bill 2010) – was originally considered confidential information, meaning no entity could request your demographic information such as name, address, phone number etc. for purposes of eKYC.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;However, as the ecosystem has progressed, the implementation and usage of eKYC have also changed and grown significantly with companies like PayTM utilising eKYC for the purposes of requesting and verifying customer information. It should be considered that data which has been collected by any of these companies through Aadhaar can be accessed by them in the future for an indefinite period of time depending on their own policies regarding storage and retention of the data.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;If there ever is a breach of the CIDR or a mirrored silo containing a significant amount of Aadhaar-related data, it would directly affect more than one billion people. To put this in perspective, it would easily be the single largest breach of data in terms of the sheer number of people affected &lt;i&gt;and&lt;/i&gt; it would have far-reaching consequences for everyone affected which might be very hard to offset.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;On a comparatively smaller scale – although just as serious, if not more in terms of potential implications – would be a breach of any given state’s resident data hub (SRDH) repository. In some cases, SRDHs &lt;a href="https://www.thenewsminute.com/article/13-lakh-aadhaar-numbers-leaked-andhra-govt-website-linked-personal-details-80178" rel="noopener" target="_blank"&gt;have been known to integrate data&lt;/a&gt; acquired from other sources containing information regarding parameters such as caste, banking details, religion, employment status, salaries, and &lt;a href="https://webcache.googleusercontent.com/search?q=cache:-HMXusc-Nm4J:https://mpsrdh.gov.in/aboutUsCitizen.html+&amp;amp;cd=2&amp;amp;hl=en&amp;amp;ct=clnk&amp;amp;gl=in&amp;amp;client=firefox-b-ab" rel="noopener" target="_blank"&gt;then linking the same&lt;/a&gt; to residents’ corresponding Aadhaar data.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Damage control would be costly and painstaking due to the number of people enrolled. What adds to the disastrous consequences is that one cannot just deactivate their Aadhaar or opt-out of the programme the way they would with say a compromised Facebook or Twitter account. You can always deactivate Facebook. You cannot deactivate your Aadhaar. It should be noted that even with biometrics set to ‘disabled’, Aadhaar verification transactions can be verified through OTP.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Additionally, the Aadhaar ecosystem is such that information about individuals can be accessed not just from UIDAI servers but also from other third-party databases where Aadhaar numbers are linked with their own respective datasets. Due to this aspect – multiple points of failure are introduced for possible compromise of data, especially because third-party databases are almost certainly not as secure as the CIDR.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Recently, after taking a closer look at the ecosystem of websites which incorporate the use of Aadhaar based authentication, I &lt;a href="https://www.karansaini.com/extracting-aadhaar-linked-phone-numbers/" rel="noopener" target="_blank"&gt;discovered that it was possible&lt;/a&gt; to extract the phone number linked to any given Aadhaar through the use of websites which poorly implemented Aadhaar text-based (OTP) authentication.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;This process worked by first retrieving the last four digits of the phone number linked to an Aadhaar using any website which reveals this information (this includes DigiLocker and NFSM.gov.in, and seems to be standard practice enforced by UIDAI) and then performing an enumeration attack on the first six digits using websites which allow the user to provide both their Aadhaar number and the verified phone number linked to it.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;This again highlights that while secure practices might be followed by the UIDAI, the errors in implementation and other flaws are introduced nevertheless by third parties who interface with Aadhaar, posing a risk to the privacy and security of its data.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;The bank mapper rabbit hole&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;As of February 24, 2017, it &lt;a href="https://thewire.in/government/india-inc-needs-to-fix-numerous-basic-%20information-security-flaws-quickly)" target="_blank"&gt;was possible&lt;/a&gt; to retrieve bank linking status information directly from UIDAI’s website without any prior verification.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;However, after this information was reported, the ‘&lt;a href="https://uidai.gov.in/" rel="noopener" target="_blank"&gt;uidai.gov.in&lt;/a&gt;’ website was updated to first require requesters to prove their identity before retrieving Aadhaar bank-linking data from the endpoint on their website.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;A year later – when business technology news site &lt;i&gt;ZDNet &lt;/i&gt;published their report regarding a flawed API on the website of a state-owned utility company (later revealed to be Indane) – part of the data revealed included bank linking status information which was identical to what was previously revealed on UIDAI’s website without proper authentication.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;This suggests that both the Indane API and UIDAI website utilised the National Payments Corporation of India (NPCI) to retrieve bank-linking data – but as of now, this remains conjecture since Indane never put out a statement or gave a public comment regarding the flawed API on their website.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;More importantly, what this also suggests is that the NPCI never placed any controls or security mechanisms (such as request throttling or access controls) on the lookup requests it processed for the UIDAI (and seemingly for Indane as well).&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;This means that while the UIDAI may have fixed their website to not reveal bank linking data without proper verification – the issue was not rectified at its core by the NPCI – allowing the same to happen a year later in Indane’s case. This practice also classifies as a case of security through obscurity, &lt;a href="http://users.softlab.ntua.gr/~taver/security/secur3.html" rel="noopener" target="_blank"&gt;which&lt;/a&gt; “is the belief that a system of any sort can be secure so long as nobody outside of its implementation group is allowed to find out anything about its internal mechanisms”.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Who is on the hook?&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;There is a lack of needed accountability when it comes to data breaches. Have any of the organisations against whom allegations of data breach have been made been investigated and acted on? Have fines been imposed on those responsible for allowing access/theft of user data? Have there been reports published by any of the affected organisations in which they investigate any alleged breaches to either provide insight regarding the breach and its impact, the scale of data accessed, logs of access and other crucial evidence or dismiss the allegations by proving that there was no intrusion which took place?&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Most of the time, organisations do not even accept that a breach has taken place, let alone take responsibility for the same and strive to better protect user data in the future.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Switching to ‘PR spin mode’ should never be the answer when dealing with the data of billion-plus Indian citizens and residents. This can be observed in almost all cases where a breach or security lapse was alleged.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The UIDAI has also acquired the dubious reputation of sending legal notices and slapping cases on journalists and security researchers who seek to highlight the security and privacy problems ailing the Aadhaar infrastructure.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;In March 2017, a case against Sameer Kochhar – chairman of the Skoch Group – was filed on the basis of a complaint from Yashwant Kumar of the UIDAI allegedly for “spreading rumours on the internet about vulnerability of the Aadhaar system”. Kochhar had written an article in February 2017 titled “Is a Deep State at Work to Steal Digital India?” in which a request replay attack on biometric Aadhaar authentication was demonstrated.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Two months later, The Centre for Internet and Society published a report regarding several government websites which were inadvertently leaking millions of Aadhaar card numbers. A few days after this report was published, the UIDAI &lt;a href="https://in.reuters.com/article/india-aadhaar-breach/critics-of-aadhaar-project-say-they-have-%20been-harassed-put-under-surveillance-idINKCN1FX1SS" rel="noopener" target="_blank"&gt;sent a legal notice to the organisation&lt;/a&gt;, stating that the people involved with the report had to be “brought to justice”.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;In January 2018, an investigative story was published by Rachna Khaira of &lt;em&gt;The Tribune&lt;/em&gt; newspaper – in which she reported that access to an Aadhaar portal was being sold by “agents” for as cheap as Rs 500. In response to this story – the UIDAI first sought to discredit the investigative work by calling it a ‘case of misreporting’ – after which they attempted to downplay the magnitude of the report by citing that biometrics were safe and had not been breached.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Following this, the Delhi crime branch registered an FIR against the reporter and others named in the article on the basis of a complaint by a UIDAI official, with charges ranging from forgery, cheating by impersonation and unauthorised access of a computer system.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;In March 2018, &lt;em&gt;ZDNet&lt;/em&gt; published a report about Aadhaar-related data leaking from an unsecured API on a utility provider’s website. This was the result of days of testing to first confirm the existence of the issue and its scope. It was preempted by more than a month of attempted communication through several channels of communication – email, phone, even direct messages via Twitter – with both Indane and the UIDAI (and even the Indian Consulate in New York).&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;But still, when the report was published after a lack of acknowledgement/response from affected parties, the UIDAI was quick to deny the report as well as any possibility of such a thing occurring. The Aadhaar agency then released a statement in which they said they were ‘contemplating legal action’ against the publication of their report.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Data security and privacy laws won’t do much to affect the dismissive and hostile attitude the UIDAI seems to have regarding the people that investigate and report on security and privacy issues relating to Aadhaar.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Hide and seek&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;In general, when it comes to reports of security breaches and security incidents, many authorities in India prefer playing the blame-game. This was seen most recently in response to an internal letter (ironically marked as ‘SECRET’) that was circulated on social media – which mentioned that data was stolen from the Aadhaar Seeding portal of the EPFO by hackers exploiting a known vulnerability in the Apache Struts framework.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Following this – the EPFO &lt;a href="https://economictimes.indiatimes.com/wealth/personal-finance-news/epfo-slams-aadhaar-data-theft-reports-on-social-media/articleshow/63999631.cms?utm_source=WAPusers&amp;amp;utm_medium=whatsappshare&amp;amp;utm_campaign=socialsharebutton&amp;amp;from=mdr" rel="noopener" target="_blank"&gt;quickly switched to PR mode&lt;/a&gt; and publicly issued a statement through their official Twitter account (@socialepfo) denying the breach – saying that “There is no leak from EPFO database. We have already shut down the alleged Aadhaar seeding site run by Common Service Centres on 22.03.2018.”&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Every time reports of a potential breach or leak of data circulate, Indian government agencies are quick to come out and announce that no breach has taken place. However, this is always to be taken just on the basis of their saying so, as opposed to the reports which they’re meant to be arguing (in some cases) contain verifiable evidence which is the result of arduous investigative work.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Regardless, passing around the blame and in cases completely denying security incidents is not something authorities should be doing when it concerns the data of more than a billion people.