Centre for Internet and Society

Why Aadhaar leaks should worry you, and is biometrics really safe?

praskrishna — 2017-05-12T15:48:48Z

What’s worrying is that the UIDAI seems to always be in denial mode over security concerns.

The blog post was published by the News Minute on May 4, 2017. Amber Sinha was quoted.

If you’ve paid the slightest bit of attention to news about Aadhaar, you’ll have heard about a series of leaks of Aadhaar data from multiple government websites. Some of the latest government websites to leak Aadhaar and demographic data, were the Jharkhand Directorate of Social Security and the Kerala government’s pension department.

Shockingly, a report by The Centre for Internet and Society (CIS) revealed that the Aadhaar details along with demographic details and financial information of around 135 million people in the country has been leaked by four government portals. And this could just be the tip of the iceberg.

However, the public response to these revelations has been muted. The government and the UIDAI, the authority behind Aadhaar, have retreated behind the defence that only Aadhaar numbers have been leaked, and not biometric details, and hence there is no major problem.

However, experts warn that Aadhaar numbers by themselves pose a sufficient risk when leaked, and that the UIDAI has been consistently underplaying the risks of such leaks and overplaying the security of biometric identification.

Amber Sinha, who co-authored the CIS report, points out that it’s not just Aadhaar numbers that have been leaked on government websites, but also demographic information as well as financial details. Various such bits of data can be aggregated by fraudsters and used to steal identities and commit financial fraud online or through phones.

“We see a lot of examples of social engineering techniques where fraudsters collect data from various sources and impersonate people,” he says. The report points out that one of the most common techniques is to call persons impersonating bank officials requiring sensitive information, and provide Aadhaar and demographic details to make the bid for this information convincing.

Amber also points out that in online and phone verifications, it is possible to impersonate other persons with such information.

“Somebody can call the bank pretending to be me, and he could also authenticate himself as me if he has all the data about me. The bank will ask him some four questions and if he has all that information, then the bank has no reason to believe that he is not me,” he explains.

Co-Founder of HasGeek, Kiran Jonnalagadda, an active voice on net neutrality, freedom of speech and privacy, points out that one of the main problems is that the Aadhaar system assumes biometric verification in every transaction, but Aadhaar cards are often used as identity documents without biometrics particularly for many non-financial transactions.

“Somebody can apply for a SIM card with your Aadhaar number, and if the place that is issuing the SIM card didn't do a biometric verification then your card is good enough, because now they can do anything they want in your name,” Kiran said. In such cases, he points out, impersonation is almost ridiculously easy because the Aadhaar card, just a colour printout with no security features, can be faked by almost anyone.

He points out that, particularly in cases of online verifications, the problem of fraud is acutely heightened. “The thing is that if they have your number and your demographic details, if the government does a verification online, the details will match. Which means that the ID is not fake. It's just that you didn't actually authorise any of this. In a perfect world, everybody would do biometrics. The problem is that that does not exist right now.”

One of the major flaws of the current security practices of Aadhaar is that the UIDAI only takes responsibility for the security of data stored within its Central Identities Data Repository. However, explains Amber, over the last five years, the UIDAI has proactively seeded Aadhaar data across multiple government databases. However, the UIDAI has not exercised strict disclosure controls on these government databases, and there are no clear standards for publicity of information.

The CIS report points to the example of the Andhra Pradesh portal of the NREGA, which carries information on Aadhaar numbers and disbursal amounts on a simple text file, with no encryption or other security measures. The report argues that this system could easily be exploited to transfer illegal sums of money into these accounts, making beneficiaries liable for them.

Importantly, Amber points out that the recent publications of Aadhaar details cannot properly be called leaks. A leakage occurs, he points out, when information is treated as secret and stored accordingly and then breached from the outside or leaked by abusing access.

“Here the websites that we looked at are designed in such a way that anybody without any technical knowledge can access information. They are available for download as spreadsheets, how much simpler could it get?” he asks.

Even with the much-vaunted infallibility of biometric verification, experts warn, there are some scarily large loopholes present. While the UIDAI regularly goes to town with the claim that the biometric data stored in the CIDR is well protected behind multiple firewalls, detractors point out that biometric data collected at each transaction point is not similarly secure.

Other kinds of financial transactions such as card transactions , explains Amber, use two-factor authentication (a physical card and a pin number or card details and an OTP, for instance). With Aadhaar, however, authentication is possible with just biometrics.

This is risky because biometric data is not duplication-proof. When biometric data is collected for authentication, he says, there are ways in which this data can be stored for re-use. “At the end of the day, the way the biometric authentication works is by comparing two images. There is a copy of an image which is collected at the time of enrolment which is stored by the UIDAI, and every time you authenticate yourself you give a fresh image. As far as the CIDR is concerned, it has nothing to do with how that image is being created at that stage,” says Amber.

This can and has led to what is called a “replay attack”, where stored biometric images are used to complete transactions without the presence of the actual owner of the biometric data. This is what happened in the case involving Axis Bank, Suvidha Infoserve and eMudhra in February.

Such situations arise, says Kiran, because Aadhaar confuses two very separate functions–authentication (establishing that I am who I am) and authorisation (certifying that I want an action done in my name). “It’s the difference between signing a cheque and showing a photo ID to prove that you are who you are,” explains Kiran. The problem with biometrics is that both processes are combined in one, and there is nothing to verify that the person to whom the biometrics belongs to is actually present for each transaction.

While the UIDAI has now proposed registered and encrypted biometric devices to overcome this problem, some detractors argue that a way around this is not impossible to find either.

“The larger problem is that the UIDAI constantly plays a game of denial and catch up. They keep pretending like other people are stupid and their system will never be broken. And other people keep pointing out that they've forgotten the most obvious things about security in any information system. They are currently in denial mode, where they insist such things are not possible until after it happens, and then they say oh it's happening, let's go do something to fix it,” Kiran says.

What’s more, Kiran and Amber point out that biometrics can even be physically duplicated. On iris scans, Amber argues, “Now, with a lot of CCTV cameras, if their resolution is high enough it is possible to capture things like an iris scan. So the means for biometric authentication can be used covertly, and that is a technological truth,” he asserts.

Duplicating fingerprints, says Kiran is even easier, pointing out to attendance fraud carried out by students of the Institute of Chemical Technology in Mumbai. These students used a resin adhesive to make copies of their fingerprints, which their friends used to give them proxy attendance in the biometric attendance system.

“Lifting fingerprints is ridiculously easy. Anything you touch will leave fingerprints on it. All it requires is some cello-tape to make a copy of your fingerprints. And then you can apply some wax to it and you get an actual impression of your finger. You can go place that on any fingerprint reader and it'll be fooled,” says Kiran.

It’s not as if such duplication is not possible with devices like credit cards. However, says Kiran, there are two key differences. Firstly, credit card companies have built up elaborate checks and balances over years to tackle fraud. Secondly, and far more importantly, credit cards that have been compromised can be cancelled. “Revocability is a feature in the credit card system. In Aadhaar you can't revoke anything. If fraud happens, you are stuck with fraud for the rest of your life,” explains Kiran.

For more details visit https://cis-india.org/internet-governance/news/the-news-minute-rakesh-mehar-may-4-2017-why-aadhaar-leaks-should-worry-you-and-is-biometrics-really-safe

Aadhaar numbers of 135 mn may have leaked, claims CIS report

praskrishna — 2017-05-12T15:40:28Z

Aadhaar numbers and personal information of as many as 135 million Indians could have been leaked from four government portals due to lack of IT security practices, the Centre for Internet and Society has claimed.

