<?xml version="1.0" encoding="utf-8" ?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns="http://purl.org/rss/1.0/">




    



<channel rdf:about="https://cis-india.org/search_rss">
  <title>Centre for Internet and Society</title>
  <link>https://cis-india.org</link>
  
  <description>
    
            These are the search results for the query, showing results 151 to 165.
        
  </description>
  
  
  
  
  <image rdf:resource="https://cis-india.org/logo.png"/>

  <items>
    <rdf:Seq>
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/news/bloomber-quint-may-19-2017-aayush-ailawadi-whats-hard-to-digest-about-the-zomato-hacking"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/news/financial-express-may-19-2017-pti-uidai-puts-posers-to-cis-over-aadhaar-data-leak-claim"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/news/business-standard-may-13-2017-alnoor-peermohamed-and-raghu-krishnan-aadhaar-has-become-a-whipping-boy-nandan-nilekani"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/news/revisiting-aadhaar-law-tech-and-beyond"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/news/the-times-of-india-may-19-2017-kim-arora-and-digbijay-mishra-hacker-steals-17-million-zomato-users-data-briefly-puts-it-on-dark-web"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/news/medianama-nikhil-pahwa-may-19-2017-uidai-cis-india-aadhaar"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/news/new-indian-express-may-6-2017-experts-stress-on-need-for-enhanced-security"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/news/counterview-may-5-2017-135-million-aadhaar-details-100-million"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/news/idg-news-service-john-riberio-may-3-2017-indias-supreme-court-hears-challenge-to-biometric-authentication-system"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/news/hindustan-times-may-2-2017-details-of-135-million-aadhaar-card-holders-may-have-leaked-claims-cis-report"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/news/indian-express-may-3-2017-aadhaar-data-of-over-13-crore-people-exposed-new-report"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/news/newslaundry-shruti-menon-may-2-2017-uidai-remains-silent-on-aadhaar-leaks-of-users-through-govt-portals"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/news/amar-bazar-patrika-may-2-2017-13-crore-aadhaar-leaked-due-to-poor-security-in-4-govt-websites"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/news/the-register-richard-chirgwin-may-3-2017-135-million-indian-government-payment-card-details-leaked"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/news/ndtv-may-3-2017-aadhaar-of-your-existence-or-card-of-controversy"/>
        