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;In response to a recent story by &lt;em&gt;Asia Times&lt;/em&gt; &lt;a href="https://www.thewire.in/government/cracked-aadhaar-enrolment-software-being-sold" rel="noopener" target="_blank"&gt;regarding Aadhaar enrolment software being cracked and sold&lt;/a&gt;, the UIDAI sought to discredit and discount the report through messages shared on their social media profiles – where they stated that the report was “baseless, false, misleading and irresponsible”.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The UIDAI should have an interest in protecting any and all data which stems from or relates to Aadhaar as it has to do with a project they are ultimately responsible for. It should not matter whether the leak occurred from a portal on EPFO’s website, an API without proper access controls on Indane’s website, a website of the Andhra Pradesh state government, through biometric request replay attacks, through sold access to admin portals and cracked software, or however else. It should ultimately be the UIDAI’s responsibility to not only be reactive about these issues when they’re brought to light but to do so in such a way which does not hinder reporters from continuing their work.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Additionally, if the UIDAI wishes to keep its systems as secure as they could be – they should proactively seek such reports about flaws or vulnerabilities in critical infrastructure pertaining to their project.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;The way forward&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;In April 2018, the head of the Indian Computer Emergency Response Team (CERT-In), &lt;a href="https://factordaily.com/vulnerability-reported-cert/" rel="noopener" target="_blank"&gt;rather defensively noted&lt;/a&gt; that “not a single person had reported any incident” to the organisation.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;CERT-In, a part of the IT ministry, is the central agency responsible for dealing with security issues and incidents. To put it bluntly, it has not done a very great job of outreach when it comes to the people it ultimately relies on: security researchers and hackers.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;In India, there is an abundance of skills and talent when it comes to IT security and this could be of immense help to organisations responsible for managing critical infrastructure – but only if they cared enough to utilise it to the fullest extent.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Ajay Bhushan Pandey, the CEO of UIDAI,  promised a secure and legal bug reporting environment for the Aadhaar ecosystem sometime in 2017. However, almost a year later, there are no tangible signs of any steps being taken to ensure the same. In fact, the UIDAI would already be straying from their usual course of action if they stopped harassing people reporting on issues of security and privacy with regard to Aadhaar.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;It has been suggested that the UIDAI employ a bug bounty programme – which involves rewarding hackers with monetary compensation or through means such as an addition to a ‘Security Hall of Fame’ as an incentive.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;I personally believe that there is no need for a bug bounty programme in its traditional sense – meaning that UIDAI should not have to provide material incentives to attract hackers to report valid issues to them. Simply acknowledging the work of those that discover and report valid issues should more than likely be incentive enough to get talent on-board.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The US Department of Defense (DoD) employs a similar approach &lt;a href="https://www.hackerone.com/sites/default/files/2018-03/Distributed%20Defense-How%20Governments%20Deploy%20Hacker-Powered%20Security.pdf" rel="noopener" target="_blank"&gt;where they invite hackers from the world&lt;/a&gt; over to test their systems for security vulnerabilities/bugs and then report them in a responsible manner. What the hackers get in return is the acknowledgement of their skill and devotion to ensuring the security of DoD’s platform. Something similar needs to be set up with regard to critical information infrastructures in India so that issues can be reported by anyone who wishes to do so – without hassle and/or fear of persecution hanging over the heads of hackers.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/news/the-wire-karan-saini-may-11-2018-aadhaar-remains-an-unending-security-nightmare-for-a-billion-indians'&gt;https://cis-india.org/internet-governance/news/the-wire-karan-saini-may-11-2018-aadhaar-remains-an-unending-security-nightmare-for-a-billion-indians&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>Admin</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Aadhaar</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2018-05-13T16:28:40Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/news/business-today-july-19-2017-aadhaar-privacy-key-issues-that-all-aadhaar-card-holders-should-bear-in-mind">
    <title>Aadhaar privacy: Key issues that all Aadhaar card holders should bear in mind</title>
    <link>https://cis-india.org/internet-governance/news/business-today-july-19-2017-aadhaar-privacy-key-issues-that-all-aadhaar-card-holders-should-bear-in-mind</link>
    <description>
        &lt;b&gt;As the Supreme Court hears petitions on whether the right to privacy is a fundamental right, there are some key aspects that Aadhaar card holders should bear in mind, especially because the government has made Aadhaar mandatory for a number of schemes and official purposes, including the filing of income tax returns.&lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;The article was &lt;a class="external-link" href="http://www.businesstoday.in/current/economy-politics/aadhaar-privacy-key-issues-that-all-aadhaar-card-holders-should-bear-in-mind/story/256723.html"&gt;published by Business Today&lt;/a&gt; on July 19, 2017.&lt;/p&gt;
&lt;hr style="text-align: justify; " /&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Linking of PAN with Aadhaar: What it means&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The government claims that by linking the Aadhaar with PAN, authorities will be able to crack down on people with multiple PAN cards, and those who are escaping the tax net. The government has also made it clear that all bank accounts will have to be linked to Aadhaar by the end of this year. This, essentially, implies that the government will be able to track financial transactions.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Amit  Maheshwari, Partner, Ashok Maheshwary &amp;amp; Associates LLP, says, "As  the bank accounts of the person would already have PAN as his/her KYC  requirement, once Aadhaar is linked with PAN, it will certainly lead to  automatic link with the bank accounts as well."&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;"Since Aadhaar is  based on biometrics, the chances of duplication are much less as  compared to PAN, which is not based on biometrics," Maheshwari adds.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;According  to the latest data, there are more than 24.37 crore PANs registered in  the country, while Aadhaar card has been issued to 113 crore people.  Against this, only 2.87 crore individuals filed income tax returns (in  the assessment year 2012-2013), out of which 1.62 crore did not pay any  tax - leaving the number of taxpayers at just one per cent of the  country's total population. Given the abysmally low number of tax payers  in the country, the government intends to keep a close watch on tax  evaders with this move.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Although the judgment is awaited, here's a low-down on how to link your PAN card with Aadhaar:&lt;/p&gt;
&lt;ul style="text-align: justify; "&gt;
&lt;li&gt;Register on the e-Filing portal of the Income Tax Department, www.incometaxindiaefiling.gov.in&lt;/li&gt;
&lt;li&gt;Enter log-in ID, password and date of birth&lt;/li&gt;
&lt;li&gt;After  logging in, go to your profile setting which has the option of linking  your Aadhaar Card. Generally, a pop-up window appears, prompting you to  link your PAN card with Aadhaar card.&lt;/li&gt;
&lt;li&gt;Check if the details such as name, date of birth and gender appearing on screen match with those on your Aadhaar card.&lt;/li&gt;
&lt;li&gt;Enter  your Aadhaar card number and click on the 'link now' button. If details  on both the cards match, your card will be linked instantly.&lt;/li&gt;
&lt;/ul&gt;
&lt;p style="text-align: justify; "&gt;&lt;br /&gt;&lt;b&gt;Aadhaar prone to financial frauds&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Many civil rights activists have raised concerns about privacy and security of data under Aadhaar. Bangalore-based civil society group, The Centre for Internet and Society (CIS), has expressed concerns over the lack of security features associated with Aadhaar-linked financial transactions.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Authored  by Amber Sinha and Srinivas Kodali, the CIS report pointed out that  unless sufficient security features are added, the system is prone to  financial frauds.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;"The availability of large datasets of Aadhaar  numbers along with bank account numbers and phone numbers on the  Internet increases the risk of financial fraud," the report said.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;According  to the authors, social engineering is often used to find out bank  account details, credit card numbers and passwords to steal money from  people's accounts.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;"One of the prime examples is individuals receiving phone calls from someone claiming to be from the bank. Aadhaar data makes this process much easier for fraud and increases the risk around transactions. In the US, the ease of getting Social Security Numbers from public databases has resulted in numerous cases of identity theft. These risks increase multifold in India due to the proliferation of Aadhaar numbers and other related data available," the report pointed out.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;How secure is Aadhaar Pay?&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;In May, when malicious ransomware (in which the attacker locks down your computer and demands money to unlock it) infected hundreds of computers in different countries, questions were raised about how safe we are from cyber attacks, especially when digital transactions are increasing by leaps and bounds.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The  government launched Aadhaar Pay, a platform that allows you to make  payments using Aadhaar number-linked bank accounts. It is a merchant  version of Aadhaar-enabled payment system which lets you make payments  without a smartphone. One just requires the fingerprint of the payer for  authentication; there is no need for a POS machine to swipe the card.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;However,  when passwords are fallible, how reliable can biometric authentication  from Aadhaar Pay be, particularly when there have been cases of leakage  of Aadhaar data? According to some experts, Aadhaar authentication is  pretty strong because you cannot connect to the Aadhaar database except  through secured APIs.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/news/business-today-july-19-2017-aadhaar-privacy-key-issues-that-all-aadhaar-card-holders-should-bear-in-mind'&gt;https://cis-india.org/internet-governance/news/business-today-july-19-2017-aadhaar-privacy-key-issues-that-all-aadhaar-card-holders-should-bear-in-mind&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>Admin</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2017-07-20T14:18:28Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/news/dna-may-2-2017-report-aadhaar-numbers-of-135-mn-may-have-leaked-claims-cis-report">
    <title>Aadhaar numbers of 135 mn may have leaked, claims CIS report</title>
    <link>https://cis-india.org/internet-governance/news/dna-may-2-2017-report-aadhaar-numbers-of-135-mn-may-have-leaked-claims-cis-report</link>
    <description>
        &lt;b&gt;Aadhaar numbers and personal information of as many as 135 million Indians could have been leaked from four government portals due to lack of IT security practices, the Centre for Internet and Society has claimed. &lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;The article was published by &lt;a class="external-link" href="http://www.dnaindia.com/india/report-aadhaar-numbers-of-135-mn-may-have-leaked-claims-cis-report-2425384"&gt;DNA&lt;/a&gt; on May 2, 2017.&lt;/p&gt;
&lt;hr style="text-align: justify; " /&gt;
