Centre for Internet and Society

Revisiting Aadhaar: Law, Tech and Beyond

praskrishna — 2017-05-19T14:47:32Z

Udbhav Tiwari attended a panel on "Revisiting Aadhaar: Law, Tech and Beyond" held at the India International Centre Annexe on May 9, 2017 in New Delhi, organised by the Software Freedom Law Centre (SFLC.in) in collaboration with Digital Empowerment Foundation and IT for Change.

The panel consisted of:

Saikat Datta; Policy Director, Centre for Internet and Society (Moderator)
Anivar Aravind; Founder/Director at Indic Project
Anupam Saraph; Professor and Future Designer
Prasanna S; Advocate
Shyam Divan; Senior Advocate, Supreme Court
Srinivas Kodali; Co-founder at Open Stats
Osama Manzar; Founder and Director, Digital Empowerment Foundation
Usha Ramanathan; Legal Researcher

The panel was quite enlightening (and Saikat was a stellar moderator), with Mr. Divan's elucidation on the arguments made in the court for the Aadhaar case in particular being a great learning experience. Benjamin and Sheetal (both interns in the Delhi office) along with Sumandro also attended the event.

The other learning was that for people who have attended multiple such panels/seminars and meetings on Aadhaar, they can have a lot of repeated content. I passed on the feedback to SFLC about how they could possibly include a small 10 to 15 minute session in future such panels on developments since the previous such event on the Aadhaar and include practical aspects about what people can do about minimising the harms that we are all slowly being co opted into facing with the system.

More info about the event here.

For more details visit https://cis-india.org/internet-governance/news/revisiting-aadhaar-law-tech-and-beyond

Aadhaar security: Here's how your private information can be protected

praskrishna — 2017-05-19T10:05:25Z

Lock Aadhaar, and notify UIDAI if you get a one-time-password for a transaction you did not initiate

The article by Sanjay Kumar Singh was published in the Business Standard on May 11, 2017. Udbhav Tiwari was quoted.

The linking of Aadhaar — the 12-digit unique identification number for Indian residents — across various benefits is going through a roller-coaster ride. On one hand, the government, keen to make it mandatory, is linking it with filing of income-tax returns and benefits. But, on the other, many are uncomfortable with it because of privacy issues and leakages that have been reported recently. The Supreme Court, on Tuesday, referred another fresh plea challenging the Aadhaar Act and its mandatory use in government schemes to a larger Constitution bench.

There has been several reports that say that Aadhaar numbers and other personal data are being leaked. Bengaluru-based Centre for Internet and Society (CIS) has published a report (titled Information security practices of Aadhaar, or lack thereof) where it lists four government departments that have posted Aadhaar numbers and other personal information of people. According to the report, an estimated 130-135 million Aadhaar numbers and 100 million bank account numbers were posted on the four portals that the CIS researchers checked. Normally such data should be kept on the government’s intranet, where only authorised people can access it. However, a few government departments have uploaded this data on their websites. In many cases, the data was in excel format, making it all the more easy for people to download and misuse it. The worst part: If your data is stolen, you cannot file even a First Information Report with the police. Only the nodal body, the Unique Identification Authority of India (UIDAI), can file a police complaint.

Your data can be misused: Experts say that leakage of Aadhaar numbers and other personal information into the public domain violates peoples’ privacy. “Your name, phone number, address, bank account number and Aadhaar number are personal information. Only you have the right to decide whether to release such information to others. Such data shouldn’t be complied in excel sheets in large numbers and be freely accessible on the internet to everyone," says Udbhav Tiwari, policy officer at the Centre for Internet and Society, Bengaluru.

Tele-marketers and advertisers will have access to the personal information of all those people. More serious problems such as identity theft can occur. Says Smitha Krishna Prasad, project manager, Centre for Communication Governance at National Law University, Delhi: “The more sensitive information a person has about you, the easier it becomes to impersonate you when that person is speaking to, say, a bank." The impersonator could open a bank account or even take a loan in your name.

Suppose a hacker gets your email ID. “He will use the ‘password reset or forgot password’ feature to change your password and get access to your account. This feature poses questions based on personal info about you. Any such data collected about you comes useful here. Such hackers mine a lot of data about potential victims from all possible sources," says Shomiron Das Gupta of NetMonastery, a threat management provider. In the email, he could find info about your bank account, credit card account, etc, and cause financial losses to you.

Serious risks can also arise if someone manages to breach the biometric authentication or one-time password (OTP) required for using the Aadhaar system. “It is possible to copy an individual’s fingerprints, and replicate them using very commonly available resins. It is also possible for hackers to capture the data being communicated between a telephone tower and a mobile phone, especially if it is poorly encrypted. This will allow the hacker to see the OTP. Admittedly, this does require expertise and a targeted effort vis-a-vis an individual," says Tiwari. Now that the Aadhaar numbers of so many people have been divulged, someone could utilise their identities to steal their government-granted benefits, or obtain a SIM card, which could then be misused. Raman Jit Singh Chima, policy director, Access Now, says at many places where the Aadhaar number is required today, no biometric authentication is done. So just the number can be used to impersonate you.

Lock your biometrics: If your Aadhaar number and other personal information have been leaked, here are a few steps you can take to safeguard yourself. One, be wary of any calls you receive asking for additional details, which may not have been leaked already. Be equally wary if you receive a call wherein someone rattles off your personal data and asks you to verify it. The caller could pretend to be calling from your bank. It is best not to reveal or confirm any information over the phone at all. Two, you have the option to lock your biometric data online. Even if someone manages to steal your fingerprint, he will not be able to use it if you have locked your biometric data (see table). Also, if you get an OTP on your phone for an Aadhaar utilisation that you did not initiate, notify the UIDAI, and thus ensure that no transaction is carried out using your Aadhaar account.

Need for a privacy law: To prevent data leaks in the future, the government needs to sensitise state government officials who work with Aadhaar data about the need to protect the its privacy. More importantly, India needs a comprehensive data protection law. At present, there is limited provision in the Information Technology Act of 2008 under which you can file a civil case against a corporate that has leaked your personal information. “The person affected by data leakage has to show that he has suffered wrongful loss, or somebody else has enjoyed a wrongful gain, and then claim compensation," says Prasad.

After the Radia tapes incident, the government had said it would pass a comprehensive privacy law. “This law would lead to the creation of a data protection authority with enforcement powers, which would be able to penalise both companies and government bodies violating privacy principles. Despite the process beginning in 2012-13, and multiple drafts being leaked into the public domain, there has not been much progress on this count," says Chima. He adds that when the privacy law becomes a reality, any part of the Aadhaar Act that is contrary to it should also be amended.

How to lock your biometric data online

Go to the UIDAI web site: https://uidai.gov.inGo to Aadhaar services, then Lock/Unlock Biometrics Enter Aadhaar number Enter security code that appears below the Aadhaar numberYou will receive an OTP on your registered mobile number. Enter it Click ‘Verify’Click box against ‘Enable biometric lock’Click on Submit buttonSame procedure can be repeated to disable biometric lock.

For more details visit https://cis-india.org/internet-governance/news/business-standard-sanjay-kumar-singh-aadhaar-security-here-is-how-your-private-information-can-be-protected

Watch: Aadhaar has become a whipping boy: Nandan Nilekani

praskrishna — 2017-05-19T09:54:52Z

India certainly needs a modern data privacy and protection law, Nilekani said in an interview.

The Alnoor Peermohamed and Raghu Krishnan was published in the Business Standard on May 13, 2017.

As debate rages over Aadhaar being a privacy and surveillance liability, its architect Nandan Nilekani says the unique identity programme has become a “whipping ward”. In an interview with Alnoor Peermohamed and Raghu Krishnan, he says we need a data protection and privacy law with adequate judicial and parliamentary oversight. Edited excerpts:

There is concern we are losing our privacy because of Aadhaar...

Privacy is an issue the whole world is facing, thanks to digitisation. The day you went from a feature phone to a smartphone the amount of digital footprint you left behind went up dramatically. The phone records your messages, it knows what you are saying, it has a GPS so it can tell anybody where you are, the towers can tell anybody where you are because they are constantly pinging the phone. There are accelerometers and gyroscopes in the phone that detect movement.

Internet companies essentially make money from data. They use data to sell you things or advertisements. And that data is not even in India, it is in some country in some unaccountable server and accessible to the government of that foreign country, not ours.

Then increasingly there is the Internet of Things. Your car has so many sensors, wearables have sensors and all of them are recording data and beaming it to somebody else. Then there are CCTV cameras everywhere, and today they are all IP-enabled.