    </rdf:Seq>
  </items>

</channel>


    <item rdf:about="https://cis-india.org/internet-governance/news/bloomber-quint-may-19-2017-aayush-ailawadi-whats-hard-to-digest-about-the-zomato-hacking">
    <title>What’s Hard To Digest About The Zomato Hacking</title>
    <link>https://cis-india.org/internet-governance/news/bloomber-quint-may-19-2017-aayush-ailawadi-whats-hard-to-digest-about-the-zomato-hacking</link>
    <description>
        &lt;b&gt;Yet another day, yet another major security breach. But, this time it’s not a presidential candidate in the U.S. or the U.K.’s National Health Service. Instead, it’s Zomato, the popular Indian online food delivery and restaurant search service.&lt;/b&gt;
        &lt;div class="story__element__wrapper" style="text-align: justify; "&gt;
&lt;div class="story__element__text story__element"&gt;
&lt;div class="story-element-"&gt;
&lt;p&gt;The blog post by Aayush Ailawadi was published by &lt;a class="external-link" href="https://www.bloombergquint.com/technology/2017/05/18/whats-hard-to-digest-about-the-zomato-hacking"&gt;Bloomberg Quint&lt;/a&gt; on May 19, 2017. Pranesh Prakash was quoted.&lt;/p&gt;
&lt;hr /&gt;
&lt;p&gt;The company disclosed that data from 17 million user accounts was stolen in a security breach. It said in &lt;a href="http://blog.zomato.com/post/160791675411/security-notice" target="_blank"&gt;its blog&lt;/a&gt; that no financial details were at risk and only user IDs, usernames,  names, email addresses and password hashes had been compromised.&lt;/p&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;div class="story__element__wrapper" style="text-align: justify; "&gt;
&lt;div class="story__element__text story__element"&gt;
&lt;div class="story-element-"&gt;
&lt;p&gt;Throughout the course of the day, the company kept updating its  blog post and offered different sets of advice to its users. In an  earlier post, it only recommended changing one’s password on other sites  if you are “paranoid about security like us”. Later, that post  mentioned that the passwords were “salted” and hence had an extra layer  of security but it still “strongly advises” customers to change  passwords.&lt;/p&gt;
&lt;div class="story__element__wrapper"&gt;
&lt;div class="story__element__text story__element"&gt;
&lt;div class="story-element-"&gt;
&lt;p&gt;In an emailed response, the company explained to BloombergQuint,  “We made our disclosure very early, soon after we discovered that it  happened. We wanted to be proactive in communicating to our users. As we  found more details about the leak, we updated the information”&lt;/p&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;div class="story__element__wrapper"&gt;
&lt;div class="story__element__text story__element"&gt;
&lt;div class="story-element-"&gt;
&lt;p&gt;But, that wasn’t the only problem. The data was put up on the  dark web for sale by the hacker, and the seller was apparently charging  0.5521 bitcoins, or $1001.45, for the data. According to the post, the  passwords were stored by Zomato using MD5 encryption, which according to  security experts is antiquated and unsuitable for password encryption.&lt;/p&gt;
&lt;div class="__container"&gt;
&lt;div class="story__element__wrapper"&gt;
&lt;div class="story__element__text story__element"&gt;
&lt;div class="story-element-"&gt;
&lt;p&gt;Late on Thursday night, the story took an interesting turn when the company updated &lt;a href="http://blog.zomato.com/post/160807042556/security-notice-update" target="_blank"&gt;its blog post yet again&lt;/a&gt;.  It said that it had gotten in touch with the hacker who was selling the  data on the dark web and that apparently the hacker had been very  cooperative and helpful. “He/she wanted us to acknowledge security  vulnerabilities in our system and work with the ethical hacker community  to plug the gaps. His/her key request was that we run a healthy bug  bounty program for security researchers,” the company said.&lt;/p&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;div class="story__element__wrapper"&gt;
&lt;div class="story__element__text story__element"&gt;
&lt;div class="story-element-"&gt;
&lt;p&gt;Usually, when hackers around the world attack with ransomware,  they demand a massive amount of bitcoins as ransom. But, in this case  the company claims that all the hacker wants is the assurance that the  company will introduce a bug bounty program on Hackerone soon. In  return, the hacker has agreed to destroy all copies of the stolen data  and take the data off the dark web marketplace.&lt;/p&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;div class="card-block-qsection-technology card"&gt;
&lt;div class="__container"&gt;
&lt;div class="story__element__wrapper"&gt;
&lt;div class="story__element__text story__element"&gt;
&lt;div class="story-element-"&gt;
&lt;p&gt;But, while it may seem like the storm has passed for Zomato,  cybersecurity experts like Pranesh Prakash at the Centre for Internet  &amp;amp; Society believe that a lot more could have been done by the  company in such a case.&lt;/p&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;div class="story__element__wrapper"&gt;
&lt;div class="story__element__text story__element"&gt;
&lt;div class="story-element-"&gt;
&lt;h3&gt;&lt;b&gt;Disclose To Confuse?&lt;/b&gt;&lt;/h3&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;div class="story__element__wrapper"&gt;
&lt;div class="story__element__text story__element"&gt;
&lt;div class="story-element-"&gt;
&lt;p&gt;Concern #1: Prakash feels that Zomato got it all wrong by issuing  multiple disclosures and not addressing the problem at hand, which was  to clearly explain what happened and immediately request customers to  change similar passwords on other websites.&lt;/p&gt;
&lt;div class="story__element__wrapper"&gt;
&lt;div class="story__element__text story__element"&gt;
&lt;div class="story-element-"&gt;
&lt;h3&gt;&lt;b&gt;What’s So Scary About The Zomato Hacking?&lt;/b&gt;&lt;/h3&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;div class="story__element__wrapper"&gt;
&lt;div class="story__element__text story__element"&gt;
&lt;div class="story-element-"&gt;
&lt;p&gt;Concern #2: BloombergQuint reached out to Zomato to confirm  whether the passwords were encrypted with “MD5”, a hashing algorithm  that Prakash and other Twitter users who accessed the seller’s page on  the dark web believe was used by the company. But, the tech company  didn’t respond to that specific question.&lt;/p&gt;
&lt;p&gt;What’s worse is that  Prakash adds that not only is this algorithm antiquated but it is also  highly unsuitable for password encryption, as it can be cracked quickly.&lt;/p&gt;
&lt;div class="story__element__wrapper"&gt;
&lt;div class="story__element__text story__element"&gt;
&lt;div class="story-element-"&gt;
&lt;h3&gt;&lt;b&gt;Genuine Disclosures Vs False Promises&lt;/b&gt;&lt;/h3&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;div class="story__element__wrapper"&gt;
&lt;div class="story__element__text story__element"&gt;
&lt;div class="story-element-"&gt;
&lt;p&gt;Concern #3: Prakash suspects that the company wasn’t honest and  forthright with its users during this episode. According to him, the  company could learn a thing or two about honest disclosures from  companies like CloudFlare and LastPass, which fell victim to similar  attacks in the past year.&lt;/p&gt;
&lt;div class="story__element__wrapper"&gt;
&lt;div class="story__element__text story__element"&gt;
&lt;div class="story-element-"&gt;
&lt;h3&gt;&lt;b&gt;Where’s My Privacy And Security?&lt;/b&gt;&lt;/h3&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;div class="story__element__wrapper"&gt;
&lt;div class="story__element__text story__element"&gt;
&lt;div class="story-element-"&gt;
&lt;p&gt;Concern #4: According to Prakash, it’s not just about privacy,  but also one’s security that has been compromised in this instance. He  says that the Zomato hack is like a reminder that an odd section in the  Information Technology Act is not sufficient when it comes to data  protection. Instead, India needs a robust data protection law where bad  security practices can actually be prosecuted and companies can be  penalised if they don’t follow standard and reasonable security  practices.&lt;/p&gt;
&lt;p&gt;Zomato also told BloombergQuint that it has understood how the breach  happened but couldn’t share exact details at the moment. The company  said, “Our team is working to make sure we have the vulnerability  patched. All we can say right now is that it started with a password  leak on some other site. We will share more details on our blog over the  next few days.”&lt;/p&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/news/bloomber-quint-may-19-2017-aayush-ailawadi-whats-hard-to-digest-about-the-zomato-hacking'&gt;https://cis-india.org/internet-governance/news/bloomber-quint-may-19-2017-aayush-ailawadi-whats-hard-to-digest-about-the-zomato-hacking&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>praskrishna</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Cyber Security</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2017-05-19T09:22:37Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/news/financial-express-may-19-2017-pti-uidai-puts-posers-to-cis-over-aadhaar-data-leak-claim">
    <title>UIDAI puts posers to CIS over Aadhaar data leak claim</title>
    <link>https://cis-india.org/internet-governance/news/financial-express-may-19-2017-pti-uidai-puts-posers-to-cis-over-aadhaar-data-leak-claim</link>
    <description>
        &lt;b&gt;Aadhaar-issuing authority UIDAI has asked research firm Centre for Internet and Society (CIS) to explain its sensational claim that 13 crore Aadhaar numbers were "leaked" and provide details of servers where they are stored.&lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;The article originally published by PTI was also &lt;a class="external-link" href="http://www.financialexpress.com/economy/uidai-puts-posers-to-cis-over-aadhaar-data-leak-claim/675814/"&gt;published by the Financial Express&lt;/a&gt; on May 19, 2017.&lt;/p&gt;
&lt;hr style="text-align: justify; " /&gt;
&lt;p style="text-align: justify; "&gt;Aadhaar-issuing authority UIDAI has asked research firm Centre for  Internet and Society (CIS) to explain its sensational claim that 13  crore Aadhaar numbers were “leaked” and provide details of servers where  they are stored. In a precursor to initiating a probe into the matter,  the Unique Identification Authority of India (UIDAI) also wants CIS to  clarify just how much of such “sensitive data” are still with it or  anyone else. The UIDAI — which has vehemently denied any breach of its  database — shot off a letter to CIS yesterday asking for the details,  including the servers where the downloaded “sensitive data” are residing  and information about usage or sharing of such data.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Underscoring the importance of bringing to justice those involved in  “hacking such sensitive information”, the UIDAI sought CIS’ “assistance”  in this regard and has given it time till May 30 to revert on the  issue. “Your report mentions 13 crore people’s data have been leaked.  Please specify how much (of) this data have been downloaded by you or  are in your possession, or in the possession of any other persons that  you know,” the UIDAI said in its communication to CIS.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Interestingly, in what market watchers described as an apparent  flip-flop, CIS has now clarified that there was no leak’ or ‘breach’ of  Aadhaar numbers, but rather ‘public disclosure’. Meanwhile, the UIDAI  has quoted sections of the Information Technology Act, 2000, and the  Aadhaar Act to emphasise that violation of the clauses are punishable  with rigorous imprisonment of up to 10 years. “While your report  suggests that there is a need to strengthen IT security of the  government websites, it is also important that persons involved in  hacking such sensitive information are brought to justice for which your  assistance is required under the law,” it said.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The UIDAI has  also sought technical details on how access was gained for the National  Social Assistance Programme (NSAP) site — one of the four portals where  the alleged leak happened. When contacted, UIDAI CEO Ajay Bhushan Pandey  said, “We do not comment on individual matters.” The UIDAI has also  asked for details of systems that were involved in downloading and  storing of the sensitive data so that forensic examination of such  machines can be conducted to assess the quantum and extent of damage to  privacy of data.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The UIDAI letter comes after a CIS’ report early this month which  claimed that Aadhaar numbers and personal information of as many as 135  million Indians could have been leaked from four government portals due  to lack of IT security practices. “Based on the numbers available on the  websites looked at, estimated number of Aadhaar numbers leaked through  these four portals could be around 130-135 million,” the report had  said.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;However, in a apparent course correction on May 16, a day before the  UIDAI’s letter went out — CIS updated its report and clarified that  although the term ‘leak’ was originally used 22 times in its report, it  is “best characterised as an illegal data disclosure or publication and  not a breach or a leak”. CIS has also claimed that some of its findings  were “misunderstood or misinterpreted” by the media, and that it never  suggested that the biometric database had been breached. “We completely  agree with both Dr Pandey (UIDAI CEO) and Sharma (Trai Chairman R S  Sharma) that CIDR (Aadhaar central repository) has not been breached,  nor is it suggested anywhere in the report,” CIS said in its latest  update.&lt;/p&gt;
&lt;div class="youmaylike" style="text-align: justify; "&gt;&lt;/div&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/news/financial-express-may-19-2017-pti-uidai-puts-posers-to-cis-over-aadhaar-data-leak-claim'&gt;https://cis-india.org/internet-governance/news/financial-express-may-19-2017-pti-uidai-puts-posers-to-cis-over-aadhaar-data-leak-claim&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>praskrishna</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>UIDAI</dc:subject>
    