&lt;p style="text-align: justify; "&gt;"Based on the numbers available on the websites looked at, estimated  number of Aadhaar numbers leaked through these four portals could be  around 130-135 million," the report by CIS said.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Further, as many as 100 million bank account numbers could have been "leaked" from the four portals, it added.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The portals where the purported leaks happened were those of  National Social Assistance Programme, National Rural Employment  Guarantee Scheme, as well as two websites of the Andhra Pradesh  government.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;"Over 23 crore beneficiaries have been brought under Aadhaar  programme for DBT (Direct Benefit Transfer), and if a significant number  of schemes have mishandled data in a similar way, we could be looking  at a data leak closer to that number," it cautioned.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The disclosure came as part of a CIS report titled 'Information  Security Practices of Aadhaar (or lack thereof): A Documentation of  Public Availability of Aadhaar Numbers with Sensitive Personal Financial  Information'.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;When contacted, a senior official of the Unique Identification Authority of India (UIDAI) said that there was no breach in its own database. The UIDAI issues Aadhaar to citizens.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The CIS report claimed that the absence of "proper controls" in populating the databases could have disastrous results as it may divulge sensitive information about individuals, including details about address, photographs and financial data.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;"The lack of consistency of data masking and de-identification standard is an issue of great concern...the masking of Aadhaar numbers does not follow a consistent pattern," the report added.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/news/dna-may-2-2017-report-aadhaar-numbers-of-135-mn-may-have-leaked-claims-cis-report'&gt;https://cis-india.org/internet-governance/news/dna-may-2-2017-report-aadhaar-numbers-of-135-mn-may-have-leaked-claims-cis-report&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>praskrishna</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Aadhaar</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2017-05-20T11:10:37Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/news/pti-news-may-2-2017-aadhaar-numbers-of-135mn-may-have-leaked-claims-cis-report">
    <title>Aadhaar numbers of 135 mn may have leaked, claims CIS report</title>
    <link>https://cis-india.org/internet-governance/news/pti-news-may-2-2017-aadhaar-numbers-of-135mn-may-have-leaked-claims-cis-report</link>
    <description>
        &lt;b&gt;Aadhaar numbers and personal information of as many as 135 million Indians could have been leaked from four government portals due to lack of IT security practices, the Centre for Internet and Society has claimed.&lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;The news was published by the &lt;a class="external-link" href="http://www.ptinews.com/news/8665876_Aadhaar-numbers-of-135-mn-may-have-leaked--claims-CIS-report.html"&gt;Press Trust of India &lt;/a&gt;on May 2, 2017.&lt;/p&gt;
&lt;hr style="text-align: justify; " /&gt;
&lt;p style="text-align: justify; "&gt;"Based on the numbers available on the websites looked at, estimated number of Aadhaar numbers leaked through these four portals could be around 130-135 million," the report by CIS said.&lt;br /&gt;&lt;br /&gt; Further, as many as 100 million bank account numbers could have been "leaked" from the four portals, it added.&lt;br /&gt;&lt;br /&gt;The portals where the purported leaks happened were those of National Social Assistance Programme, National Rural Employment Guarantee Scheme, as well as two websites of the Andhra Pradesh government.&lt;br /&gt;&lt;br /&gt;"Over 23 crore beneficiaries have been brought under Aadhaar programme for DBT (Direct Benefit Transfer), and if a significant number of schemes have mishandled data in a similar way, we could be looking at a data leak closer to that number," it cautioned.&lt;br /&gt;&lt;br /&gt;The disclosure came as part of a CIS report titled 'Information Security Practices of Aadhaar (or lack thereof): A Documentation of Public Availability of Aadhaar Numbers with Sensitive Personal Financial Information'.&lt;br /&gt;&lt;br /&gt;When contacted, a senior official of the Unique Identification Authority of India (UIDAI) said that there was no breach in its own database. The UIDAI issues Aadhaar to citizens.&lt;br /&gt;&lt;br /&gt;The CIS report claimed that the absence of "proper controls" in populating the databases could have disastrous results as it may divulge sensitive information about individuals, including details about address, photographs and financial data.&lt;br /&gt;&lt;br /&gt;"The lack of consistency of data masking and de-identification standard is an issue of great concern...the masking of Aadhaar numbers does not follow a consistent pattern," the report added.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/news/pti-news-may-2-2017-aadhaar-numbers-of-135mn-may-have-leaked-claims-cis-report'&gt;https://cis-india.org/internet-governance/news/pti-news-may-2-2017-aadhaar-numbers-of-135mn-may-have-leaked-claims-cis-report&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>praskrishna</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Aadhaar</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2017-05-20T10:42:59Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/news/times-of-india-may-5-2017-aadhaar-numbers-of-135-mn-may-have-leaked-claims-cis-report">
    <title>Aadhaar numbers of 135 mn may have leaked, claims CIS report</title>
    <link>https://cis-india.org/internet-governance/news/times-of-india-may-5-2017-aadhaar-numbers-of-135-mn-may-have-leaked-claims-cis-report</link>
    <description>
        &lt;b&gt;Aadhaar numbers and personal information of as many as 135 million Indians could have been leaked from four government portals due to lack of IT security practices, the Centre for Internet and Society has claimed.&lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;The article was &lt;a class="external-link" href="http://timesofindia.indiatimes.com/business/india-business/aadhaar-numbers-of-135-mn-may-have-leaked-claims-cis-report/articleshow/58529002.cms"&gt;published in the Times of India&lt;/a&gt; on May 2, 2017.&lt;/p&gt;
&lt;hr style="text-align: justify; " /&gt;
&lt;p style="text-align: justify; "&gt;"Based on the numbers available on the websites looked at, estimated  number of Aadhaar numbers leaked through these four portals could be  around 130-135 million," the report by &lt;a class="key_underline" href="http://timesofindia.indiatimes.com/topic/CIS"&gt;CIS&lt;/a&gt; said.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Further, as many as 100 million bank account numbers could have been "leaked" from the four portals, it added.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The portals where the purported leaks happened were those of National  Social Assistance Programme, National Rural Employment Guarantee  Scheme, as well as two websites of the Andhra Pradesh government.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;"Over 23 crore beneficiaries have been brought under Aadhaar  programme for DBT (Direct Benefit Transfer), and if a significant number  of schemes have mishandled data in a similar way, we could be looking  at a data leak closer to that number," it cautioned.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The disclosure came as part of a CIS report titled 'Information  Security Practices of Aadhaar (or lack thereof): A Documentation of &lt;a class="key_underline" href="http://timesofindia.indiatimes.com/topic/Public-Availability-of-Aadhaar-Numbers"&gt;Public Availability of Aadhaar Numbers&lt;/a&gt; with Sensitive Personal Financial Information'.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;When contacted, a senior official of the &lt;a class="key_underline" href="http://timesofindia.indiatimes.com/topic/Unique-Identification-Authority-of-India"&gt;Unique Identification Authority of India&lt;/a&gt; (UIDAI) said that there was no breach in its own database. The UIDAI issues Aadhaar to citizens.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The CIS report claimed that the absence of "proper controls" in populating the databases could have disastrous results as it may divulge sensitive information about individuals, including details about address, photographs and financial data.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;"The lack of consistency of data masking and de-identification standard is an issue of great concern...the masking of Aadhaar numbers does not follow a consistent pattern," the report added.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/news/times-of-india-may-5-2017-aadhaar-numbers-of-135-mn-may-have-leaked-claims-cis-report'&gt;https://cis-india.org/internet-governance/news/times-of-india-may-5-2017-aadhaar-numbers-of-135-mn-may-have-leaked-claims-cis-report&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>praskrishna</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Aadhaar</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2017-05-12T15:40:28Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/aadhaar-vs-social-security-number">
    <title>Aadhaar Number vs the Social Security Number</title>
    <link>https://cis-india.org/internet-governance/blog/aadhaar-vs-social-security-number</link>
    <description>
        &lt;b&gt;This blog calls out the differences between the Aadhaar Number and the Social Security Number &lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;In response to news items that reported the Government of India running pilot projects to enroll children at the time of birth for Aadhaar numbers - an 	idea that government officials in the news items claimed was along the lines of the social security number - this note seeks to point out the ways in which 	the Aadhaar number and the social security number are different.&lt;a href="#_ftn1" name="_ftnref1"&gt;[1]&lt;/a&gt;&lt;/p&gt;
&lt;h2 style="text-align: justify; "&gt;Governance&lt;/h2&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;SSN is governed by Federal legislation: &lt;/b&gt; The issuance, collection, and use of the SSN is governed by a number of Federal and State laws, with the most pertinent being the Social Security Act 1935&lt;a href="#_ftn2" name="_ftnref2"&gt;[2]&lt;/a&gt; - which provides legal backing for the number, and the Privacy Act 1974 which regulates the collection, access, and sharing of the SSN by Federal Executive agencies.&lt;a href="#_ftn3" name="_ftnref3"&gt;[3]&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Aadhaar was constituted under the Planning Commission: &lt;/b&gt; The UIDAI was constituted as an attached office under the Planning Commission in 2009.&lt;a href="#_ftn4" name="_ftnref4"&gt;[4]&lt;/a&gt; A Unique Identification Authority Bill has been drafted, but has not been enacted.&lt;a href="#_ftn5" name="_ftnref5"&gt;[5]&lt;/a&gt; Though portions of the Information Technology Act 2008 apply to the UID scheme, section 43A and associated Rules (India's data protection standards) do not clearly apply to the UIDAI as the provision has jurisdiction only over bodies corporate.&lt;/p&gt;
&lt;h2 style="text-align: justify; "&gt;Purpose&lt;/h2&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;SSN was created as a number record keeping scheme for government services: &lt;/b&gt; The Social Security Act provides for the creation of a record keeping scheme - the SSN. Originally, the SSN was used as a means to track an individual's earnings in the Social Security system.&lt;a href="#_ftn6" name="_ftnref6"&gt;[6]&lt;/a&gt; In 1943, via an executive order, the number was adopted across Federal agencies. Eventually the number evolved from being a record keeping scheme into a means of identity. In 1977 it was clarified by the Carter administration that the number could act as a means to validate the status of an individual (for example if he or she could legally work in the country) but that it was not to serve as a national identity document.&lt;a href="#_ftn7" name="_ftnref7"&gt;[7]&lt;/a&gt; Today the SSN serves as a number for tracking individuals in the social security system and as one (among other) form of identification for different services and businesses. Alone, the SSN card does not serve as proof of identity or citizenship, cannot be used to transact with, and does not have the ability to store information.&lt;a href="#_ftn8" name="_ftnref8"&gt;[8]&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Aadhaar was created as a biometric based authenticator and a single unique proof of identity:&lt;/b&gt; The Aadhaar number was established as a single proof of identity and address for any resident in India that can be used to authenticate the identity of an individual in transactions with organizations that have adopted the number. The scheme has been promoted as a tool for reducing fraud in the public distribution system and enabling the government to better deliver public benefits.&lt;a href="#_ftn9" name="_ftnref9"&gt;[9]&lt;/a&gt;&lt;/p&gt;
