Centre for Internet and Society

What privacy? 13 crore Aadhaar numbers accessible on government portals

praskrishna — 2017-05-03T14:39:46Z

At least 13 crore Aadhaar numbers and 10 crore bank account numbers are readily accessible on government portals, a report claims.

The blog post by Anusha Ravi was published in Oneindia on May 2, 2017.

The centre for internet and society, in its report, has claimed that Aadhaar numbers with sensitive personal financial information were publicly available on four government portals built to oversee welfare schemes. The report said that the government portals made it easy to access sensitive details, despite it being illegal. "It is extremely irresponsible on the part of the UIDAI [Unique Identification Authority of India], the sole governing body for this massive project, to turn a blind eye to the lack of standards prescribed for how other bodies shall deal with such data, such cases of massive public disclosures of this data, and the myriad ways in which it may be used for mischief," said Amber Sinha and Srinivas Kodali, the authors of the report.

Apart from accessing a person's details, the portals made it possible for anyone to get data on beneficiaries of welfare schemes. In many cases, it included bank account numbers of beneficiaries. The report suggests that close to 23 crore Aadhaar number could have been leaked if most of the government portals connected to direct benefit transfers used the 'same negligent standards for storing data as the ones examined'. "The document shows that the breaches are an indicator of potentially irreversible privacy harm and the data could be used for financial fraud," the authors said in the report. The report was documented after authors studied the National Social Assistance Programme, National Rural Employment Guarantee Scheme, Andhra Pradesh government's Chandranna Bima Scheme and Andhra Pradesh's Daily Online Payment Reports of NREGA.

The report said that sensitive personal identity information such as Aadhaar number, caste, religion, address, photographs and financial information were easily available with a few clicks and suggested how poorly conceived these initiatives were. The report highlights that it was illegal to make personal data public and also refers to # #AadhaarLeaks, a campaign on twitter aimed at exposing the loopholes in the Aadhaar system.

For more details visit https://cis-india.org/internet-governance/news/one-india-may-2-2017-anusha-ravi-what-privacy-13-crore-aadhaar-numbers-accessible-on-governmental-portals

13 crore Aadhaar numbers on four government websites compromised: Report

praskrishna — 2017-05-03T15:19:52Z

The lack of information security practices in key government websites which hosts Personally Identifiable Information (PII) has left citizens of the country more vulnerable to identity theft and financial fraud, a research paper has argued.

The article by Akram Mohammed was published by the New Indian Express on May 2, 2017.

A paper by Amber Sinha and Srinivas Kodali of Centre for Internet and Society analysed four government websites and found that more than 13 crore Aadhaar numbers with related PII were available on the websites, exposing lax security features.

The paper published under Creative Commons is titled ‘Information Security Practices of Aadhaar (or lack thereof): A documentation of public availability of Aadhaar Numbers with sensitive personal financial information’ and was released on Monday.

Sinha and Kodali looked at databases on four government portals -- National Social Assistance Programme, National Rural Employment Guarantee Scheme, Chandranna Bima Scheme, Govt. of Andhra Pradesh and Daily Online Payment Reports website of NREGA, Govt. of Andhra Pradesh.

“We chose major government programmes that use Aadhaar for payments and banking transactions. We found sensitive and personal data and information accessible on these portals,” the report said.

Leaked through portals

“Based on the numbers available on the websites, estimated number of Aadhaar numbers leaked through these 4 portals could be around 130-135 million and the number of bank account numbers leaked at around 100 million.

While these numbers are only from two major government programmes of pensions and rural employment schemes, other major schemes, that have also used Aadhaar for DBT, could have leaked PII similarly due to lack of information security practices,” it said.

They fear that data of over 23 crore beneficiaries under DBT of LPG subsidies could be leaked also. Identity theft and financial fraud “risks increase multifold in India...,” they said.

Aadhaar payments unsafe

In case a financial fraud takes place through Aadhaar enabled Payment System (AePS), the consumer may not be able to assert his claims for compensation due to the terms and conditions around liabilities.

“These terms force the consumer to take liabilities onto oneself than the payment provider..... Regulations and standards around Aadhaar are at a very early and nascent stage causing (an) increase in financial risk for both consumers and banks to venture into AePS,” they added. The authors also pulled up UIDAI for their inability in providing strong legislation against such leaks.

Leaky govt portals

National Social Assistance Programme

PII available - Access to Aadhaar no., name, bank account number, account frozen status 94,32,605 bank accounts linked with Aadhaar

14,98,919 post office accounts linked with Aadhaar numbers.

Though total Aadhaar number is 1,56,42,083, not all are linked to bank accounts

NREGA

PII Details available: Job card no., Aadhaar number, bank/postal account number, no. of days worked, registration no., account frozen status

78,74,315 post office accounts of individual workers seeded with Aadhaar numbers,

8,24,22,161 bank accounts of individual workers with Aadhaar numbers.

10,96,41,502 total number of Aadhaar numbers stored by portal

Other websites

Chandranna Bima Scheme, Govt. of Andhra Pradesh

Daily Online Payment Reports website of NREGA, Govt. of Andhra Pradesh

For more details visit https://cis-india.org/internet-governance/news/new-indian-express-may-2-2017-akram-mohammed-13-crore-aadhaar-numbers-on-four-government-websites-compromised

Around 13 crore Aadhaar numbers easily available on government portals, says report

praskrishna — 2017-05-03T15:29:12Z

A report by The Centre for Internet and Society claimed that around 13 crore Aadhaar numbers and 10 crore bank account numbers were easily accessible on four government portals built to oversee welfare schemes. The document, released on Monday, pointed out that though it is illegal to reveal Aadhaar numbers, the government portals examined made it easy for anyone to access them, as well as other data about beneficiaries of welfare schemes including in many cases their bank account numbers.

This was published by Scroll.in on May 2, 2017.

The report suggests that the Aadhaar numbers leaked could actually be closer to 23 crore, if most of the government portals connected to direct benefit transfers used the same negligent standards for storing data as the ones examined. “It is extremely irresponsible on the part of the UIDAI [Unique Identification Authority of India], the sole governing body for this massive project, to turn a blind eye to the lack of standards prescribed for how other bodies shall deal with such data, such cases of massive public disclosures of this data, and the myriad ways in which it may used for mischief,” the authors of the report said.

The document also pointed out that the breaches are an indicator of “potentially irreversible privacy harm” and said the data could be used for financial fraud. The report authored by Amber Sinha and Srinivas Kodali studied the National Social Assistance Programme, National Rural Employment Guarantee Scheme, Andhra Pradesh government’s Chandranna Bima Scheme and Andhra Pradesh’s Daily Online Payment Reports of NREGA.

While the report said the Aadhaar initiative as a concept may be praiseworthy, the absence of adequate security could prove disastrous. “Sensitive personal identity information such as Aadhaar number, caste, religion, address, photographs and financial information are only a few clicks away and suggest how poorly conceived these initiatives are,” the report said.

The Centre had, on April 25, cautioned states against leaking Aadhaar information, after it emerged that a number of government websites were making it easy for people to access individuals’ Aadhaar numbers. The Unique Identification Authority of India also filed First Information Reports against eight private websites for collecting Aadhaar-related data from citizens in an unauthorised manner on April 19, but no such action appears to have been taken against government websites so far.

According to government data, the UIDAI has issued 112 crore Aadhaar numbers so far and has maintained that its biometrics database is tamper-proof, although it is up to various other authorities to maintain the secrecy of Aadhaar data collected or kept by them.

On April 21, the Supreme Court had questioned the Centre for making the Aadhaar card mandatory for a number of central schemes despite its repeated orders that the unique identification programme cannot be made mandatory. The government has nevertheless been expanding the scope of the Unique Identity project over the past few months by introducing it for initiatives such as the midday meal scheme of school lunches for children, and, most recently, requiring Aadhaar to file income tax returns.

In March, an Aadhaar enrolment agency had been de-registered for leaking the personal data of cricketer Mahendra Singh Dhoni.

For more details visit https://cis-india.org/internet-governance/news/scroll-may-2-2017-around-13-crore-aadhaar-numbers-easily-available-on-government-portals-says-report

Aadhaar Case: Beyond Privacy, An Issue of Bodily Integrity

Amber Sinha and Aradhya Sethia — 2017-05-03T16:02:02Z

The insertion of Section 139AA in the Income Tax Act has been challenged and is being heard by a two-judge bench of the Supreme Court.

The article was published in the Quint on May 1, 2017.

The Finance Act, 2017, among its various sweeping changes, also inserted a new provision into the Section 139AA of the IT ACT, which makes Aadhaar numbers mandatory for:

(a) applying for PAN and

(b) filing income tax returns

In case one does not have an Aadhaar number, she or he is required to submit the enrolment ID of one’s Aadhaar application. The overall effect of this provision is that it makes Aadhaar mandatory for filing tax returns and applying for a PAN. The SC hearings began on 26 April. In order to properly appreciate the tough task at hand for the counsel for the petitioners, it is important to do a quick recap of the history of the Aadhaar case.

Case Over Constitutional Validity

Back in August 2015, the Supreme Court had referred the question of the constitutional validity of the fundamental right to privacy to a larger bench.

This development came after the Union government pointed out that the judgements in MP Sharma vs Satish Chandra and Kharak Singh vs State of UP (decided by eight and six judge benches respectively) rejected a constitutional right to privacy.

The reference to a larger bench has since delayed the entire Aadhaar case, while an alarming number of government schemes have made Aadhaar mandatory in the meantime.