    
        <dc:subject>Aadhaar</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2017-05-19T09:28:33Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/news/business-standard-may-13-2017-alnoor-peermohamed-and-raghu-krishnan-aadhaar-has-become-a-whipping-boy-nandan-nilekani">
    <title>Watch: Aadhaar has become a whipping boy: Nandan Nilekani </title>
    <link>https://cis-india.org/internet-governance/news/business-standard-may-13-2017-alnoor-peermohamed-and-raghu-krishnan-aadhaar-has-become-a-whipping-boy-nandan-nilekani</link>
    <description>
        &lt;b&gt;India certainly needs a modern data privacy and protection law, Nilekani said in an interview.&lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;The Alnoor Peermohamed and Raghu Krishnan was &lt;a class="external-link" href="http://www.business-standard.com/article/economy-policy/aadhaar-has-become-a-whipping-boy-nandan-nilekani-117051201521_1.html"&gt;published in the Business Standard&lt;/a&gt; on May 13, 2017.&lt;/p&gt;
&lt;hr /&gt;
&lt;p style="text-align: justify; "&gt;As debate rages over &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Aadhaar" target="_blank"&gt;Aadhaar &lt;/a&gt;being a &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Privacy" target="_blank"&gt;privacy &lt;/a&gt;and surveillance liability, its architect &lt;b&gt;Nandan Nilekani &lt;/b&gt;says the unique identity programme has become a “whipping ward”.  In an interview with &lt;i&gt;Alnoor Peermohamed &lt;/i&gt;and &lt;i&gt;Raghu Krishnan&lt;/i&gt;, he says we need a data protection and &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Privacy" target="_blank"&gt;privacy &lt;/a&gt;law with adequate judicial and parliamentary oversight. Edited excerpts:&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;There is concern we are losing our &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Privacy" target="_blank"&gt;privacy &lt;/a&gt;because of &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Aadhaar" target="_blank"&gt;Aadhaar.&lt;/a&gt;..&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Privacy" target="_blank"&gt;Privacy &lt;/a&gt;is  an issue the whole world is facing, thanks to digitisation. The day you  went from a feature phone to a smartphone the amount of digital  footprint you left behind went up dramatically. The phone records your  messages, it knows what you are saying, it has a GPS so it can tell  anybody where you are, the towers can tell anybody where you are because  they are constantly pinging the phone. There are accelerometers and  gyroscopes in the phone that detect movement.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Internet companies essentially make money from data. They use data to  sell you things or advertisements. And that data is not even in India,  it is in some country in some unaccountable server and accessible to the  government of that foreign country, not ours.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Then increasingly there is the Internet of Things. Your car has so many  sensors, wearables have sensors and all of them are recording data and  beaming it to somebody else. Then there are CCTV cameras everywhere, and  today they are all IP-enabled.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;So &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Privacy" target="_blank"&gt;privacy &lt;/a&gt;is a global issue, caused by digitisation. &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Aadhaar" target="_blank"&gt;Aadhaar &lt;/a&gt;is one small part of that. The system is designed not to collect information, because the first risk to &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Privacy" target="_blank"&gt;privacy &lt;/a&gt;is if someone is collecting information. &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Aadhaar" target="_blank"&gt;Aadhaar &lt;/a&gt;is  a passive ID system, it just sits there and when you go somewhere and  invoke it, it authenticates your identity. By design itself, it is built  for &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Privacy" target="_blank"&gt;privacy.&lt;/a&gt; I believe India needs a modern data &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Privacy" target="_blank"&gt;privacy &lt;/a&gt;and &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Protection+Law" target="_blank"&gt;protection law.&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Why is &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Aadhaar" target="_blank"&gt;Aadhaar &lt;/a&gt;being used as a proxy for the &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Privacy" target="_blank"&gt;privacy &lt;/a&gt;and data protection issues?&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;It is a motivated campaign by people who are trying to find different ways to say something about it. &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Privacy" target="_blank"&gt;Privacy &lt;/a&gt;is a much bigger issue. I have been talking about &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Privacy" target="_blank"&gt;privacy &lt;/a&gt;much  before anyone else. In 2010, when it was not such a big issue, I had  written to Prime Minister Manmohan Singh saying we needed a data &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Protection+Law" target="_blank"&gt;protection law.&lt;/a&gt; You could see what was happening, the iPhone came out on June 30, 2007,  Android phones came around the time we started Aadhaar, so we could see  the trend. I asked Rahul Matthan, a top intellectual property and data  lawyer, to help and we worked with the government to come out with a  draft law. And then there was the AP Shah Committee. The UIDAI’s DDG  Ashok Pal Singh was a part of that committee, so we helped shape that  policy.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;When a banking application uses Aadhaar, the system does not know what  the bank does. It is deliberately designed so that data is kept away  from the core system.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;I am all for a data &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Protection+Law" target="_blank"&gt;protection law &lt;/a&gt;but we should look at it in context, look at the big picture. If people want to work together to create a data &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Privacy" target="_blank"&gt;privacy &lt;/a&gt;law then it is a great thing. But if they want to use it to just attack Aadhaar, then there is some other interest at work.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Now that the government is linking &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Aadhaar" target="_blank"&gt;Aadhaar &lt;/a&gt;to PAN and driver’s licences, will that not lead to &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Aadhaar" target="_blank"&gt;Aadhaar &lt;/a&gt;being used as a surveillance tool?&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Surveillance is conducted through a 24x7 system that knows what you are  doing, so from a technology perspective the best surveillance device is  your phone. The phone is the device you should worry about.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Aadhaar" target="_blank"&gt;Aadhaar &lt;/a&gt;is  not a 24x7 product. I buy one SIM card a year and do an e-KYC, the  driver’s licence sits in my pocket and only sometimes someone asks for  it. With the PAN card I file my returns only once a year.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;But with all that data being linked, can the government not use it?&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;It is a valid concern and has to be addressed through a legal and oversight process. &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Aadhaar" target="_blank"&gt;Aadhaar &lt;/a&gt;is just one technology. You do not attack the technology, you look at the overall picture.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The US has the Foreign Intelligence Surveillance Act under which  special courts issue warrants to the FBI for surveillance. This is  absolutely required and it should be a part of the data &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Protection+Law" target="_blank"&gt;protection law &lt;/a&gt;(in India) which says under what circumstances the government can authorise surveillance.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Today mobile phones are being tapped by so many agencies. In the US,  the FBI is under the oversight of the Senate. In India, Parliament does  not have oversight of any intelligence agency. I remember (former Union  minister) Manish Tewari had introduced a Bill six or seven years ago  saying Intelligence agencies needed to be under the oversight of the  Parliament, but nothing happened.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Is there any way to stop &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Aadhaar" target="_blank"&gt;Aadhaar &lt;/a&gt;being used as a surveillance tool?&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Today a person can be identified with or without &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Aadhaar" target="_blank"&gt;Aadhaar.&lt;/a&gt; US systems can identify a person in a few milliseconds using big data. All that is part of what we have to protect. &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Aadhaar" target="_blank"&gt;Aadhaar &lt;/a&gt;by  itself is not going to add anything to that. What is important is that  the infrastructure of surveillance comes under judicial oversight as  well as parliamentary oversight.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Would the &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Aadhaar" target="_blank"&gt;Aadhaar &lt;/a&gt;narrative have been different if this were a Congress-led government?&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;I think most people making this noise are against the government, so it is a political argument and &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Aadhaar" target="_blank"&gt;Aadhaar &lt;/a&gt;has  become a convenient whipping ward. Lots of different agendas are at  work here. But my understanding is this - whether it is data protection  and privacy, surveillance or security, these are all broad issues that  apply to technology in general and if you are serious about solving the  issues you should fix it at the highest level and have a data protection  and &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Privacy" target="_blank"&gt;privacy &lt;/a&gt;law which includes, mobile phones, CCTV cameras and &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Aadhaar" target="_blank"&gt;Aadhaar.&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;A report by the Centre for Internet and Society says 130 million &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Aadhaar" target="_blank"&gt;Aadhaar &lt;/a&gt;identities have been leaked...&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;It is because of the transparency movement in the last 10 years. In  2006, we passed the RTI Act and MNREGA Act. Section 4 of the RTI Act  says that data about benefits should be made public. At that time it was  all about transparency. Since then, governments have been publishing  lists of MNREGA beneficiaries and how much money is being put into their  bank accounts. At that time it was applauded. Now the same thing is  coming back as &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Privacy" target="_blank"&gt;privacy &lt;/a&gt;being affected.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;These are not leaks; governments have been consciously putting out the  data in the interest of transparency. The message from this is we have  to strike a balance between transparency and &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Privacy" target="_blank"&gt;privacy.&lt;/a&gt; And that is a difficult balance because Section 4 of the RTI Act says  if a benefit is provided by the government it is public information, so  the names of beneficiaries should be published because it is taxpayers’  money.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;There is something called personally identifiable information. You  should strike a balance between transparency and not revealing  personally identifiable information. That is a delicate balance, and  people will have to figure this out. The risk you have now is  governments will stop publishing data - look, you guys have made a big  fuss about privacy, we will not publish. In fact, the transparency guys  are now worried that all the gains are being lost.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;If &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Aadhaar" target="_blank"&gt;Aadhaar &lt;/a&gt;is voluntary, why is the government forcing it on to various schemes?&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;There are two things, benefits and entitlements and government-issued documents. There the government has passed a law, the &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Aadhaar" target="_blank"&gt;Aadhaar &lt;/a&gt;Bill of 2016, which is signed by the President. In that, there is a clear protocol that the government can use &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Aadhaar" target="_blank"&gt;Aadhaar &lt;/a&gt;for benefits and what process they should follow.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The second thing is &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Aadhaar" target="_blank"&gt;Aadhaar &lt;/a&gt;for government documents. There are three examples - PAN cards, driver’s licences and SIM cards.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The government has modified the Finance Bill and made &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Aadhaar" target="_blank"&gt;Aadhaar &lt;/a&gt;mandatory  for a PAN card. Why has it done that? Because India has a large number  of duplicate PAN cards. India has something like over 250 million PAN  cards and only 40 million taxpayers. Some of those may be people who  have taken PAN cards just as ID but not for tax purposes, but frankly it  is also because a lot of people have duplicate PAN cards. Why do people  have duplicates?  That is a way of tax evasion. The only way you can  eliminate duplicate PAN cards is by having &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Aadhaar" target="_blank"&gt;Aadhaar &lt;/a&gt;as a way of establishing uniqueness.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The second thing is mobile phones. Here the mobile phone requirement  came from the Supreme Court, where somebody filed a PIL saying so many  mobile phones are being given to terrorists and therefore you need to do  an e-KYC when the SIM is cut and the government said they would use &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Aadhaar" target="_blank"&gt;Aadhaar &lt;/a&gt;and they have been asked to do it by 2018.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The third thing is driver’s licences. As (Union Transport Minister) Nitin Gadkari has said, 30 per cent of all driver’s licences are fakes.  Now why is this important? Because when you have fake driver’s licences  or multiple drivers’ licences, even if you are caught, you can give your  fake licence and continue to drive. Today India is the country with the  largest number of deaths on highways. Lack of enforcement, fake  licences are all a problem.  So in the latest Motor Vehicle Bill which  was passed the government said &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Aadhaar" target="_blank"&gt;Aadhaar &lt;/a&gt;was  necessary to get a licence. So that you have just one driver’s licence,  whether it is issued in Karnataka or Bihar, you have just one.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;The government is also talking about using &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Aadhaar" target="_blank"&gt;Aadhaar &lt;/a&gt;for the mid-day meal scheme...&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;If you talk to people on the ground, and I have spoken to people on the  ground, a big part of the leakage is mid-day meals. It is not reaching  children. So it is important that all this has to happen so children get  what they need.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;You engaged with governments and civil servants when you initiated the &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Aadhaar" target="_blank"&gt;Aadhaar &lt;/a&gt;process. In hindsight, would you say you should have also engaged with civil society?&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;I do not think there is any other programme in history which reached out to every stakeholder in the country. When we started &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Aadhaar" target="_blank"&gt;Aadhaar &lt;/a&gt;we  met governments, regulators and even parliamentarians. I gave a talk in  Parliament and we engaged deeply with civil society. In fact, we had  one volunteer only to engage with civil society.