The article was published in the Times of India on May 2, 2017.

"Based on the numbers available on the websites looked at, estimated number of Aadhaar numbers leaked through these four portals could be around 130-135 million," the report by CIS said.

Further, as many as 100 million bank account numbers could have been "leaked" from the four portals, it added.

The portals where the purported leaks happened were those of National Social Assistance Programme, National Rural Employment Guarantee Scheme, as well as two websites of the Andhra Pradesh government.

"Over 23 crore beneficiaries have been brought under Aadhaar programme for DBT (Direct Benefit Transfer), and if a significant number of schemes have mishandled data in a similar way, we could be looking at a data leak closer to that number," it cautioned.

The disclosure came as part of a CIS report titled 'Information Security Practices of Aadhaar (or lack thereof): A Documentation of Public Availability of Aadhaar Numbers with Sensitive Personal Financial Information'.

When contaced, a senior official of the Unique Identification Authority of India (UIDAI) said that there was no breach in its own database. The UIDAI issues Aadhaar to citizens.

The CIS report claimed that the absence of "proper controls" in populating the databases could have disastrous results as it may divulge sensitive information about individuals, including details about address, photographs and financial data.

"The lack of consistency of data masking and de- identification standard is an issue of great concern...the masking of Aadhaar numbers does not follow a consistent pattern," the report added. SR MBI MR

For more details visit https://cis-india.org/internet-governance/news/times-of-india-may-5-2017-aadhaar-numbers-of-135-mn-may-have-leaked-claims-cis-report

Aadhaar's the largest biometric database globally but it is leaky by design

praskrishna — 2017-05-12T15:35:00Z

It the largest biometric database in the world and it is fraught with security issues.

The article by Rohith Jyothish was published in the Business Standard on May 5, 2017. This article by Rohith Jyothish originally appeared on Global Voices on May 2, 2017

Over the last few months, the Indian twittersphere has been awash with citizens concerned about government websites leaking millions of individual digital ID numbers.

On May 1, the Centre for Internet and Society, a multi-disciplinary think tank in Bangalore, released a report indicating that faulty information security practices have exposed as many as 135 million ID numbers, leaked from four government databases. The data leaks originated in the process of implementing online dashboards that were likely meant for general transparency and easy administration by the government agencies.

Developed by the Union government of India in 2009, the plan called for the creation a Unique Identification Authority of India (UIDAI) that would issue Unique Identity numbers (UIDs) to all residents of India. Under this scheme, now known as Aadhaar, the UID number ties together several pieces of a person's demographic and biometric information, including their photograph, ten fingerprints and an image of their iris. This information is all stored in a centralized database.

The scheme has so far enrolled 1.13 billion Indians and residents of India, making it the largest biometric database in the world.

This has become a point of pride for government agencies involved in the program. Information Technology Minister Ravishankar Prasad (@rsprasad) tweeted:

Expanding programmes

Aadhaar was built to be used as an identity authentication mechanism that could have multiple services being built on top of it. The scheme was run under an executive order from its inception in 2009 until the Aadhaar Act was passed in 2016. The strategies employed by its supporters generated substantial controversy, and it since has been challenged in the Supreme Court on budgetary grounds. But thus far, it remains in place.

The UIDAI has maintained that the scheme is voluntary. Yet the central government has pushed state governments to include UID for a wide range of essential government services meant to be available to the public.

Independent news portal Scroll regularly covers issues related to UID’s linkages with various welfare programs through its Identity Project. In recent years, Scroll has identified multiple examples of public services being denied to individuals who did not have a UID.

In Delhi in 2015, food rations were denied to those without UID numbers. In April 2016 in the Ajmer district of Rajasthan, UID-enabled food subsidies repeatedly recorded authentication failures.

Six months after Aadhaar was introduced in Rajasthan, state officials report that 10-15% of beneficiaries who normally received food grains from the government (under the National Food Security Act) have been denied some or all of their rations because the system could not authenticate their UIDs. A local farm laborer told Scroll that his rations had been drastically reduced since the arrival of Aadhaar. “In some cases, when we put our fingers, the machine reads out 5 kg, 10 kg, or 15 kg as our entitlement. But we are entitled to 35 kg as per the government norms.”

Advocates are quick to note that there is no adequate avenue to remedy in these situations, leaving citizens with little recourse or ability to seek that these errors be corrected.

In spite of multiple court orders making UID voluntary and limited to selected schemes, the government continues to expand its scope.

Delicate infrastructure and its misuse

According to economist Jean Drèze, the new authentication system requires a lot of fragile technologies to work at the same time, such as a point of sale machine, internet connectivity, biometrics, remote servers and mobile networks. He also maintains that the primary cause of corruption in disbursement of food subsidies is related to the quantity of rations distributed or quantity fraud, which UID doesn't address.

Another economist who has worked extensively on these issues, Reetika Khera points out that the exclusion of large number of people from welfare schemes has not been because of lack of an identity, but rather due to “measly budgets and exclusion errors.“

Contention with the court

The Supreme Court issued two orders in September 2013 and March 2014 which stated that “no person shall be deprived of any service for want of Aadhaar number in case he/she is otherwise eligible/entitled.” On August 11, 2015, the court issued yet another order which limited the use of UID to food, kerosene and cooking gas subsidies. On October 15, it further expanded it to four more schemes: the National Rural Employment Guarantee Scheme, Pradhan Mantri Jan Dhan Yojana (a scheme for financial inclusion), and policies related to pension and provident funds, after the government argued that it would be difficult to roll back UID now that it is the most used national identity system and is linked to service delivery in several major welfare schemes.

‘Leaky’ by design

Following the repeated arguments by the state that UID makes it possible to weed out ‘ghost beneficiaries’ and ‘de-duplicate’ multiple IDs, revelations of fake ‘UID cards’ began to circulate. These UID cards were reportedly issued under the names of pets, historical figures, one alleged spy and even gods.

More recently, the Indian twittersphere has been vocal in pointing to government websites leaking sensitive information from the UID database. In February, security researcher Srinivas Kodali exposed a parallel database containing UID numbers and other details of 5-600,000 children.

In another case, UID numbers of scholarship-holders sat on a state government website for over a year.

On March 22, 2017, tech worker @St_Hill exposed the severity of the problem by showing spreadsheets of personal data that appear with just a single Google search.

This was immediately taken down. But new ones continue to appear with other simple Google searches.

Under the hashtag #AadhaarLeaks, Twitter users have reported numerous such cases on various government websites. The leaks gained popular attention on social media when former Indian men’s cricket team captain MS Dhoni’s UID appeared in a tweet sent by a UID enrollment operator.

The government response

The UIDAI responded to the uproar with a campaign entitled #AadhaarStars, in which parents of young children were encouraged to post 30-second videos of what UID meant to them.

This was rejected by angry twitterati through the hashtag #AadhaarFail which now offers a compendium of tweets about UID-based authentication failures.

In the last couple of months, after the privacy and security-related concerns became louder, the UIDAI has shut down enrollment operators, websites and payment applications for misuse of biometrics data. The central government has even warned state departments against leaking UID data on their portals.

As the uncertainty looms, privacy researcher Amber Sinha and aforementioned security researcher Srinivas Kodali estimated the size of #AadhaarLeaks.