&lt;h2 style="text-align: justify; "&gt;Applicability&lt;/h2&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;SSN is for citizens and non-citizens authorized to work: &lt;/b&gt; The social security number is primarily for citizens of the United States of America. In certain cases, non-citizens who have been authorized by the Department of Homeland Security to work in the US may obtain a Social Security number.&lt;a href="#_ftn10" name="_ftnref10"&gt;[10]&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Aadhaar is for residents: &lt;/b&gt; The Aadhaar number is available to any resident of India.&lt;a href="#_ftn11" name="_ftnref11"&gt;[11]&lt;/a&gt;&lt;/p&gt;
&lt;h2 style="text-align: justify; "&gt;Storage, Access, and Disclosure&lt;/h2&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;SSN and applications are stored in the Numident:&lt;/b&gt; The Numident is a centralized database containing the individual's original SSN and application and any re-application for the same. All information stored in the Numident is protected under the Privacy Act. Individuals may request records of their own personal information stored in the Numident. With the exception of the Department of Homeland Security and U.S Citizenship and Immigration Services, third parties may only request access to Numident records with the consent of the concerned individual.&lt;a href="#_ftn12" name="_ftnref12"&gt;[12]&lt;/a&gt; Federal agencies and private entities that collect the SSN for a specific service store the number at the organizational level. The Privacy Act and various state level legislation regulate the disclosure, access, and sharing of the SSN number collected by agencies and organizations.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Aadhaar and data generated at multiple sources is stored in the CIDR and processed in the data warehouse: &lt;/b&gt; According to the report "Analytics, Empowering Operations", &lt;i&gt; "At UIDAI, data generated at multiple sources would typically come to the CIDR (Central ID Repository), UIDAI's Data centre, through an online mechanism. There could be certain exceptional sources, like Contact centre or Resident consumer surveys, that will not feed into the Data center directly. Data is then processed in the Data Warehouse using Business Intelligence tools and converted into forms that can be accessed and shared easily." &lt;/i&gt; Examples of data that is stored in the CIDR include enrollments, letter delivery, authentication, processing, resident survey, training, and data from contact centres.&lt;a href="#_ftn13" name="_ftnref13"&gt;[13]&lt;/a&gt; It is unclear if organizations that authenticate individuals via the Aadhaar number store the number at the organizational level. Biometrics are listed as a form of sensitive personal information in the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011; thus, if any body corporate collects biometrics with the Aadhaar number, the storage, access, and disclosure of this information would be protected as per the Rules, but the Aadhaar number is not explicitly protected.&lt;a href="#_ftn14" name="_ftnref14"&gt;[14]&lt;/a&gt;&lt;/p&gt;
&lt;h2 style="text-align: justify; "&gt;Use by public and private entities&lt;/h2&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Public and private entities can request SSN: &lt;/b&gt; Public and private entities can request the SSN to track individuals in a system or as a form of identifying an individual. Any private business is allowed 	to request and use the SSN as long as the use does not violate federal or state law. Legally, an individual is only required to provide their SSN to a 	business if they are engaging in a transaction that requires notification to the Internal Revenue Service or the individual is initiating a transaction 	that is subject to federal Customer Identification Program rules.&lt;a href="#_ftn15" name="_ftnref15"&gt;[15]&lt;/a&gt; Thus, an individual can refuse to 	provide their SSN, but a private business can also refuse to provide a service.&lt;a href="#_ftn16" name="_ftnref16"&gt;[16]&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Any public authority requesting the SSN must provide a disclosure notice to the individual explaining if the provision of SSN is required or optional. According to the Privacy Act of 1974, no individual can be denied a government service or benefit for not providing the SSN unless Federal law specifically requires the number for a particular service.&lt;a href="#_ftn17" name="_ftnref17"&gt;[17]&lt;/a&gt; Thus, there are a number of Federal laws in the U.S that specifically require the SSN. For example, the Social Security Independence and Program Improvements Act 1994 allows for the use of the SSN for jury selection and allows for cross matching of SSNs and Employer Identification Numbers for investigation into violation of Federal Laws.&lt;a href="#_ftn18" name="_ftnref18"&gt;[18]&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Public and private entities can request Aadhaar: &lt;/b&gt; The Aadhaar number can be adopted by any public or private entity as a single means of identifying an individual. The UIDAI has stated that the Aadhaar number is not mandatory,&lt;a href="#_ftn19" name="_ftnref19"&gt;[19]&lt;/a&gt; and the Supreme Court of India has clarified that services cannot be denied on the grounds that an individual does not have an Aadhaar number.&lt;a href="#_ftn20" name="_ftnref20"&gt;[20]&lt;/a&gt;&lt;/p&gt;
&lt;h2 style="text-align: justify; "&gt;&lt;/h2&gt;
&lt;h2 style="text-align: justify; "&gt;Verification&lt;/h2&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;The SSN can be verified only in certain circumstances: &lt;/b&gt; The SSA will only respond to requests for SSN verification in certain circumstances:&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt; &lt;/b&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Before issuing a replacement SSN, posting a wage item to the Master Earnings File, or establishing a claims record - the SSA will verify that the 	name and the number match as per their records.&lt;/li&gt;
&lt;li&gt;When legally permitted, the SSA verification system will verify SSNs for government agencies.&lt;/li&gt;
&lt;li&gt;When legally permitted, the SSA verification system will verify a worker's SSN for pre-registered and approved private employers.&lt;/li&gt;
&lt;li&gt;If an individual has provided his/her consent, the SSA will verify an SSN request from a third party.&lt;/li&gt;
&lt;/ul&gt;
&lt;p style="text-align: justify; "&gt;For verification the SSN number must be submitted with an accompanying name to be matched to and additional information such as date of birth, fathers 	name, mothers name etc. When verifying submitted SSN's, the system will respond with either confirmation that the information matches or that it does not 	match. It is important to note that because SSN is verified only in certain circumstances, it is not guaranteed that the person providing an SSN number is 	the person whom the number was assigned.&lt;a href="#_ftn21" name="_ftnref21"&gt;[21]&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;The Aadhaar number can be verified in any transaction: &lt;/b&gt; If an organization, department, or platform has adopted the Aadhaar number as a form of authentication, they can send requests for verification to the 	UIDAI. The UIDAI will respond with a yes or no answer. When using their Aadhaar number as a form of authentication individuals can submit their number and 	demographic information or their number and biometrics for verification.&lt;a href="#_ftn22" name="_ftnref22"&gt;[22]&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;&lt;span&gt; &lt;/span&gt;&lt;/b&gt;&lt;/p&gt;
&lt;h2 style="text-align: justify; "&gt;Lost or stolen&lt;/h2&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;SSN can be replaced: &lt;/b&gt; If an individual loses his/her SSN card lost or their number is fraudulently used, they can apply for a replacement SSN card or a new SNN number.	&lt;a href="#_ftn23" name="_ftnref23"&gt;[23]&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Aadhaar number can be replaced: &lt;/b&gt; If an individual has lost their Aadhaar number, there is a process that they can follow to have their number re-sent to them. If the number cannot be located by the UIDAI , the individual has the option of re-enrolling for a new Aadhaar number.&lt;a href="#_ftn24" name="_ftnref24"&gt;[24]&lt;/a&gt; &lt;b&gt; &lt;/b&gt;The UIDAI has built the scheme with the understanding the biometrics are a unique identifier that cannot be lost or stolen, and thus have 	not created a system to address the possibility of stolen or fraudulent use of biometrics.&lt;/p&gt;
&lt;h2 style="text-align: justify; "&gt;Implementation&lt;/h2&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Legislation and formal roll out: &lt;/b&gt; The SSN program was brought into existence via the Social Security Act and officially rolled out while eventually being adopted across Federal Departments.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Bill and pilot studies:&lt;/b&gt; The UID scheme has been envisioned as being brought into existence via the Unique Identification Authority Bill 2010 which has not been passed. Thus far, 	the project has been implemented in pilot phases across States and platforms.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;&lt;span&gt; &lt;/span&gt;&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;&lt;span&gt;Enrollment&lt;/span&gt;&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Social Security Administration: &lt;/b&gt; The Social Security Agency is the soul body in the US that receives and processes applications for SSN and issues SSN numbers.	&lt;a href="#_ftn25" name="_ftnref25"&gt;[25]&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;UIDAI, registrars, and enrolling agencies: &lt;/b&gt; The UIDAI is the soul body that issues Aadhaar numbers. Registrars (contracted bodies under the UIDAI_ - and enrolling agencies (contracted bodies under 	Registrars) are responsible for receiving and processing enrollments into the UID scheme.&lt;/p&gt;
&lt;h2 style="text-align: justify; "&gt;Required supporting documents&lt;/h2&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;SSN requires proof of age, identity, and citizenship: &lt;/b&gt; To obtain a SSN you must be able to provide proof of your age, your identity, and US citizenship. The application form requires the following information:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Name to be shown on the card&lt;/li&gt;
&lt;li&gt;Full name at birth, if different&lt;/li&gt;
&lt;li&gt;Other names used&lt;/li&gt;
&lt;li&gt;Mailing address&lt;/li&gt;
&lt;li&gt;Citizenship or alien status&lt;/li&gt;
&lt;li&gt;Sex&lt;/li&gt;
&lt;li&gt;Race/ethnic description (SSA does not receive this information under EAB)&lt;/li&gt;
&lt;li&gt;Date of birth&lt;/li&gt;
&lt;li&gt;Place of birth&lt;/li&gt;
&lt;li&gt;Mother's name at birth&lt;/li&gt;
&lt;li&gt;Mother's SSN (SSA collects this information for the Internal Revenue Service (IRS) on an original application for a child under age 18. SSA does 	not retain these data.)&lt;/li&gt;
&lt;li&gt;Father's name&lt;/li&gt;
&lt;li&gt;Father's SSN (SSA collects this information for IRS on an original application for a child under age 18. SSA does not retain these data).&lt;/li&gt;
&lt;li&gt;Whether applicant ever filed for an SSN before&lt;/li&gt;
&lt;li&gt;Prior SSNs assigned&lt;/li&gt;
&lt;li&gt;Name on most recent Social Security card&lt;/li&gt;
&lt;li&gt;Different date of birth if used on an earlier SSN application.&lt;/li&gt;
&lt;li&gt;Date application completed&lt;/li&gt;
&lt;li&gt;Phone number&lt;/li&gt;
&lt;li&gt;Signature&lt;/li&gt;
&lt;li&gt;Applicant's relationship to the number holder.&lt;a href="#_ftn26" name="_ftnref26"&gt;[26]&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt; &lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Aadhaar requires proof of age, address, birth, and residence and biometric information:&lt;/b&gt; The application form requires the following information:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Name&lt;/li&gt;
&lt;li&gt;Date of birth&lt;/li&gt;
&lt;li&gt;Gender&lt;/li&gt;
&lt;li&gt;Address&lt;/li&gt;
&lt;li&gt;Parent/guardian details&lt;/li&gt;
&lt;li&gt;Email&lt;/li&gt;
&lt;li&gt;Mobile number&lt;/li&gt;
&lt;li&gt;Indication of consenting or not consenting to the sharing of information provided to the UIDAI with Public services including welfare services&lt;/li&gt;
&lt;li&gt;Indication of whether the individual wants the UIDAI to facilitate the opening of a bank account linked to the Aadhaar number and permits the sharing of information for this purpose&lt;/li&gt;
&lt;li&gt;If the individual has no objection to linking their present bank account to the Aadhaar number and the relevant bank details&lt;/li&gt;
&lt;li&gt;Signature&lt;a href="#_ftn27" name="_ftnref27"&gt;[27]&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;div style="text-align: justify; "&gt;&lt;br clear="all" /&gt; 
&lt;hr /&gt;
&lt;div id="ftn1"&gt;
&lt;p&gt;&lt;a href="#_ftnref1" name="_ftn1"&gt;[1]&lt;/a&gt; Sahil Makkar, "PM's idea to track kids from birth hits practical hurdles", Business Standard. April 11&lt;sup&gt;th&lt;/sup&gt; 2015. Available at: 			http://www.business-standard.com/article/current-affairs/pm-s-idea-to-track-kids-from-birth-hits-practical-hurdles-115041100828_1.html&lt;/p&gt;
&lt;/div&gt;
&lt;div id="ftn2"&gt;
&lt;p&gt;&lt;a href="#_ftnref2" name="_ftn2"&gt;[2]&lt;/a&gt; The Social Security Act of 1935. Available at: http://www.ssa.gov/history/35act.html&lt;/p&gt;