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;You said you were engaged with the previous government about the data &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Protection+Law" target="_blank"&gt;protection law.&lt;/a&gt; Are you engaging with the current one too?&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;I am not really engaging. I know that people are working on it and  recently the attorney-general has made a statement in the Supreme Court  that the government will bring in a data &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Protection+Law" target="_blank"&gt;protection law &lt;/a&gt;by Diwali.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;We have heard of several instances of people not being able to get their biometric authentication done. Is there a problem with &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Aadhaar" target="_blank"&gt;Aadhaar?&lt;/a&gt;&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The seeding of data in the &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Aadhaar" target="_blank"&gt;Aadhaar &lt;/a&gt;database  has to be done properly and that is a process. Authentication has been  proven at scale in Andhra Pradesh. Millions of people receive food with &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Aadhaar" target="_blank"&gt;Aadhaar &lt;/a&gt;authentication  in 29,000 PDS outlets. In fact, now they have portability -- a person  from Guntur can go to Vijayawada and get his rations. It is empowering.  We keep forgetting about the empowering value.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;What has the Andhra Pradesh government done? They have used  fingerprints, but they also have used iris scans, OTP on phone, and they  have a village revenue officer if none of the above works. When you  design the system, you have to design it in a way that 100 per cent of  the beneficiaries genuinely get the benefit.  Andhra Pradesh has shown  it can be done.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The government needs to package the learning and best practices of  Andhra Pradesh and take it to every other state. It is an execution  issue.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Activists have raised concerns over the centralised &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Aadhaar" target="_blank"&gt;Aadhaar &lt;/a&gt;database...&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;How else would you establish uniqueness? If you are going to give a  billion people a number, how else would you do it? Is there any other  way of doing it? Every cloud is centralised, then we should not have  cloud systems.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;How do you ensure security standards and software are updated?&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;There are very good people there. The CEO is very good. There is a  three-member executive board with chairman Satyanarayana and two  members, Anand Deshpande and Rajesh Jain. I have no doubt that they will  continue to improve things.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;On security, you keep improving. It is a constant race everywhere in  the world. They are now coming out with registered devices that will  make it more difficult to spoof.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;But without a centralised database, how do you establish that an  identity is not two people? If you look at the team that designed this,  cumulatively they have a few hundred years of experience of designing  large systems around the world. Every design decision has been taken  consciously looking at the pros and cons. Why did we have both  fingerprints and iris scans? There are two reasons. One is to ensure  uniqueness. The second is inclusion. We knew that fingerprints in India  do not work all the time because of age and manual labour. So we  included iris scans. I can give you a document from 2009 that says all  of this. All of these things were thought through.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;If you are given a chance to design &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Aadhaar" target="_blank"&gt;Aadhaar &lt;/a&gt;today what would you do differently?&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;I would do exactly the same thing. Go back and look at the design  document. Every design has been articulated, the pros and cons are  written down, published on our website, and it is a highly transparent  exercise. It is the appropriate design for the problem we are trying to  solve. We are forgetting about the huge benefits people are getting.  Crores of people are getting direct benefit transfer without hassle.  They can go to a village business correspondent and withdraw money using  &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Aadhaar" target="_blank"&gt;Aadhaar.&lt;/a&gt; They can get their SIM card and open a bank account using e-KYC.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;You are also forgetting that people are getting empowered. That  portability has ensured the bargaining power has shifted from the PDS  shop owner to the individual. If a PDS guy treats him badly, the  individual can choose another shop, earlier he could not do that. The  empowerment of millions of people to buy rations at the shop of their  choice is extraordinary.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/news/business-standard-may-13-2017-alnoor-peermohamed-and-raghu-krishnan-aadhaar-has-become-a-whipping-boy-nandan-nilekani'&gt;https://cis-india.org/internet-governance/news/business-standard-may-13-2017-alnoor-peermohamed-and-raghu-krishnan-aadhaar-has-become-a-whipping-boy-nandan-nilekani&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>praskrishna</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Aadhaar</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2017-05-19T09:54:52Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/news/revisiting-aadhaar-law-tech-and-beyond">
    <title>Revisiting Aadhaar: Law, Tech and Beyond</title>
    <link>https://cis-india.org/internet-governance/news/revisiting-aadhaar-law-tech-and-beyond</link>
    <description>
        &lt;b&gt;Udbhav Tiwari attended a panel on "Revisiting Aadhaar: Law, Tech and Beyond" held at the India International Centre Annexe on May 9, 2017 in New Delhi, organised by the Software Freedom Law Centre (SFLC.in) in collaboration with Digital Empowerment Foundation and IT for Change.&lt;/b&gt;
        &lt;div style="text-align: justify; "&gt;The panel consisted of:&lt;/div&gt;
&lt;div style="text-align: justify; "&gt;
&lt;ul&gt;
&lt;li&gt;Saikat Datta; Policy Director, Centre for Internet and Society (Moderator) &lt;/li&gt;
&lt;li&gt;Anivar Aravind; Founder/Director at Indic Project &lt;/li&gt;
&lt;li&gt;Anupam Saraph; Professor and Future Designer &lt;/li&gt;
&lt;li&gt;Prasanna S; Advocate &lt;/li&gt;
&lt;li&gt;Shyam Divan; Senior Advocate, Supreme Court &lt;/li&gt;
&lt;li&gt;Srinivas Kodali; Co-founder at Open Stats &lt;/li&gt;
&lt;li&gt;Osama Manzar; Founder and Director, Digital Empowerment Foundation &lt;/li&gt;
&lt;li&gt;Usha Ramanathan; Legal Researcher&lt;/li&gt;
&lt;/ul&gt;
&lt;/div&gt;
&lt;p style="text-align: justify; "&gt;The  panel was quite enlightening (and Saikat was a stellar moderator), with  Mr. Divan's elucidation on the arguments made in the court for the  Aadhaar case in particular being a great learning experience. Benjamin  and Sheetal (both interns in the Delhi office) along with Sumandro also  attended the event.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The other learning was that  for people who have attended multiple such panels/seminars and meetings  on Aadhaar, they can have a lot of repeated content. I passed on the  feedback to SFLC about how they could possibly include a small 10 to 15  minute session in future such panels on developments since the previous  such event on the Aadhaar and include practical aspects about what  people can do about minimising the harms that we are all slowly being co-opted into facing with the system.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;More info about the event &lt;a class="external-link" href="http://sflc.in/panel-discussion-revisiting-aadhaar-law-tech-and-beyond-may-9-2017-new-delhi/"&gt;here&lt;/a&gt;.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/news/revisiting-aadhaar-law-tech-and-beyond'&gt;https://cis-india.org/internet-governance/news/revisiting-aadhaar-law-tech-and-beyond&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>praskrishna</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Aadhaar</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2017-05-19T14:47:32Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/news/the-times-of-india-may-19-2017-kim-arora-and-digbijay-mishra-hacker-steals-17-million-zomato-users-data-briefly-puts-it-on-dark-web">
    <title>Hacker steals 17 million Zomato users’ data, briefly puts it on dark web</title>
    <link>https://cis-india.org/internet-governance/news/the-times-of-india-may-19-2017-kim-arora-and-digbijay-mishra-hacker-steals-17-million-zomato-users-data-briefly-puts-it-on-dark-web</link>
    <description>
        &lt;b&gt;Records of 17 million users were stolen from online restaurant search platform Zomato, the company said in a blog post on Thursday.&lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;The article by Kim Arora and Digbijay Mishra with inputs from Ranjani Ayyar in Chennai was &lt;a class="external-link" href="http://timesofindia.indiatimes.com/india/hacker-steals-17-million-zomato-users-data-briefly-puts-it-on-dark-web/articleshow/58742129.cms"&gt;published in the Times of India&lt;/a&gt; on May 19, 2017. Pranesh Prakash was quoted.&lt;/p&gt;
&lt;hr /&gt;
&lt;p style="text-align: justify; "&gt;According to information security blog and news website &lt;a class="key_underline" href="http://timesofindia.indiatimes.com/topic/HackRead"&gt;HackRead&lt;/a&gt;,  the data was being peddled online on the "dark web" for about $1,000.  The company, also a food delivery platform, advised users to change  passwords. However, late on Thursday night, &lt;a class="key_underline" href="http://timesofindia.indiatimes.com/topic/Zomato"&gt;Zomato&lt;/a&gt; claimed it had contacted the hacker and persuaded him/her to not only  destroy all copies of the data, but also to take the database off the  dark web marketplace. The company said it will post an update on how the  breach happened once they "close the loopholes".&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;In an official blog updated with this information, Zomato said, "The hacker has been very cooperative with us. He/she wanted us to acknowledge security vulnerabilities in our system and work with the ethical hacker community to plug the gaps. His/her key request was that we run a healthy bug bounty program for security researchers." Bug bounties are a standard program among tech companies, where they reward outsiders to highlight bugs and flaws in their software systems.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The number of user accounts compromised was pegged at 17 million earlier in the day. In the late night update, Zomato said password hashes (passwords in a scrambled, encrypted form) of 6.6 million users were compromised. It wasn't immediately clear whether this 6.6 million was part of the 17 million records stolen.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Zomato tried assuring users that payment information was safe. "Please note that only 5 data points were exposed - user IDs, names, usernames, email addresses, and password hashes with salt- that is, passwords that were encrypted and would be unintelligible. No other information was exposed to anyone (we have a copy of the 'leaked' database with us). Your payment information is absolutely safe, and there's no need to panic," said the late night update.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;However, the information security community raised concerns over the technique used for "hashing" or encrypting the passwords. A screenshot of the vendor's sale page for stolen data posted on HackRead identifies the hashing algorithm as "MD5", which experts say is "outdated" and "insecure". The research team at infySEC -- a cyber security company from Chennai -- tried to access user information in Zomato's database, as part of its bug bounty program. "We were able to access user names, email IDs, addresses and history of transactions. We highlighted this to Zomato but we have not heard from them," said Karthick Vigneshwar, director, infySEC.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Zomato joins a long list of tech-enabled businesses that have recently had user data stolen. Such data can ostensibly be used by malicious actors to send phishing mails, or even by hackers to carry out cyber attacks. In February 2017, content delivery network CloudFlare's customer data was leaked. The data leaked had not just password hashes, but even customers' IP addresses and private messages. In June 2015, online password management service LastPass was hacked and had its data leaked online.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;"We hash passwords with a one-way hashing algorithm, with multiple hashing iterations and individual salt per password. This means your password cannot be easily converted back to plain text. We, however, strongly advise you to change your password for any other services where you are using the same password," Zomato's chief technology officer Gunjan Patidar said in the blog which was updated twice through the day. Affected users have been logged out of the website and the app.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Password "hashing" is an encryption technique usually used for large online user databases. The strength of the encryption depends on the algorithm employed to do the same. "Salting" is the addition of a string of characters to the passwords when stored on such a database, which adds another layer of difficulty in cracking them.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;In an email to TOI, a company spokesperson said, "Over the next couple of days, we'll be actively working to improve our security systems — we'll be further enhancing security measures for all user information stored within our database, and will also add a layer of authorisation for internal teams having access to this data to avoid any human breach."&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;HackRead, a security blog and news website, found the stolen Zomato database of 17 million users for sale on what is called the "dark web". This can be described as a portion of the content available on the World Wide Web, away from the public internet. This content is not indexed on search engines like Google, and can only be accessed using software that can route around the public internet to get there.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;According to the screenshots of the sale posted on HackRead, the Zomato database used a hashing technique called "MD5", which security experts say is inappropriate for encrypting passwords. "If MD5 was used, it shows bad security practices were in place. It isn't industry standard to use this algorithm for password hashing. Algorithms like bcrypt, scrypt, are more secure," says Pranesh Prakash, policy director at Bengaluru's Centre for Internet and Society.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;What if a user does not use an exclusive Zomato account to sign into the service, but signs in through a Google or Facebook account? "In that case, just to be safe, you can delink your Zomato from the account you use to sign in, although your password will not be at risk," says Prakash. Zomato says, 60% of its users use such third party authorisation, and they are at "zero risk."&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Would Zomato be liable to compensate end users for loss of sensitive data? Supreme Court advocate Pavan Duggal says, "Such players, referred to as intermediaries under the IT Act hold sensitive data and are expected to have reasonable security protocols in place. Should an end user face any loss/damage due to a data breach, they can sue Zomato and seek compensation." While most players have end user agreements and disclaimers in place, Duggal adds that the IT Act will prevail over any other law or contract to the extent it is inconsistent.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/news/the-times-of-india-may-19-2017-kim-arora-and-digbijay-mishra-hacker-steals-17-million-zomato-users-data-briefly-puts-it-on-dark-web'&gt;https://cis-india.org/internet-governance/news/the-times-of-india-may-19-2017-kim-arora-and-digbijay-mishra-hacker-steals-17-million-zomato-users-data-briefly-puts-it-on-dark-web&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>praskrishna</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Cyber Security</dc:subject>
    