So privacy is a global issue, caused by digitisation. Aadhaar is one small part of that. The system is designed not to collect information, because the first risk to privacy is if someone is collecting information. Aadhaar is a passive ID system, it just sits there and when you go somewhere and invoke it, it authenticates your identity. By design itself, it is built for privacy. I believe India needs a modern data privacy and protection law.

Why is Aadhaar being used as a proxy for the privacy and data protection issues?

It is a motivated campaign by people who are trying to find different ways to say something about it. Privacy is a much bigger issue. I have been talking about privacy much before anyone else. In 2010, when it was not such a big issue, I had written to Prime Minister Manmohan Singh saying we needed a data protection law. You could see what was happening, the iPhone came out on June 30, 2007, Android phones came around the time we started Aadhaar, so we could see the trend. I asked Rahul Matthan, a top intellectual property and data lawyer, to help and we worked with the government to come out with a draft law. And then there was the AP Shah Committee. The UIDAI’s DDG Ashok Pal Singh was a part of that committee, so we helped shape that policy.

When a banking application uses Aadhaar, the system does not know what the bank does. It is deliberately designed so that data is kept away from the core system.

I am all for a data protection law but we should look at it in context, look at the big picture. If people want to work together to create a data privacy law then it is a great thing. But if they want to use it to just attack Aadhaar, then there is some other interest at work.

Now that the government is linking Aadhaar to PAN and driver’s licences, will that not lead to Aadhaar being used as a surveillance tool?

Surveillance is conducted through a 24x7 system that knows what you are doing, so from a technology perspective the best surveillance device is your phone. The phone is the device you should worry about.

Aadhaar is not a 24x7 product. I buy one SIM card a year and do an e-KYC, the driver’s licence sits in my pocket and only sometimes someone asks for it. With the PAN card I file my returns only once a year.

But with all that data being linked, can the government not use it?

It is a valid concern and has to be addressed through a legal and oversight process. Aadhaar is just one technology. You do not attack the technology, you look at the overall picture.

The US has the Foreign Intelligence Surveillance Act under which special courts issue warrants to the FBI for surveillance. This is absolutely required and it should be a part of the data protection law (in India) which says under what circumstances the government can authorise surveillance.

Today mobile phones are being tapped by so many agencies. In the US, the FBI is under the oversight of the Senate. In India, Parliament does not have oversight of any intelligence agency. I remember (former Union minister) Manish Tewari had introduced a Bill six or seven years ago saying Intelligence agencies needed to be under the oversight of the Parliament, but nothing happened.

Is there any way to stop Aadhaar being used as a surveillance tool?

Today a person can be identified with or without Aadhaar. US systems can identify a person in a few milliseconds using big data. All that is part of what we have to protect. Aadhaar by itself is not going to add anything to that. What is important is that the infrastructure of surveillance comes under judicial oversight as well as parliamentary oversight.

Would the Aadhaar narrative have been different if this were a Congress-led government?

I think most people making this noise are against the government, so it is a political argument and Aadhaar has become a convenient whipping ward. Lots of different agendas are at work here. But my understanding is this - whether it is data protection and privacy, surveillance or security, these are all broad issues that apply to technology in general and if you are serious about solving the issues you should fix it at the highest level and have a data protection and privacy law which includes, mobile phones, CCTV cameras and Aadhaar.

A report by the Centre for Internet and Society says 130 million Aadhaar identities have been leaked...

It is because of the transparency movement in the last 10 years. In 2006, we passed the RTI Act and MNREGA Act. Section 4 of the RTI Act says that data about benefits should be made public. At that time it was all about transparency. Since then, governments have been publishing lists of MNREGA beneficiaries and how much money is being put into their bank accounts. At that time it was applauded. Now the same thing is coming back as privacy being affected.

These are not leaks; governments have been consciously putting out the data in the interest of transparency. The message from this is we have to strike a balance between transparency and privacy. And that is a difficult balance because Section 4 of the RTI Act says if a benefit is provided by the government it is public information, so the names of beneficiaries should be published because it is taxpayers’ money.

There is something called personally identifiable information. You should strike a balance between transparency and not revealing personally identifiable information. That is a delicate balance, and people will have to figure this out. The risk you have now is governments will stop publishing data - look, you guys have made a big fuss about privacy, we will not publish. In fact, the transparency guys are now worried that all the gains are being lost.

If Aadhaar is voluntary, why is the government forcing it on to various schemes?

There are two things, benefits and entitlements and government-issued documents. There the government has passed a law, the Aadhaar Bill of 2016, which is signed by the President. In that, there is a clear protocol that the government can use Aadhaar for benefits and what process they should follow.

The second thing is Aadhaar for government documents. There are three examples - PAN cards, driver’s licences and SIM cards.

The government has modified the Finance Bill and made Aadhaar mandatory for a PAN card. Why has it done that? Because India has a large number of duplicate PAN cards. India has something like over 250 million PAN cards and only 40 million taxpayers. Some of those may be people who have taken PAN cards just as ID but not for tax purposes, but frankly it is also because a lot of people have duplicate PAN cards. Why do people have duplicates? That is a way of tax evasion. The only way you can eliminate duplicate PAN cards is by having Aadhaar as a way of establishing uniqueness.

The second thing is mobile phones. Here the mobile phone requirement came from the Supreme Court, where somebody filed a PIL saying so many mobile phones are being given to terrorists and therefore you need to do an e-KYC when the SIM is cut and the government said they would use Aadhaar and they have been asked to do it by 2018.

The third thing is driver’s licences. As (Union Transport Minister Nitin Gadkari has said, 30 per cent of all driver’s licences are fakes. Now why is this important? Because when you have fake driver’s licences or multiple drivers’ licences, even if you are caught, you can give your fake licence and continue to drive. Today India is the country with the largest number of deaths on highways. Lack of enforcement, fake licences are all a problem. So in the latest Motor Vehicle Bill which was passed the government said Aadhaar was necessary to get a licence. So that you have just one driver’s licence, whether it is issued in Karnataka or Bihar, you have just one.

The government is also talking about using Aadhaar for the mid-day meal scheme...

If you talk to people on the ground, and I have spoken to people on the ground, a big part of the leakage is mid-day meals. It is not reaching children. So it is important that all this has to happen so children get what they need.

You engaged with governments and civil servants when you initiated the Aadhaar process. In hindsight, would you say you should have also engaged with civil society?

I do not think there is any other programme in history which reached out to every stakeholder in the country. When we started Aadhaar we met governments, regulators and even parliamentarians. I gave a talk in Parliament and we engaged deeply with civil society. In fact, we had one volunteer only to engage with civil society.

You said you were engaged with the previous government about the data protection law. Are you engaging with the current one too?

I am not really engaging. I know that people are working on it and recently the attorney-general has made a statement in the Supreme Court that the government will bring in a data protection law by Diwali.

We have heard of several instances of people not being able to get their biometric authentication done. Is there a problem with Aadhaar?

The seeding of data in the Aadhaar database has to be done properly and that is a process. Authentication has been proven at scale in Andhra Pradesh. Millions of people receive food with Aadhaar authentication in 29,000 PDS outlets. In fact, now they have portability -- a person from Guntur can go to Vijayawada and get his rations. It is empowering. We keep forgetting about the empowering value.

What has the Andhra Pradesh government done? They have used fingerprints, but they also have used iris scans, OTP on phone, and they have a village revenue officer if none of the above works. When you design the system, you have to design it in a way that 100 per cent of the beneficiaries genuinely get the benefit. Andhra Pradesh has shown it can be done.

The government needs to package the learning and best practices of Andhra Pradesh and take it to every other state. It is an execution issue.

Activists have raised concerns over the centralised Aadhaar database...

How else would you establish uniqueness? If you are going to give a billion people a number, how else would you do it? Is there any other way of doing it? Every cloud is centralised, then we should not have cloud systems.

How do you ensure security standards and software are updated?

There are very good people there. The CEO is very good. There is a three-member executive board with chairman Satyanarayana and two members, Anand Deshpande and Rajesh Jain. I have no doubt that they will continue to improve things.

On security, you keep improving. It is a constant race everywhere in the world. They are now coming out with registered devices that will make it more difficult to spoof.

But without a centralised database, how do you establish that an identity is not two people? If you look at the team that designed this, cumulatively they have a few hundred years of experience of designing large systems around the world. Every design decision has been taken consciously looking at the pros and cons. Why did we have both fingerprints and iris scans? There are two reasons. One is to ensure uniqueness. The second is inclusion. We knew that fingerprints in India do not work all the time because of age and manual labour. So we included iris scans. I can give you a document from 2009 that says all of this. All of these things were thought through.