For more details visit https://cis-india.org/internet-governance/news/business-standard-rohith-jyothish-may-5-2017-aadhaar-the-largest-biometric-database-globally-but-it-is-leaky-by-design

135 million aadhaar details, 100 million bank accounts "leaked" from government websites: Researchers

praskrishna — 2017-05-20T06:19:12Z

This was published by Counterview on May 5, 2017.

A top study by the Centre for Internet and Society (CIS) has estimated that “estimated number of aadhaar numbers leaked” through top portals which handle aadhaar “could be around 130-135 million”. Worse, it says, the number of bank accounts numbers leaked would be “around 100 million”.

The study, carried out by researchers Amber Sinha and Srinivas Kodali, adds, “While these numbers are only from two major government programmes of pensions and rural employment schemes, other major schemes, who have also used aadhaar for direct bank transfer (DBT) could have leaked personally identifiable information (PII) similarly due to lack of information security practices.”

Pointing out that “over 23 crore beneficiaries have been brought under aadhaar programme for DBT”, the study, titled “Information Security Practices of Aadhaar (Or Lack Thereof)”, says, “Government schemes dashboard and portals demonstrate … dangers of ill-conceived data driven policies and transparency measures without proper consideration to data security measures.”

Claiming to have a closer look at the databases publicly available portals, the researchers identify four of them a pool of other government websites for examination:

A welfare programme by the Ministry of Rural Development, the National Social Assistance Programme (NSAP) portal, even as seeking to provide public assistance to its citizens in case of unemployment, old age, sickness and disablement, offers information about “job card number, bank account number, name, aadhaar number, account frozen status”, the researchers say.

Pointing out that “one of the url query parameters of website showing the masked personal details was modified from nologin to login”, they say, the “control access to login based pages were allowed providing unmasked details without the need for a password.”

In fact, they say, the Data Download Option feature “allows download of beneficiary details mentioned above such as Beneficiary No, Name, Father’s/Husband’s Name, Age, Gender, Bank or Post Office Account No for beneficiaries receiving disbursement via bank transfer and Aadhaar Numbers for each area, district and state.”
They add, “The NSAP portal lists 94,32,605 banks accounts linked with aadhaar numbers, and 14,98,919 post office accounts linked with aadhaar numbers. While the portal has 1,59,42,083 aadhaar numbers in total, not all of whom are linked to bank accounts.”

Also giving the example of the national rural job guarantee scheme, popularly called NREGA, the researchers say, its portal provides DBT reports containing “various sub-sections including one called ‘Dynamic Report on Worker Account Detail’,” with details like “Job card number, aadhaar number, bank/postal account number, number of days worked”, and so on.

“As per the NREGA portal, there were 78,74,315 post office accounts of individual workers seeded with aadhaar numbers, and 8,24,22,161 bank accounts of individual workers with aadhaar numbers. The total number of Aadhaar numbers stored by portal are at 10,96,41,502”, they add.

Providig similar instances form two other sources, the researchers insist, “The availability of large datasets of aadhaar numbers along with bank account numbers, phone numbers on the internet increases the risk of financial fraud.”

Underlining that “aadhaar data makes this process much easier for fraud and increases the risk around transactions”, they say, “In the US, the ease of getting Social Security Numbers from public databases has resulted in numerous cases of identity theft. These risks increase multifold in India due the proliferation of aadhaar numbers and other related data available.”

Click to read the original published by Counterview on May 5, 2017.

For more details visit https://cis-india.org/internet-governance/news/counterview-may-5-2017-135-million-aadhaar-details-100-million

आधार नंबर, नाम, पता, बैंक अकाउंट और दूसरी संवेदनशील जानकारियां लीक: CIS रिपोर्ट

praskrishna — 2017-05-20T11:40:49Z

एक तरफ भारत सरकार लोगों से अपना आधार कार्ड बनवाने और उसे जरूरी सर्विसों के साथ जोड़ने की अपील कर रही है. दूसरी तरफ लगातार सरकारी वेबसाइट्स से लोगों की आधार से जुड़ी जानकारियां लीक हो रही हैं. सरकार ने आधार को लगभग सभी सर्विसों के लिए जरूरी करने की तैयारी की है.

This was published by Aaj Tak on May 4, 2017.

ताजा रिसर्च के मुताबिक सरकार के डेटाबेस से लगभग 135 मिलियन आधान नंबर ऑनलाइन लीक हुए हो सकते हैं. इस रिसर्च दी सेंटर फॉर इंटरनेट एंड सोसाइटी (CIS) ने कराया है. इस एजेंसी ने इस रिसर्च को इनफॉर्मेशन सिक्योरिटी प्रैक्टिस ऑफर आधार के नाम से प्रकाशित किया है.

रिपोर्ट के मुताबिक सरकारी पोर्टल्स ने लगभग 135 मिलियन भारतीय नागरिकों के आधार नंबर ऑनलाइन को पब्लिक कर दिया. यानी कोई भी इसे ऐक्सेस कर सके. जाहिर है ऐसे में आधार नंबर के गलत यूज का भी खतरा होता है.

चार सरकारी वेबसाइट जिनमें मनरेगा, सोशल ऐसिस्टेंस प्रोग्राम, डेली ऑनलाइन पेमेंट रिपोर्ट और चंद्रण बीमा स्कीम वेबसाइट शामिल हैं. रिपोर्ट के मुताबिक इन वेबसाइट्स पर यूजर्स के आधार नंबर और फिनांशियल जानकारी जैसे बैंक अकाउंट डीटेल को पब्लिक कर दिया जिसे कोई भी ऐक्सेस कर सकता है.

रिपोर्ट के मुताबिक नेशनल सोशल ऐसिस्टेंस प्रोग्राम की वेबसाइट पर पेंशन धारकों के जॉब कार्ड नंबर, बैंक अकाउंट नंबर, आधार कार्ड नंबर और अकाउंट की स्थिति जैसी संवेदनशील जानकारियां उपलब्ध होती हैं. लेकिन कमजोर सिक्योरिटी की वजह से यह दुनिया के किसी भी इंसान के लिए उपलब्ध हो गई. सिर्फ कुछ क्लिक से ही तमाम संवेदनशील जानकारियां हासिल की जा सकती हैं.

हाल ही में झारखंड सरकार की एक वेबसाइट पर लाखों आधार कार्ड होल्डर्स की जानकारियां लीक हो गईं. इसके अलावा कई राज्यों की सरकारी वेबसाइट पर स्कॉलरशिप पाने वाले स्टूडेंट्स के आधार कार्ड डीटेल्स लीक हो गए. गूगल सर्च के जरिए सिर्फ कुछ कीवर्ड्स यूज करके डीटेल्स कोई भी ढूंढ कर गलत यूज कर सकता है.

इस रिसर्च रिपोर्ट में कहा गया है आधार नंबर, जाती, धर्म, पता, फोटोग्राफ्स और यूजर की आर्थिक जानकारी इस तरह पब्लिक होना इस बात को दर्शाता है कि इसे कितने लचर तरीके से लागू किया गया है.

हाल ही में मानव संसाधन विकास मंत्रालय की वेबसाइट से ऐसे डेटा ऐक्सेल शीट आसानी से गूगल के जरिए डाउनलोड की जा सकती थी. आप इसे चूक करें या लापरवाही, लेकिन इतने नागरिकों का घर तक का पता किसी के पास भी हो सकता है.