    
        <dc:subject>Hacking</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2017-05-20T05:57:14Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/news/medianama-nikhil-pahwa-may-19-2017-uidai-cis-india-aadhaar">
    <title>UIDAI goes after org that disclosed government departments were releasing Aadhaar data</title>
    <link>https://cis-india.org/internet-governance/news/medianama-nikhil-pahwa-may-19-2017-uidai-cis-india-aadhaar</link>
    <description>
        &lt;b&gt;If there was ever a case of shoot the messenger, it is this. &lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;The blog post by Nikhil Pahwa was published by &lt;a class="external-link" href="http://www.medianama.com/2017/05/223-uidai-cis-india-aadhaar/"&gt;Medianama&lt;/a&gt; on May 19, 2017. Pranesh Prakash was quoted.&lt;/p&gt;
&lt;hr style="text-align: justify; " /&gt;
&lt;p style="text-align: justify; "&gt;The UIDAI, the body which runs the Aadhaar project in India, has written to the Centre for Internet &amp;amp; Society suggesting that &lt;a href="http://www.medianama.com/2017/05/223-aadhaar-numbers-data-leak/"&gt;their disclosure of the fact that the data of 130 million Aadhaar users is being publicly disclosed on the Internet&lt;/a&gt; is owed to a hack-attack, &lt;a href="http://timesofindia.indiatimes.com/india/provide-hacker-details-outfit-that-claimed-data-leak-told/articleshow/58725132.cms?from=mdr" rel="noopener noreferrer"&gt;reports the Times of India&lt;/a&gt;.  On being contacted by MediaNama, Pranesh Prakash, Policy Director at  CIS told MediaNama that “We are waiting for an official copy of the  letter, and once we receive it we will decide on our future course of  action.” The UIDAI told MediaNama that they’ll get back to us, and  declined to share a copy of the letter with MediaNama.&lt;/p&gt;
&lt;p&gt;&lt;a class="external-link" href="http://www.medianama.com/2017/05/223-uidai-cis-india-aadhaar/"&gt;Read the full story on Medianama&lt;/a&gt;&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/news/medianama-nikhil-pahwa-may-19-2017-uidai-cis-india-aadhaar'&gt;https://cis-india.org/internet-governance/news/medianama-nikhil-pahwa-may-19-2017-uidai-cis-india-aadhaar&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>Nikhil Pahwa</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>UIDAI</dc:subject>
    