If you are given a chance to design Aadhaar today what would you do differently?

I would do exactly the same thing. Go back and look at the design document. Every design has been articulated, the pros and cons are written down, published on our website, and it is a highly transparent exercise. It is the appropriate design for the problem we are trying to solve. We are forgetting about the huge benefits people are getting. Crores of people are getting direct benefit transfer without hassle. They can go to a village business correspondent and withdraw money using Aadhaar. They can get their SIM card and open a bank account using e-KYC.

You are also forgetting that people are getting empowered. That portability has ensured the bargaining power has shifted from the PDS shop owner to the individual. If a PDS guy treats him badly, the individual can choose another shop, earlier he could not do that. The empowerment of millions of people to buy rations at the shop of their choice is extraordinary.

For more details visit https://cis-india.org/internet-governance/news/business-standard-may-13-2017-alnoor-peermohamed-and-raghu-krishnan-aadhaar-has-become-a-whipping-boy-nandan-nilekani

UIDAI puts posers to CIS over Aadhaar data leak claim

praskrishna — 2017-05-19T09:28:33Z

Aadhaar-issuing authority UIDAI has asked research firm Centre for Internet and Society (CIS) to explain its sensational claim that 13 crore Aadhaar numbers were "leaked" and provide details of servers where they are stored.

The article originally published by PTI was also published by the Financial Express on May 19, 2017.

Aadhaar-issuing authority UIDAI has asked research firm Centre for Internet and Society (CIS) to explain its sensational claim that 13 crore Aadhaar numbers were “leaked” and provide details of servers where they are stored. In a precursor to initiating a probe into the matter, the Unique Identification Authority of India (UIDAI) also wants CIS to clarify just how much of such “sensitive data” are still with it or anyone else. The UIDAI — which has vehemently denied any breach of its database — shot off a letter to CIS yesterday asking for the details, including the servers where the downloaded “sensitive data” are residing and information about usage or sharing of such data.

Underscoring the importance of bringing to justice those involved in “hacking such sensitive information”, the UIDAI sought CIS’ “assistance” in this regard and has given it time till May 30 to revert on the issue. “Your report mentions 13 crore people’s data have been leaked. Please specify how much (of) this data have been downloaded by you or are in your possession, or in the possession of any other persons that you know,” the UIDAI said in its communication to CIS.

Interestingly, in what market watchers described as an apparent flip-flop, CIS has now clarified that there was no leak’ or ‘breach’ of Aadhaar numbers, but rather ‘public disclosure’. Meanwhile, the UIDAI has quoted sections of the Information Technology Act, 2000, and the Aadhaar Act to emphasise that violation of the clauses are punishable with rigorous imprisonment of up to 10 years. “While your report suggests that there is a need to strengthen IT security of the government websites, it is also important that persons involved in hacking such sensitive information are brought to justice for which your assistance is required under the law,” it said.

The UIDAI has also sought technical details on how access was gained for the National Social Assistance Programme (NSAP) site — one of the four portals where the alleged leak happened. When contacted, UIDAI CEO Ajay Bhushan Pandey said, “We do not comment on individual matters.” The UIDAI has also asked for details of systems that were involved in downloading and storing of the sensitive data so that forensic examination of such machines can be conducted to assess the quantum and extent of damage to privacy of data.

The UIDAI letter comes after a CIS’ report early this month which claimed that Aadhaar numbers and personal information of as many as 135 million Indians could have been leaked from four government portals due to lack of IT security practices. “Based on the numbers available on the websites looked at, estimated number of Aadhaar numbers leaked through these four portals could be around 130-135 million,” the report had said.

However, in a apparent course correction on May 16, a day before the UIDAI’s letter went out — CIS updated its report and clarified that although the term ‘leak’ was originally used 22 times in its report, it is “best characterised as an illegal data disclosure or publication and not a breach or a leak”. CIS has also claimed that some of its findings were “misunderstood or misinterpreted” by the media, and that it never suggested that the biometric database had been breached. “We completely agree with both Dr Pandey (UIDAI CEO) and Sharma (Trai Chairman R S Sharma) that CIDR (Aadhaar central repository) has not been breached, nor is it suggested anywhere in the report,” CIS said in its latest update.

For more details visit https://cis-india.org/internet-governance/news/financial-express-may-19-2017-pti-uidai-puts-posers-to-cis-over-aadhaar-data-leak-claim

UIDAI asks Centre for Internet & Society to provide hacker details

praskrishna — 2017-06-07T12:21:47Z

The article by Mahendra Singh was published in the Times of India on May 18, 2017.

The Unique Identification Authority of India (UIDAI), the regulatory authority for Aadhaar, has written to a Bengaluru-based research organisation, Centre for Internet & Society (CIS), seeking details about a suspected hack attack on government websites that led to the leak of information about 13 crore users.

In a recent report, CIS had highlighted that websites run by various government departments, owing to a poor security framework, had publicly displayed sensitive personal financial information and Aadhaar numbers of beneficiaries of certainprojects.

In its letter, UIDAI argued that the data downloaded from one of the websites could not have been accessed unless the website was hacked. As hacking is a grave offence under the law, the UIDAI has asked CIS to provide details of the persons involved in the data theft.

According to a source, the UIDAI said that access to data on the website for the 'National Social Assistance Program' was only possible for someone in possession of authorised login details, or if the site (http://nsap.nic.in) was hacked or breached. The UIDAI said in its letter that such illegal access was against the provisions of the Aadhaar Act, 2016, and the IT Act, 2000, and that the persons involved had committed a grave offence.

Asking the CIS to reply before May 30, the UIDAI also said, "Aadhaar system is a protected system under Section 70 of the IT Act, 2000, the violation of which is punishable with rigorous imprisonment for a period up to 10 years." It added that the penalty clauses for violations are also provided in Section 36, Section 38 and Section 39 of the Aadhaar Act.
The UIDAI, however, maintained that even if the Aadhaar details were known to someone it did not pose a real threat to the people whose information was publicly available because the Aadhaar number could not be misused without biometrics.

The UIDAI letter said, "While, as your report suggests, there is a need to strengthen IT security of government websites, it is also important that the persons involved in hacking such sensitive information are brought to justice for which your assistance is required under the law."

"Your report mentions 13 crore people's data has been 'leaked'. Please specify how much of this data had been downloaded by you or are in your possession or in the possession of any other persons that you know. Please provide the details," the UIDAI added in its letter. The UIDAI also urged CIS to provide the details of the persons/organisations with whom it shared the data, if it did.

For more details visit https://cis-india.org/internet-governance/news/economic-times-may-18-2017-mahendra-singh-uidai-asks-centre-for-internet-and-society-to-provide-hacker-details

Provide hacker details, outfit that claimed data leak told

praskrishna — 2017-06-07T12:14:13Z

The article by Mahendra Singh was published in the Times of India on May 18, 2017.

In a recent report, CIS had highlighted that websites run by various government departments, owing to a poor security framework, had publicly displayed sensitive personal financial information and Aadhaar numbers of beneficiaries of certainprojects.

In its letter, UIDAI argued that the data downloaded from one of the websites could not have been accessed unless the website was hacked. As hacking is a grave offence under the law, the UIDAI has asked CIS to provide details of the persons involved in the data theft.

According to a source, the UIDAI said that access to data on the website for the 'National Social Assistance Program' was only possible for someone in possession of authorised login details, or if the site (http://nsap.nic.in) was hacked or breached. The UIDAI said in its letter that such illegal access was against the provisions of the Aadhaar Act, 2016, and the IT Act, 2000, and that the persons involved had committed a grave offence.

Asking the CIS to reply before May 30, the UIDAI also said, "Aadhaar system is a protected system under Section 70 of the IT Act, 2000, the violation of which is punishable with rigorous imprisonment for a period up to 10 years." It added that the penalty clauses for violations are also provided in Section 36, Section 38 and Section 39 of the Aadhaar Act.

The UIDAI, however, maintained that even if the Aadhaar details were known to someone it did not pose a real threat to the people whose information was publicly available because the Aadhaar number could not be misused without biometrics.

The UIDAI letter said, "While, as your report suggests, there is a need to strengthen IT security of government websites, it is also important that the persons involved in hacking such sensitive information are brought to justice for which your assistance is required under the law."