क्या आधार नंबर को पब्लिक करना सही है?
आधार ऐक्ट 2016 के मुताबिक किसी नागरिक का आधार डेटा पब्लिश नहीं किया जा सकता. यानी मंत्रालय की वेबसाइट इन डेटा को सिक्योर रखने में नाकामयाब हो रही हैं.

आधार ऐक्ट 2016 के तहत कलेक्ट किया गया कोई भी आधार नंबर या कोर बायोमैट्रिक इनफॉर्मेशन पब्लिक नहीं किया जा सकता और न ही इसे किसी पब्लिक प्लैटफॉर्म पर पोस्ट किया जा सकता है. हालांकि इसके इस्तेमाल कानून के तहत शामिल की गईं एजेंसियां और संस्थाएं कर सकती हैं.

दी वायर की एक रिपोर्ट के मुताबिक एक महीने पहले डेटा रिसर्चर श्रीनीवास कोडाली ने थर्ड पार्टी वेबसाइट के द्वारा गलती लीक किए गए 5-6 लाख लोगों के पर्सनल डेटा के बारे में बताया था. इस डेटा में आधार नंबर, नाम, कास्ट, जेंडर और फोटोज शामिल थे.

सरकार के हमेशा दावा करती है कि आधार सिक्योर है
सरकार लगातार दावा करती है कि आधार सिक्योर है सेफ है और डेटा लीक नहीं हो रहे हैं. लेकिन ये घटनाएं लागातार उन दावों को खोखला साबित कर रही हैं. सवाल यह है कि अब इस रिपोर्ट के बाद सरकार कोई कठोर कदम उठाती है या फिर पहले की तरह लचर सुरक्षा बनी रहेगी.

For more details visit https://cis-india.org/internet-governance/news/aaj-tak-may-4-2017-135-million-aadhaar-number-leaked-by-govt-website-cis-report

Aadhaar data of 130 millions, bank account details leaked from govt websites: Report

praskrishna — 2017-05-20T09:13:57Z

Just how leaky is the Aadhaar data? A lot, says a study published by Centre for Internet and Society, a Bengaluru-based organisation (CIS). In a study published on May 1, two researchers from CIS found that data of over 130 million Aadhaar card holders has been leaked from just four government websites. As scary as this is, there is more to it. Not only the Aadhaar numbers, names and other personal details of millions of people have been leaked but also their bank account numbers.

The article was published in India Today on May 4, 2017.

The CIS report noted that the leak is from four portals that deal with National Social Assistance Programme, National Rural Employment Guarantee Scheme, Chandranna Bima Scheme and Daily Online Payment Reports of NREGA.

"Based on the numbers available on the websites looked at, estimated number of Aadhaar numbers leaked through these 4 portals could be around 130-135 million and the number of bank accounts numbers leaked at around 100 million from the specific portals we looked at," notes the report released on May 1.

It also says that the extent of the leaks could be even bigger than what the CIS research found. "While these numbers are only from two major government programmes of pensions and rural employment schemes, other major schemes, who have also used Aadhaar for DBT could have leaked PII similarly due to lack of information security practices. Over 23 crore beneficiaries have been brought under Aadhaar programme for DBT,10 and if a significant number of schemes have mishandled data in a similar way, we could be looking at a data leak closer to that number," noted the report prepared by Amber Sinha and Srinivas Kodali.

The report highlights that one of the major issues with the Aadhaar project is how the data has been collected is handled by various government agencies. "While the UIDAI has been involved in proactively pushing for other databases to get seeded with Aadhaar numbers, they take little responsibility in ensuring the security and privacy of such data," notes the report. "...it is extremely irresponsible on the part of the UIDAI, the sole governing body for this massive project, to turn a blind eye to the lack of standards prescribed for how other bodies shall deal with such data, such cases of massive public disclosures of this data, and the myriad ways in which it may used for mischief."

This is not the first time, there have been leaks into the Aadhaar system, although this is probably the first time someone has documented the whole bit so meticulously. There have been reports of data leaks in the past. In fact, as more and more government schemes and ID cards gets linked with Aadhaar data the instances of leaks have increased significantly.

One of the big problem with the Aadhaar data is that of accountability. In absence of a good privacy law and provisions that prescribe punishment in case of private data leak, private and public agencies in India are often careless about handling of data. The private details of people have not only leaked from government websites but also from private bodies like banks, telecom operators, insurance providers and financial organisations. Recently, a major data leak came to light involving a website that was selling private information of probably hundreds of thousands of people who have take car loan in the last several years.

This is a point that is also highlighted by CIS report. "Information and data leaks have been occurring in India for a long time and the leaks around Aadhaar are not the first data leaks. But with the scale and design of Aadhaar, any information being leaked is dangerous and its impact not entirely reversible," it says.

Yet, despite all the data leaks and the fact that they undermine the faith in Digital India, the government -- first UPA and now NDA -- has not created and introduced a proper privacy and data protection law in India.

For more details visit https://cis-india.org/internet-governance/news/india-today-may-4-2017-aadhaar-data-of-130-millions-bank-account-details-leaked-from-govt-websites-report

With digitisation at the forefront, government departments need to be cautious about digital security

praskrishna — 2017-05-20T08:33:37Z

The huge leak of Aadhar data from four websites belonging to a central ministry and the Andhra Pradesh government has been on the government radar for a while. The leak, caused by poor security protocols, had left around 130 million numbers and their allied information, like bank and post office account details, open to access for several months. As the last website finally plugged loophole, violation echoed in Supreme Court.

The blog post by Manas Pratap Singh was published by NDTV on May 4, 2017.

Deliberate revelation of Aadhaar can lay people open to financial fraud and it is a punishable offence and this is what the Electronics and Information ministry has reminded all government departments.

"Aadhaar numbers and demographic information and other sensitive personal data" collected by "ministries/departments, state departments" have been published online, read a letter from the ministry dated April 24.

Such publishing, it added, "is in clear contravention of the provisions of the Aadhaar Act 2016 and constitutes an offence punishable with imprisonment upto 3 years". Such outing of financial information is also a violation of IT Act, it said.

Besides asking web managers to sensitise the ministries, the letter also said that display of such information be stopped immediately.

On May 1, a report by non-profit research organisation Centre for Internet & Society said two of the websites from where the data leak took place, belongs to the Union Ministry of Rural Development.

One stored data for the MNREGA - the mammoth Central scheme for rural employment which caters to 25.46 crore people. The other was the National Social Assistance Programme, another Central scheme under which pension is provided to the elderly people, widows and persons with disabilities.

Amber Sinha, co-author of the CIS report, told NDTV, "For portals that had not masked data, we informed the relevant authorities and asked them to take down the available information."

The Rural Development ministry has now decided to form an expert group on IT and cyber security, which will be headed by Kiran Karnik, a former chief of Nasscom. The ministry, however, is yet to comment on the data leak.

For more details visit https://cis-india.org/internet-governance/news/ndtv-may-4-2017-manas-pratap-singh-government-knew-of-mega-aadhaar-leak-ministries-were-warned

India’s Supreme Court hears challenge to biometric authentication system

praskrishna — 2017-05-20T06:44:02Z

Two lawsuits being heard this week before India’s Supreme Court question a requirement imposed by the government that individuals should quote a biometrics-based authentication number when filing their tax returns.

The post by John Riberio, IDG News Service was mirrored by IT World on May 3, 2017.