    
        <dc:subject>Aadhaar</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2017-05-20T10:46:36Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/news/new-indian-express-may-6-2017-experts-stress-on-need-for-enhanced-security">
    <title>Experts stress on need for enhanced security</title>
    <link>https://cis-india.org/internet-governance/news/new-indian-express-may-6-2017-experts-stress-on-need-for-enhanced-security</link>
    <description>
        &lt;b&gt;With more and more people falling prey to phishing scams, experts believe that lack of adequate security features in online payment systems will only increase the number of such cases in the coming days. While admitting that the rise in such crimes would be hard to stop or control, cyber security consultants also blame the lack of preparedness before taking the digital economy route as a cause for such problems.&lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;The article was &lt;a class="external-link" href="http://www.newindianexpress.com/cities/bengaluru/2017/may/06/experts-stress-on-need-for-enhanced-security-1601631.html"&gt;published in the New Indian Express&lt;/a&gt; on May 6, 2017. Pranesh Prakash was quoted.&lt;/p&gt;
&lt;hr style="text-align: justify; " /&gt;
&lt;p style="text-align: justify; "&gt;Speaking to Express, Dr A Nagarathna of  the Advanced Centre on Cyber Law and Forensics, National Law School of  India University, said that apart from the push for digital payment  solutions, the merger of various State Bank entities also provided  chances for criminals to exploit gullible people.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;“People tend to give away critical information since cyber criminals  seem so convincing. But they should remember that banks never collect  such information over phone,” she said.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The cyber security features of banks and e-wallets are also  questionable. Banks and e-wallet service providers should be held  accountable for such crimes, so that they make an effort to ensure  necessary safety measures, she said.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Pranesh Prakash, Policy Director at the Centre for Internet and Society,  noted that there were security concerns with e-wallets. “Many e-wallet  apps compromise on security in favour of convenience, but, at the same  time, have terms of service that hold customers liable for financial  losses.  There have been many reports of criminals working with rogue  telecom company employees to clone SIM cards and steal money via UPI and  BHIM,” he said.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;He also criticised the use of biometrics as the only factor for  authorising payments to merchants using Aadhaar Pay.  He noted, “Your  fingerprints cannot be changed, unlike a PIN. So, if a merchant clones  your fingerprint, you cannot revoke it or replace it the way you can  with a debit card and a PIN.”&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Another activist said the recommendations of Watal Committee, which  looked into digital payments, should be implemented. “As of now, the law  does not focus on the need for consumer protection in digital payments.  The Payment and Settlement Systems Act, 2007, needs to be updated,” he  said.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/news/new-indian-express-may-6-2017-experts-stress-on-need-for-enhanced-security'&gt;https://cis-india.org/internet-governance/news/new-indian-express-may-6-2017-experts-stress-on-need-for-enhanced-security&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>praskrishna</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Cyber Security</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2017-05-20T06:13:19Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/news/counterview-may-5-2017-135-million-aadhaar-details-100-million">
    <title>135 million aadhaar details, 100 million bank accounts "leaked" from government websites: Researchers</title>
    <link>https://cis-india.org/internet-governance/news/counterview-may-5-2017-135-million-aadhaar-details-100-million</link>
    <description>
        &lt;b&gt;This was published by Counterview on May 5, 2017.&lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;A top &lt;a href="http://cis-india.org/internet-governance/information-security-practices-of-aadhaar-or-lack-thereof-a-documentation-of-public-availability-of-aadhaar-numbers-with-sensitive-personal-financial-information/at_download/file" target="_blank"&gt;study&lt;/a&gt; by the Centre for Internet and Society (CIS) has estimated that the “estimated number of aadhaar numbers leaked” through top portals which  handle aadhaar “could be around 130-135 million”. Worse, it says, the  number of bank account numbers leaked would be “around 100 million”.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The study, carried out by researchers Amber Sinha and  Srinivas Kodali, adds, “While these numbers are only from two major  government programmes of pensions and rural employment schemes, other  major schemes, who have also used aadhaar for direct bank transfer (DBT)  could have leaked personally identifiable information (PII) similarly  due to lack of information security practices.”&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Pointing out that “over 23 crore beneficiaries have been brought under aadhaar programme for DBT”, the study, titled “Information Security Practices of Aadhaar (Or Lack Thereof)”, says, “Government schemes dashboard and portals demonstrate … dangers of ill-conceived data driven policies and transparency measures without proper consideration to data security measures.”&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Claiming to have taken a closer look at the databases on publicly available portals, the researchers identify four of them from a pool of other government websites for examination:&lt;/p&gt;
&lt;div style="text-align: justify; "&gt;&lt;ol style="text-align: left; "&gt;
&lt;li&gt;&lt;a href="http://164.100.129.6/netnrega/MISreport4.aspx?fin_year=2013-2014&amp;amp;rpt=RP"&gt;http://164.100.129.6/netnrega/MISreport4.aspx?fin_year=2013-2014&amp;amp;rpt=RP&lt;/a&gt; &lt;/li&gt;
&lt;li&gt;&lt;a href="http://nsap.nic.in/"&gt;http://nsap.nic.in/&lt;/a&gt; &lt;/li&gt;
&lt;li&gt;&lt;a href="http://chandrannabima.ap.gov.in/Dashboard/Reports.aspx"&gt;http://chandrannabima.ap.gov.in/Dashboard/Reports.aspx&lt;/a&gt;, and &lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.nrega.ap.gov.in/Nregs/"&gt;http://www.nrega.ap.gov.in/Nregs/&lt;/a&gt;. &lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;A welfare programme by the Ministry of Rural Development, the National Social Assistance Programme (NSAP) portal, even as seeking to provide public assistance to its citizens in case of unemployment, old age, sickness and disablement, offers information about “job card number, bank account number, name, aadhaar number, account frozen status”, the researchers say.&lt;/p&gt;
&lt;p&gt;Pointing out that “one of the url query parameters of website showing the masked personal details was modified from nologin to login”, they say, the “control access to login based pages were allowed providing unmasked details without the need for a password.”&lt;/p&gt;
&lt;p&gt;In fact, they say, the Data Download Option feature “allows download of beneficiary details mentioned above such as Beneficiary No, Name, Father’s/Husband’s Name, Age, Gender, Bank or Post Office Account No for beneficiaries receiving disbursement via bank transfer and Aadhaar Numbers for each area, district and state.”&lt;br /&gt;They add, “The NSAP portal lists 94,32,605 banks accounts linked with aadhaar numbers, and 14,98,919 post office accounts linked with aadhaar numbers. While the portal has 1,59,42,083 aadhaar numbers in total, not all of whom are linked to bank accounts.”&lt;/p&gt;
&lt;p&gt;Also giving the example of the national rural job guarantee scheme, popularly called NREGA, the researchers say, its portal provides DBT reports containing “various sub-sections including one called ‘Dynamic Report on Worker Account Detail’,” with details like “Job card number, aadhaar number, bank/postal account number, number of days worked”, and so on.&lt;/p&gt;
&lt;p&gt;“As per the NREGA portal, there were 78,74,315 post office accounts of individual workers seeded with aadhaar numbers, and 8,24,22,161 bank accounts of individual workers with aadhaar numbers. The total number of Aadhaar numbers stored by portal are at 10,96,41,502”, they add.&lt;/p&gt;
&lt;p&gt;Providing similar instances from two other sources, the researchers insist, “The availability of large datasets of aadhaar numbers along with bank account numbers, phone numbers on the internet increases the risk of financial fraud.”&lt;/p&gt;
&lt;p&gt;Underlining that “aadhaar data makes this process much easier for fraud and increases the risk around transactions”, they say, “In the US, the ease of getting Social Security Numbers from public databases has resulted in numerous cases of identity theft. These risks increase multifold in India due the proliferation of aadhaar numbers and other related data available.”&lt;/p&gt;
&lt;p&gt;Click to read the original published by &lt;a class="external-link" href="http://www.counterview.net/2017/05/135-million-aadhaar-details-100-million.html"&gt;Counterview&lt;/a&gt; on May 5, 2017.&lt;/p&gt;
&lt;/div&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/news/counterview-may-5-2017-135-million-aadhaar-details-100-million'&gt;https://cis-india.org/internet-governance/news/counterview-may-5-2017-135-million-aadhaar-details-100-million&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>praskrishna</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>UIDAI</dc:subject>
    