"Your report mentions 13 crore people's data has been 'leaked'. Please specify how much of this data had been downloaded by you or are in your possession or in the possession of any other persons that you know. Please provide the details," the UIDAI added in its letter. The UIDAI also urged CIS to provide the details of the persons/organisations with whom it shared the data, if it did.

For more details visit https://cis-india.org/internet-governance/news/the-times-of-india-mahendra-singh-may-18-2017-provide-hacker-details-outfit-that-claimed-data-leak-told

Plug data leak before imposing Aadhaar

praskrishna — 2017-05-17T02:10:37Z

As the Central government continues to expand the scope and boundaries of the applicability of Aadhaar, the unique identification number, even before the Supreme Court’s verdict on its constitutional validity, reports suggesting that millions of Aadhaar numbers may have been leaked deliberately or inadvertently are a matter of grave concern.

The article was published in the Deccan Herald on May 11, 2017.

The Centre for Internet and Society, a Bengaluru-based organisation, has claimed that close to 135 million Aadhaar numbers and 100 million bank account numbers have been exposed by government portals dealing with pension, social welfare and employment guarantee schemes. The report says that with Aadhaar being used or planned to be used for authenticating and authorising several transactions, the financial risks of the disclosure of such data are greatly exacerbated. Virtually confirming that some ‘over-enthusiastic’ government agencies have been making the Aadhaar data public, Aruna Sundararajan, secretary, Union Electronics and Information Technology Ministry, has said that the Centre is in the process of ‘educating officials’ about the sanctity of the material collected, besides drafting amendments to the Information Technology Act to ensure data protection and secrecy. That’s indeed a late realisation, and hopefully, not a case of locking the stables once the horses have bolted.

The Supreme Court is also rightly concerned about the invasion of a citizen’s body in obtaining fingerprints and iris impressions for Aadhaar and the violation of an individual’s privacy. Attorney General Mukul Rohatgi raised several eyebrows by arguing that “citizens don’t have an absolute right over their own bodies” and there was nothing illegal about obtaining biometric details. He may be legally right, but as the court pointed out, it is the duty of the state to maintain the liberty and dignity of all individuals. As almost 98% of the population has already been covered by Aadhaar, the question of privacy is now more academic, though making Aadhaar mandatory for the filing of income tax along with PAN card is not. As the government is unable to come to grips with millions of benami transactions and largescale evasion of income tax in the country, if the linking of Aadhaar is going to bring down such cases, it needs to be welcomed.

However, Aadhaar is not a magic bullet that has a solution for every problem. The government shoulddrop the idea of making it mandatory for social welfare programmes such as children availing midday mealsin schools, supply of nutrition under ICDS programme and provision of scholarship for the disabled. The government certainly has a responsibility to prevent misuse of the schemes, while making sure that welfare measures are not denied to the needy on technical grounds.

For more details visit https://cis-india.org/internet-governance/news/deccan-herald-may-11-2017-plug-data-leak-before-imposing-aadhaar

India is building a biometric database for 1.3 billion people — and enrollment is mandatory

praskrishna — 2017-05-12T16:22:35Z

Inside the buzzing enrollment agency, young professionals wearing slim-fitting jeans and lanyards around their necks tapped away at keyboards and fiddled with fingerprint scanning devices as they helped build the biggest and most ambitious biometric database ever conceived.

The article by Shashank Bengali was published in the Los Angeles Times on May 12, 2017.

Into the office stepped Vimal Gawde, an impoverished 75-year-old widow dressed in a floral print sari. She had come to secure her ticket to India’s digital future — to enroll in the identity program, called Aadhaar, or “foundation,” that aims to record the fingerprints and irises of all 1.3 billion Indian residents.

Nearly 9 out of 10 Indians have registered, each assigned a unique 12-digit number that serves as a digital identity that can be verified with the scan of a thumb or an eye. But Gawde came to the enrollment office less out of excitement than desperation: If she didn’t get a number, she worried that she wouldn’t be able to eat.

Designed as a showcase of India’s technological prowess — offering identity proof to the poor and reducing waste in welfare programs — Aadhaar’s grand promises have been muddied by controversy as the government makes enrollment mandatory for a growing number of essential services.

Indians now need an Aadhaar number to pay taxes, collect pensions and obtain certain welfare benefits. The rapid expansion of a program that was originally described as voluntary has sparked criticism that India is vacuuming up citizens’ personal information with few privacy safeguards and creating hardship for the very people the initiative was supposed to help.

Like many Indians living in poverty, Gawde uses a ration card to purchase her monthly allotment of subsidized rice and cooking gas. But the shopkeeper told her that starting next month, he would sell to her only if she produced an Aadhaar number.

She had visited the enrollment agency three times but had yet to be approved, for reasons she did not understand. (Enrollment agents would not comment on individual cases.)

Reaching into her canvas bag, Gawde pulled out the familiar panoply of documents — ration card, voter card, electricity bill, income tax ID — that Indians use to navigate a dizzying bureaucracy. Aadhaar, she was told, would supplant all these papers.

But she had to get the number first.

“I’m nervous,” Gawde said outside the enrollment office on a sweltering morning. “I first applied three years ago and submitted all my documents, but didn’t follow up. Now that it’s becoming compulsory, I’m doing everything I can to get it.”

Indian Prime Minister Narendra Modi, who had criticized Aadhaar as a “political gimmick” before he took office, has embraced the futuristic idea of an all-in-one digital identity. His party pushed through a law last year that paved the way for a dramatic expansion of Aadhaar, allowing government entities and private businesses wide latitude to access the database, which collects not just people’s names and birth dates but also phone numbers, email addresses and other information.

Soon, as more private companies use the database, it could become difficult to open a bank account, get a new cellphone number or buy plane or train tickets without being enrolled.

Supporters say the program, which has cost about $1 billion to implement, will save multiples of that by curbing tax evasion and ensuring that welfare subsidies are not stolen by middlemen.

“Aadhaar was always meant to be an instrument of inclusion,” Nandan Nilekani, a tech billionaire and the program’s first chairman, said in an interview. “I’m really happy that the current government is completely endorsing Aadhaar and using it for a wide variety of services that will transform governance.”

Nilekani calls Aadhaar “hugely empowering” for the poor, but not long ago even he argued that enrollment should remain optional so that no Indians were prevented from accessing essential services. India’s Supreme Court agreed, ruling in 2015 that the government could not require Aadhaar for any benefit to which a person was otherwise entitled, as long as they could prove their identity by some other means.

Yet the court has stayed silent as Aadhaar creeps into every facet of Indian life, even for children.

A 12-year-old girl named Saiba is a case in point. After the girl’s grandmother passed away in their family’s ancestral village in northern India, Saiba’s mother moved her and her four siblings to a crowded neighborhood on the rough fringes of New Delhi, near a car parts market thick with the smell of grease.

When Saiba’s mother, Rani, went to the local school in April to register her for the sixth grade, administrators turned her down, saying every student must have an Aadhaar number.

But to get a number, a child usually needs a birth certificate — and like one-quarter of children born in this country, Saiba and her siblings did not have them because their village did not routinely register births.

Sitting with her mother in the cramped offices of the local advocacy group Pardarshita, above a noisy street lined with vegetable sellers, the girl puffed her round cheeks in an expression of helplessness.

“I don’t know anything about this,” said Saiba, who, like many Indians, has only one name. “I just want to go to school.”

Rakesh Thakur, a board member of Pardarshita, is trying to obtain Aadhaar numbers for dozens of children barred from Delhi schools. He called the policy “a clear violation” by the municipal government of both the Supreme Court order and India’s Right to Education Act, which guarantees every child younger than 14 free schooling.

A Twitter account called “Rethink Aadhaar” logs new instances almost daily of Indians who have suffered because scanners couldn’t read their fingerprints or because of errors in the database.

In Jawhar, a forested zone about 60 miles north of Mumbai, administrators have told local tribal communities that they will soon use Aadhaar to distribute welfare rations and school lunches. But the area lies outside cellphone range, leading residents to wonder how scanners will connect to the Internet to verify their identities.

“The idea of Aadhaar and the technology may be good, but do we have the infrastructure to make it mandatory?” said Vivek Pandit, a former lawmaker who runs a nonprofit group in the area. “The law is city-centric, and it would only lead to the social exclusion of rural India.”

This month lawyers opposing Aadhaar argued before the Supreme Court that the government could not force Indians to share their biometric data. Atty. Gen. Mukul Rohatgi countered that Indians had no constitutional right to privacy and could not claim an “absolute right” over their bodies.

Without privacy protections, activists worry that as Aadhaar numbers are linked to more and more services, intelligence agencies could use the database to more easily track Indians’ calls, travels and purchases.