Since then, the Supreme Court has not entertained any arguments related to privacy in the court proceedings on Aadhaar pending the resolution of this issue by a constitutional bench, which is yet to to be set up. The petitioners have had to navigate this significant handicap in the current proceedings as well.

Ongoing Hearing in Aadhaar Case

At the beginning of Advocate Shyam Divan’s arguments on behalf of the petitioners, the Attorney General objected to the petitioners making any argument related to the right to privacy. Anticipating this objection, Divan assured the court, right at the outset that they “will not argue on privacy issue at all”.

In the course of his arguments, Divan referred to at least three rights which may otherwise have been argued as facets of the right to privacy – personal autonomy, informational self-determination and bodily integrity. However, in this hearing those rights were strategically not couched as dimensions of privacy.

Divan consistently maintained that these rights emanate from Article 21 and Article 19 of the Constitutions and are different from the right to privacy.

Many Layers of the Right to Privacy

If one follows the courtroom exchanges in the original Aadhaar matter (not the one being argued now), the debates around the privacy implications of Aadhaar have focussed on simplistic balancing exercises of “security vs privacy” and “efficient governance vs privacy”.

These observations depict the right to privacy as a monolithic concept, i.e. a single right which has a unity of harm it captures within itself. In other words, all privacy harms are considered to be on the same footing. "Privacy harms" here mean the undesirable effects of the violation of the right to privacy.

This monolithic conception was clearly reflected in the Supreme Court’s decision to refer the constitutionality of “right to privacy” to a larger bench.

In MP Sharma vs Satish Chandra, the Supreme Court had rejected certain dimensions of what is generally understood as the right to privacy in a specific context (and hence dealing with a specific kind of privacy harm). A monolithic conception of the right to privacy would mean that MP Sharma should be applicable to all kinds of privacy claims.

Prof Daniel Solove, a privacy law expert, in his landmark paper “Taxonomy of Privacy” argues that the right to privacy captures multiple kinds of harms within itself. The right to privacy is not a monolithic concept, but a plural concept; there is no one right to privacy, but multiple hues of right to privacy.

Sidestepping ‘Privacy’ in the Current Case

The plural conception of the right to privacy not only makes our privacy jurisprudence more nuanced and comprehensive, but also guides us to analyse differential privacy harms according to the standards appropriate for them.

Therefore, the refusal of the Supreme Court in MP Sharma to recognise a specific construction of privacy read into a specific constitutional provision should not have precluded the bench, even one smaller in number, from treating other conceptions of privacy into the same or other constitutional provisions.

As a lawyer, Divan was severely compromised from being unable to argue the right to privacy, which in my opinion, cuts at the heart of the constitutional issues with the Aadhaar project.

He refrained from couching any of his arguments on bodily integrity, informational self-determination, and personal autonomy as privacy arguments. What the approach reveals is that far from being a monolithic notion, the harms that privacy, as we understand it, addresses, are capable of being broken into multiple and distinct rights.

Moving Beyond Article 21

Divan further argues that coercing someone to give personal information is compelled speech and hence, violative of Article 19(1)(a) (the rights to free speech and expression). Once again, the harm described here – compelling someone to part with personal data – is conventionally a privacy harm.

However, it is important to note here that a privacy harm may also be a speech harm. Therefore, Article 21 is not the sole repository of these rights. They may also be located under other articles. The practical consequence of these rights being located under multiple constitutional provisions could be added protection of these rights.

For instance, if it can be shown that compelling an individual to part with personal data results into violation of Article 19(1)(a), the State will have to show which ground laid down under Article 19(2) does the specific restriction fall under.

This might be more challenging as opposed to the vague standard of “compelling state interest” test which has been the constitutional test for privacy violations under Article 21.

Changing the Definition of Right to Privacy

The arguments presented by Divan, if accepted by the Supreme Court, could represent a two-pronged shift in the landscape of the values popularly understood under the right to privacy in India:

1) first, the idea of the rights of bodily integrity, informational self-determination, and personal autonomy as part of a plural concept (whether arising from the right to privacy or another right) that encompasses several harms within it, and

2) second that some of these rights may be read into other Articles in the Constitution.

Under the circumstances, Mr Divan’s performance was nothing short of heroic. Whether they pass muster and impact the course of this long drawn legal battle remains to be seen.

(Amber Sinha is a lawyer and works as a researcher at the Centre for Internet and Society. Aradhya Sethia is a final year law student at the National Law School of India University, Bangalore. This is an opinion piece and the views expressed above are the author’s own. The Quint neither endorses nor is responsible for the same.)

For more details visit https://cis-india.org/internet-governance/blog/the-quint-amber-sinha-and-aradhya-sethia-may-1-2017-aadhaar-case-beyond-privacy-an-issue-of-bodily-integrity

En Inde, le biométrique version très grand public

praskrishna — 2017-05-03T16:27:23Z

Initiée en 2010, l’Aadhaar est désormais la plus grande base de données d’empreintes et d’iris au monde. Carte d’identité destinée aux 1,25 milliard d’Indiens, elle sert aussi de moyen de paiement. Mais la sécurité du système et son utilisation à des fins de surveillance posent question.

The article was published by Liberation on April 27, 2017. Sunil Abraham was quoted.

Le front barré d’un signe religieux hindou rouge, Vivek Kumar se tient droit derrière le comptoir de son étroite papeterie située dans une allée obscure d’un quartier populaire du sud-est de New Delhi. Sous le regard bienveillant d’une idole de Ganesh - le dieu qui efface les obstacles -, le commerçant à la fine moustache et à la chemise bleu-gris au col Nehru réalise des photocopies, fournit des tampons ou des stylos à des dizaines de chalands.

Gaurav, un vendeur de légumes de la halle d’à côté, entre acheter du crédit de communication mobile. Au moment de payer, il sort son portefeuille, mais pas pour chercher de la monnaie. Il y prend sa carte d’identité Aadhaar et fournit ses douze chiffres au commerçant. Qui les entre dans un smartphone, sélectionne la banque de Gaurav et indique le montant de l’achat. Le client n’a plus qu’à poser son pouce sur un lecteur biométrique relié au combiné, connecté à Internet. Une lumière rouge s’allume et un son retentit : la transaction est bien passée.

Depuis mars, 32 banques indiennes fournissent ce service novateur de paiement par empreinte digitale. Appelé Aadhaar Pay, il utilise les informations biométriques, à savoir les dix empreintes digitales et celle de l’iris, recueillies par le gouvernement depuis septembre 2010 pour créer la première carte d’identité du pays. Toute personne résidant en Inde depuis plus de six mois, y compris les étrangers, peut s’inscrire et l’obtenir gratuitement.

«Renverser le système»

L’Aadhaar («la fondation» en hindi) représente aujourd’hui la plus grande base de données biométriques au monde, avec 1,13 milliard de personnes enregistrées sur 1,25 milliard, soit 99 % de la population adulte indienne.

L’objectif initial était double : identifier la population - 10% des Indiens n’avaient jusqu’ici aucun papier, et donc aucun droit - et se servir de ces moyens biométriques pour sécuriser l’attribution de nombreuses subventions alimentaires ou énergétiques, dont le détournement coûte plusieurs milliards d’euros chaque année à l’Etat fédéral.

A partir de 2014, la nouvelle majorité nationaliste hindoue du BJP a étendu les usages de l’Aadhaar pour transformer cet outil de reconnaissance en un vrai «passe-partout» de la vie quotidienne indienne : depuis l’ouverture d’une ligne téléphonique à la déclaration de ses impôts, en passant surtout par la création d’un compte en banque, le numéro Aadhaar sera à présent requis. Dans ce dernier cas, l’Aadhaar permet en prime d’utiliser le paiement bancaire par biométrie pour réduire le recours au liquide, qui représente encore plus de 90 % des transactions dans le pays.

Le Premier ministre, Narendra Modi, a fait de cette inclusion financière l’un de ses principaux chevaux de bataille : en 2014, son gouvernement a lancé un énorme programme qui a permis la création de 213 millions de comptes bancaires en deux ans - aujourd’hui, quasiment tous les foyers en possèdent au moins un. Il a continué dans cette voie énergique en démonétisant, en novembre, les principales coupures. But de la manœuvre : convaincre les Indiens de se défaire, au moins temporairement, de leur dépendance aux billets marqués de la tête de Gandhi.

«Le liquide est gratuit, donc il est difficile de pousser les gens à utiliser d’autres moyens de paiement, explique Ragavan Venkatesan, responsable des paiements numériques à la banque IDFC, pionnière dans l’utilisation de l’Aadhaar Pay. Nous avons donc renversé le système pour que le commerçant soit incité à utiliser les moyens numériques.» L’établissement financier a d’abord développé le «microdistributeur de billets» : une tablette que le vendeur peut utiliser pour créer des comptes, recevoir des petits dépôts ou fournir du liquide aux clients au nom de la banque, contre une commission. Comme l’Aadhaar Pay, cette tablette se connecte au lecteur biométrique - fourni par l’entreprise française Safran - pour l’identification et l’authentification. Dans les deux cas, et à la différence des paiements par carte, ni le marchand ni le client ne paient pour l’utilisation de ce réseau. «Le mode traditionnel de paiement par carte va progressivement disparaître», prédit Ragavan Venkatesan.

Défi

Pour l’instant, le système n’en est toutefois qu’à ses débuts. Environ 70 banques - une minorité du réseau indien - sont reliées à l’Aadhaar Pay, et lors de nos visites dans différents magasins de New Delhi, une transaction a été bloquée pendant dix minutes à cause d’un problème de serveur. La connectivité est d’ailleurs un défi dans un pays dont la population est en majorité rurale : le système nécessite au minimum le réseau 2G, dont sont dépourvus environ 8 % des villages, selon le ministère des Télécommunications.