Civil rights groups have opposed the Aadhaar biometric system, which is based on centralized records of all ten fingerprints and iris scans, as their extensive use allegedly encroach on the privacy rights of Indians. “Aadhaar is surveillance technology masquerading as secure authentication technology,” said Sunil Abraham, executive director of Bangalore-based research organization, the Centre for Internet and Society.

The Indian government has in the meantime extended the use of Aadhaar, originally meant to identify beneficiaries of state schemes for the poor, to other areas such as filing of taxes, distribution of meals to school children and payment systems.

Hearings on the writ petitions, challenging the amendment to the Income Tax Act, are going on in Delhi before a Supreme Court bench consisting of Justices A.K. Sikri and Ashok Bhushan.

Tax payers are required to have the Aadhaar number in addition to their permanent account number (PAN), which they have previously used to file their tax returns. Their failure to produce the Aadhaar number would lead to invalidation of the PAN number, affecting people who are already required to quote this number for other transactions such as buying cars or opening bank accounts.

The stakes in this dispute are high. The petitioners have argued for Aadhaar being voluntary and question the manner in which the new amendment to the tax law has been introduced. The government has said both in court and in other public forums that it needs a reliable and mandatory biometric system to get around the issue of fake PAN numbers.

The lawyer for one of the plaintiffs, Shyam Divan, has argued for the individual’s absolute ownership of her body, citing Article 21 of the Indian Constitution, which protects a person from being “deprived of his life or personal liberty except according to procedure established by law.” The government has countered by saying that citizens do not have absolute rights over their bodies, citing the law against an individual committing suicide as an example.

The Supreme Court in another lawsuit looking into privacy issues and the constitutionality of the Aadhaar scheme had ruled in an interim order in 2015 that the biometric program had to be voluntary and could not be used to deprive the poor of benefits.

"The production of an Aadhaar card will not be condition for obtaining any benefits otherwise due to a citizen," the top court ruled.

The government holds that the Aadhaar Act, passed in Parliament last year, provides the legal backing for making the biometric identification compulsory.

The current lawsuits against Aadhaar have not been argued on grounds of privacy, reportedly because the court would not allow this line of argument, which is already being heard in the other case. The Supreme Court has made current petitioners “fight this battle with one arm tied behind their backs!,” wrote lawyer Gautam Bhatia in a blog post Wednesday.

For more details visit https://cis-india.org/internet-governance/news/idg-news-service-john-riberio-may-3-2017-indias-supreme-court-hears-challenge-to-biometric-authentication-system

130 Million at Risk of Fraud After Massive Leak of Indian Biometric System Data

praskrishna — 2017-05-20T12:36:06Z

A series of potentially calamitous leaks in India leave as many as 130 million people at risk of fraud or worse after caches of biometric and other personal data became accessible online.

The article by Dell Cameron was published by Gizmodo on May 3, 2017.

That’s according to a new report from the Bangalore-based Centre for Internet and Society (CIS), which details breaches at four national- and state-run databases, all of which are said to contain purportedly “uniquely-identifying” Aadhaar numbers.

Launched in 2009, the Aadhaar system is an ambitious, albeit flawed program aimed at assigning unique identity numbers, not only to Indian citizens, but everyone who resides and works in the country. It is the largest program of its kind in the world. The 12-digit Aadhaar codes are assigned and maintained in a central database by the Unique Identification Authority of India (UIDAI) and link to biometric data of fingerprint and iris scans combined.

For security purposes, since 2002, all U.S. passports issued to international travelers at embassies and consulates around the world have contained biometric data, including a ten fingerprint scan, contained in a microchip embedded in the back cover. In 2007, the law was extended to cover U.S. citizens, and since at least 2013, so-called “e-passports” have been the standard.

With a very different intention in mind, the Aadhaar system was created to employ biometrics as a means to ensure that Indian residents have access to the social safety net, including programs for welfare, health, and education. But due to the sheer scale—again, the largest biometric project in history—the program has been fraught with controversy since day one. Since inception, more than 1.13 billion Aadhaar numbers have since been assigned, according to UIDAI data. (India has a population of roughly 1.32 billion.)

Former World Bank economist Salman Anees , a member of the Indian National Congress (INC), points to migrant laborers as an example of those the program is intended to help. The often carry no identification, he said, and therefore can rarely prove who they are when traveling from state to state. The purpose of the Aadhaar system, he said, is to provide every Indian with a “digital identity.”

“At least, that was the original idea,” adds Soz.

After the INC was battered in the 2014 general election, plans were put forth to expand the scope of the Aadhaar program, inflaming public concern over security and privacy. “Basically, you take this Aadhaar number and you start seeding different [government] databases,” Soz says. “And that, in effect, creates this huge data structure that people are very uncomfortable with.”

“In some ways,” he continued, “what you have is this amazingly modern system with huge data collection potential—and of course, many positives can come from this, but in the wrong hands it can become a huge problem for India. At the same time, your legal framework, your regulatory framework, your policies and procedures are not there. People aren’t aware of what their rights are. They have no idea what this thing can do.”

One problem, Soz says, is that Aadhaar numbers are not always checked against a cardholder’s fingerprints or iris scans in all cases, defeating its purpose entirely. When someone provides an Aadhaar number to prove their identity online or by phone, for example, their identities cannot adequately verified. In this way, Aadhaar numbers are not wholly unlike Social Security numbers in the United States. Were 130 million Social Security numbers to be leaked online, confidence in the ability to use that number to confirm an Americans’ identities would be shaken, if not destroyed.

Last month, a central government database containing thousands of Aadhaar numbers—as well as dates of birth, addresses, and tax IDs (PAN)—reportedly leaked, exposing thousands of Indian residents to potential abuse. According to The Wire, the information, which was contained in Microsoft Excel spreadsheets, could be easily located on Google.

According to CIS, roughly 130-135 million Aadhaar numbers have now been exposed in this most recent leak. With the growing use of the numbers in areas such as insurance and banking, and without proper mechanisms in place to biometrically confirm the identities of cardholders in every case, the threat of financial fraud is pervasive. “All of these leaks are symptomatic of a significant and potentially irreversible privacy harm,” the report says, noting that such incidents “create a ripe opportunity for financial fraud.”

While Aadhaar is not mandatory everywhere, CIS says, the Indian government continues collecting information about the participants under various social programs. Inevitably, that information is combined with other databases containing even more sensitive data. As that happens, there’s a heightened risk to those whose Aadhaar numbers have been compromised. How the Indian government will address its apparently inadequate security controls before fraud overwhelms the system remains unknown.

Read the full report: Information Security Practices of Aadhaar (or lack thereof): A documentation of public availability of Aadhaar Numbers with sensitive personal financial information

For more details visit https://cis-india.org/internet-governance/news/gizmodo-may-3-2017-130-million-at-risk-of-fraud-after-massive-leak-of-indian-biometric-system-data

'Aadhaar' Of Your Existence Or Card Of Controversy?

praskrishna — 2017-05-20T12:24:20Z

recent report estimates that details of 13 crore Aadhaar card holders have been leaked from four government websites. These include bank account details, income levels, addresses, even caste and religion details.

This was telecasted by NDTV on May 3, 2017. Amber Sinha was a panelist.

As the Supreme Court questioned the government about this, the centre admitted for the first time that the leaks had taken place but passed the onus on to state governments. It also argued that no technology was a 100 per cent foolproof but that couldn't be the basis for a constitutional challenge. Those who have petitioned against making Aadhar mandatory for filing income tax say no other democratic country has such a requirement and allege that it shows the sinisterness of the government.