&lt;/div&gt;
&lt;div id="ftn3"&gt;
&lt;p&gt;&lt;a href="#_ftnref3" name="_ftn3"&gt;[3]&lt;/a&gt; The United States Department of Justice, "Overview of the Privacy Act of 1974". Available at: 			http://www.justice.gov/opcl/social-security-number-usage&lt;/p&gt;
&lt;/div&gt;
&lt;div id="ftn4"&gt;
&lt;p&gt;&lt;a href="#_ftnref4" name="_ftn4"&gt;[4]&lt;/a&gt; Government of India Planning Commission "Notification". Available at: https://uidai.gov.in/images/notification_28_jan_2009.pdf&lt;/p&gt;
&lt;/div&gt;
&lt;div id="ftn5"&gt;
&lt;p&gt;&lt;a href="#_ftnref5" name="_ftn5"&gt;[5]&lt;/a&gt; The National Identification Authority of India Bill 2010. Available at: 			http://www.prsindia.org/uploads/media/UID/The%20National%20Identification%20Authority%20of%20India%20Bill,%202010.pdf&lt;/p&gt;
&lt;/div&gt;
&lt;div id="ftn6"&gt;
&lt;p&gt;&lt;a href="#_ftnref6" name="_ftn6"&gt;[6]&lt;/a&gt; History of SSA 1993 - 2000. Chapter 6: Program Integrity. Available at: http://www.ssa.gov/history/ssa/ssa2000chapter6.html&lt;/p&gt;
&lt;/div&gt;
&lt;div id="ftn7"&gt;
&lt;p&gt;&lt;a href="#_ftnref7" name="_ftn7"&gt;[7]&lt;/a&gt; Social Security Number Chronology. Available at: http://www.ssa.gov/history/ssn/ssnchron.html&lt;/p&gt;
&lt;/div&gt;
&lt;div id="ftn8"&gt;
&lt;p&gt;&lt;a href="#_ftnref8" name="_ftn8"&gt;[8]&lt;/a&gt; History of SSA 1993 - 2000, Chapter 6: Program Integrity. Available at: http://www.ssa.gov/history/ssa/ssa2000chapter6.html&lt;/p&gt;
&lt;/div&gt;
&lt;div id="ftn9"&gt;
&lt;p&gt;&lt;a href="#_ftnref9" name="_ftn9"&gt;[9]&lt;/a&gt; UID FAQ: Aadhaar Features, Eligibility. Available at: https://resident.uidai.net.in/faqs&lt;/p&gt;
&lt;/div&gt;
&lt;div id="ftn10"&gt;
&lt;p&gt;&lt;a href="#_ftnref10" name="_ftn10"&gt;[10]&lt;/a&gt; Social Security Numbers for Noncitizens. Available at: http://www.ssa.gov/pubs/EN-05-10096.pdf&lt;/p&gt;
&lt;/div&gt;
&lt;div id="ftn11"&gt;
&lt;p&gt;&lt;a href="#_ftnref11" name="_ftn11"&gt;[11]&lt;/a&gt; Aapka Aadhaar. Available at: https://uidai.gov.in/aapka-aadhaar.html&lt;/p&gt;
&lt;/div&gt;
&lt;div id="ftn12"&gt;
&lt;p&gt;&lt;a href="#_ftnref12" name="_ftn12"&gt;[12]&lt;/a&gt; Program Operations Manual System. Available at: https://secure.ssa.gov/poms.nsf/lnx/0203325025&lt;/p&gt;
&lt;/div&gt;
&lt;div id="ftn13"&gt;
&lt;p&gt;&lt;a href="#_ftnref13" name="_ftn13"&gt;[13]&lt;/a&gt; UIDAI Analytics -Empowering Operations - the UIDAI Experience. Available at: https://uidai.gov.in/images/commdoc/other_doc/uid_doc_30012012.pdf&lt;/p&gt;
&lt;/div&gt;
&lt;div id="ftn14"&gt;
&lt;p&gt;&lt;a href="#_ftnref14" name="_ftn14"&gt;[14]&lt;/a&gt; Information Technology (Reasonable security practices and procedures and sensitive personal data or information rules 2011) available at: 			http://deity.gov.in/sites/upload_files/dit/files/GSR313E_10511(1).pdf&lt;/p&gt;
&lt;/div&gt;
&lt;div id="ftn15"&gt;
&lt;p&gt;&lt;a href="#_ftnref15" name="_ftn15"&gt;[15]&lt;/a&gt; IdentityHawk, "Who can lawfully request my social security number?" Available at: 			http://www.identityhawk.com/Who-Can-Lawfully-Request-My-Social-Security-Number&lt;/p&gt;
&lt;/div&gt;
&lt;div id="ftn16"&gt;
&lt;p&gt;&lt;a href="#_ftnref16" name="_ftn16"&gt;[16]&lt;/a&gt; SSA FAQ " Can I refuse to give my social security number to a private business?" Available at: 			https://faq.ssa.gov/link/portal/34011/34019/Article/3791/Can-I-refuse-to-give-my-Social-Security-number-to-a-private-business&lt;/p&gt;
&lt;/div&gt;
&lt;div id="ftn17"&gt;
&lt;p&gt;&lt;a href="#_ftnref17" name="_ftn17"&gt;[17]&lt;/a&gt; The United States Department of Justice, "Overview of the Privacy Act of 1974". Available at: 			http://www.justice.gov/opcl/social-security-number-usage&lt;/p&gt;
&lt;/div&gt;
&lt;div id="ftn18"&gt;
&lt;p&gt;&lt;a href="#_ftnref18" name="_ftn18"&gt;[18]&lt;/a&gt; Social Security Number Chronology. Available at: http://www.ssa.gov/history/ssn/ssnchron.html&lt;/p&gt;
&lt;/div&gt;
&lt;div id="ftn19"&gt;
&lt;p&gt;&lt;a href="#_ftnref19" name="_ftn19"&gt;[19]&lt;/a&gt; Aapka Aadhaar. Available at: https://uidai.gov.in/what-is-aadhaar.html&lt;/p&gt;
&lt;/div&gt;
&lt;div id="ftn20"&gt;
&lt;p&gt;&lt;a href="#_ftnref20" name="_ftn20"&gt;[20]&lt;/a&gt; Business Standard, "Aadhaar not mandatory to claim any state benefit, says Supreme Court" March 17&lt;sup&gt;th&lt;/sup&gt;, 2015. Available at: 			http://www.business-standard.com/article/current-affairs/aadhaar-not-mandatory-to-claim-any-state-benefit-says-supreme-court-115031600698_1.html&lt;/p&gt;
&lt;/div&gt;
&lt;div id="ftn21"&gt;
&lt;p&gt;&lt;a href="#_ftnref21" name="_ftn21"&gt;[21]&lt;/a&gt; Social Security History 1993 - 2000, Chapter 6: Program Integrity. Available at: http://www.ssa.gov/history/ssa/ssa2000chapter6.html&lt;/p&gt;
&lt;/div&gt;
&lt;div id="ftn22"&gt;
&lt;p&gt;&lt;a href="#_ftnref22" name="_ftn22"&gt;[22]&lt;/a&gt; Aapka Aadhaar. Available at: https://uidai.gov.in/auth.html&lt;/p&gt;
&lt;/div&gt;
&lt;div id="ftn23"&gt;
&lt;p&gt;&lt;a href="#_ftnref23" name="_ftn23"&gt;[23]&lt;/a&gt; SSA. New or Replacement Social Security Number Card. Available at: http://www.ssa.gov/ssnumber/&lt;/p&gt;
&lt;/div&gt;
&lt;div id="ftn24"&gt;
&lt;p&gt;&lt;a href="#_ftnref24" name="_ftn24"&gt;[24]&lt;/a&gt; UIDAI, Lost EID/UID Process. Available at: https://uidai.gov.in/images/mou/eiduid_process_ver5_2_27052013.pdf&lt;/p&gt;
&lt;/div&gt;
&lt;div id="ftn25"&gt;
&lt;p&gt;&lt;a href="#_ftnref25" name="_ftn25"&gt;[25]&lt;/a&gt; Social Security. Availabl at: http://www.ssa.gov/&lt;/p&gt;
&lt;/div&gt;
&lt;div id="ftn26"&gt;
&lt;p&gt;&lt;a href="#_ftnref26" name="_ftn26"&gt;[26]&lt;/a&gt; Social Security Administration, Application for a Social Security. Available at: http://www.ssa.gov/forms/ss-5.pdf&lt;/p&gt;
&lt;/div&gt;
&lt;div id="ftn27"&gt;
&lt;p&gt;&lt;a href="#_ftnref27" name="_ftn27"&gt;[27]&lt;/a&gt; Aadhaar enrollment/correction form. Available at: http://hstes.in/pdf/2013_pdf/Genral%20Notification/Aadhaar-Enrolment-Form_English.pdf&lt;/p&gt;
&lt;/div&gt;
&lt;/div&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/aadhaar-vs-social-security-number'&gt;https://cis-india.org/internet-governance/blog/aadhaar-vs-social-security-number&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>elonnai</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Aadhaar</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2015-07-24T01:24:00Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/news/firstpost-bindisha-sarang-august-10-2017-aadhaar-may-be-made-must-for-market-investments-good-to-curb-laundering-but-what-about-data-security">
    <title>Aadhaar may be made must for market investments: Good to curb laundering but what about data security?</title>
    <link>https://cis-india.org/internet-governance/news/firstpost-bindisha-sarang-august-10-2017-aadhaar-may-be-made-must-for-market-investments-good-to-curb-laundering-but-what-about-data-security</link>
    <description>
        &lt;b&gt;Aadhaar seems to be the master key for getting through doors that once were never shut. Take, for instance, your financial investments. Aadhaar may soon become mandatory for buying shares and mutual funds, according to a report in The Economic Times.&lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;The article by Bindisha Sarang was published by &lt;a class="external-link" href="http://www.firstpost.com/business/aadhaar-may-be-made-must-for-market-investments-good-to-curb-laundering-but-what-about-data-security-3913951.html"&gt;First Post&lt;/a&gt; on August 10, 2017.&lt;/p&gt;
&lt;hr /&gt;
&lt;p style="text-align: justify; "&gt;This move to link the 12 digit number to financial transactions being  considered by the government and markets regulator Sebi is yet another  attempt to stop the flow of black money entering into the financial  markets.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;It’s not clear if Aadhaar will replace PAN, or whether it will be in addition to providing PAN details.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;As  far as linking Aadhaar for buying mutual funds and shares is concerned,  the proposed move will probably impact those who use multiple PANs for  investments, and those brokers who, in collusion with such people,  invest illegal funds in markets. For the common man, it is unlikely to  make any major difference.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Over the last few months, the  government has made Aadhaar mandatory for a number of services,  especially those related to your finances. Aadhaar is currently used as  one of the KYC documents for your dealings in the financial sector but  it's definitely not a compulsory document.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Though the government's  decision to make Aadhaar mandatory for income tax returns filing has  turned controversial, the government has made it clear that it intents  to replace PAN with Aadhaar.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The reason being cited by the  government is the issues with PAN, especially the duplicate numbers that  being used to launder money by the tax cheats. Just last month, the  government deactivated 11.44 lakh PANs for this reason.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The &lt;i&gt;ET&lt;/i&gt; report cites market participants as saying that PAN, though unique for  every individual for income-tax assessment purpose, has not been  successful in preventing the laundering of money in the financial  markets. According to brokers, multiple PANs and fake demat accounts are  still being used to push illegal money into the stock market. The  proposal to make Aadhaar mandatory for market dealings has to be seen in  this context.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Suresh Sadagopan, a Mumbai-based certified  financial planner, says, "The move is to clean the system used by  crooks. For honest investors, it is just an additional step in the  process of investing."&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Sadagopan admits that there are concerns  regarding the security of data. "A large amount of data is publicly  available even today, which is a bad thing," he said.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;This indeed  is a big concern. Nandan Nilekani, former chief of Unique Identification  Authority of India that issues Aadhaar, recently voiced his concerns  over this.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;"There hasn't been a hack to Aadhaar systems. People  have tried to get access to OTPs (one-time passwords) and game others'  details and capture them. It's not really a hack, but absolutely,  security is going to be a big concern," Nilekani was quoted as saying in  a &lt;a href="http://timesofindia.indiatimes.com/city/bengaluru/aadhaar-security-is-a-big-concern-admits-nandan-nilekani/articleshow/59979517.cms" rel="nofollow" target="_blank"&gt;report&lt;/a&gt; in The Times of India. He was speaking at an event by the Confederation of Indian Industry (CII) on Tuesday.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;In  May, the Bengaluru-based Centre for Internet and Society had published a  report saying about government websites have leaked Aadhaar data of  over 130 million users. The government, however, vehemently denied the  development.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Despite all these, the move to make Aadhaar mandatory  in financial markets is positive and goes well with the government's  battle to curb black money generation.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;However, with stock market  investment too coming under Aadhaar, the government should move quickly  to secure data from potential misuse.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/news/firstpost-bindisha-sarang-august-10-2017-aadhaar-may-be-made-must-for-market-investments-good-to-curb-laundering-but-what-about-data-security'&gt;https://cis-india.org/internet-governance/news/firstpost-bindisha-sarang-august-10-2017-aadhaar-may-be-made-must-for-market-investments-good-to-curb-laundering-but-what-about-data-security&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>Admin</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2017-08-23T00:17:50Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/hindustan-times-pranesh-prakash-april-3-2017-aadhaar-marks-a-fundamental-shift-in-citizen-state-relations">
    <title>Aadhaar marks a fundamental shift in citizen-state relations: From ‘We the People’ to ‘We the Government’</title>
    <link>https://cis-india.org/internet-governance/blog/hindustan-times-pranesh-prakash-april-3-2017-aadhaar-marks-a-fundamental-shift-in-citizen-state-relations</link>
    <description>
        &lt;b&gt;Your fingerprints, iris scans, details of where you shop. Compulsory Aadhaar means all this data is out there. And it’s still not clear who can view or use it.&lt;/b&gt;
        &lt;p&gt;The article was published in the &lt;a class="external-link" href="http://www.hindustantimes.com/india-news/what-s-really-happening-when-you-swipe-your-aadhaar-card-to-make-a-payment/story-2fLTO5oNPhq1wyvZrwgNgJ.html"&gt;Hindustan Times&lt;/a&gt; on April 3, 2017.&lt;/p&gt;
&lt;hr /&gt;
&lt;p style="text-align: center; "&gt;&lt;img src="https://cis-india.org/home-images/Aaadhaar.png" alt="Aadhaar" class="image-inline" title="Aadhaar" /&gt;&lt;br /&gt;Until recently, people were allowed to opt out of Aadhaar and withdraw consent to have their data stored. This is no longer going to be an option.&lt;br /&gt;(Siddhant Jumde / HT Illustration)&lt;/p&gt;