Mais c’est la protection du système qui est surtout en question : «La biométrie réduit fortement le niveau de sécurité, car c’est facile de voler ces données et de les utiliser sans votre accord, explique Sunil Abraham, directeur du Centre pour l’Internet et la société de Bangalore. Il existe maintenant des appareils photo de haute résolution qui permettent de capturer et de répliquer les empreintes ou l’iris», affirme ce spécialiste en cybersécurité.

Le problème tient au caractère irrévocable de ces données biométriques. A la différence d’une carte bancaire qu’on peut annuler et remplacer, on ne peut changer d’empreinte ou d’iris. L’Autorité indienne d’identification unique (UIDAI), qui gère l’Aadhaar, prévoit bien que l’on puisse bloquer l’utilisation de ses propres données biométriques sur demande, ce qui offre une solution de sécurisation temporaire. «Si un fraudeur essaie de les utiliser, on peut le repérer [grâce au réseau internet, ndlr] et l’arrêter», défend Ragavan Venkatesan, de la banque IDFC.

Mais cela risque de ne pas suffire en cas de recel de ces informations : la police vient d’interpeller un groupe de trafiquants qui étaient en possession des données bancaires de 10 millions d’Indiens, récupérées à travers des employés et sous-traitants, données qu’ils revendaient par paquets. Une femme âgée s’était déjà fait dérober 146 000 roupies (un peu plus de 2 000 euros) à cause de cette fraude.

Outil idéal

Le directeur de l’UIDAI assure qu’aucune fuite ni vol de données n’ont été rapportés à ce jour depuis leurs serveurs - ce qui ne garantit pas que cette confidentialité sera respectée par tous les autres acteurs qui y ont accès. En février, un chercheur en cybersécurité a alerté la police sur le fait que 500 000 numéros Aadhaar ainsi que les détails personnels de leurs propriétaires - exclusivement des mineurs - avaient été publiés en ligne. La loi sur l’Aadhaar punit de trois ans de prison le vol ou le recel de ces données. Ce texte adopté l’année dernière - soit six ans après le début de la collecte - empêche également leur utilisation à d’autres fins que l’authentification pour l’attribution de subventions et de services. Et l’UIDAI ne peut y accéder pleinement qu’en cas de risque pour la sécurité nationale, et selon une procédure spéciale.

Reste qu’il n’existe pas d’autorité, comme la Cnil en France, chargée de veiller de manière indépendante à ce que ces lignes rouges ne soient pas franchies par un Etat à la recherche de nouveaux moyens de renseignement. Car les experts s’accordent sur ce point : le biométrique est un outil idéal pour surveiller une population.

En 2010, le gouvernement britannique avait d’ailleurs mis fin à son projet de carte d’identité biométrique, estimant que le taux d’erreurs dans l’authentification était trop élevé et le risque d’atteinte aux libertés trop important. Les Indiens, souvent subjugués par les nouvelles technologies pour résoudre leurs problèmes sociaux, ne semblent pas prêts de revenir en arrière. Surtout si cela peut en plus servir à mieux ficher un pays menacé par un terrorisme régional et local.

For more details visit https://cis-india.org/internet-governance/news/en-inde-le-biometrique-version-tres-grand-public

Aadhaar's the largest biometric database globally but it is leaky by design

praskrishna — 2017-05-12T15:35:00Z

It the largest biometric database in the world and it is fraught with security issues.

The article by Rohith Jyothish was published in the Business Standard on May 5, 2017. This article by Rohith Jyothish originally appeared on Global Voices on May 2, 2017

Over the last few months, the Indian twittersphere has been awash with citizens concerned about government websites leaking millions of individual digital ID numbers.

On May 1, the Centre for Internet and Society, a multi-disciplinary think tank in Bangalore, released a report indicating that faulty information security practices have exposed as many as 135 million ID numbers, leaked from four government databases. The data leaks originated in the process of implementing online dashboards that were likely meant for general transparency and easy administration by the government agencies.

Developed by the Union government of India in 2009, the plan called for the creation a Unique Identification Authority of India (UIDAI) that would issue Unique Identity numbers (UIDs) to all residents of India. Under this scheme, now known as Aadhaar, the UID number ties together several pieces of a person's demographic and biometric information, including their photograph, ten fingerprints and an image of their iris. This information is all stored in a centralized database.

The scheme has so far enrolled 1.13 billion Indians and residents of India, making it the largest biometric database in the world.

This has become a point of pride for government agencies involved in the program. Information Technology Minister Ravishankar Prasad (@rsprasad) tweeted:

Expanding programmes

Aadhaar was built to be used as an identity authentication mechanism that could have multiple services being built on top of it. The scheme was run under an executive order from its inception in 2009 until the Aadhaar Act was passed in 2016. The strategies employed by its supporters generated substantial controversy, and it since has been challenged in the Supreme Court on budgetary grounds. But thus far, it remains in place.

The UIDAI has maintained that the scheme is voluntary. Yet the central government has pushed state governments to include UID for a wide range of essential government services meant to be available to the public.

Independent news portal Scroll regularly covers issues related to UID’s linkages with various welfare programs through its Identity Project. In recent years, Scroll has identified multiple examples of public services being denied to individuals who did not have a UID.

In Delhi in 2015, food rations were denied to those without UID numbers. In April 2016 in the Ajmer district of Rajasthan, UID-enabled food subsidies repeatedly recorded authentication failures.

Six months after Aadhaar was introduced in Rajasthan, state officials report that 10-15% of beneficiaries who normally received food grains from the government (under the National Food Security Act) have been denied some or all of their rations because the system could not authenticate their UIDs. A local farm laborer told Scroll that his rations had been drastically reduced since the arrival of Aadhaar. “In some cases, when we put our fingers, the machine reads out 5 kg, 10 kg, or 15 kg as our entitlement. But we are entitled to 35 kg as per the government norms.”

Advocates are quick to note that there is no adequate avenue to remedy in these situations, leaving citizens with little recourse or ability to seek that these errors be corrected.

In spite of multiple court orders making UID voluntary and limited to selected schemes, the government continues to expand its scope.

Delicate infrastructure and its misuse

According to economist Jean Drèze, the new authentication system requires a lot of fragile technologies to work at the same time, such as a point of sale machine, internet connectivity, biometrics, remote servers and mobile networks. He also maintains that the primary cause of corruption in disbursement of food subsidies is related to the quantity of rations distributed or quantity fraud, which UID doesn't address.

Another economist who has worked extensively on these issues, Reetika Khera points out that the exclusion of large number of people from welfare schemes has not been because of lack of an identity, but rather due to “measly budgets and exclusion errors.“

Contention with the court

The Supreme Court issued two orders in September 2013 and March 2014 which stated that “no person shall be deprived of any service for want of Aadhaar number in case he/she is otherwise eligible/entitled.” On August 11, 2015, the court issued yet another order which limited the use of UID to food, kerosene and cooking gas subsidies. On October 15, it further expanded it to four more schemes: the National Rural Employment Guarantee Scheme, Pradhan Mantri Jan Dhan Yojana (a scheme for financial inclusion), and policies related to pension and provident funds, after the government argued that it would be difficult to roll back UID now that it is the most used national identity system and is linked to service delivery in several major welfare schemes.

‘Leaky’ by design

Following the repeated arguments by the state that UID makes it possible to weed out ‘ghost beneficiaries’ and ‘de-duplicate’ multiple IDs, revelations of fake ‘UID cards’ began to circulate. These UID cards were reportedly issued under the names of pets, historical figures, one alleged spy and even gods.

More recently, the Indian twittersphere has been vocal in pointing to government websites leaking sensitive information from the UID database. In February, security researcher Srinivas Kodali exposed a parallel database containing UID numbers and other details of 5-600,000 children.

In another case, UID numbers of scholarship-holders sat on a state government website for over a year.

On March 22, 2017, tech worker @St_Hill exposed the severity of the problem by showing spreadsheets of personal data that appear with just a single Google search.

This was immediately taken down. But new ones continue to appear with other simple Google searches.

Under the hashtag #AadhaarLeaks, Twitter users have reported numerous such cases on various government websites. The leaks gained popular attention on social media when former Indian men’s cricket team captain MS Dhoni’s UID appeared in a tweet sent by a UID enrollment operator.

The government response

The UIDAI responded to the uproar with a campaign entitled #AadhaarStars, in which parents of young children were encouraged to post 30-second videos of what UID meant to them.

This was rejected by angry twitterati through the hashtag #AadhaarFail which now offers a compendium of tweets about UID-based authentication failures.

In the last couple of months, after the privacy and security-related concerns became louder, the UIDAI has shut down enrollment operators, websites and payment applications for misuse of biometrics data. The central government has even warned state departments against leaking UID data on their portals.

As the uncertainty looms, privacy researcher Amber Sinha and aforementioned security researcher Srinivas Kodali estimated the size of #AadhaarLeaks.

For more details visit https://cis-india.org/internet-governance/news/business-standard-rohith-jyothish-may-5-2017-aadhaar-the-largest-biometric-database-globally-but-it-is-leaky-by-design

Why Aadhaar leaks should worry you, and is biometrics really safe?

praskrishna — 2017-05-12T15:48:48Z

What’s worrying is that the UIDAI seems to always be in denial mode over security concerns.