Video

For more details visit https://cis-india.org/internet-governance/news/ndtv-may-3-2017-aadhaar-of-your-existence-or-card-of-controversy

Aadhaar data of over 13 crore people exposed: New report

praskrishna — 2017-05-20T08:57:24Z

Ajay Bhushan Pandey, CEO of UIDAI, the nodal body for Aadhaar, said, “There is no data leak from UIDAI.”

The article was published in the Indian Express on May 3, 2017.

UP TO 13.5 crore Aadhaar numbers are exposed and are publicly available on government websites and approximately 10 crore of these are linked to bank account details, according to a new report published on Monday. The 27-paged report — Information Security Practices of Aadhaar (or lack thereof): A documentation of public availability of Aadhaar Numbers with sensitive personal financial information — published by non-profit organisation The Centre for Internet and Society (CIS) has collected Aadhaar data from four government portals.

Two of these are national portals: National Social Assistance Programme and National Rural Employment Guarantee Act (NREGA), both under the Ministry of Rural Development. The other two studied by the report’s authors, Srinivas Kodali and Amber Sinha, are run by the Andhra Pradesh government: a daily online payments report under NREGA by the state government, and Chandranna Bima Scheme.

The report states: “Based on the numbers available on the websites looked at, the estimated number of Aadhaar numbers leaked through these 4 portals could be around 130-135 million (13-13.5 crore) and the number of bank accounts numbers leaked at around 100 million (10 crore) from the specific portals we looked at.” Ajay Bhushan Pandey, CEO of Unique Identification Authority of India (UIDAI), the nodal body for Aadhaar, said, “There is no data leak from UIDAI.”

Since the CIS report focused on websites of only four schemes, it is possible that many more Aadhaar cards may be available on other government websites. At least nine other instances were reported in April alone. Section 29(4) of Aadhaar Act prohibits making Aadhaar number of any individual public.

Pandey said, “Aadhaar numbers and bank accounts have been independently collected from people by other agencies for their own usage, not related to UIDAI.” Asked if UIDAI will take action against errant government departments, he said the “police will need to take action”.

For more details visit https://cis-india.org/internet-governance/news/indian-express-may-3-2017-aadhaar-data-of-over-13-crore-people-exposed-new-report

En Inde, le biométrique version très grand public

praskrishna — 2017-05-03T16:27:23Z

Initiée en 2010, l’Aadhaar est désormais la plus grande base de données d’empreintes et d’iris au monde. Carte d’identité destinée aux 1,25 milliard d’Indiens, elle sert aussi de moyen de paiement. Mais la sécurité du système et son utilisation à des fins de surveillance posent question.

The article was published by Liberation on April 27, 2017. Sunil Abraham was quoted.

Le front barré d’un signe religieux hindou rouge, Vivek Kumar se tient droit derrière le comptoir de son étroite papeterie située dans une allée obscure d’un quartier populaire du sud-est de New Delhi. Sous le regard bienveillant d’une idole de Ganesh - le dieu qui efface les obstacles -, le commerçant à la fine moustache et à la chemise bleu-gris au col Nehru réalise des photocopies, fournit des tampons ou des stylos à des dizaines de chalands.

Gaurav, un vendeur de légumes de la halle d’à côté, entre acheter du crédit de communication mobile. Au moment de payer, il sort son portefeuille, mais pas pour chercher de la monnaie. Il y prend sa carte d’identité Aadhaar et fournit ses douze chiffres au commerçant. Qui les entre dans un smartphone, sélectionne la banque de Gaurav et indique le montant de l’achat. Le client n’a plus qu’à poser son pouce sur un lecteur biométrique relié au combiné, connecté à Internet. Une lumière rouge s’allume et un son retentit : la transaction est bien passée.

Depuis mars, 32 banques indiennes fournissent ce service novateur de paiement par empreinte digitale. Appelé Aadhaar Pay, il utilise les informations biométriques, à savoir les dix empreintes digitales et celle de l’iris, recueillies par le gouvernement depuis septembre 2010 pour créer la première carte d’identité du pays. Toute personne résidant en Inde depuis plus de six mois, y compris les étrangers, peut s’inscrire et l’obtenir gratuitement.

«Renverser le système»

L’Aadhaar («la fondation» en hindi) représente aujourd’hui la plus grande base de données biométriques au monde, avec 1,13 milliard de personnes enregistrées sur 1,25 milliard, soit 99 % de la population adulte indienne.

L’objectif initial était double : identifier la population - 10% des Indiens n’avaient jusqu’ici aucun papier, et donc aucun droit - et se servir de ces moyens biométriques pour sécuriser l’attribution de nombreuses subventions alimentaires ou énergétiques, dont le détournement coûte plusieurs milliards d’euros chaque année à l’Etat fédéral.

A partir de 2014, la nouvelle majorité nationaliste hindoue du BJP a étendu les usages de l’Aadhaar pour transformer cet outil de reconnaissance en un vrai «passe-partout» de la vie quotidienne indienne : depuis l’ouverture d’une ligne téléphonique à la déclaration de ses impôts, en passant surtout par la création d’un compte en banque, le numéro Aadhaar sera à présent requis. Dans ce dernier cas, l’Aadhaar permet en prime d’utiliser le paiement bancaire par biométrie pour réduire le recours au liquide, qui représente encore plus de 90 % des transactions dans le pays.

Le Premier ministre, Narendra Modi, a fait de cette inclusion financière l’un de ses principaux chevaux de bataille : en 2014, son gouvernement a lancé un énorme programme qui a permis la création de 213 millions de comptes bancaires en deux ans - aujourd’hui, quasiment tous les foyers en possèdent au moins un. Il a continué dans cette voie énergique en démonétisant, en novembre, les principales coupures. But de la manœuvre : convaincre les Indiens de se défaire, au moins temporairement, de leur dépendance aux billets marqués de la tête de Gandhi.

«Le liquide est gratuit, donc il est difficile de pousser les gens à utiliser d’autres moyens de paiement, explique Ragavan Venkatesan, responsable des paiements numériques à la banque IDFC, pionnière dans l’utilisation de l’Aadhaar Pay. Nous avons donc renversé le système pour que le commerçant soit incité à utiliser les moyens numériques.» L’établissement financier a d’abord développé le «microdistributeur de billets» : une tablette que le vendeur peut utiliser pour créer des comptes, recevoir des petits dépôts ou fournir du liquide aux clients au nom de la banque, contre une commission. Comme l’Aadhaar Pay, cette tablette se connecte au lecteur biométrique - fourni par l’entreprise française Safran - pour l’identification et l’authentification. Dans les deux cas, et à la différence des paiements par carte, ni le marchand ni le client ne paient pour l’utilisation de ce réseau. «Le mode traditionnel de paiement par carte va progressivement disparaître», prédit Ragavan Venkatesan.

Défi

Pour l’instant, le système n’en est toutefois qu’à ses débuts. Environ 70 banques - une minorité du réseau indien - sont reliées à l’Aadhaar Pay, et lors de nos visites dans différents magasins de New Delhi, une transaction a été bloquée pendant dix minutes à cause d’un problème de serveur. La connectivité est d’ailleurs un défi dans un pays dont la population est en majorité rurale : le système nécessite au minimum le réseau 2G, dont sont dépourvus environ 8 % des villages, selon le ministère des Télécommunications.