“It’s become very clear that this is not a project about the poor,” said Usha Ramanathan, a lawyer and anti-Aadhaar activist. “The government’s ambitions have gotten greater over time.”

This month, the Center for Internet and Society, a New Delhi think tank, reported that federal and state agencies had published up to 135 million Aadhaar numbers — some including sensitive information such as a person’s caste and religion, or details of pension payments — on unsecured websites accessible through just a few clicks.

It’s become very clear that this is not a project about the poor. — Usha Ramanathan, a lawyer and anti-Aadhaar activist

Pranesh Prakash, the center’s policy director, said that when Indian authorities can’t even keep Aadhaar numbers private, as the law requires, it suggests the entire database is vulnerable — particularly after sensitive information involving 22 million Americans was exposed when federal databases were hacked in 2015.

“When these kinds of leaks are happening, it’s rather foolhardy to maintain a database of 1.2 billion people’s biometrics, because once this gets breached, it becomes completely unusable,” Prakash said.

“If your PIN number or password leaks, you can change it. You can’t change your fingerprints.”

Praveen Chakravarty, a former investment banker who worked with Nilekani to launch Aadhaar, believes the lack of safeguards undermines the project’s ideals of efficiency and empowerment. He said many Indians were right to worry that Modi’s government, which has cracked down on political activists and nonprofit groups it opposes, could use Aadhaar to snoop on citizens.

“Maybe Aadhaar didn’t need to be this big,” Chakravarty said, adding that the government could simply have worked to fix inefficiencies in individual welfare programs.

“People could ask, ‘Did we need this at all?’” he said. “It’s a good question.”

For Gawde, the widow, Aadhaar remained an idea of the future. She left the enrollment agency that day empty-handed, told by a young employee that her number had not been assigned. But she retained hope that the new ID would make life easier.

“We are just poor people,” she said. “We have to trust what the government tells us.”

For more details visit https://cis-india.org/internet-governance/news/los-angeles-times-shashank-bengali-may-12-2017-india-is-building-a-biometric-database-for-1.3-billion-people-and-enrollment-is-mandatory

Aadhaar: Are a billion identities at risk on India's biometric database

praskrishna — 2017-05-20T06:38:26Z

"My fingerprints and iris are mine and my own. The state cannot take away my body," a lawyer told India's Supreme Court last week.

The article by Soutik Biswas was published by BBC News on May 4, 2017. Also see the blog post by Rawlson King published by Biometric Update.com on May 5, 2017.

Shyam Divan was arguing a crucial petition challenging a new law that makes it compulsory for people to submit a controversial biometric-based personal identification number while filing income tax returns.

Defending this law, the government's top law officer told the court on Tuesday that an individual's "right to body is not an absolute right".

"You can have right over your body but the state can restrict trading in body organs, so the state can exercise control over the body," Attorney General Mukul Rohatgi said.

At the heart of the latest challenge are rising concerns over the security of this mega biometric database and privacy of the number holders. (The government says it needs to link the identity number to income tax returns to improve compliance and prevent fraud.)

India's biometric database is the world's largest. Over the past eight years, the government has collected fingerprints and iris scans from more than a billion residents - or nearly 90% of the population - and stored them in a high security data centre. In return, each person has been provided with a randomly generated, unique 12-digit identity number.

For a country of 1.2 billion people with only 65 million passport-holders and 200 million with driving licenses, the portable identity number is a boon to the millions who have long suffered for a lack of one.

States have been using the number, also called Aadhaar (Foundation), to transfer government pensions, scholarships, wages for a landmark rural jobs-for-work scheme and benefits for cooking fuel to targeted recipients, and distribute cheap food to the poor.

Over the years, the number has taken a life of its own and begun exerting, what many say, is an overweening and stifling control over people's lives. For many like political scientist Pratap Bhanu Mehta, Aadhaar has transmuted from a "tool of citizen empowerment to a tool of state surveillance and citizen vulnerability".

People will soon need the number to receive benefits from more than 500 of India's 1,200-odd welfare schemes. Even banks and private firms have begun using it to authenticate consumers: a new telecom company snapped up 100 million subscribers in quick time recently by verifying the customer's identity through the number.

'Forcibly linked'

People are using the number to even get their marriages registered. The number, says Nikhil Pahwa, editor and publisher of Indian news site MediaNama, is "being forcibly linked to mobile numbers, bank accounts, tax filings, scholarships, pensions, rations, school admissions, health records and much much more, which thus puts more personal information at risk".

Some of the fears are not without basis.

The government has assured that the biometric data is "safe and secure in encrypted form", and anybody found guilty of leaking data can be jailed and fined.

But there have already been a number of leaks of details of students, pensioners and recipients of welfare benefits involving a dozen government websites. Even former Indian cricket captain MS Dhoni's personal information was mistakenly tweeted by an overzealous enrolment service provider.

Now a disturbing report by The Centre for Internet and Society claims that details of around 130-135 million Aadhaar numbers, and around 100 million bank numbers of pensioners and rural jobs-for-work beneficiaries have been leaked online by four key government schemes.

More than 230 million people nationwide are accessing welfare benefits using their numbers, and potentially, according to the report, "we could be looking at a data leak closer to that number". And linking the number to different databases - as the government is doing - is increasing the risk of data theft and surveillance.

The chief law officer believes that the outrage over the leaks is "much ado about nothing".

"Biometrics were not leaked, only Aadhaar numbers were leaked. It is nothing substantial. The idea is biometrics should not be leaked," Mukul Rohtagi told the Supreme Court on Tuesday.

The government itself has admitted that it has blacklisted or suspended some 34,000 service providers for helping create "fake" identification numbers or not following proper processes. Two years ago, a man was arrested for getting an identification number for his pet dog. The government itself has deactivated 8.5 million numbers for incorrect data, dodgy biometrics and duplication. Last month, crop loss compensation for more than 40,000 farmers was delayed because their Aadhaar numbers were "entered incorrectly by banks".

'Mass surveillance'

There are also concerns that the number can be used for profiling. Recently, authorities asked participants at a function in a restive university campus in southern India to provide their Aadhaar identity numbers. "This is not only a matter of privacy. The all pervasiveness of the Aadhaar number is a threat to freedom of expression, which is a constitutional right," Srinivas Kodali, who investigated the latest report on data leaks, told me.

Critics say the government is steaming ahead with making the number compulsory for a range of services, violating a Supreme Court order which said enrolment would be voluntary. "The main danger of the number," says economist Jean Dreze, "is that it opens the door to mass surveillance."

Nandan Nilekani, the technology tycoon who set up the programme popularly known by its acronym UIDAI, believes concerns about the safety of the biometric database are exaggerated.

He says the identity number has cut wastage, removed fakes, curbed corruption and made substantial savings for the government. He insists that the programme is completely encrypted and secure. "It's like you are creating a rule-based society," he told Financial Times recently, "it's the transition that is going on right now."

Abused

More than 60 countries around the world take biometric data from its people, says Mr Nilekani. But then there are nagging concerns worldwide about these databases being abused by hackers and state intelligence.

In 2016, personal details of some 50 million people in Turkey were reportedly leaked. (Turkey's population is estimated at 78 million.) In 2015, hackers stole more than five million fingerprints after breaching US government networks. In 2011, French experts discovered a hack involving the theft of millions of people's data in Israel.

Pratap Bhanu Mehta has written that the lack of a "clear transparent consent architecture, no transparent information architecture, no privacy architecture worth the name [India doesn't have a privacy law], and increasingly, no assurance about what exactly you do if the state decides to mess with your identity" could easily make Aadhaar a "tool of state suppression".

So a lot of lingering doubts remain. How pervasive should an identity number be? What about the individual freedom of citizens? How do you ensure the world's biggest biometric database is secure in a country with no privacy laws and a deficient criminal justice system?

In many ways, the debate about Aadhaar is also a debate about the future of India. As lawyer Shyam Divan argued forcefully in the top court, "people are reduced to vassals" when the state controls your body to this extent.

For more details visit https://cis-india.org/internet-governance/news/bbc-news-soutik-biswas-may-4-2017-aadhaar-are-a-billion-identities-at-risk-on-indias-biometric-database

In The Biggest Data Leak, Info Of 13 Crore Aadhaar Card Holders Has Been Compromised And Is Available Online

praskrishna — 2017-05-12T15:59:31Z

The Modi government has been trying to make Aadhaar mandatory for everything from Income Tax return, buying a SIM card, bank transaction, train ticket, air travel, mid-day meal government subsidies etc.