The blog post was published by the News Minute on May 4, 2017. Amber Sinha was quoted.

If you’ve paid the slightest bit of attention to news about Aadhaar, you’ll have heard about a series of leaks of Aadhaar data from multiple government websites. Some of the latest government websites to leak Aadhaar and demographic data, were the Jharkhand Directorate of Social Security and the Kerala government’s pension department.

Shockingly, a report by The Centre for Internet and Society (CIS) revealed that the Aadhaar details along with demographic details and financial information of around 135 million people in the country has been leaked by four government portals. And this could just be the tip of the iceberg.

However, the public response to these revelations has been muted. The government and the UIDAI, the authority behind Aadhaar, have retreated behind the defence that only Aadhaar numbers have been leaked, and not biometric details, and hence there is no major problem.

However, experts warn that Aadhaar numbers by themselves pose a sufficient risk when leaked, and that the UIDAI has been consistently underplaying the risks of such leaks and overplaying the security of biometric identification.

Amber Sinha, who co-authored the CIS report, points out that it’s not just Aadhaar numbers that have been leaked on government websites, but also demographic information as well as financial details. Various such bits of data can be aggregated by fraudsters and used to steal identities and commit financial fraud online or through phones.

“We see a lot of examples of social engineering techniques where fraudsters collect data from various sources and impersonate people,” he says. The report points out that one of the most common techniques is to call persons impersonating bank officials requiring sensitive information, and provide Aadhaar and demographic details to make the bid for this information convincing.

Amber also points out that in online and phone verifications, it is possible to impersonate other persons with such information.

“Somebody can call the bank pretending to be me, and he could also authenticate himself as me if he has all the data about me. The bank will ask him some four questions and if he has all that information, then the bank has no reason to believe that he is not me,” he explains.

Co-Founder of HasGeek, Kiran Jonnalagadda, an active voice on net neutrality, freedom of speech and privacy, points out that one of the main problems is that the Aadhaar system assumes biometric verification in every transaction, but Aadhaar cards are often used as identity documents without biometrics particularly for many non-financial transactions.

“Somebody can apply for a SIM card with your Aadhaar number, and if the place that is issuing the SIM card didn't do a biometric verification then your card is good enough, because now they can do anything they want in your name,” Kiran said. In such cases, he points out, impersonation is almost ridiculously easy because the Aadhaar card, just a colour printout with no security features, can be faked by almost anyone.

He points out that, particularly in cases of online verifications, the problem of fraud is acutely heightened. “The thing is that if they have your number and your demographic details, if the government does a verification online, the details will match. Which means that the ID is not fake. It's just that you didn't actually authorise any of this. In a perfect world, everybody would do biometrics. The problem is that that does not exist right now.”

One of the major flaws of the current security practices of Aadhaar is that the UIDAI only takes responsibility for the security of data stored within its Central Identities Data Repository. However, explains Amber, over the last five years, the UIDAI has proactively seeded Aadhaar data across multiple government databases. However, the UIDAI has not exercised strict disclosure controls on these government databases, and there are no clear standards for publicity of information.

The CIS report points to the example of the Andhra Pradesh portal of the NREGA, which carries information on Aadhaar numbers and disbursal amounts on a simple text file, with no encryption or other security measures. The report argues that this system could easily be exploited to transfer illegal sums of money into these accounts, making beneficiaries liable for them.

Importantly, Amber points out that the recent publications of Aadhaar details cannot properly be called leaks. A leakage occurs, he points out, when information is treated as secret and stored accordingly and then breached from the outside or leaked by abusing access.

“Here the websites that we looked at are designed in such a way that anybody without any technical knowledge can access information. They are available for download as spreadsheets, how much simpler could it get?” he asks.

Even with the much-vaunted infallibility of biometric verification, experts warn, there are some scarily large loopholes present. While the UIDAI regularly goes to town with the claim that the biometric data stored in the CIDR is well protected behind multiple firewalls, detractors point out that biometric data collected at each transaction point is not similarly secure.

Other kinds of financial transactions such as card transactions , explains Amber, use two-factor authentication (a physical card and a pin number or card details and an OTP, for instance). With Aadhaar, however, authentication is possible with just biometrics.

This is risky because biometric data is not duplication-proof. When biometric data is collected for authentication, he says, there are ways in which this data can be stored for re-use. “At the end of the day, the way the biometric authentication works is by comparing two images. There is a copy of an image which is collected at the time of enrolment which is stored by the UIDAI, and every time you authenticate yourself you give a fresh image. As far as the CIDR is concerned, it has nothing to do with how that image is being created at that stage,” says Amber.

This can and has led to what is called a “replay attack”, where stored biometric images are used to complete transactions without the presence of the actual owner of the biometric data. This is what happened in the case involving Axis Bank, Suvidha Infoserve and eMudhra in February.

Such situations arise, says Kiran, because Aadhaar confuses two very separate functions–authentication (establishing that I am who I am) and authorisation (certifying that I want an action done in my name). “It’s the difference between signing a cheque and showing a photo ID to prove that you are who you are,” explains Kiran. The problem with biometrics is that both processes are combined in one, and there is nothing to verify that the person to whom the biometrics belongs to is actually present for each transaction.

While the UIDAI has now proposed registered and encrypted biometric devices to overcome this problem, some detractors argue that a way around this is not impossible to find either.

“The larger problem is that the UIDAI constantly plays a game of denial and catch up. They keep pretending like other people are stupid and their system will never be broken. And other people keep pointing out that they've forgotten the most obvious things about security in any information system. They are currently in denial mode, where they insist such things are not possible until after it happens, and then they say oh it's happening, let's go do something to fix it,” Kiran says.

What’s more, Kiran and Amber point out that biometrics can even be physically duplicated. On iris scans, Amber argues, “Now, with a lot of CCTV cameras, if their resolution is high enough it is possible to capture things like an iris scan. So the means for biometric authentication can be used covertly, and that is a technological truth,” he asserts.

Duplicating fingerprints, says Kiran is even easier, pointing out to attendance fraud carried out by students of the Institute of Chemical Technology in Mumbai. These students used a resin adhesive to make copies of their fingerprints, which their friends used to give them proxy attendance in the biometric attendance system.

“Lifting fingerprints is ridiculously easy. Anything you touch will leave fingerprints on it. All it requires is some cello-tape to make a copy of your fingerprints. And then you can apply some wax to it and you get an actual impression of your finger. You can go place that on any fingerprint reader and it'll be fooled,” says Kiran.

It’s not as if such duplication is not possible with devices like credit cards. However, says Kiran, there are two key differences. Firstly, credit card companies have built up elaborate checks and balances over years to tackle fraud. Secondly, and far more importantly, credit cards that have been compromised can be cancelled. “Revocability is a feature in the credit card system. In Aadhaar you can't revoke anything. If fraud happens, you are stuck with fraud for the rest of your life,” explains Kiran.

For more details visit https://cis-india.org/internet-governance/news/the-news-minute-rakesh-mehar-may-4-2017-why-aadhaar-leaks-should-worry-you-and-is-biometrics-really-safe

In The Biggest Data Leak, Info Of 13 Crore Aadhaar Card Holders Has Been Compromised And Is Available Online

praskrishna — 2017-05-12T15:59:31Z

The Modi government has been trying to make Aadhaar mandatory for everything from Income Tax return, buying a SIM card, bank transaction, train ticket, air travel, mid-day meal government subsidies etc.

The blog post by Bobins Abraham was published by India Times on May 3, 2017.

While the government claims that the move will increase security and ensure that the benefits are reaching to real people and not syphoned off. But security experts have been pointing out the possibility of security breach in the system resulting in the sensitive biometric data reaching in the hands of those, who could misuse them.

A study by Bengaluru-based think tank, Centre for Internet and Society has once again cemented these concerns. According to its report titled, "Information Security Practices of Aadhaar (or lack thereof): A documentation of the public availability of Aadhaar Numbers with sensitive personal financial information," Aadhaar data of as many as 13.5 crore card holders have already leaked online.

The study revealed that the mass data leak happened due to security flaws in four government websites:

National Social Assistance Programme
National Rural Employment Guarantee Act (NREGA)
Daily Online Payment Reports under NREGA (Govt. of Andhra Pradesh)
Chandranna Bima Scheme run by Government of Andhra Pradesh

“Based on the numbers available on the websites looked at, estimated number of Aadhaar numbers leaked through these four portals could be around 130-135 million and the number of bank account numbers leaked at around 100 million from the specific portals we looked at,” the report said.

The report was published even as the government continue to defend Aadhaar in the Supreme Court saying that the move to link Aadhaar with PAN cards was meant to put a stop on the number of individuals in possession of multiple PAN cards by putting a robust identification system in place. Attorney General Mukul Rohatgi said that this will help in curbing money laundering, the flow of black money and controlling the funding of terror.

For more details visit https://cis-india.org/internet-governance/news/india-times-bobin-abraham-may-3-2017-in-the-biggest-data-leak-info-of-13-crore-aadhaar-card-holders-has-been-compromised-and-is-available-online

India is building a biometric database for 1.3 billion people — and enrollment is mandatory

praskrishna — 2017-05-12T16:22:35Z

Inside the buzzing enrollment agency, young professionals wearing slim-fitting jeans and lanyards around their necks tapped away at keyboards and fiddled with fingerprint scanning devices as they helped build the biggest and most ambitious biometric database ever conceived.

The article by Shashank Bengali was published in the Los Angeles Times on May 12, 2017.