&lt;hr style="text-align: justify; " /&gt;
&lt;p style="text-align: justify; "&gt;Imagine you’re walking down the street and you point the camera on your phone at a crowd of people in front of you. An app superimposes on each person’s face a partially-redacted name, date of birth, address, whether she’s undergone police verification, and, of course, an obscured Aadhaar number.&lt;br /&gt;&lt;br /&gt;OnGrid, a company that bills itself as a “trust platform” and offers “to deliver verifications and background checks”, used that very imagery in an advertisement last month. Its website notes that “As per Government regulations, it is mandatory to take consent of the individual while using OnGrid”, but that is a legal requirement, not a technical one.&lt;br /&gt;&lt;br /&gt;Since every instance of use of Aadhaar for authentication or for financial transactions leaves behind logs in the Unique Identification Authority of India’s (UIDAI) databases, the government can potentially have very detailed information about everything from the your medical purchases to your use of video-chatting software. The space for digital identities as divorced from legal identities gets removed. Clearly, Aadhaar has immense potential for profiling and surveillance. Our only defence: law that is weak at best and non-existent at worst.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The Aadhaar Act and Rules don’t limit the information that can be gathered from you by the enrolling agency; it doesn’t limit how Aadhaar can be used by third parties (a process called ‘seeding’) if they haven’t gathered their data from UIDAI; it doesn’t require your consent before third parties use your Aadhaar number to collate records about you (eg, a drug manufacturer buying data from various pharmacies, and creating profiles using Aadhaar).&lt;br /&gt;&lt;br /&gt;It even allows your biometrics to be shared if it is “in the interest of national security”. The law offers provisions for UIDAI to file cases (eg, for multiple enrollments), but it doesn’t allow citizens to file a case against private parties or the government for misuse of Aadhaar or identity fraud, or data breach.&lt;br /&gt;&lt;br /&gt;It is also clear that the government opposes any privacy-related improvements to the law. After debating the Aadhaar Bill in March 2016, the Rajya Sabha passed an amendment by MP Jairam Ramesh that allowed people to opt out of Aadhaar, and withdraw their consent to UIDAI storing their data, if they had other means of proving their identity (thus allowing Aadhaar to remain an enabler).&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;But that amendment, as with all amendments passed in the Rajya Sabha, was rejected by the Lok Sabha, allowing the government to make Aadhaar mandatory, and depriving citizens of consent. While the Aadhaar Act requires a person’s consent before collecting or using Aadhaar-provided details, it doesn’t allow for the revocation of that consent.&lt;br /&gt;&lt;br /&gt;In other countries, data security laws require that a person be notified if her data has been breached. In response to an RTI application asking whether UIDAI systems had ever been breached, the Authority responded that the information could not be disclosed for reasons of “national security”.&lt;br /&gt;&lt;br /&gt;The citizen must be transparent to the state, while the state will become more opaque to the citizen.&lt;/p&gt;
&lt;h2 style="text-align: justify; "&gt;How Did Aadhaar Change?&lt;/h2&gt;
&lt;table class="invisible"&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td style="text-align: justify; "&gt;
&lt;p&gt;How did Aadhaar become the behemoth it is today, with it being mandatory for hundreds of government programmes, and even software like Skype enabling support for it?&lt;/p&gt;
&lt;p&gt;The first detailed look one had at the UID project was through an internal UIDAI document marked ‘Confidential’ that was leaked through WikiLeaks in November 2009. That 41-page dossier is markedly different from the 170-page ‘Technology and Architecture’ document that UIDAI has on its website now, but also similar in some ways.&lt;/p&gt;
&lt;/td&gt;
&lt;td&gt;&lt;img src="http://www.hindustantimes.com/rf/image_size_960x540/HT/p2/2017/04/01/Pictures/_36723476-16e4-11e7-85c6-0f0e633c038c.jpg" /&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p style="text-align: justify; "&gt;In neither of those is the need for Aadhaar properly established. Only  in November 2012 — after scholars like Reetika Khera pointed out UIDAI’s  fundamental misunderstanding of leakages in the welfare delivery system  — was the first cost-benefit analysis commissioned, by when UIDAI had  already spent ₹28 billion. That same month, Justice KS Puttaswamy, a  retired High Court judge, filed a PIL in the Supreme Court challenging  Aadhaar’s constitutionality, wherein the government has argued privacy  isn’t a fundamental right.&lt;/p&gt;
&lt;blockquote class="pullquote" style="text-align: justify; "&gt;Every time you use Aadhaar, you leave behind logs in the UIDAI databases. This means that the government can potentially have very detailed information about everything from the your medical purchases to your use of video-chatting software.&lt;/blockquote&gt;
&lt;p style="text-align: justify; "&gt;Even today, whether the ‘deduplication’ process — using biometrics to ensure the same person can’t register twice — works properly is a mystery, since UIDAI hasn’t published data on this since 2012. Instead of welcoming researchers to try to find flaws in the system, UIDAI recently filed an FIR against a journalist doing so.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;At least in 2009, UIDAI stated it sought to prevent anyone from “[e]ngaging in or facilitating profiling of any nature for anyone or providing information for profiling of any nature for anyone”, whereas the 2014 document doesn’t. As OnGrid’s services show, the very profiling that the UIDAI said it would prohibit is now seen as a feature that all, including private companies, may exploit.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;UID has changed in other ways too. In 2009, it was as a system that never sent out any information other than ‘Yes’ or ‘No’, which it did in response to queries like ‘Is Pranesh Prakash the name attached to this UID number’ or ‘Is April 1, 1990 his date of birth’, or ‘Does this fingerprint match this UID number’.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;With the addition of e-KYC (wherein UIDAI provides your demographic details to the requester) and Aadhaar-enabled payments to the plan in 2012, the fundamentals of Aadhaar changed. This has made Aadhaar less secure.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Security Concerns&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;With Aadhaar Pay, due to be launched on April 14, a merchant will ask you to enter your Aadhaar number into her device, and then for your biometrics — typically a fingerprint, which will serve as your ‘password’, resulting in money transfer from your Aadhaar-linked bank account.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Basic information security theory requires that even if the identifier (username, Aadhaar number etc) is publicly known — millions of people names and Aadhaar numbers have been published on dozens of government portals — the password must be secret. That’s how most logins works, that’s how debit and credit cards work. How are you or UIDAI going to keep your biometrics secret?&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;In 2015, researchers in Carnegie Mellon captured the iris scans of a driver using car’s side-view mirror from distances of up to 40 feet. In 2013, German hackers fooled Apple iOS’s fingerprint sensors by replicating a fingerprint from a photo taken off a glass held by an individual. They even replicated the German Defence Minister’s fingerprints from photographs she herself had put online. Your biometrics can’t be kept secret.&lt;/p&gt;
&lt;blockquote class="pullquote" style="text-align: justify; "&gt;Typically, even if your username (in this case, Aadhaar number) is publicly known, your password must be secret. That’s how most logins works, that’s how debit and credit cards work. How are you or UIDAI going to keep your biometrics secret?&lt;/blockquote&gt;
&lt;p style="text-align: justify; "&gt;In the  US, in a security breach of 21.5 million government employees’ personnel  records in 2015, 5.2 million employees’ fingerprints were copied. If  that breach had happened in India, those fingerprints could be used in  conjunction with Aadhaar numbers not only for large-scale identity  fraud, but also to steal money from people’s bank accounts.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;All ‘passwords’ should be replaceable. If your credit card gets stolen, you can block it and get a new card. If your Aadhaar number and fingerprint are leaked, you can’t change it, you can’t block it.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The answer for Aadhaar too is to choose not to use biometrics alone for authentication and authorisation, and to remove the centralised biometrics database. And this requires a fundamental overhaul of the UID project.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Aadhaar marks a fundamental shift in citizen-state relations: from ‘We the People’ to ‘We the Government’. If the rampant misuse of electronic surveillance powers and wilful ignorance of the law by the state is any precedent, the future looks bleak. The only way to protect against us devolving into a total surveillance state is to improve rule of law, to strengthen our democratic institutions, and to fundamentally alter Aadhaar. Sadly, the political currents are not only not favourable, but dragging us in the opposite direction.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/hindustan-times-pranesh-prakash-april-3-2017-aadhaar-marks-a-fundamental-shift-in-citizen-state-relations'&gt;https://cis-india.org/internet-governance/blog/hindustan-times-pranesh-prakash-april-3-2017-aadhaar-marks-a-fundamental-shift-in-citizen-state-relations&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>pranesh</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Biometrics</dc:subject>
    
    
        <dc:subject>Aadhaar</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2017-04-04T16:10:06Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/news/aadhaar-linking-deadline-approaches-here-are-all-the-myths-and-facts">
    <title>Aadhaar linking deadline approaches: Here are all the myths and facts</title>
    <link>https://cis-india.org/internet-governance/news/aadhaar-linking-deadline-approaches-here-are-all-the-myths-and-facts</link>
    <description>
        &lt;b&gt;Love it or hate it, you just can't escape it. We're talking about Aadhaar, which is a bigger buzzword than usual in the face of the looming end-December deadline for linkages with bank accounts, PPF, insurance policies, ration card and perhaps even PAN. As India rushes to comply, there are a number of myths and half-truths making the rounds. &lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;The article was published by &lt;a class="external-link" href="http://www.businesstoday.in/current/policy/aadhar-linking-deadline-last-day-uidai-bank-account/story/265465.html"&gt;Business Today&lt;/a&gt; on December 7, 2017.&lt;/p&gt;
&lt;hr style="text-align: justify; " /&gt;