The blog post by Bobins Abraham was published by India Times on May 3, 2017.

While the government claims that the move will increase security and ensure that the benefits are reaching to real people and not syphoned off. But security experts have been pointing out the possibility of security breach in the system resulting in the sensitive biometric data reaching in the hands of those, who could misuse them.

A study by Bengaluru-based think tank, Centre for Internet and Society has once again cemented these concerns. According to its report titled, "Information Security Practices of Aadhaar (or lack thereof): A documentation of the public availability of Aadhaar Numbers with sensitive personal financial information," Aadhaar data of as many as 13.5 crore card holders have already leaked online.

The study revealed that the mass data leak happened due to security flaws in four government websites:

National Social Assistance Programme
National Rural Employment Guarantee Act (NREGA)
Daily Online Payment Reports under NREGA (Govt. of Andhra Pradesh)
Chandranna Bima Scheme run by Government of Andhra Pradesh

“Based on the numbers available on the websites looked at, estimated number of Aadhaar numbers leaked through these four portals could be around 130-135 million and the number of bank account numbers leaked at around 100 million from the specific portals we looked at,” the report said.

The report was published even as the government continue to defend Aadhaar in the Supreme Court saying that the move to link Aadhaar with PAN cards was meant to put a stop on the number of individuals in possession of multiple PAN cards by putting a robust identification system in place. Attorney General Mukul Rohatgi said that this will help in curbing money laundering, the flow of black money and controlling the funding of terror.

For more details visit https://cis-india.org/internet-governance/news/india-times-bobin-abraham-may-3-2017-in-the-biggest-data-leak-info-of-13-crore-aadhaar-card-holders-has-been-compromised-and-is-available-online

Why Aadhaar leaks should worry you, and is biometrics really safe?

praskrishna — 2017-05-12T15:48:48Z

What’s worrying is that the UIDAI seems to always be in denial mode over security concerns.

The blog post was published by the News Minute on May 4, 2017. Amber Sinha was quoted.

If you’ve paid the slightest bit of attention to news about Aadhaar, you’ll have heard about a series of leaks of Aadhaar data from multiple government websites. Some of the latest government websites to leak Aadhaar and demographic data, were the Jharkhand Directorate of Social Security and the Kerala government’s pension department.

Shockingly, a report by The Centre for Internet and Society (CIS) revealed that the Aadhaar details along with demographic details and financial information of around 135 million people in the country has been leaked by four government portals. And this could just be the tip of the iceberg.

However, the public response to these revelations has been muted. The government and the UIDAI, the authority behind Aadhaar, have retreated behind the defence that only Aadhaar numbers have been leaked, and not biometric details, and hence there is no major problem.

However, experts warn that Aadhaar numbers by themselves pose a sufficient risk when leaked, and that the UIDAI has been consistently underplaying the risks of such leaks and overplaying the security of biometric identification.

Amber Sinha, who co-authored the CIS report, points out that it’s not just Aadhaar numbers that have been leaked on government websites, but also demographic information as well as financial details. Various such bits of data can be aggregated by fraudsters and used to steal identities and commit financial fraud online or through phones.

“We see a lot of examples of social engineering techniques where fraudsters collect data from various sources and impersonate people,” he says. The report points out that one of the most common techniques is to call persons impersonating bank officials requiring sensitive information, and provide Aadhaar and demographic details to make the bid for this information convincing.

Amber also points out that in online and phone verifications, it is possible to impersonate other persons with such information.

“Somebody can call the bank pretending to be me, and he could also authenticate himself as me if he has all the data about me. The bank will ask him some four questions and if he has all that information, then the bank has no reason to believe that he is not me,” he explains.

Co-Founder of HasGeek, Kiran Jonnalagadda, an active voice on net neutrality, freedom of speech and privacy, points out that one of the main problems is that the Aadhaar system assumes biometric verification in every transaction, but Aadhaar cards are often used as identity documents without biometrics particularly for many non-financial transactions.

“Somebody can apply for a SIM card with your Aadhaar number, and if the place that is issuing the SIM card didn't do a biometric verification then your card is good enough, because now they can do anything they want in your name,” Kiran said. In such cases, he points out, impersonation is almost ridiculously easy because the Aadhaar card, just a colour printout with no security features, can be faked by almost anyone.

He points out that, particularly in cases of online verifications, the problem of fraud is acutely heightened. “The thing is that if they have your number and your demographic details, if the government does a verification online, the details will match. Which means that the ID is not fake. It's just that you didn't actually authorise any of this. In a perfect world, everybody would do biometrics. The problem is that that does not exist right now.”

One of the major flaws of the current security practices of Aadhaar is that the UIDAI only takes responsibility for the security of data stored within its Central Identities Data Repository. However, explains Amber, over the last five years, the UIDAI has proactively seeded Aadhaar data across multiple government databases. However, the UIDAI has not exercised strict disclosure controls on these government databases, and there are no clear standards for publicity of information.

The CIS report points to the example of the Andhra Pradesh portal of the NREGA, which carries information on Aadhaar numbers and disbursal amounts on a simple text file, with no encryption or other security measures. The report argues that this system could easily be exploited to transfer illegal sums of money into these accounts, making beneficiaries liable for them.

Importantly, Amber points out that the recent publications of Aadhaar details cannot properly be called leaks. A leakage occurs, he points out, when information is treated as secret and stored accordingly and then breached from the outside or leaked by abusing access.

“Here the websites that we looked at are designed in such a way that anybody without any technical knowledge can access information. They are available for download as spreadsheets, how much simpler could it get?” he asks.

Even with the much-vaunted infallibility of biometric verification, experts warn, there are some scarily large loopholes present. While the UIDAI regularly goes to town with the claim that the biometric data stored in the CIDR is well protected behind multiple firewalls, detractors point out that biometric data collected at each transaction point is not similarly secure.

Other kinds of financial transactions such as card transactions , explains Amber, use two-factor authentication (a physical card and a pin number or card details and an OTP, for instance). With Aadhaar, however, authentication is possible with just biometrics.

This is risky because biometric data is not duplication-proof. When biometric data is collected for authentication, he says, there are ways in which this data can be stored for re-use. “At the end of the day, the way the biometric authentication works is by comparing two images. There is a copy of an image which is collected at the time of enrolment which is stored by the UIDAI, and every time you authenticate yourself you give a fresh image. As far as the CIDR is concerned, it has nothing to do with how that image is being created at that stage,” says Amber.

This can and has led to what is called a “replay attack”, where stored biometric images are used to complete transactions without the presence of the actual owner of the biometric data. This is what happened in the case involving Axis Bank, Suvidha Infoserve and eMudhra in February.

Such situations arise, says Kiran, because Aadhaar confuses two very separate functions–authentication (establishing that I am who I am) and authorisation (certifying that I want an action done in my name). “It’s the difference between signing a cheque and showing a photo ID to prove that you are who you are,” explains Kiran. The problem with biometrics is that both processes are combined in one, and there is nothing to verify that the person to whom the biometrics belongs to is actually present for each transaction.

While the UIDAI has now proposed registered and encrypted biometric devices to overcome this problem, some detractors argue that a way around this is not impossible to find either.

“The larger problem is that the UIDAI constantly plays a game of denial and catch up. They keep pretending like other people are stupid and their system will never be broken. And other people keep pointing out that they've forgotten the most obvious things about security in any information system. They are currently in denial mode, where they insist such things are not possible until after it happens, and then they say oh it's happening, let's go do something to fix it,” Kiran says.

What’s more, Kiran and Amber point out that biometrics can even be physically duplicated. On iris scans, Amber argues, “Now, with a lot of CCTV cameras, if their resolution is high enough it is possible to capture things like an iris scan. So the means for biometric authentication can be used covertly, and that is a technological truth,” he asserts.

Duplicating fingerprints, says Kiran is even easier, pointing out to attendance fraud carried out by students of the Institute of Chemical Technology in Mumbai. These students used a resin adhesive to make copies of their fingerprints, which their friends used to give them proxy attendance in the biometric attendance system.

“Lifting fingerprints is ridiculously easy. Anything you touch will leave fingerprints on it. All it requires is some cello-tape to make a copy of your fingerprints. And then you can apply some wax to it and you get an actual impression of your finger. You can go place that on any fingerprint reader and it'll be fooled,” says Kiran.

It’s not as if such duplication is not possible with devices like credit cards. However, says Kiran, there are two key differences. Firstly, credit card companies have built up elaborate checks and balances over years to tackle fraud. Secondly, and far more importantly, credit cards that have been compromised can be cancelled. “Revocability is a feature in the credit card system. In Aadhaar you can't revoke anything. If fraud happens, you are stuck with fraud for the rest of your life,” explains Kiran.