Into the office stepped Vimal Gawde, an impoverished 75-year-old widow dressed in a floral print sari. She had come to secure her ticket to India’s digital future — to enroll in the identity program, called Aadhaar, or “foundation,” that aims to record the fingerprints and irises of all 1.3 billion Indian residents.

Nearly 9 out of 10 Indians have registered, each assigned a unique 12-digit number that serves as a digital identity that can be verified with the scan of a thumb or an eye. But Gawde came to the enrollment office less out of excitement than desperation: If she didn’t get a number, she worried that she wouldn’t be able to eat.

Designed as a showcase of India’s technological prowess — offering identity proof to the poor and reducing waste in welfare programs — Aadhaar’s grand promises have been muddied by controversy as the government makes enrollment mandatory for a growing number of essential services.

Indians now need an Aadhaar number to pay taxes, collect pensions and obtain certain welfare benefits. The rapid expansion of a program that was originally described as voluntary has sparked criticism that India is vacuuming up citizens’ personal information with few privacy safeguards and creating hardship for the very people the initiative was supposed to help.

Like many Indians living in poverty, Gawde uses a ration card to purchase her monthly allotment of subsidized rice and cooking gas. But the shopkeeper told her that starting next month, he would sell to her only if she produced an Aadhaar number.

She had visited the enrollment agency three times but had yet to be approved, for reasons she did not understand. (Enrollment agents would not comment on individual cases.)

Reaching into her canvas bag, Gawde pulled out the familiar panoply of documents — ration card, voter card, electricity bill, income tax ID — that Indians use to navigate a dizzying bureaucracy. Aadhaar, she was told, would supplant all these papers.

But she had to get the number first.

“I’m nervous,” Gawde said outside the enrollment office on a sweltering morning. “I first applied three years ago and submitted all my documents, but didn’t follow up. Now that it’s becoming compulsory, I’m doing everything I can to get it.”

Indian Prime Minister Narendra Modi, who had criticized Aadhaar as a “political gimmick” before he took office, has embraced the futuristic idea of an all-in-one digital identity. His party pushed through a law last year that paved the way for a dramatic expansion of Aadhaar, allowing government entities and private businesses wide latitude to access the database, which collects not just people’s names and birth dates but also phone numbers, email addresses and other information.

Soon, as more private companies use the database, it could become difficult to open a bank account, get a new cellphone number or buy plane or train tickets without being enrolled.

Supporters say the program, which has cost about $1 billion to implement, will save multiples of that by curbing tax evasion and ensuring that welfare subsidies are not stolen by middlemen.

“Aadhaar was always meant to be an instrument of inclusion,” Nandan Nilekani, a tech billionaire and the program’s first chairman, said in an interview. “I’m really happy that the current government is completely endorsing Aadhaar and using it for a wide variety of services that will transform governance.”

Nilekani calls Aadhaar “hugely empowering” for the poor, but not long ago even he argued that enrollment should remain optional so that no Indians were prevented from accessing essential services. India’s Supreme Court agreed, ruling in 2015 that the government could not require Aadhaar for any benefit to which a person was otherwise entitled, as long as they could prove their identity by some other means.

Yet the court has stayed silent as Aadhaar creeps into every facet of Indian life, even for children.

A 12-year-old girl named Saiba is a case in point. After the girl’s grandmother passed away in their family’s ancestral village in northern India, Saiba’s mother moved her and her four siblings to a crowded neighborhood on the rough fringes of New Delhi, near a car parts market thick with the smell of grease.

When Saiba’s mother, Rani, went to the local school in April to register her for the sixth grade, administrators turned her down, saying every student must have an Aadhaar number.

But to get a number, a child usually needs a birth certificate — and like one-quarter of children born in this country, Saiba and her siblings did not have them because their village did not routinely register births.

Sitting with her mother in the cramped offices of the local advocacy group Pardarshita, above a noisy street lined with vegetable sellers, the girl puffed her round cheeks in an expression of helplessness.

“I don’t know anything about this,” said Saiba, who, like many Indians, has only one name. “I just want to go to school.”

Rakesh Thakur, a board member of Pardarshita, is trying to obtain Aadhaar numbers for dozens of children barred from Delhi schools. He called the policy “a clear violation” by the municipal government of both the Supreme Court order and India’s Right to Education Act, which guarantees every child younger than 14 free schooling.

A Twitter account called “Rethink Aadhaar” logs new instances almost daily of Indians who have suffered because scanners couldn’t read their fingerprints or because of errors in the database.

In Jawhar, a forested zone about 60 miles north of Mumbai, administrators have told local tribal communities that they will soon use Aadhaar to distribute welfare rations and school lunches. But the area lies outside cellphone range, leading residents to wonder how scanners will connect to the Internet to verify their identities.

“The idea of Aadhaar and the technology may be good, but do we have the infrastructure to make it mandatory?” said Vivek Pandit, a former lawmaker who runs a nonprofit group in the area. “The law is city-centric, and it would only lead to the social exclusion of rural India.”

This month lawyers opposing Aadhaar argued before the Supreme Court that the government could not force Indians to share their biometric data. Atty. Gen. Mukul Rohatgi countered that Indians had no constitutional right to privacy and could not claim an “absolute right” over their bodies.

Without privacy protections, activists worry that as Aadhaar numbers are linked to more and more services, intelligence agencies could use the database to more easily track Indians’ calls, travels and purchases.

“It’s become very clear that this is not a project about the poor,” said Usha Ramanathan, a lawyer and anti-Aadhaar activist. “The government’s ambitions have gotten greater over time.”

This month, the Center for Internet and Society, a New Delhi think tank, reported that federal and state agencies had published up to 135 million Aadhaar numbers — some including sensitive information such as a person’s caste and religion, or details of pension payments — on unsecured websites accessible through just a few clicks.

It’s become very clear that this is not a project about the poor. — Usha Ramanathan, a lawyer and anti-Aadhaar activist

Pranesh Prakash, the center’s policy director, said that when Indian authorities can’t even keep Aadhaar numbers private, as the law requires, it suggests the entire database is vulnerable — particularly after sensitive information involving 22 million Americans was exposed when federal databases were hacked in 2015.

“When these kinds of leaks are happening, it’s rather foolhardy to maintain a database of 1.2 billion people’s biometrics, because once this gets breached, it becomes completely unusable,” Prakash said.

“If your PIN number or password leaks, you can change it. You can’t change your fingerprints.”

Praveen Chakravarty, a former investment banker who worked with Nilekani to launch Aadhaar, believes the lack of safeguards undermines the project’s ideals of efficiency and empowerment. He said many Indians were right to worry that Modi’s government, which has cracked down on political activists and nonprofit groups it opposes, could use Aadhaar to snoop on citizens.

“Maybe Aadhaar didn’t need to be this big,” Chakravarty said, adding that the government could simply have worked to fix inefficiencies in individual welfare programs.

“People could ask, ‘Did we need this at all?’” he said. “It’s a good question.”

For Gawde, the widow, Aadhaar remained an idea of the future. She left the enrollment agency that day empty-handed, told by a young employee that her number had not been assigned. But she retained hope that the new ID would make life easier.

“We are just poor people,” she said. “We have to trust what the government tells us.”

For more details visit https://cis-india.org/internet-governance/news/los-angeles-times-shashank-bengali-may-12-2017-india-is-building-a-biometric-database-for-1.3-billion-people-and-enrollment-is-mandatory

Aadhaar security: Here's how your private information can be protected

praskrishna — 2017-05-19T10:05:25Z

Lock Aadhaar, and notify UIDAI if you get a one-time-password for a transaction you did not initiate

The article by Sanjay Kumar Singh was published in the Business Standard on May 11, 2017. Udbhav Tiwari was quoted.

The linking of Aadhaar — the 12-digit unique identification number for Indian residents — across various benefits is going through a roller-coaster ride. On one hand, the government, keen to make it mandatory, is linking it with filing of income-tax returns and benefits. But, on the other, many are uncomfortable with it because of privacy issues and leakages that have been reported recently. The Supreme Court, on Tuesday, referred another fresh plea challenging the Aadhaar Act and its mandatory use in government schemes to a larger Constitution bench.

There has been several reports that say that Aadhaar numbers and other personal data are being leaked. Bengaluru-based Centre for Internet and Society (CIS) has published a report (titled Information security practices of Aadhaar, or lack thereof) where it lists four government departments that have posted Aadhaar numbers and other personal information of people. According to the report, an estimated 130-135 million Aadhaar numbers and 100 million bank account numbers were posted on the four portals that the CIS researchers checked. Normally such data should be kept on the government’s intranet, where only authorised people can access it. However, a few government departments have uploaded this data on their websites. In many cases, the data was in excel format, making it all the more easy for people to download and misuse it. The worst part: If your data is stolen, you cannot file even a First Information Report with the police. Only the nodal body, the Unique Identification Authority of India (UIDAI), can file a police complaint.

Your data can be misused: Experts say that leakage of Aadhaar numbers and other personal information into the public domain violates peoples’ privacy. “Your name, phone number, address, bank account number and Aadhaar number are personal information. Only you have the right to decide whether to release such information to others. Such data shouldn’t be complied in excel sheets in large numbers and be freely accessible on the internet to everyone," says Udbhav Tiwari, policy officer at the Centre for Internet and Society, Bengaluru.

Tele-marketers and advertisers will have access to the personal information of all those people. More serious problems such as identity theft can occur. Says Smitha Krishna Prasad, project manager, Centre for Communication Governance at National Law University, Delhi: “The more sensitive information a person has about you, the easier it becomes to impersonate you when that person is speaking to, say, a bank." The impersonator could open a bank account or even take a loan in your name.