Mais c’est la protection du système qui est surtout en question : «La biométrie réduit fortement le niveau de sécurité, car c’est facile de voler ces données et de les utiliser sans votre accord, explique Sunil Abraham, directeur du Centre pour l’Internet et la société de Bangalore. Il existe maintenant des appareils photo de haute résolution qui permettent de capturer et de répliquer les empreintes ou l’iris», affirme ce spécialiste en cybersécurité.

Le problème tient au caractère irrévocable de ces données biométriques. A la différence d’une carte bancaire qu’on peut annuler et remplacer, on ne peut changer d’empreinte ou d’iris. L’Autorité indienne d’identification unique (UIDAI), qui gère l’Aadhaar, prévoit bien que l’on puisse bloquer l’utilisation de ses propres données biométriques sur demande, ce qui offre une solution de sécurisation temporaire. «Si un fraudeur essaie de les utiliser, on peut le repérer [grâce au réseau internet, ndlr] et l’arrêter», défend Ragavan Venkatesan, de la banque IDFC.

Mais cela risque de ne pas suffire en cas de recel de ces informations : la police vient d’interpeller un groupe de trafiquants qui étaient en possession des données bancaires de 10 millions d’Indiens, récupérées à travers des employés et sous-traitants, données qu’ils revendaient par paquets. Une femme âgée s’était déjà fait dérober 146 000 roupies (un peu plus de 2 000 euros) à cause de cette fraude.

Outil idéal

Le directeur de l’UIDAI assure qu’aucune fuite ni vol de données n’ont été rapportés à ce jour depuis leurs serveurs - ce qui ne garantit pas que cette confidentialité sera respectée par tous les autres acteurs qui y ont accès. En février, un chercheur en cybersécurité a alerté la police sur le fait que 500 000 numéros Aadhaar ainsi que les détails personnels de leurs propriétaires - exclusivement des mineurs - avaient été publiés en ligne. La loi sur l’Aadhaar punit de trois ans de prison le vol ou le recel de ces données. Ce texte adopté l’année dernière - soit six ans après le début de la collecte - empêche également leur utilisation à d’autres fins que l’authentification pour l’attribution de subventions et de services. Et l’UIDAI ne peut y accéder pleinement qu’en cas de risque pour la sécurité nationale, et selon une procédure spéciale.

Reste qu’il n’existe pas d’autorité, comme la Cnil en France, chargée de veiller de manière indépendante à ce que ces lignes rouges ne soient pas franchies par un Etat à la recherche de nouveaux moyens de renseignement. Car les experts s’accordent sur ce point : le biométrique est un outil idéal pour surveiller une population.

En 2010, le gouvernement britannique avait d’ailleurs mis fin à son projet de carte d’identité biométrique, estimant que le taux d’erreurs dans l’authentification était trop élevé et le risque d’atteinte aux libertés trop important. Les Indiens, souvent subjugués par les nouvelles technologies pour résoudre leurs problèmes sociaux, ne semblent pas prêts de revenir en arrière. Surtout si cela peut en plus servir à mieux ficher un pays menacé par un terrorisme régional et local.

For more details visit https://cis-india.org/internet-governance/news/en-inde-le-biometrique-version-tres-grand-public

Aadhaar Case: Beyond Privacy, An Issue of Bodily Integrity

Amber Sinha and Aradhya Sethia — 2017-05-03T16:02:02Z

The insertion of Section 139AA in the Income Tax Act has been challenged and is being heard by a two-judge bench of the Supreme Court.

The article was published in the Quint on May 1, 2017.

The Finance Act, 2017, among its various sweeping changes, also inserted a new provision into the Section 139AA of the IT ACT, which makes Aadhaar numbers mandatory for:

(a) applying for PAN and

(b) filing income tax returns

In case one does not have an Aadhaar number, she or he is required to submit the enrolment ID of one’s Aadhaar application. The overall effect of this provision is that it makes Aadhaar mandatory for filing tax returns and applying for a PAN. The SC hearings began on 26 April. In order to properly appreciate the tough task at hand for the counsel for the petitioners, it is important to do a quick recap of the history of the Aadhaar case.

Case Over Constitutional Validity

Back in August 2015, the Supreme Court had referred the question of the constitutional validity of the fundamental right to privacy to a larger bench.

This development came after the Union government pointed out that the judgements in MP Sharma vs Satish Chandra and Kharak Singh vs State of UP (decided by eight and six judge benches respectively) rejected a constitutional right to privacy.

The reference to a larger bench has since delayed the entire Aadhaar case, while an alarming number of government schemes have made Aadhaar mandatory in the meantime.

Since then, the Supreme Court has not entertained any arguments related to privacy in the court proceedings on Aadhaar pending the resolution of this issue by a constitutional bench, which is yet to to be set up. The petitioners have had to navigate this significant handicap in the current proceedings as well.

Ongoing Hearing in Aadhaar Case

At the beginning of Advocate Shyam Divan’s arguments on behalf of the petitioners, the Attorney General objected to the petitioners making any argument related to the right to privacy. Anticipating this objection, Divan assured the court, right at the outset that they “will not argue on privacy issue at all”.

In the course of his arguments, Divan referred to at least three rights which may otherwise have been argued as facets of the right to privacy – personal autonomy, informational self-determination and bodily integrity. However, in this hearing those rights were strategically not couched as dimensions of privacy.

Divan consistently maintained that these rights emanate from Article 21 and Article 19 of the Constitutions and are different from the right to privacy.

Many Layers of the Right to Privacy

If one follows the courtroom exchanges in the original Aadhaar matter (not the one being argued now), the debates around the privacy implications of Aadhaar have focussed on simplistic balancing exercises of “security vs privacy” and “efficient governance vs privacy”.

These observations depict the right to privacy as a monolithic concept, i.e. a single right which has a unity of harm it captures within itself. In other words, all privacy harms are considered to be on the same footing. "Privacy harms" here mean the undesirable effects of the violation of the right to privacy.

This monolithic conception was clearly reflected in the Supreme Court’s decision to refer the constitutionality of “right to privacy” to a larger bench.

In MP Sharma vs Satish Chandra, the Supreme Court had rejected certain dimensions of what is generally understood as the right to privacy in a specific context (and hence dealing with a specific kind of privacy harm). A monolithic conception of the right to privacy would mean that MP Sharma should be applicable to all kinds of privacy claims.

Prof Daniel Solove, a privacy law expert, in his landmark paper “Taxonomy of Privacy” argues that the right to privacy captures multiple kinds of harms within itself. The right to privacy is not a monolithic concept, but a plural concept; there is no one right to privacy, but multiple hues of right to privacy.

Sidestepping ‘Privacy’ in the Current Case

The plural conception of the right to privacy not only makes our privacy jurisprudence more nuanced and comprehensive, but also guides us to analyse differential privacy harms according to the standards appropriate for them.

Therefore, the refusal of the Supreme Court in MP Sharma to recognise a specific construction of privacy read into a specific constitutional provision should not have precluded the bench, even one smaller in number, from treating other conceptions of privacy into the same or other constitutional provisions.

As a lawyer, Divan was severely compromised from being unable to argue the right to privacy, which in my opinion, cuts at the heart of the constitutional issues with the Aadhaar project.

He refrained from couching any of his arguments on bodily integrity, informational self-determination, and personal autonomy as privacy arguments. What the approach reveals is that far from being a monolithic notion, the harms that privacy, as we understand it, addresses, are capable of being broken into multiple and distinct rights.