For more details visit https://cis-india.org/internet-governance/news/the-news-minute-rakesh-mehar-may-4-2017-why-aadhaar-leaks-should-worry-you-and-is-biometrics-really-safe

Aadhaar numbers of 135 mn may have leaked, claims CIS report

praskrishna — 2017-05-12T15:40:28Z

Aadhaar numbers and personal information of as many as 135 million Indians could have been leaked from four government portals due to lack of IT security practices, the Centre for Internet and Society has claimed.

The article was published in the Times of India on May 2, 2017.

"Based on the numbers available on the websites looked at, estimated number of Aadhaar numbers leaked through these four portals could be around 130-135 million," the report by CIS said.

Further, as many as 100 million bank account numbers could have been "leaked" from the four portals, it added.

The portals where the purported leaks happened were those of National Social Assistance Programme, National Rural Employment Guarantee Scheme, as well as two websites of the Andhra Pradesh government.

"Over 23 crore beneficiaries have been brought under Aadhaar programme for DBT (Direct Benefit Transfer), and if a significant number of schemes have mishandled data in a similar way, we could be looking at a data leak closer to that number," it cautioned.

The disclosure came as part of a CIS report titled 'Information Security Practices of Aadhaar (or lack thereof): A Documentation of Public Availability of Aadhaar Numbers with Sensitive Personal Financial Information'.

When contaced, a senior official of the Unique Identification Authority of India (UIDAI) said that there was no breach in its own database. The UIDAI issues Aadhaar to citizens.

The CIS report claimed that the absence of "proper controls" in populating the databases could have disastrous results as it may divulge sensitive information about individuals, including details about address, photographs and financial data.

"The lack of consistency of data masking and de- identification standard is an issue of great concern...the masking of Aadhaar numbers does not follow a consistent pattern," the report added. SR MBI MR

For more details visit https://cis-india.org/internet-governance/news/times-of-india-may-5-2017-aadhaar-numbers-of-135-mn-may-have-leaked-claims-cis-report

Aadhaar's the largest biometric database globally but it is leaky by design

praskrishna — 2017-05-12T15:35:00Z

It the largest biometric database in the world and it is fraught with security issues.

The article by Rohith Jyothish was published in the Business Standard on May 5, 2017. This article by Rohith Jyothish originally appeared on Global Voices on May 2, 2017

Over the last few months, the Indian twittersphere has been awash with citizens concerned about government websites leaking millions of individual digital ID numbers.

On May 1, the Centre for Internet and Society, a multi-disciplinary think tank in Bangalore, released a report indicating that faulty information security practices have exposed as many as 135 million ID numbers, leaked from four government databases. The data leaks originated in the process of implementing online dashboards that were likely meant for general transparency and easy administration by the government agencies.

Developed by the Union government of India in 2009, the plan called for the creation a Unique Identification Authority of India (UIDAI) that would issue Unique Identity numbers (UIDs) to all residents of India. Under this scheme, now known as Aadhaar, the UID number ties together several pieces of a person's demographic and biometric information, including their photograph, ten fingerprints and an image of their iris. This information is all stored in a centralized database.

The scheme has so far enrolled 1.13 billion Indians and residents of India, making it the largest biometric database in the world.

This has become a point of pride for government agencies involved in the program. Information Technology Minister Ravishankar Prasad (@rsprasad) tweeted:

Expanding programmes

Aadhaar was built to be used as an identity authentication mechanism that could have multiple services being built on top of it. The scheme was run under an executive order from its inception in 2009 until the Aadhaar Act was passed in 2016. The strategies employed by its supporters generated substantial controversy, and it since has been challenged in the Supreme Court on budgetary grounds. But thus far, it remains in place.

The UIDAI has maintained that the scheme is voluntary. Yet the central government has pushed state governments to include UID for a wide range of essential government services meant to be available to the public.

Independent news portal Scroll regularly covers issues related to UID’s linkages with various welfare programs through its Identity Project. In recent years, Scroll has identified multiple examples of public services being denied to individuals who did not have a UID.

In Delhi in 2015, food rations were denied to those without UID numbers. In April 2016 in the Ajmer district of Rajasthan, UID-enabled food subsidies repeatedly recorded authentication failures.

Six months after Aadhaar was introduced in Rajasthan, state officials report that 10-15% of beneficiaries who normally received food grains from the government (under the National Food Security Act) have been denied some or all of their rations because the system could not authenticate their UIDs. A local farm laborer told Scroll that his rations had been drastically reduced since the arrival of Aadhaar. “In some cases, when we put our fingers, the machine reads out 5 kg, 10 kg, or 15 kg as our entitlement. But we are entitled to 35 kg as per the government norms.”

Advocates are quick to note that there is no adequate avenue to remedy in these situations, leaving citizens with little recourse or ability to seek that these errors be corrected.

In spite of multiple court orders making UID voluntary and limited to selected schemes, the government continues to expand its scope.

Delicate infrastructure and its misuse

According to economist Jean Drèze, the new authentication system requires a lot of fragile technologies to work at the same time, such as a point of sale machine, internet connectivity, biometrics, remote servers and mobile networks. He also maintains that the primary cause of corruption in disbursement of food subsidies is related to the quantity of rations distributed or quantity fraud, which UID doesn't address.

Another economist who has worked extensively on these issues, Reetika Khera points out that the exclusion of large number of people from welfare schemes has not been because of lack of an identity, but rather due to “measly budgets and exclusion errors.“

Contention with the court

The Supreme Court issued two orders in September 2013 and March 2014 which stated that “no person shall be deprived of any service for want of Aadhaar number in case he/she is otherwise eligible/entitled.” On August 11, 2015, the court issued yet another order which limited the use of UID to food, kerosene and cooking gas subsidies. On October 15, it further expanded it to four more schemes: the National Rural Employment Guarantee Scheme, Pradhan Mantri Jan Dhan Yojana (a scheme for financial inclusion), and policies related to pension and provident funds, after the government argued that it would be difficult to roll back UID now that it is the most used national identity system and is linked to service delivery in several major welfare schemes.

‘Leaky’ by design

Following the repeated arguments by the state that UID makes it possible to weed out ‘ghost beneficiaries’ and ‘de-duplicate’ multiple IDs, revelations of fake ‘UID cards’ began to circulate. These UID cards were reportedly issued under the names of pets, historical figures, one alleged spy and even gods.

More recently, the Indian twittersphere has been vocal in pointing to government websites leaking sensitive information from the UID database. In February, security researcher Srinivas Kodali exposed a parallel database containing UID numbers and other details of 5-600,000 children.

In another case, UID numbers of scholarship-holders sat on a state government website for over a year.

On March 22, 2017, tech worker @St_Hill exposed the severity of the problem by showing spreadsheets of personal data that appear with just a single Google search.

This was immediately taken down. But new ones continue to appear with other simple Google searches.

Under the hashtag #AadhaarLeaks, Twitter users have reported numerous such cases on various government websites. The leaks gained popular attention on social media when former Indian men’s cricket team captain MS Dhoni’s UID appeared in a tweet sent by a UID enrollment operator.

The government response

The UIDAI responded to the uproar with a campaign entitled #AadhaarStars, in which parents of young children were encouraged to post 30-second videos of what UID meant to them.

This was rejected by angry twitterati through the hashtag #AadhaarFail which now offers a compendium of tweets about UID-based authentication failures.

In the last couple of months, after the privacy and security-related concerns became louder, the UIDAI has shut down enrollment operators, websites and payment applications for misuse of biometrics data. The central government has even warned state departments against leaking UID data on their portals.

As the uncertainty looms, privacy researcher Amber Sinha and aforementioned security researcher Srinivas Kodali estimated the size of #AadhaarLeaks.

For more details visit https://cis-india.org/internet-governance/news/business-standard-rohith-jyothish-may-5-2017-aadhaar-the-largest-biometric-database-globally-but-it-is-leaky-by-design

135 million aadhaar details, 100 million bank accounts "leaked" from government websites: Researchers

praskrishna — 2017-05-20T06:19:12Z

This was published by Counterview on May 5, 2017.

A top study by the Centre for Internet and Society (CIS) has estimated that “estimated number of aadhaar numbers leaked” through top portals which handle aadhaar “could be around 130-135 million”. Worse, it says, the number of bank accounts numbers leaked would be “around 100 million”.