Suppose a hacker gets your email ID. “He will use the ‘password reset or forgot password’ feature to change your password and get access to your account. This feature poses questions based on personal info about you. Any such data collected about you comes useful here. Such hackers mine a lot of data about potential victims from all possible sources," says Shomiron Das Gupta of NetMonastery, a threat management provider. In the email, he could find info about your bank account, credit card account, etc, and cause financial losses to you.

Serious risks can also arise if someone manages to breach the biometric authentication or one-time password (OTP) required for using the Aadhaar system. “It is possible to copy an individual’s fingerprints, and replicate them using very commonly available resins. It is also possible for hackers to capture the data being communicated between a telephone tower and a mobile phone, especially if it is poorly encrypted. This will allow the hacker to see the OTP. Admittedly, this does require expertise and a targeted effort vis-a-vis an individual," says Tiwari. Now that the Aadhaar numbers of so many people have been divulged, someone could utilise their identities to steal their government-granted benefits, or obtain a SIM card, which could then be misused. Raman Jit Singh Chima, policy director, Access Now, says at many places where the Aadhaar number is required today, no biometric authentication is done. So just the number can be used to impersonate you.

Lock your biometrics: If your Aadhaar number and other personal information have been leaked, here are a few steps you can take to safeguard yourself. One, be wary of any calls you receive asking for additional details, which may not have been leaked already. Be equally wary if you receive a call wherein someone rattles off your personal data and asks you to verify it. The caller could pretend to be calling from your bank. It is best not to reveal or confirm any information over the phone at all. Two, you have the option to lock your biometric data online. Even if someone manages to steal your fingerprint, he will not be able to use it if you have locked your biometric data (see table). Also, if you get an OTP on your phone for an Aadhaar utilisation that you did not initiate, notify the UIDAI, and thus ensure that no transaction is carried out using your Aadhaar account.

Need for a privacy law: To prevent data leaks in the future, the government needs to sensitise state government officials who work with Aadhaar data about the need to protect the its privacy. More importantly, India needs a comprehensive data protection law. At present, there is limited provision in the Information Technology Act of 2008 under which you can file a civil case against a corporate that has leaked your personal information. “The person affected by data leakage has to show that he has suffered wrongful loss, or somebody else has enjoyed a wrongful gain, and then claim compensation," says Prasad.

After the Radia tapes incident, the government had said it would pass a comprehensive privacy law. “This law would lead to the creation of a data protection authority with enforcement powers, which would be able to penalise both companies and government bodies violating privacy principles. Despite the process beginning in 2012-13, and multiple drafts being leaked into the public domain, there has not been much progress on this count," says Chima. He adds that when the privacy law becomes a reality, any part of the Aadhaar Act that is contrary to it should also be amended.

How to lock your biometric data online

Go to the UIDAI web site: https://uidai.gov.inGo to Aadhaar services, then Lock/Unlock Biometrics Enter Aadhaar number Enter security code that appears below the Aadhaar numberYou will receive an OTP on your registered mobile number. Enter it Click ‘Verify’Click box against ‘Enable biometric lock’Click on Submit buttonSame procedure can be repeated to disable biometric lock.

For more details visit https://cis-india.org/internet-governance/news/business-standard-sanjay-kumar-singh-aadhaar-security-here-is-how-your-private-information-can-be-protected

Taking Cognisance of the Deeply Flawed System That Is Aadhaar

praskrishna — 2017-05-19T14:52:58Z

Aadhaar and its many connotations have grown to be among the most burning issues on the Indian fore today, that every citizen aware of their rights should be taking note of.

The article by Shreyashi Roy was published in the Wire on May 10, 2017.

With the leak of 130 million Aadhaar numbers recently coming to light, several activists, lawyers and ordinary citizens are up in arms about what is increasingly being viewed as a government surveillance system. Keeping this in mind, on Tuesday, May 9, Software Freedom Law Centre India (SFLC) hosted an event that brought together a panel to clearly articulate the dangers of Aadhaar and to discuss whether the biometric identification system is capable of being reformed.

SFLC is a donor-supported legal services organisation that calls itself a protector of civil liberties in the digital age.

Titled ‘Revisiting Aadhaar: Law, Tech and Beyond’, the discussion, with several eminent personalities who have in-depth knowledge of Aadhaar and its working, threw light on the various problems that have cropped up with regard to India’s unique identification system. The discussion was moderated by Saikat Datta, policy director at Centre for Internet and Society, which published the report that studied the third-party leaks of Aadhaar numbers and other personal data.

The leaks

The discussion took off from the point of the leaks, with Srinivas Kodali, a panelist and one of the authors of the report, explaining his methodology for the study that proved that the Aadhaar database lacked the security required when dealing with private information of people. He highlighted the fact that during the course of his research, he had noticed several leaks from government websites and notified the Unique Identification Authority of India (UIDAI) about the same. Yet, at every step, UIDAI continued to deny and reject the possibility of this happening. Kodali says, however, that he had noticed that the websites that were unknowingly leaking data were, in fact, fixing the leaks after being notified without acknowledging that the leak had happened in the first place. Kodali reiterated at the discussion, as in his report, that a simple tweaking of URL query parameters of the National Social Assistance Programme website could unmask and display private information. Unfortunately, UIDAI cannot be brought to task for unknowingly leaking information because there is no such provision.

He also addressed the question of the conflict of interest that existed in the entire system of building Aadhaar, which was created by developers who later left the UIDAI and built their own private companies, monetising the mine of private information that they were sitting on. Kodali blames UIDAI for this even being allowed, since the developers, though clearly lacking ethics, were in fact, merely volunteers.

The system

One of the glaring issues with the technology behind Aadhaar is that the software is not open source. Anivar Aravind, a panelist, called it “defected by design” and “bound to fail” because not only is the technology completely untested but there are very obvious leaks that are taking place. Moreover, UIDAI does not allow any third-party audits or any other persons to look at the technology. Datta pointed to the fact that this is unheard of in other nations, where software is routinely subjected to penetration testing and hacking experts are called upon to check how secure a database is.

Anupam Saraph, another panelist and future designer, illuminated the creation of the Aadhaar database, pointing out that this is a system less about identification and more about verification. All of the verification, moreover, has been done by private parties, making the database itself suspect and leaving everyone’s private information loose at the time of enrolment. In addition, Aadhaar was meant for all residents and not just citizens. But now there is a mix of both, creating confusion in many aspects. Saraph also brought up how one rogue agency with access to all this information could pose an actual national security threat, unlike all the requests for information on breaches that the government keeps pointing fingers at. Referring to Nandan Nilekani’s statement about Aadhaar not being like AIDS, Saraph pointed out that it was exactly like it because much like the body, which cannot distinguish between an invasion and itself, the Aadhaar system is not being able to distinguish between aliens and citizens and has begun denying the latter benefits.

The Supreme Court has declared time and again that Aadhaar cannot be made mandatory, but the government continues to – in complete disregard of the apex court’s judgment – insist on Aadhaar for a multitude of schemes. More and more schemes are being made unavailable without the existence of an Aadhaar number as the government continues to function in a complete lack of cognisance of the fact that the poor are losing out on something as basic as their food because of a number. Prasanna S., an advocate and a panelist, called it a “voluntary but mandatory” system that is becoming an evidence collection mechanism. Moreover, everything is connected through this one number, making many options like financial fraud, selective treatment of citizens and other horrors possible. The collection of all this information is not dangerous, screams the government. Maybe not in the hands of this one. But what of the next? What of rogues?

The legal aspect

One of the panelists was Shyam Divan, a senior advocate of the Supreme Court, who has represented petitioners fighting against Aadhaar. Divan spoke about how along with a group of advocates he has been trying to get the apex court to rule on the issue but has been met with long queues before a ruling can be procured. He addressed the right to privacy aspect of the system and the recent declaration that the citizen does not have the absolute right to the body. He emphasised that the government cannot own the body and that for a free and democratic society, a limited government, instead of an all-knowing and all-seeing government, is essential. Unfortunately for India, there is no express right to privacy in the constitution, but that does not mean that rights can be taken away in exchange for a fingerprint. It is the government’s duty to respect privacy. For him, Aadhaar has become an instrument of oppression and exclusion, a point that Prasanna also agreed with, calling it a “systematic attack on consent”.

There is complete agreement that there has been a railroading of consent in this entire matter if Aadhaar being passed forcibly through the Lok Sabha as a money bill is anything to go by. If parliament’s consent can be disregarded in that fashion, what is an ordinary citizen to do in the face of this complete imbalance of power in the state’s hand?

Usha Ramanathan, a legal researcher and a long-time critic of Aadhaar, spoke about how India has turned into a state where there are more restrictions than fundamental rights, rather than the other way around. She related how there was no clarity at the beginning of Aadhaar of how it would be a card or a number and was never a government project in the first place. This is a private sector ambition that the government has jumped on board with, without considering that the private sector does not concern itself with civil liberties. As other panelists also pointed out, the private sector cannot and will not protect public interest. This is the job of the government, especially in an age of digitisation. But Aadhaar compromises the ability of the state to stand up for its citizens.

With June 30 approaching fast, many of those who have so far abstained from enrolling in the system are considering giving up their rebellion and going like sheep to get themselves registered in the database. In the words of Divan, they will have to “volunteer compulsorily for an Aadhaar”. The government is probably counting on this. Turning to the Supreme Court has been of no help, although a verdict can be hoped for in a couple of weeks. But what can we do if they rule for the government?