Moving Beyond Article 21

Divan further argues that coercing someone to give personal information is compelled speech and hence, violative of Article 19(1)(a) (the rights to free speech and expression). Once again, the harm described here – compelling someone to part with personal data – is conventionally a privacy harm.

However, it is important to note here that a privacy harm may also be a speech harm. Therefore, Article 21 is not the sole repository of these rights. They may also be located under other articles. The practical consequence of these rights being located under multiple constitutional provisions could be added protection of these rights.

For instance, if it can be shown that compelling an individual to part with personal data results into violation of Article 19(1)(a), the State will have to show which ground laid down under Article 19(2) does the specific restriction fall under.

This might be more challenging as opposed to the vague standard of “compelling state interest” test which has been the constitutional test for privacy violations under Article 21.

Changing the Definition of Right to Privacy

The arguments presented by Divan, if accepted by the Supreme Court, could represent a two-pronged shift in the landscape of the values popularly understood under the right to privacy in India:

1) first, the idea of the rights of bodily integrity, informational self-determination, and personal autonomy as part of a plural concept (whether arising from the right to privacy or another right) that encompasses several harms within it, and

2) second that some of these rights may be read into other Articles in the Constitution.

Under the circumstances, Mr Divan’s performance was nothing short of heroic. Whether they pass muster and impact the course of this long drawn legal battle remains to be seen.

(Amber Sinha is a lawyer and works as a researcher at the Centre for Internet and Society. Aradhya Sethia is a final year law student at the National Law School of India University, Bangalore. This is an opinion piece and the views expressed above are the author’s own. The Quint neither endorses nor is responsible for the same.)

For more details visit https://cis-india.org/internet-governance/blog/the-quint-amber-sinha-and-aradhya-sethia-may-1-2017-aadhaar-case-beyond-privacy-an-issue-of-bodily-integrity

Govt may have made 135 million Aadhaar numbers public: CIS report

praskrishna — 2017-05-03T15:43:37Z

CIS report says Aadhaar numbers leaked through government databases could be 100-135 million and bank accounts numbers leaked about 100 million.

The article by Komal Gupta was published in Livemint on May 2, 2017.

A central government ministry and a state government may have made public up to 135 million Aadhaar numbers, according to a research report issued by Bengaluru-based think tank Centre for Internet and Society (CIS) late on Monday.

The report titled Information Security Practices of Aadhaar (or lack thereof): A documentation of public availability of Aadhaar numbers with sensitive personal financial information studied four government databases.

The first two belong to the rural development ministry—the National Social Assistance Programme (NSAP)’s dashboard and the National Rural Employment Guarantee Act’s (NREGA) portal.

The other two databases deal with Andhra Pradesh—the state’s own NREGA portal and the online dashboard of a government scheme called “Chandranna Bima”.

“Based on the numbers available on the websites looked at, the estimated number of Aadhaar numbers leaked through these four portals could be around 130-135 million and the number of bank account numbers leaked at around 100 million from the specific portals we looked at,” said Amber Sinha and Srinivas Kodali, the authors of the research report.

The report claims these government dashboards and databases revealed personally identifiable information (PII) due to a lack of proper controls exercised by the departments.

“While the availability of aggregate information on the Dashboard may play a role in making government functioning more transparent, the fact that granular details about individuals including sensitive PII such as Aadhaar number, caste, religion, address, photographs and financial information are only a few clicks away suggest how poorly conceived these initiatives are,” said the report.

The report said the NSAP portal lists 94,32,605 bank accounts and 14,98,919 post office accounts linked with Aadhaar.

“While the UIDAI (Unique Identification Authority of India) has been involved in proactively pushing for other databases to get seeded with Aadhaar numbers, they take little responsibility in ensuring the security and privacy of such data,” said the report.

UIDAI did not respond to an email from Mint seeking comments.

For more details visit https://cis-india.org/internet-governance/news/livemint-may-2-2017-komal-gupta-govt-may-have-made-135-million-aadhaar-numbers-public-cis-report

130 Million Aadhaar Numbers Were Made Public, Says New Report

praskrishna — 2017-05-20T06:32:32Z

The research report looks at four major government portals whose poor information security practices have exposed personal data including bank account details.

The article was published in the Wire on May 1, 2017. This was also mirrored on MensXP.com on May 5, 2017.

Irresponsible information security practices by a major central government ministry and a state government may have exposed up to 135 million Aadhaar numbers, according to a new research report released on Monday.

The last two months have seen a wave of data leaks, mostly due improper information security practices, from various central government and state government departments.

This new report, released by the Centre for Internet and Society, studied four government databases. The first two belong to the rural development ministry: the National Social Assistance Programme (NSAP)’s dashboard and the National Rural Employment Guarantee Act (NREGA)’s portal.

The second two databases deal with the state of Andhra Pradesh: namely, the state government’s own NREGA portal and the online dashboard of a state government scheme called “Chandranna Bima”.

“Based on the numbers available on the websites looked at, estimated number of Aadhaar numbers leaked through these 4 portals could be around 130-135 million and the number of bank accounts numbers leaked at around 100 million from the specific portals we looked at,” the report’s authors, Amber Sinha and Srinivas Kodali, state.

The data leaks come, in part, from the government’s decision to provide online dashboards that were likely meant for general transparency and easy administration. However, as the report notes, while open data portals are a laudable goal, if there aren’t any proper safeguards, the results can be downright disastrous.

“While availability of aggregate information on the dashboard may play a role in making government functioning more transparent, the fact that granular details about individuals including sensitive PII such as Aadhaar number, caste, religion, address, photographs and financial information are only a few clicks away suggest how poorly conceived these initiatives are,” the report says.

Consider the NSAP portal for instance. The dashboard allows users to explore a list of pensioners, whose personally identifiable information include bank account number, name and Aadhaar number. While these details are “masked for public view”, the CIS report points out that if “one of the URL query parameters of the website… was modified from ‘nologin’ to ‘login'”, it became easy to gain access to the unmasked details without a password.

“It is entirely unclear to us what the the purpose behind making available a data download pption on the NSAP website is. This feature allows download of beneficiary details mentioned above such as Beneficiary No., Name, Father’s/Husband’s Name, Age, Gender, Bank or Post Office Account No. for beneficiaries receiving disbursement via bank transfer and Aadhaar Numbers for each area, district and state,” the report states.

UIDAI role?

Kodali and Sinha also prominently finger the role of the Unique Identification Authority of India (UIDAI), the government agency that manages the Aadhaar initiative, in the data leaks.

“While the UIDAI has been involved in proactively pushing for other databases to get seeded with Aadhaar numbers, they take little responsibility in ensuring the security and privacy of such data.With countless databases seeded with Aadhaar numbers, we would argue that it is extremely irresponsible on the part of the UIDAI, the sole governing body for this massive project, to turn a blind eye to the lack of standards prescribed for how other bodies shall deal with such data, such cases of massive public disclosures of this data, and the myriad ways in which it may used for mischief,” the report states.

Still public?

A crucial question that arises is whether these government databases are still leaking data. Over the last two months, some of information has been masked.

“It must be stated that since we began reviewing and documenting these portals, we have noticed that some of the pages with sensitive PII (personally identifiable information) have now been masked, presumably in response to growing reports about Aadhaar leaks,” the report notes.

For more details visit https://cis-india.org/internet-governance/news/the-wire-may-1-2015-130-million-aadhaar-numbers-were-made-public-says-new-report