The study, carried out by researchers Amber Sinha and Srinivas Kodali, adds, “While these numbers are only from two major government programmes of pensions and rural employment schemes, other major schemes, who have also used aadhaar for direct bank transfer (DBT) could have leaked personally identifiable information (PII) similarly due to lack of information security practices.”

Pointing out that “over 23 crore beneficiaries have been brought under aadhaar programme for DBT”, the study, titled “Information Security Practices of Aadhaar (Or Lack Thereof)”, says, “Government schemes dashboard and portals demonstrate … dangers of ill-conceived data driven policies and transparency measures without proper consideration to data security measures.”

Claiming to have a closer look at the databases publicly available portals, the researchers identify four of them a pool of other government websites for examination:

A welfare programme by the Ministry of Rural Development, the National Social Assistance Programme (NSAP) portal, even as seeking to provide public assistance to its citizens in case of unemployment, old age, sickness and disablement, offers information about “job card number, bank account number, name, aadhaar number, account frozen status”, the researchers say.

Pointing out that “one of the url query parameters of website showing the masked personal details was modified from nologin to login”, they say, the “control access to login based pages were allowed providing unmasked details without the need for a password.”

In fact, they say, the Data Download Option feature “allows download of beneficiary details mentioned above such as Beneficiary No, Name, Father’s/Husband’s Name, Age, Gender, Bank or Post Office Account No for beneficiaries receiving disbursement via bank transfer and Aadhaar Numbers for each area, district and state.”
They add, “The NSAP portal lists 94,32,605 banks accounts linked with aadhaar numbers, and 14,98,919 post office accounts linked with aadhaar numbers. While the portal has 1,59,42,083 aadhaar numbers in total, not all of whom are linked to bank accounts.”

Also giving the example of the national rural job guarantee scheme, popularly called NREGA, the researchers say, its portal provides DBT reports containing “various sub-sections including one called ‘Dynamic Report on Worker Account Detail’,” with details like “Job card number, aadhaar number, bank/postal account number, number of days worked”, and so on.

“As per the NREGA portal, there were 78,74,315 post office accounts of individual workers seeded with aadhaar numbers, and 8,24,22,161 bank accounts of individual workers with aadhaar numbers. The total number of Aadhaar numbers stored by portal are at 10,96,41,502”, they add.

Providig similar instances form two other sources, the researchers insist, “The availability of large datasets of aadhaar numbers along with bank account numbers, phone numbers on the internet increases the risk of financial fraud.”

Underlining that “aadhaar data makes this process much easier for fraud and increases the risk around transactions”, they say, “In the US, the ease of getting Social Security Numbers from public databases has resulted in numerous cases of identity theft. These risks increase multifold in India due the proliferation of aadhaar numbers and other related data available.”

Click to read the original published by Counterview on May 5, 2017.

For more details visit https://cis-india.org/internet-governance/news/counterview-may-5-2017-135-million-aadhaar-details-100-million

आधार नंबर, नाम, पता, बैंक अकाउंट और दूसरी संवेदनशील जानकारियां लीक: CIS रिपोर्ट

praskrishna — 2017-05-20T11:40:49Z

एक तरफ भारत सरकार लोगों से अपना आधार कार्ड बनवाने और उसे जरूरी सर्विसों के साथ जोड़ने की अपील कर रही है. दूसरी तरफ लगातार सरकारी वेबसाइट्स से लोगों की आधार से जुड़ी जानकारियां लीक हो रही हैं. सरकार ने आधार को लगभग सभी सर्विसों के लिए जरूरी करने की तैयारी की है.

This was published by Aaj Tak on May 4, 2017.

ताजा रिसर्च के मुताबिक सरकार के डेटाबेस से लगभग 135 मिलियन आधान नंबर ऑनलाइन लीक हुए हो सकते हैं. इस रिसर्च दी सेंटर फॉर इंटरनेट एंड सोसाइटी (CIS) ने कराया है. इस एजेंसी ने इस रिसर्च को इनफॉर्मेशन सिक्योरिटी प्रैक्टिस ऑफर आधार के नाम से प्रकाशित किया है.

रिपोर्ट के मुताबिक सरकारी पोर्टल्स ने लगभग 135 मिलियन भारतीय नागरिकों के आधार नंबर ऑनलाइन को पब्लिक कर दिया. यानी कोई भी इसे ऐक्सेस कर सके. जाहिर है ऐसे में आधार नंबर के गलत यूज का भी खतरा होता है.

चार सरकारी वेबसाइट जिनमें मनरेगा, सोशल ऐसिस्टेंस प्रोग्राम, डेली ऑनलाइन पेमेंट रिपोर्ट और चंद्रण बीमा स्कीम वेबसाइट शामिल हैं. रिपोर्ट के मुताबिक इन वेबसाइट्स पर यूजर्स के आधार नंबर और फिनांशियल जानकारी जैसे बैंक अकाउंट डीटेल को पब्लिक कर दिया जिसे कोई भी ऐक्सेस कर सकता है.

रिपोर्ट के मुताबिक नेशनल सोशल ऐसिस्टेंस प्रोग्राम की वेबसाइट पर पेंशन धारकों के जॉब कार्ड नंबर, बैंक अकाउंट नंबर, आधार कार्ड नंबर और अकाउंट की स्थिति जैसी संवेदनशील जानकारियां उपलब्ध होती हैं. लेकिन कमजोर सिक्योरिटी की वजह से यह दुनिया के किसी भी इंसान के लिए उपलब्ध हो गई. सिर्फ कुछ क्लिक से ही तमाम संवेदनशील जानकारियां हासिल की जा सकती हैं.

हाल ही में झारखंड सरकार की एक वेबसाइट पर लाखों आधार कार्ड होल्डर्स की जानकारियां लीक हो गईं. इसके अलावा कई राज्यों की सरकारी वेबसाइट पर स्कॉलरशिप पाने वाले स्टूडेंट्स के आधार कार्ड डीटेल्स लीक हो गए. गूगल सर्च के जरिए सिर्फ कुछ कीवर्ड्स यूज करके डीटेल्स कोई भी ढूंढ कर गलत यूज कर सकता है.

इस रिसर्च रिपोर्ट में कहा गया है आधार नंबर, जाती, धर्म, पता, फोटोग्राफ्स और यूजर की आर्थिक जानकारी इस तरह पब्लिक होना इस बात को दर्शाता है कि इसे कितने लचर तरीके से लागू किया गया है.

हाल ही में मानव संसाधन विकास मंत्रालय की वेबसाइट से ऐसे डेटा ऐक्सेल शीट आसानी से गूगल के जरिए डाउनलोड की जा सकती थी. आप इसे चूक करें या लापरवाही, लेकिन इतने नागरिकों का घर तक का पता किसी के पास भी हो सकता है.

क्या आधार नंबर को पब्लिक करना सही है?
आधार ऐक्ट 2016 के मुताबिक किसी नागरिक का आधार डेटा पब्लिश नहीं किया जा सकता. यानी मंत्रालय की वेबसाइट इन डेटा को सिक्योर रखने में नाकामयाब हो रही हैं.

आधार ऐक्ट 2016 के तहत कलेक्ट किया गया कोई भी आधार नंबर या कोर बायोमैट्रिक इनफॉर्मेशन पब्लिक नहीं किया जा सकता और न ही इसे किसी पब्लिक प्लैटफॉर्म पर पोस्ट किया जा सकता है. हालांकि इसके इस्तेमाल कानून के तहत शामिल की गईं एजेंसियां और संस्थाएं कर सकती हैं.

दी वायर की एक रिपोर्ट के मुताबिक एक महीने पहले डेटा रिसर्चर श्रीनीवास कोडाली ने थर्ड पार्टी वेबसाइट के द्वारा गलती लीक किए गए 5-6 लाख लोगों के पर्सनल डेटा के बारे में बताया था. इस डेटा में आधार नंबर, नाम, कास्ट, जेंडर और फोटोज शामिल थे.

सरकार के हमेशा दावा करती है कि आधार सिक्योर है
सरकार लगातार दावा करती है कि आधार सिक्योर है सेफ है और डेटा लीक नहीं हो रहे हैं. लेकिन ये घटनाएं लागातार उन दावों को खोखला साबित कर रही हैं. सवाल यह है कि अब इस रिपोर्ट के बाद सरकार कोई कठोर कदम उठाती है या फिर पहले की तरह लचर सुरक्षा बनी रहेगी.

For more details visit https://cis-india.org/internet-governance/news/aaj-tak-may-4-2017-135-million-aadhaar-number-leaked-by-govt-website-cis-report