Some of the panelists are on board with the idea of a civil disobedience movement, a kind of a rebellion against Aadhaar. Some suggested thinking of out-of-the-box ways to register one’s protest and dissent against what is clearly becoming the architecture of a surveillance state. Saraph was particularly vehement about the need to completely destroy the Aadhaar database – “shred it”.

What all the panelists emphasised repeatedly was that there can be no improvements to a system that is so deeply flawed and that has had so many “teething problems” that are making millions suffer. The main takeaway from the discussion was that Aadhaar must see a speedy demise because it cannot be saved and cannot persist in its current state.

For more details visit https://cis-india.org/internet-governance/news/the-wire-may-10-2017-shreyashi-roy-taking-cognisance-of-the-deeply-flawed-system-that-is-aadhaar

Aadhaar data leak: Take precautions while sharing info on websites, MEITy tells all depts

praskrishna — 2017-05-19T14:59:38Z

‘Publishing identity info is in clear contravention of the provisions of the Aadhaar Act, 2016’

The article was published in the Indian Express on May 11, 2017.

In light of various Central and state government departments making public Aadhaar information of several users on their websites, the Ministry of Electronics and Information Technology (MEITy) has written to secretaries of all government departments asking them to sensitise the officials and take precautions while publishing or sharing data on their websites.

“It has come to notice that there have been instances wherein personal identity or information of residents, alongwith Aadhaar numbers and demographic information and other sensitive personal data such as bank details collected by ministries/departments, state departments for administration of welfare schemes etc. have been
published online,” IT secretary Aruna Sundararajan wrote in the letter dated April 24.

“Publishing identity information i.e. Aadhaar number along with demographic information is in clear contravention of the provisions of the Aadhaar Act, 2016 and constitutes an offence punishable with imprisonment up to three years. Further, publishing of financial information including bank details, being sensitive personal data, is also in contravention of provision under IT Act, 2000 with violations liable to pay damages by way of compensation to persons affected,” she noted.

According to media reports, Aadhaar numbers of hundreds of thousands of pension beneficiaries were published on a state government website, and was followed by Chandigarh’s Food and Civil Supplies Department revealing the Aadhaar information of beneficiaries of public distribution system. Following Sundararajan’s letter, various central government ministries have issued advisories to sensitise the officials and the web information managers to comply with the IT Act.

Earlier this month, a report by non-profit organisation The Centre for Internet and Society noted that up to 13.5 crore Aadhaar numbers were exposed and were publicly available on government websites, with about 10 crore of these being linked to bank account details. The 27-paged report — Information Security Practices of Aadhaar (or lack thereof): A documentation of public availability of Aadhaar Numbers with sensitive personal financial information — has collected Aadhaar data from four government portals.

Two of these are national portals: National Social Assistance Programme and Mahatma Gandhi National Rural Employment Guarantee Act, both under the rural development ministry. The other two studied by the report’s authors, Srinivas Kodali and Amber Sinha, are run by the AP government: a daily online payments report under MGNREGA by the state government, and Chandranna Bima Scheme.

“Based on the numbers available on the websites looked at, the estimated number of Aadhaar numbers leaked through these 4 portals could be around 130-135 million (13-13.5 crore) and the number of bank accounts numbers leaked at around 100 million (10 crore) from the specific portals we looked at,” the report stated.

The letter

“It has come to notice that there have been instances wherein…information of residents, alongwith Aadhaar numbers and demographic information…have been published online,” IT secretary Aruna Sundararajan wrote in the letter dated April 24

For more details visit https://cis-india.org/internet-governance/news/the-indian-express-may-11-2017-aadhaar-data-leak-take-precautions-while-sharing-info-on-websites-meity-tells-all-depts

Aadhaar assurances fail to assuage privacy concerns

praskrishna — 2017-05-20T06:23:32Z

While Aadhaar may be secure from external attacks, a failsafe system hasn’t been developed to protect it from Edward Snowden-style leakages and hacks.

The article by Anirban Sen was published by Livemint on May 5, 2017. Pranesh Prakash was quoted.

As calls for a privacy and data protection law grow louder with each passing day amid reports of a central government ministry having made up to 130 million Aadhaar numbers public on its website, widespread concerns continue to emerge over loopholes in the security of the unique identification programme, though the man who created the system continues to defend the security and integrity of the system.

Most worryingly, a consensus is emerging among security and privacy experts, who have argued that while the Aadhaar system may be secure from external attacks, a failsafe system has not been developed to protect it from Edward Snowden-style internal leaks or hacks.

“(What has been suggested by the Unique Identification Authority of India and Nandan Nilekani) is that there will never be a data breach like what we saw in the US with the National Security Agency, Central Intelligence Agency, or Office of Personnel and Management breaches (data of federal government personnel, including more than 5.6 fingerprints, was leaked), or in Mexico or Turkey, or even in India when the department of defence was breached for cyber-espionage for multiple years without detection,” said Pranesh Prakash, policy director at the Centre for Internet and Society.

“While the system may be secure from external attacks, there is no failsafe system to make it invulnerable to Snowden-style breaches,” he added.

In an interview, former UIDAI chairman and Infosys Ltd co-founder Nandan Nilekani continued to defend the security of the system and said steps are being taken everyday to enhance the failsafe processes surrounding the system.

“I think the Aadhaar system is extremely well-designed. It’s not an online system that is exposed to the Internet. When enrolment happens, the packet is encrypted at source and sent, so that there can’t be a man-in-the-middle attack. And when the authentication happens, that is also encrypted—not compared to the original data, but to a digital minutiae. The point is that the system is very, very secure. So, if the objection is to centralization, then you should not have clouds. Clouds are also centralized,” said Nilekani. He added that Aadhaar was also safe from internal breaches, an assumption that is being challenged by security experts all across.

“Within seven years of its launch, the Aadhaar system has made a remarkable leap in terms of its security and privacy and it will keep improving things. Technology does not come through immaculate conception, where one morning some perfect technology is born. It has to evolve. It’s called learning by doing,” added Nilekani. He added that improving the security of the system is an ongoing process and conceded that a data protection and privacy law needs to be in place to supplement the current Aadhaar law.

“I know the government has sent a notice to everyone. If somebody has done it; they ought not to have done it—there’s a law for that,” said Nilekani when asked about recent instances of Aadhaar numbers being made public by government departments.

“We should have a data protection and privacy law which is an umbrella law, which looks at all these phenomena and certainly Aadhaar should be part of that. That’s perfectly fine—but people are behaving as if Aadhaar is the only reason why we should have a privacy law,” added Nilekani.

The last few weeks and months have witnessed a steady stream of negative news surrounding Aadhaar and three main cases are currently being fought in the Supreme Court, including one challenging the government’s decision to make the 12-digit ID mandatory for filing income tax returns as well as for obtaining and retaining a PAN Card.

Meanwhile, as Mint reported in April, questions are being raised on the Aadhaar biometric authentication failure rate in the rural job guarantee scheme in areas such as Telangana.

The report of Aadhaar numbers being listed on the government ministry website has caused widespread uproar, although a lawyer pointed out that it is not due to a breach in the Aadhaar system.

“It’s a misnomer to say this a leak because this was voluntarily, very actively put up there. A leak is when some information being kept securely gets breached somehow and comes out. Now, why is this information up on government websites? This is the problem of our government’s perception of transparency...The fact that the Aadhaar numbers are on the government website is not a flaw of the Aadhaar system, but it is a flaw of the understanding of what needs to be done to demonstrate transparency,” said Rahul Matthan, partner at Trilegal.

In a column in Mint, Matthan had also pointed out that while Aadhaar has been a transformative project, there remains enough scope of misusing the database.

“There is a legitimate fear that this identity technology will open us all up to discrimination, prejudice and the risk of identity theft,” Matthan wrote. “Aadhaar has given us the tools to harness data in large volumes. If used wisely, this technology can transform the nation. If not, it can cause us untold harm. We need to be prepared for the impending flood of data—we need to build dams, sluice gates and canals in its path so that we can guide its flow to our benefit.”

Even as both sides debate the issue of Aadhaar’s security, calls are getting louder to revamp the unique identification database.

“The point is that the UIDAI knows the device ID of the machine with which the biometric transaction took place along with the time and date, which means that by just using basic data analytics, any one with access to the transaction logs from the UIDAI (which have to be kept for a period of 5 years and 6 months) can have a complete view of a person’s Aadhaar-based interactions that are increasing day by day.”

“Further, the UIDAI has built up a biometric profile of the entire country. This means that courts can order UIDAI to provide law enforcement agencies the biometrics for an entire state (as the Bombay high court did) to check if they match against the fingerprints recovered from a crime scene. This too is surveillance, since it collects biometrics of all residents in advance rather than just that of criminal suspects,” said Prakash of CIS.

“The UIDAI could have chosen to derive unique 16 digit numbers from your Aadhaar number and provide a different one to each requesting entity. That would have prevented much of these fears. But the UIDAI did not opt for that more privacy-friendly design,” he added.

For more details visit https://cis-india.org/internet-governance/news/livemint-may-5-2017-anirban-sen-aadhaar-assurances-fail-to-assuage-privacy-concerns

Will Aadhaar leaks be used as an excuse to shut out scrutiny of welfare schemes?

Anumeha Yadav — 2017-05-20T07:09:51Z

Aadhaar data of all 23 crore beneficiaries of Direct Benefit Transfer schemes could be publicly available, says a report by Centre for Internet and Society.

The blog post by Anumeha Yadav was published on Scroll on May 20, 2017.