&lt;p style="text-align: justify; "&gt;The official website of the Unique Identification Authority of India (UIDAI), the body issuing the biometrics-based Aadhaar number, helpfully lists out some of them, while others came to light when activists took up cudgels on behalf of Aadhaar-harassed citizens. But, either ways, you need to know the hard truth behind them.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;strong&gt;Myth:&lt;/strong&gt; Aadhaar-linkage is not only mandatory for every Indian citizen but also every person residing in the country.&lt;br /&gt;&lt;strong&gt;Fact:&lt;/strong&gt; In a notification dated May 11, 2017, the Central Board of Direct Taxes exempted the following categories from mandatory Aadhaar enrolment: &lt;br /&gt;Those who are not citizens of India, non-resident Indians as per Income Tax Laws, those aged over 80 years at any time during the tax year, and the residents of Assam, Meghalaya and Jammu &amp;amp; Kashmir.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The UIDAI has also made it clear that NRIs and those holding the Overseas Citizen of India (OCI) card are not eligible to obtain Aadhaar as per the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016. "NRI/OCI need not verify their bank account or SIM or PAN with Aadhaar. If required, they may inform the service provider(s) that they being NRI/OCI are exempted from Aadhaar verification," the UIDAI had said on Twitter way back in October, and followed it up with a circular in mid-November.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;As per the Aadhaar Act, only a "resident" is entitled to obtain Aadhaar, which refers to an individual, irrespective of nationality, who has resided in India for a period aggregating 182 days or more in the year immediately preceding the date of application for enrolment. So, this means that even NRIs and expats fulfilling the above criteria can apply for Aadhaar, but they cannot be forced to link their Indian bank accounts with it.&lt;br /&gt;&lt;strong&gt;&lt;br /&gt;Myth:&lt;/strong&gt; I had to give my fingerprints to get a SIM card and now the telecom company will keep my biometrics for future use&lt;br /&gt;&lt;strong&gt;&lt;br /&gt;Fact:&lt;/strong&gt; According to UIDAI, a telecom company cannot store your biometrics at its end. All the biometrics collected should be encrypted by the service provider and sent to UIDAI at that instant itself. Any storage of biometric by any agency is a serious crime punishable with up to three years of imprisonment under the Aadhaar Act.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;strong&gt;Myth:&lt;/strong&gt; Aadhaar is prone to data breaches and leaks&lt;strong&gt;&lt;br /&gt;Fact: &lt;/strong&gt;Yes, there have been at least two serious leaks reported in the media, but the UIDAI has denied both of them.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;In May 2017, The Centre for Internet and Society, a Bangalore-based non-profit research organisation, had reportedly investigated  three government portals linked with social welfare schemes that together leaked Aadhaar information of around 1.3 crore people. Then, two months later, came news about over 200 government websites Aadhaar information public. This raised a lot of concerns and detractors cried themselves hoarse.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;According to the UIDAI, some agencies of central or state governments had been proactively putting up details of their beneficiaries as required under the RTI Act. While the said information was promptly removed from the offending websites, the authority points out that no biometrics were displaced.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;"Therefore to say that Aadhaar has been breached, data has been leaked, is completely incorrect and misleading," it says.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Moreover, the Aadhaar Act and IT Act are now in place, which impose restrictions on publication of Aadhaar numbers, bank account, and other personal details.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;strong&gt;Myth:&lt;/strong&gt; Aadhaar has a poorly verified database.&lt;br /&gt;&lt;strong&gt;Fact:&lt;/strong&gt; Several security measures are in place to ensure that Aadhaar enrolment system is secure.  It is done through registrars-credible institutions like state government, banks, Common Service Centres which employ enrolment agencies empanelled by UIDAI. The latter, in turn, employ operators certified by the authority. Aadhaar enrolments are done only through customized software developed and provided by UIDAI. Every day, the operators have to log into the enrolment machine through their Aadhaar number and fingerprints. Once an enrolment is done, the operator is required to sign through his/ her biometrics. Moreover, at the time of enrolment itself, the captured data is encrypted and can't be read by anyone other than the UIDAI server.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;strong&gt;Myth:&lt;/strong&gt; People are being denied benefits and rations because they don't have Aadhaar or because of biometrics issues&lt;strong&gt;&lt;br /&gt;Fact:&lt;/strong&gt; UIDAI CEO Ajay Bhushan Pandey has clarified to the media that though Section 7 of the Aadhaar Act stipulates that benefits and subsidies from the Consolidated Fund of India shall be given on the basis of Aadhaar or proof of possession of an Aadhaar number, the lack of it cannot be grounds for denial. "Section 7 specifies that till Aadhaar number is prescribed, the benefits should be given through alternate means of identification," Pandey said to The Hindu.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The Act also provides for statutory protection to those who are unable to authenticate because of worn-out fingerprints, medical conditions like leprosy or other reasons such as technical faults. "The field agencies have been accordingly instructed through the notifications issued by the government. In spite of this, if a person is denied because he does not have Aadhaar or he is unable to biometrically authenticate, it is undisputedly a violation of instructions issued by the government and such violators have to be punished," added Pandey.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;strong&gt;Myth:&lt;/strong&gt; Publicly sharing the Aadhaar number, to track a lost Amazon package, for instance, makes one susceptible to identity fraud&lt;br /&gt;&lt;strong&gt;Fact:&lt;/strong&gt; Your Aadhaar number, just like your mobile phone number or bank account number, is not a secret though it is certainly sensitive personal information. Just as no one can hack into your bank account using just the account number, identity theft is impossible using the Aadhaar number alone.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;What you need to assiduously protect are things like passwords, including OTPs, and PINs. A prudent practice would be to never put up any sensitive personal information on websites or social media platforms.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/news/aadhaar-linking-deadline-approaches-here-are-all-the-myths-and-facts'&gt;https://cis-india.org/internet-governance/news/aadhaar-linking-deadline-approaches-here-are-all-the-myths-and-facts&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>Admin</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Aadhaar</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2018-01-01T16:04:25Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/news/business-standard-sahil-makkar-march-12-2016-aadhaar-is-actually-surveillance-tech-sunil-abraham">
    <title>Aadhaar is actually surveillance tech: Sunil Abraham</title>
    <link>https://cis-india.org/internet-governance/news/business-standard-sahil-makkar-march-12-2016-aadhaar-is-actually-surveillance-tech-sunil-abraham</link>
    <description>
        &lt;b&gt;On March 12, the Lok Sabha passed the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016, paving the way for giving legal status to Aadhaar, a 12-digit unique identification number generated after collecting biometric and other details of an Indian resident.&lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;Sahil Makkar on behalf of Business Standard interviewed Sunil Abraham. The &lt;a class="external-link" href="http://www.business-standard.com/article/opinion/aadhaar-is-actually-surveillance-tech-sunil-abraham-116031200790_1.html"&gt;article was published &lt;/a&gt;on March 12, 2016.&lt;/p&gt;
&lt;hr /&gt;
&lt;p style="text-align: justify; "&gt;The government intends to use Aadhaar to roll out more subsidy schemes and allay privacy concerns. However, activists are not convinced. &lt;strong&gt;Sunil Abraham&lt;/strong&gt;, executive director of Bengaluru based-research organisation The Centre for Internet &amp;amp; Society, tells &lt;em&gt;Sahil Makkar&lt;/em&gt; that the concept of Aadhaar is principally flawed and it doesn't substantially help in plugging leakages in government schemes. Edited excerpts:&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;strong&gt;What is your position on Aadhaar and the UIDAI Bill?&lt;br /&gt;&lt;br /&gt;&lt;/strong&gt; What technology has broken cannot be fixed by the law. Aadhaar is a broken technology; it is surveillance technology disguised as developmental intervention that identifies people without their consent and authenticates transactions on their behalf. The architecture is a disaster from the security perspective and there is no recourse in law for citizens whose rights have been infringed. The other objection should be to the subtitle of the Bill that mentions "services": it is unclear whether Aadhaar is to be provided to the residents or the citizens. A bulk of the government services is meant for citizens.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;What are the repercussions of this "broken technology"?&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt; Consent happens without conscious cooperation during the authentication process of getting access to a subsidy or a service. Also, the person providing the service is holding a biometric reader and he may say the device is not working and hence, refuse the subsidy. Yet the database will reflect that the subsidy has been availed of because authentication has already been completed. So you have to accept what the person is saying because only that person and the UIDAI have access to the information. Aadhaar makes the citizen transparent to the state but makes the state completely opaque and unaccountable to its citizens.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Will the beneficiary not receive a message about the transaction?&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt; That will only happen when the banks are involved. At the subsidised ration shop the beneficiary will get nothing. The world over security professionals don't trust biometric-based authentication, relying rather on other revocable authentication factors. It is irrevocable if the biometric details are compromised. 
Instead, writable smart cards could be used to record details of government officers on the cards of beneficiaries and make both the state and the resident transparent to each other.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Hasn't the National Population Register under the Ministry of Home Affairs been advocating the use of smart cards?&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt; In this case biometrics should be used only to link the individual to the smart card. Biometric information should be stored on smart cards and under no circumstances should there be a central repository of biometrics at one place. Maintaining a central database is akin to getting the keys of every house in Delhi and storing them at a central police station. The chances of getting a central database compromised depend on the nature of information stored in it. For the sake of security one can't create a honey pot to be attacked by many. The internet is secure because it doesn't have a central database. The other difference is that faking biometrics is much easier than faking smart cards.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;So your principal opposition is to the setting up of a central repository of biometrics?&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt; I am also opposed to the use of biometrics for identification and authentication; this is nothing but surveillance. It is very easy to capture iris data of any individual with the use of next generation cameras. Imagine a situation when the police is secretly capturing the iris data of protesters and then identifying them through their biometric records.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;But if the security agencies are able to identify those who create law and order problems, what is the hitch?&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt; It is exactly the same argument that Apple is giving while refusing back-door entry to intelligence and investigating agencies. 
Once you build surveillance capacity for good governance, it may be misused by a repressive government, a rogue corporation or by criminals. Fear of this type of surveillance will deter people from holding any protest.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Doesn't the Aadhaar or the UIDAI conform to safety and security provisions in the IT Act?&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt; The standards in our IT Act are woefully inadequate in comparison to European regulators and courts. If it adhered to the highest standards, the European privacy commissioner and data protection authorities would have given India adequacy status. The second problem is that the current IT Act doesn't apply to the government. If the government holds your data, it is under no obligation to protect your rights.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;You have been part of the Justice A P Shah Committee on privacy. How important is it to have a separate privacy law in the present context?&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt; It is not only important for the purpose of safeguarding human rights, but also to protect the competitiveness of our BPO, ITeS and KPO sectors. We need a data protection law that is compliant with European Data Protection Regulation.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;How will such a law help a common man whose data have been compromised?&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt; It will provide clarity to an individual about where he or she stands with regard to privacy. It is strange that the government took diametrically opposite stands in two cases related to privacy in the Supreme Court. When some activists demanded that the UIDAI be scrapped, the government argued before the court that there was no Constitutional right to privacy. When the police asked for the biometric records from the UIDAI, the same government argued there was a right to privacy and that it couldn't divulge the details to the police. 