    
        <dc:subject>Aadhaar</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2017-05-20T06:19:12Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/news/idg-news-service-john-riberio-may-3-2017-indias-supreme-court-hears-challenge-to-biometric-authentication-system">
    <title>India’s Supreme Court hears challenge to biometric authentication system </title>
    <link>https://cis-india.org/internet-governance/news/idg-news-service-john-riberio-may-3-2017-indias-supreme-court-hears-challenge-to-biometric-authentication-system</link>
    <description>
        &lt;b&gt;Two lawsuits being heard this week before India’s Supreme Court question a requirement imposed by the government that individuals should quote a biometrics-based authentication number when filing their tax returns.&lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;The &lt;a class="external-link" href="http://www.itworld.com/article/3194272/security/india-s-supreme-court-hears-challenge-to-biometric-authentication-system.html"&gt;post by John Riberio, IDG News Service was mirrored by IT World &lt;/a&gt;on May 3, 2017.&lt;/p&gt;
&lt;hr style="text-align: justify; " /&gt;
&lt;p style="text-align: justify; "&gt;Civil rights groups have opposed the Aadhaar biometric system, which is based on centralized records of all ten fingerprints and iris scans, as its extensive use allegedly encroaches on the privacy rights of Indians. “Aadhaar is surveillance technology masquerading as secure authentication technology,” said Sunil Abraham, executive director of Bangalore-based research organization, the Centre for Internet and Society.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The Indian government has in the meantime extended the  use of Aadhaar, originally meant to identify beneficiaries of state  schemes for the poor, to other areas such as filing of taxes,  distribution of meals to school children and &lt;a href="http://www.pcworld.com/article/3189977/internet/in-india-people-can-now-use-their-thumbs-to-pay-at-stores.html"&gt;payment systems&lt;/a&gt;.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Hearings on the writ petitions, challenging the amendment to the  Income Tax Act, are going on in Delhi before a Supreme Court bench  consisting of Justices A.K. Sikri and Ashok Bhushan.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Tax  payers are required to have the Aadhaar number in addition to their  permanent account number (PAN), which they have previously used to file  their tax returns. Their failure to produce the Aadhaar number would  lead to invalidation of the PAN number, affecting people who are already  required to quote this number for other transactions such as buying  cars or opening bank accounts.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The stakes in this dispute are  high. The petitioners have argued for Aadhaar being voluntary and  question the manner in which the new amendment to the tax law has been  introduced. The government has said both in court and in other public  forums that it needs a reliable and mandatory biometric system to get  around the issue of fake PAN numbers.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The lawyer for one of the  plaintiffs, Shyam Divan, has argued for the individual’s absolute  ownership of her body, citing Article 21 of the Indian Constitution,  which protects a person from being “deprived of his life or personal  liberty except according to procedure established by law.” The  government has countered by saying that citizens do not have absolute  rights over their bodies, citing the law against an individual  committing suicide as an example.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The Supreme Court in another  lawsuit looking into privacy issues and the constitutionality of the  Aadhaar scheme had ruled in an interim order in 2015 that the biometric  program had to be voluntary and could not be used to deprive the poor of  benefits.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;"The production of an Aadhaar card will not be condition for obtaining any benefits otherwise due to a citizen," the &lt;a href="http://judis.nic.in/supremecourt/imgs1.aspx?filename=42841"&gt;top court ruled&lt;/a&gt;.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The  government holds that the Aadhaar Act, passed in Parliament last year,  provides the legal backing for making the biometric identification  compulsory.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The current lawsuits against Aadhaar have not been  argued on grounds of privacy, reportedly because the court would not  allow this line of argument, which is already being heard in the other  case. The Supreme Court has made current petitioners &lt;a href="https://indconlawphil.wordpress.com/2017/05/03/the-constitutional-challenge-to-s-139aa-of-the-it-act-aadhaarpan-petitioners-arguments/"&gt;“fight this battle with one arm tied behind their backs!,”&lt;/a&gt; wrote lawyer Gautam Bhatia in a blog post Wednesday.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/news/idg-news-service-john-riberio-may-3-2017-indias-supreme-court-hears-challenge-to-biometric-authentication-system'&gt;https://cis-india.org/internet-governance/news/idg-news-service-john-riberio-may-3-2017-indias-supreme-court-hears-challenge-to-biometric-authentication-system&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>praskrishna</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Biometrics</dc:subject>
    