In the past three months, there have been several reports about caches of Aadhaar data being publicly displayed on government websites across the country.

Personal information associated with the biometric-based 12-digit unique identification number, which the government wants every Indian resident to have, is mandated to be confidential under the Aadhaar Act, 2016.

But exactly how much Aadhaar data has been compromised by negligent government departments?

On May 2, researchers at the non-profit Centre for Internet and Society released a comprehensive report on the extent of the data breaches. They documented four government portals using Aadhaar for making payments and found that sensitive personal and financial information of nearly 13 crore people was being displayed on them, including details of about 10 crore bank accounts.

Two of the portals, for the Mahatma Gandhi National Rural Employment Guarantee Act and the National Social Assistance Programme, belong to the Union rural development ministry. The others are run by the Andhra Pradesh government for the workers’ insurance scheme Chandranna Bima and for filing Daily Online Payment Reports of MNREGA.

The researchers estimated that Aadhaar data of all 23 crore beneficiaries of the central government’s various Direct Benefit Transfer schemes could be publicly available. This means nearly a fifth of India’s population is potentially exposed to irreversible privacy harm, and financial and identity fraud.

The Unique Identification Authority of India, the agency which manages the Aadhaar database, however, and had earlier denied any breach of confidential data, has now reportedly said that such a data leak could only be the result of a potentially illegal hack attack and asked CIS to provide details of the persons involved in the data theft.

The rural development ministry, on its part, has changed how its MNREGA database is accessed, redacting Aadhaar numbers and bank account details of the beneficiaries. Senior officials of the ministry, however, denied making systemic changes in the wake of the Centre for Internet and Society report.

“The researchers claimed that financial information of over 10 crore individuals was available publicly, on pension and MNREGA portals,” said Nagesh Singh, additional secretary in the ministry, “but bank account details were displayed only on two state department websites of Andhra Pradesh and Telangana as these states are far advanced in transparency practices.”

“For all other states,” Singh added, “financial information and Aadhaar numbers were removed or masked last year. For pension schemes we masked the data in June 2016, and for MNREGA this data was removed in December. Even if any data was showing, it would only be for the particular block the resident is in, not for any other state workers.”

All this was done, he said, “because the UIDAI communicated to us that this information is sensitive and should not be displayed and the Aadhaar regulations prohibit display of Aadhaar numbers”. The Aadhaar (Sharing of Information) Regulations were introduced last September.

Contrary to Singh’s claims, social activists outside Andhra Pradesh and Telangana confirmed they could access bank account details of MNREGA workers until May 3. Only on May 4, two days after the Centre for Internet and Society report was released, did the details stop showing on the Management Information System.

“We could no longer access the electronic muster roll, and it started returning error messages,” said Ashish Ranjan of Jan Jagran Shakti Sangathan, a registered union of unorganised workers in Araria, Bihar. But until early May, he added, the Management Information System allowed anyone in any state to access the personal information of workers, even from other states.

Activists and beneficiaries relied on this system for two things. “Several of the new bank accounts have errors, and accessing this information directly helped get the discrepancies corrected without going to block level officials,” Ranjan explained. “It also helped track where the wages of workers were stuck.”

When activists asked why the data was no longer accessible, Ranjan said, rural development department officials said the Management Information System was changed “on the directions of the Supreme Court and the Union cabinet secretary.”

“This has been the pattern with the MNREGA MIS for long,” Ranjan said, referring to the information system. “Senior officials change access to a feature as they wish without clear processes or explanations.”

James Herenj, an activist with NREGA Watch, a non-profit which monitors the implementation of MNREGA in Jharkhand, had the same experience. “Bank account details were removed from the website last week,” he said, “this is a problem as we can no longer help MNREGA workers get data entry errors corrected.”

The Centre for Internet and Society researchers too contested the rural development ministry’s claim that Aadhaar numbers and bank account details were displayed only on Andhra Pradesh and Telangana government websites. They released a video clip showing them accessing bank account details and Aadhaar numbers of 801 MNREGA workers of Agara panchayat in Bengaluru through an internet search on March 25.

Screenshot of a Chandigarh Union Territory website displaying Aadhaar information.

Consent, please?

The Aadhaar Act, 2016 requires both government and private agencies to take informed consent before using a person’s Aadhaar for authentication, but there is little evidence that consent is sought before Aadhaar is seeded with personal and financial information.

Indeed, when the Supreme Court first permitted the voluntary use of Aadhaar for MNREGA in October 2015, Aadhaar numbers of 2.36 crore workers had already been seeded to their bank accounts, without the consent of over 99% of them.

The rural development ministry’s data shows that until June 2016, only about 4,10,000, or less than 1% of the 10.7 crore MNREGA workers, had agreed to Aadhaar-based payments. The ministry worked around this by organising “consent camps” to retrospectively collect proof of consent.

Poor standards

Writing in The Economic Times, Ram Sewak Sharma, chairperson of the Telecom Regulatory Authority of India and former director general of the Unique Identification Authority of India, argued that the reports about “Aadhaar leaks” on government websites failed to account for provisions of the Right to Information Act, 2005. Section 4 of this law provides for proactive disclosure of government decisions while Section 8 mandates public authorities to publish all information on welfare schemes, including details of beneficiaries.

This has created a situation, Sharma pointed out, where the transparency law may require even Aadhaar numbers of beneficiaries to be made public even though the Aadhaar Act mandates them to be confidential.

Right to Information activists, however, said the authorities were anything but devoted to the transparency law. Crucial information they seek on the efficacy of Aadhaar in welfare schemes is routinely denied.

“The government is willfully manipulating information systems to subvert details of biometric failures,” said Amrita Johri, a member of the National Campaign for People’s Right to Information and an activist with the Right to Food campaign, which has petitioned the Delhi High Court against Aadhaar being mandatory for food rations. “We have come across instances of ration cardholders being turned back because of fingerprints being falsely rejected, or network failure, but on the Delhi government’s website, this is shown as the beneficiaries not having come to the ration shop at all.”

“Similarly, the government claims it has removed bogus ration cards through Aadhaar,” Johri added, “but they do not show any administrative action if such bogus cards were really found through Aadhaar even though Section 4 of the RTI Act requires disclosure of such decisions.”

Jharkhand Directorate of Social Security displayed Aadhaar numbers, bank accounts numbers and transaction details of over 15 lakh pensioners.

Johri is concerned that the “Aadhaar leaks” could become an excuse to deny people “other useful information”. “When we requested officials to display how many biometric transaction were not successful, they told us that in a few days, they will remove the entire MIS as there had received orders from the food ministry to not display demographic data associated with Aadhaar,” she said. “But we pointed out that it was the creation of a single identification number that is the problem. Why should information on all other government schemes be removed?”

The Centre for Internet and Society report points out that while the law now makes Aadhaar numbers confidential, the government has failed to specify data masking standards. Section 6 of the Aadhaar Regulations lays down that no government or private agency should publish Aadhaar numbers unless they are redacted or blacked out “through appropriate means”.

But this is too vague, the report points out. “In some instances, the first four digits are masked while in others the middle digits are masked,” Srinivas Kodali, one of the authors of the report, explained, “which means someone with access to different databases can use tools for aggregation to reconstruct information hidden or masked in a particular database.”

Kodali said that for information other than Aadhaar numbers, each ministry and department is required to classify the data that is sensitive, restricted or open, which they have failed to do. “The National Data Sharing and Accessibility Policy, 2012 requires securing information of sensitive and restricted data but it does not recommend the ways to do it,” he said. “The standards around information disclosure and control do not exist, and the Ministry of Statistics expert committee on this was unable to suggest one last month.”

“Even for MNREGA data,” Kodali continued, “the Ministry of Rural Development’s chief data officer should have classified the financial information as restricted or open when the database was first created. But did they do this.”

Nagesh Singh, the additional secretary, however said his ministry “does not have a chief data officer to do this”. “The ministry’s economic advisor is the official responsible for categorising data and advises us on this,” he added.

For more details visit https://cis-india.org/internet-governance/news/scroll-may-20-2017-anumeha-yadav-will-aadhaar-leaks-be-used-as-an-excuse-to-shut-out-scrutiny-of-welfare-schemes

Aadhaar data leaks not from UIDAI: Centre

praskrishna — 2017-05-20T08:27:28Z

Aadhaar is foolproof, it tells SC

The article by Krishnadas Rajagopal was published in the Hindu on May 3, 2017.

Leaks of Aadhaar card details are not from the UIDAI, but at the State level, the Union government told the Supreme Court on Wednesday.

“As of today, Aadhaar is foolproof. Biometric technology is the best system in 2016. There has not been a single leak from the UIDAI. The leaks of details may have been from the States... their offices and agencies,” advocate Arghya Sengupta, counsel for the Centre, submitted in the court.

The Centre’s clarification comes in the midst of reports that data of over 130 million Aadhaar cardholders have been leaked from four government websites.

Reports, based on a study conducted by the Centre for Internet and Society (CIS), a Bengaluru-based organisation, said Aadhaar numbers, names and other personal details of people have been leaked.

The Centre was washing its hands of the alleged leaks for the second consecutive day in the Supreme Court.

A-G’s assurance

On Tuesday, Attorney-General Mukul Rohatgi had emphatically assured the Supreme Court that biometrics of Aadhaar cardholders were safe and had not fallen into other hands. He said the biometric details were kept in a central database run by the Centre.

For more details visit https://cis-india.org/internet-governance/news/hindu-krishnadas-rajagopal-may-3-2017-aadhaar-data-leaks-not-from-uidai