The government is not speaking in the same voice; even courts are not speaking in the same voice, because there have been conflicting judgements. So the proposed law will provide clarity on privacy and people will be able to seek compensation under it.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;At the same time it cannot be denied that Aadhaar can plug leakages and save hundreds and thousands of rupees for the exchequer....&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt; Aadhaar is only answering two questions: Is this particular biometric unique (enrolment) and does it match the template in the database? If you bring a Bangladeshi into the system, it will answer both the questions in the affirmative. The Aadhaar only eliminates the possibility of one person receiving the benefits twice. At the same time it is very easy to put a ghost beneficiary back into the system. If Aadhaar has to work, we need a publicly visible auditable trail of subsidy moving from Delhi to the villages. That will eliminate corruption in the supply chain.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Isn't it difficult for a large number of ghost beneficiaries to get into the system?&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt; There is no way to check whether a genuine or a ghost beneficiary has been removed from the list. It is not a foolproof system because no one is vouching for anybody. In the current system it is difficult to find out who created this ghost beneficiary. Nobody loses a job for creating a ghost; in fact, here everyone has an incentive.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;If there are problems with the UIDAI system, why is the government upbeat about it?&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt; As techno-utopians our government wants technology to answer everything and solve all our problems. If anything goes wrong, it can easily be blamed on technology.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/news/business-standard-sahil-makkar-march-12-2016-aadhaar-is-actually-surveillance-tech-sunil-abraham'&gt;https://cis-india.org/internet-governance/news/business-standard-sahil-makkar-march-12-2016-aadhaar-is-actually-surveillance-tech-sunil-abraham&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>praskrishna</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Aadhaar</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2016-03-16T17:07:39Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/news/bloomberg-quint-may-2-2017-mahima-kapoor-aadhaar-details-of-people-available-on-govt-sites">
    <title>Aadhaar Details Of 13.5 Crore People Available On Government Sites </title>
    <link>https://cis-india.org/internet-governance/news/bloomberg-quint-may-2-2017-mahima-kapoor-aadhaar-details-of-people-available-on-govt-sites</link>
    <description>
        &lt;b&gt;Up to 13.5 crore Aadhaar numbers can be easily accessed through government portals and nearly three-fourths of these are linked to bank accounts, said non-profit research organisation the Centre For Internet &amp; Society (CIS).&lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;Calling the Unique Identification Authority of India (UIDAI)  “extremely irresponsible” in maintaining privacy standards, CIS blamed  the Aadhaar governing body for turning a "blind eye" to the lack of  standards regarding use of Aadhaar data by private and public bodies&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;"It  is staggering that while these databases have existed in the public  domain for months, while framing the Aadhaar Act Regulations in late  2016, the UIDAI did not even deem these as important matters to be  addressed by way of regulations or standards," CIS said in a report  titled ‘Information Security Practices of Aadhaar (or lack thereof)’.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The CIS report points out several government sites which showcase  inefficiently masked Aadhaar codes with sensitive personally  identifiable information, also available for download as spreadsheets.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;a class="external-link" href="https://www.bloombergquint.com/technology/2017/05/20/why-flipkart-needs-more-than-softbank-to-take-on-amazon"&gt;Read the full story on Bloomberg Quint&lt;/a&gt;&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/news/bloomberg-quint-may-2-2017-mahima-kapoor-aadhaar-details-of-people-available-on-govt-sites'&gt;https://cis-india.org/internet-governance/news/bloomberg-quint-may-2-2017-mahima-kapoor-aadhaar-details-of-people-available-on-govt-sites&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>praskrishna</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Aadhaar</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2017-05-20T11:00:55Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/news/new-indian-express-april-26-2018-aadhaar-data-over-89-lakh-mnrega-workers-in-andhra-pradesh-leaked-online">
    <title>Aadhaar data of over 89 lakh MNREGA workers in Andhra Pradesh leaked online</title>
    <link>https://cis-india.org/internet-governance/news/new-indian-express-april-26-2018-aadhaar-data-over-89-lakh-mnrega-workers-in-andhra-pradesh-leaked-online</link>
    <description>
        &lt;b&gt;Independent security researcher Kodali Srinivas tweeted screenshots of Aadhaar data of 89,38,138 MNREGA workers available on the Andhra Pradesh Benefit Disbursement Portal.&lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;The article was &lt;a class="external-link" href="http://www.newindianexpress.com/states/andhra-pradesh/2018/apr/26/aadhaar-data-of-over-89-lakh-mnrega-workers-in-andhra-pradesh-leaked-online-1806717.html"&gt;published in New Indian Express&lt;/a&gt; on April 27, 2018.&lt;/p&gt;
&lt;hr /&gt;
&lt;p style="text-align: justify; "&gt;Independent security researcher Kodali Srinivas, who exposed the leakage of Aadhaar and other personal data of 1.34 lakh beneficiaries on the State Housing Corporation website, on Thursday tweeted screenshots of Aadhaar data of 89,38,138 MNREGA workers availalbe on the Andhra Pradesh Benefit Disbursement Portal, which is maintained by APOnline, a joint venture between the Tata Consultancy Services (TCS) and the State government.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Hours after he blew the whistle, the website administrators began masking the data. In May 2017, Srinivas had co-authored a report for the Centre for Internet and Society, exposing how the Aadhaar data of 13.5 crore card holders was leaked online. The data was then leaked by four government portals, National Social Assistance Programme, National Rural Employment Guarantee Scheme, Chandranna Bima Scheme of the Government of Andhra Pradesh and Daily Online Payment Reports of NREGA of the Government of Andhra Pradesh.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;It appears that almost a year later, nothing much has changed. Srinivas told TNIE he had sent a mail to the chief operating officer, APOnline and Universal Identification Authority of India, the National Critical Information Infrastructure Protection Centre, and CERT-In, the Centre's cyber response wing. When contacted, Balasubramanyam, Joint Secretary (NREGS) told TNIE, "I have seen it. It is Benefit Disbursement Portal... not maintained by us. We have been very careful ever since that massive leak of data last year."&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Executive (operations), APOnline, S Chandramouleeswara Reddy refused comment saying that he was not the competent authority to speak on the issue. APOnline developed ICT solution for MGNREGA scheme, a framework involving Department of Posts, for disbursement of entitlements after accurate authentication of the entitlements through finger print authentication. TCS implements the ICT solution for MGNREGA in the State.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/news/new-indian-express-april-26-2018-aadhaar-data-over-89-lakh-mnrega-workers-in-andhra-pradesh-leaked-online'&gt;https://cis-india.org/internet-governance/news/new-indian-express-april-26-2018-aadhaar-data-over-89-lakh-mnrega-workers-in-andhra-pradesh-leaked-online&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>Admin</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Aadhaar</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2018-05-05T08:43:53Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/news/indian-express-may-3-2017-aadhaar-data-of-over-13-crore-people-exposed-new-report">
    <title>Aadhaar data of over 13 crore people exposed: New report</title>
    <link>https://cis-india.org/internet-governance/news/indian-express-may-3-2017-aadhaar-data-of-over-13-crore-people-exposed-new-report</link>
    <description>
        &lt;b&gt;Ajay Bhushan Pandey, CEO of UIDAI, the nodal body for Aadhaar, said, “There is no data leak from UIDAI.”&lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;The article was published in the &lt;a class="external-link" href="http://indianexpress.com/article/india/aadhaar-data-of-over-13-crore-people-exposed-new-report-4638024/"&gt;Indian Express&lt;/a&gt; on May 3, 2017.&lt;/p&gt;
&lt;hr /&gt;
&lt;p style="text-align: justify; "&gt;UP TO 13.5 crore Aadhaar numbers are exposed and are publicly  available on government websites and approximately 10 crore of these are  linked to bank account details, according to a new report published on  Monday. The 27-paged report — Information Security Practices of Aadhaar  (or lack thereof): A documentation of public availability of Aadhaar  Numbers with sensitive personal financial information — published by  non-profit organisation The Centre for Internet and Society (CIS) has  collected Aadhaar data from four government portals.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Two of these are national portals: National Social Assistance  Programme and National Rural Employment Guarantee Act (NREGA), both  under the Ministry of Rural Development. The other two studied by the  report’s authors, Srinivas Kodali and Amber Sinha, are run by the Andhra  Pradesh government: a daily online payments report under NREGA by the  state government, and Chandranna Bima Scheme.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The report states: “Based on the numbers available on the websites  looked at, the estimated number of Aadhaar numbers leaked through these 4  portals could be around 130-135 million (13-13.5 crore) and the number  of bank accounts numbers leaked at around 100 million (10 crore) from  the specific portals we looked at.” Ajay Bhushan Pandey, CEO of Unique  Identification Authority of India (UIDAI), the nodal body for Aadhaar,  said, “There is no data leak from UIDAI.”&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Since the CIS report focused on websites of only four schemes, it is  possible that many more Aadhaar cards may be available on other  government websites. At least nine other instances were reported in  April alone. Section 29(4) of Aadhaar Act prohibits making Aadhaar  number of any individual public.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Pandey said, “Aadhaar numbers and bank accounts have been  independently collected from people by other agencies for their own  usage, not related to UIDAI.” Asked if UIDAI will take action against  errant government departments, he said the “police will need to take  action”.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/news/indian-express-may-3-2017-aadhaar-data-of-over-13-crore-people-exposed-new-report'&gt;https://cis-india.org/internet-governance/news/indian-express-may-3-2017-aadhaar-data-of-over-13-crore-people-exposed-new-report&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>praskrishna</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Aadhaar</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2017-05-20T08:57:24Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/news/india-today-may-4-2017-aadhaar-data-of-130-millions-bank-account-details-leaked-from-govt-websites-report">
    <title>Aadhaar data of 130 millions, bank account details leaked from govt websites: Report</title>
    <link>https://cis-india.org/internet-governance/news/india-today-may-4-2017-aadhaar-data-of-130-millions-bank-account-details-leaked-from-govt-websites-report</link>
    <description>
        &lt;b&gt;Just how leaky is the Aadhaar data? A lot, says a study published by Centre for Internet and Society, a Bengaluru-based organisation (CIS). In a study published on May 1, two researchers from CIS found that data of over 130 million Aadhaar card holders has been leaked from just four government websites. As scary as this is, there is more to it. Not only the Aadhaar numbers, names and other personal details of millions of people have been leaked but also their bank account numbers.&lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;The article was published in &lt;a class="external-link" href="http://indiatoday.intoday.in/technology/story/aadhaar-data-of-130-millions-bank-account-details-leaked-from-govt-websites-report/1/943632.html"&gt;India Today&lt;/a&gt; on May 4, 2017.&lt;/p&gt;
&lt;hr style="text-align: justify; " /&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt;The &lt;a href="http://cis-india.org/internet-governance/information-security-practices-of-aadhaar-or-lack-thereof-a-documentation-of-public-availability-of-aadhaar-numbers-with-sensitive-personal-financial-information-1" target="_blank"&gt;CIS report&lt;/a&gt; noted that the leak is from four portals that deal with National Social  Assistance Programme, National Rural Employment Guarantee Scheme,  Chandranna Bima Scheme and Daily Online Payment Reports of NREGA.&lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;"Based on the numbers available on the  websites looked at, estimated number of Aadhaar numbers leaked through  these 4 portals could be around 130-135 million and the number of bank  accounts numbers leaked at around 100 million from the specific portals  we looked at," notes the report released on May 1.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;It also says that the extent of the leaks could be even bigger than what the CIS research found. "While these numbers are only from two major government programmes of pensions and rural employment schemes, other major schemes, who have also used Aadhaar for DBT could have leaked PII similarly due to lack of information security practices. Over 23 crore beneficiaries have been brought under Aadhaar programme for DBT, and if a significant number of schemes have mishandled data in a similar way, we could be looking at a data leak closer to that number," noted the report prepared by Amber Sinha and Srinivas Kodali.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The report highlights that one of the major issues with the Aadhaar project is how the data that has been collected is handled by various government agencies. "While the UIDAI has been involved in proactively pushing for other databases to get seeded with Aadhaar numbers, they take little responsibility in ensuring the security and privacy of such data," notes the report. "...it is extremely irresponsible on the part of the UIDAI, the sole governing body for this massive project, to turn a blind eye to the lack of standards prescribed for how other bodies shall deal with such data, such cases of massive public disclosures of this data, and the myriad ways in which it may be used for mischief."&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt;
&lt;p&gt;This is not the first time there have been leaks in the Aadhaar system, although this is probably the first time someone has documented the whole thing so meticulously. There have been reports of data leaks in the past. In fact, as more and more government schemes and ID cards get linked with Aadhaar data, the instances of leaks have increased significantly.&lt;/p&gt;
&lt;p&gt;One of the big problems with the Aadhaar data is that of accountability. In the absence of a good privacy law and provisions that prescribe punishment in case of a private data leak, private and public agencies in India are often careless about the handling of data. The private details of people have leaked not only from government websites but also from private bodies like banks, telecom operators, insurance providers and financial organisations. Recently, a major data leak came to light involving a website that was selling private information of probably hundreds of thousands of people who have taken car loans in the last several years.&lt;/p&gt;
&lt;p&gt;This is a point that is also highlighted by the CIS report. "Information and data leaks have been occurring in India for a long time and the leaks around Aadhaar are not the first data leaks. But with the scale and design of Aadhaar, any information being leaked is dangerous and its impact not entirely reversible," it says.&lt;/p&gt;
&lt;p&gt;Yet, despite all the  data leaks and the fact that they undermine the faith in Digital India,  the government -- first UPA and now NDA -- has not created and  introduced a proper privacy and data protection law in India.&lt;/p&gt;
&lt;/span&gt;&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/news/india-today-may-4-2017-aadhaar-data-of-130-millions-bank-account-details-leaked-from-govt-websites-report'&gt;https://cis-india.org/internet-governance/news/india-today-may-4-2017-aadhaar-data-of-130-millions-bank-account-details-leaked-from-govt-websites-report&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>praskrishna</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Aadhaar</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2017-05-20T09:13:57Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>




</rdf:RDF>