    
        <dc:subject>Aadhaar</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2017-05-20T06:44:02Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/news/hindustan-times-may-2-2017-details-of-135-million-aadhaar-card-holders-may-have-leaked-claims-cis-report">
    <title>Details of 135 million Aadhaar card holders may have leaked, claims CIS report</title>
    <link>https://cis-india.org/internet-governance/news/hindustan-times-may-2-2017-details-of-135-million-aadhaar-card-holders-may-have-leaked-claims-cis-report</link>
    <description>
        &lt;b&gt;The disclosure came as part of a CIS report titled ‘Information Security Practices of Aadhaar (or lack thereof): A Documentation of Public Availability of Aadhaar Numbers with Sensitive Personal Financial Information’.&lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;The news from the Press Trust of India was published in the &lt;a class="external-link" href="http://www.hindustantimes.com/india-news/details-of-135-million-aadhaar-card-holders-may-have-leaked-claims-cis-report/story-39nojShtnAmr3EruCKbdrL.html"&gt;Hindustan Times&lt;/a&gt; on May 2, 2017.&lt;/p&gt;
&lt;hr style="text-align: justify; " /&gt;
&lt;p style="text-align: justify; "&gt;Aadhaar numbers and personal information of as many as 135 million Indians could have been leaked from four government portals due to lack of IT security practices, the Centre for Internet and Society has claimed.&lt;br /&gt;&lt;br /&gt;“Based on the numbers available on the websites looked at, estimated number of Aadhaar numbers leaked through these four portals could be around 130-135 million,” the report by CIS said.&lt;br /&gt;&lt;br /&gt;Further, as many as 100 million bank account numbers could have been “leaked” from the four portals, it added.&lt;br /&gt;&lt;br /&gt;The portals where the purported leaks happened were those of National Social Assistance Programme, National Rural Employment Guarantee Scheme, as well as two websites of the Andhra Pradesh government.&lt;br /&gt;&lt;br /&gt;“Over 23 crore beneficiaries have been brought under Aadhaar programme for DBT (Direct Benefit Transfer), and if a significant number of schemes have mishandled data in a similar way, we could be looking at a data leak closer to that number,” it cautioned.&lt;br /&gt;&lt;br /&gt;The disclosure came as part of a CIS report titled ‘Information Security Practices of Aadhaar (or lack thereof): A Documentation of Public Availability of Aadhaar Numbers with Sensitive Personal Financial Information’.&lt;br /&gt;&lt;br /&gt;When contacted, a senior official of the Unique Identification Authority of India (UIDAI) said that there was no breach in its own database. The UIDAI issues Aadhaar to citizens.&lt;br /&gt;&lt;br /&gt;The CIS report claimed that the absence of “proper controls” in populating the databases could have disastrous results as it may divulge sensitive information about individuals, including details about address, photographs and financial data.&lt;br /&gt;&lt;br /&gt;“The lack of consistency of data masking and de-identification standard is an issue of great concern...the masking of Aadhaar numbers does not follow a consistent pattern,” the report added.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/news/hindustan-times-may-2-2017-details-of-135-million-aadhaar-card-holders-may-have-leaked-claims-cis-report'&gt;https://cis-india.org/internet-governance/news/hindustan-times-may-2-2017-details-of-135-million-aadhaar-card-holders-may-have-leaked-claims-cis-report&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>praskrishna</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Aadhaar</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2017-05-20T08:42:57Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/news/indian-express-may-3-2017-aadhaar-data-of-over-13-crore-people-exposed-new-report">
    <title>Aadhaar data of over 13 crore people exposed: New report</title>
    <link>https://cis-india.org/internet-governance/news/indian-express-may-3-2017-aadhaar-data-of-over-13-crore-people-exposed-new-report</link>
    <description>
        &lt;b&gt;Ajay Bhushan Pandey, CEO of UIDAI, the nodal body for Aadhaar, said, “There is no data leak from UIDAI.”&lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;The article was published in the &lt;a class="external-link" href="http://indianexpress.com/article/india/aadhaar-data-of-over-13-crore-people-exposed-new-report-4638024/"&gt;Indian Express&lt;/a&gt; on May 3, 2017.&lt;/p&gt;
&lt;hr /&gt;
&lt;p style="text-align: justify; "&gt;UP TO 13.5 crore Aadhaar numbers are exposed and are publicly  available on government websites and approximately 10 crore of these are  linked to bank account details, according to a new report published on  Monday. The 27-paged report — Information Security Practices of Aadhaar  (or lack thereof): A documentation of public availability of Aadhaar  Numbers with sensitive personal financial information — published by  non-profit organisation The Centre for Internet and Society (CIS) has  collected Aadhaar data from four government portals.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Two of these are national portals: National Social Assistance  Programme and National Rural Employment Guarantee Act (NREGA), both  under the Ministry of Rural Development. The other two studied by the  report’s authors, Srinivas Kodali and Amber Sinha, are run by the Andhra  Pradesh government: a daily online payments report under NREGA by the  state government, and Chandranna Bima Scheme.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The report states: “Based on the numbers available on the websites  looked at, the estimated number of Aadhaar numbers leaked through these 4  portals could be around 130-135 million (13-13.5 crore) and the number  of bank accounts numbers leaked at around 100 million (10 crore) from  the specific portals we looked at.” Ajay Bhushan Pandey, CEO of Unique  Identification Authority of India (UIDAI), the nodal body for Aadhaar,  said, “There is no data leak from UIDAI.”&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Since the CIS report focused on websites of only four schemes, it is  possible that many more Aadhaar cards may be available on other  government websites. At least nine other instances were reported in  April alone. Section 29(4) of Aadhaar Act prohibits making Aadhaar  number of any individual public.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Pandey said, “Aadhaar numbers and bank accounts have been  independently collected from people by other agencies for their own  usage, not related to UIDAI.” Asked if UIDAI will take action against  errant government departments, he said the “police will need to take  action”.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/news/indian-express-may-3-2017-aadhaar-data-of-over-13-crore-people-exposed-new-report'&gt;https://cis-india.org/internet-governance/news/indian-express-may-3-2017-aadhaar-data-of-over-13-crore-people-exposed-new-report&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>praskrishna</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Aadhaar</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2017-05-20T08:57:24Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/news/newslaundry-shruti-menon-may-2-2017-uidai-remains-silent-on-aadhaar-leaks-of-users-through-govt-portals">
    <title>UIDAI remains silent on #Aadhaarleaks of 13 crore users through government portals</title>
    <link>https://cis-india.org/internet-governance/news/newslaundry-shruti-menon-may-2-2017-uidai-remains-silent-on-aadhaar-leaks-of-users-through-govt-portals</link>
    <description>
        &lt;b&gt;As the arguments for making Aadhaar mandatory go on, is there any way to stem the leaks and identify who exactly has all this information?&lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;The blog post by Shruti Menon was &lt;a class="external-link" href="https://www.newslaundry.com/2017/05/02/uidai-remains-silent-on-aadhaarleaks-of-13-crore-users-through-government-portals"&gt;published by Newslaundry&lt;/a&gt; on May 2, 2017.&lt;/p&gt;
&lt;hr style="text-align: justify; " /&gt;
&lt;p style="text-align: justify; "&gt;The verdict on linking Aadhaar with Permanent Account Number (PAN) and  making it mandatory for filing income tax returns (ITRs) will be out  soon. Attorney General Mukul Rohatgi had a tough challenge ahead of him  in the Supreme Court as the state presented its argument today. Rohatgi  defended the &lt;a href="http://www.livemint.com/Politics/3FcQ9lHm7TWX5B0Hn7ZXiO/Aadhaar-to-be-mandatory-for-income-tax-returns-getting-PAN.html" target="_blank"&gt;amendment in income tax law&lt;/a&gt; allowing this after senior lawyer Shyam Divan made a &lt;a href="http://www.livemint.com/Politics/sN0S5mYYx641tgrctGf03H/Shyam-Divan-concludes-arguments-in-Aadhaar-case-in-Supreme-C.html" target="_blank"&gt;strong case&lt;/a&gt; against  it on April 26 and 27. Divan became a hero to many overnight after he  presented compelling arguments against the amendment citing facets of  right to privacy - informational self-determination, personal autonomy,  and bodily integrity - as he did so. Though the court has &lt;a href="https://www.thequint.com/opinion/2017/05/01/aadhaar-case-privacy-and-bodily-integrity" target="_blank"&gt;refused to entertain&lt;/a&gt; arguments pertaining to privacy, he managed to argue these concerns without couching them under right to privacy laws.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Advocate Gautam Bhatia posted &lt;a href="https://barandbench.com/aadhar-hearing-number-tagging-nazi-concentration-camps/" target="_blank"&gt;minute-by-minute developments from the courtroom&lt;/a&gt;, and soon, #ThankYouMrDivan became one of the top trends on Twitter.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;A day before the state presented its arguments, the Centre for Internet and Society (CIS) published a &lt;a href="http://cis-india.org/internet-governance/information-security-practices-of-aadhaar-or-lack-thereof-a-documentation-of-public-availability-of-aadhaar-numbers-with-sensitive-personal-financial-information-1" target="_blank"&gt;report &lt;/a&gt;titled “Information Security Practices of Aadhaar (or lack thereof): A documentation of public availability of Aadhaar numbers with sensitive personal financial information” late on Monday. Authored by Amber Sinha and Srinivas Kodali, the report documents the leaks of over 13 crore Aadhaar numbers and resulting information of beneficiaries through four government portals, two at the centre and two at the state. “We are primarily talking of lack of standards and data fact-checking, storage and how all of this information- account numbers, phone numbers plus, Aadhaar numbers- in public domain increases the nature of risk of the backbone of digital payments,” Kodali told &lt;i&gt;Newslaundry. &lt;/i&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The four portals studied by the two are National Social Assistance  Programme (NSAP), National Rural Employment Guarantee Act (NREGA) and  two databases of Andhra Pradesh- NREGA and their scheme called Chandranna Bima.  The report claims that the aforementioned public portals compromised  personally identifiable information (PII) including “Aadhaar numbers and  financial details such as bank account numbers” of 13 crore people due  to a lack of security controls.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;“While the details were masked for public view, someone with login  access could get the details,” the report read. “When one of the url  query parameters of the website showing the masked personal details was  modified from ‘nologin’ to ‘login’, that is, control access to login  based pages were allowed providing unmasked details without the need for  a password.” What this essentially means is that these portals allow  people to explore lists organised by states, districts, area,  sub-district, and municipalities which contain the personal information  of the people who are enrolled into the schemes.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The report also  cites legal framework under the Aadhaar Act that allows the government  or private entities to store Aadhaar numbers on the grounds that they  won’t be used for purposes other than those listed in the act. CIS’s  study, however, reveals that information pertaining to religion, caste,  race, tribe or even income is sometimes collected and published on such  portals with little in the way of security checks.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Speaking to &lt;i&gt;Newslaundry,&lt;/i&gt; Anupam Saraph, professor and former governance and IT advisor to Goa’s  Chief Minister, Manohar Parrikar, said that the data exposed could be  significantly more than what the report shows. “Many more Aadhaar  numbers have been exposed on websites relating to Pension Schemes, PDS,  Ministry of Water and Sanitation, Ministry of Human Resource  Development, Scholarships, Schools, Colleges, Universities, Kendriya  Sainik board, PM Avas Yojana to name a few,” he said. “Besides this  Registrars to the UIDAI (State Governments and various ministries of the  Central government, some Public Sector undertakings) were allowed to  retain the Aadhaar number, demographic and biometric data (associated  with the Aadhaar number). While this may not be exposed on websites, it  is unsecured and possibly accessible to data brokers within and outside  government,” said Saraph who has designed delivery channels and ID  schemes for better governance.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;What’s worth noting is that the people whose data has been breached are unaware that their information is available on public platforms and vulnerable to data theft. “It is UIDAI’s [Unique Identification Authority of India] job to investigate and inform them,” Kodali told &lt;i&gt;Newslaundry&lt;/i&gt;. “At some point of time, everybody is going to have everybody’s information,” he added.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Currently, the government has an &lt;a href="https://data.gov.in/" target="_blank"&gt;open data portal&lt;/a&gt;. It  describes itself as a platform “intended to be used by Government  Ministries/Departments and their organisation to publish datasets,  documents, services, tools and applications collected by them for public  use”.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;So is it feasible to have open data portals for  transparency and accountability? “Having certain government data being  publicly accessible is certainly desirable.” Saraph continued that the  problem was, data on public expenditure should ideally be openly  accessible but it’s also where the most leakage occurs. “Making Aadhaar  mandatory is meaningless,” he said, as India does not have a policy on  open data portals yet, which can subject Aadhaar data to “misuse”.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Given  that the UIDAI is responsible for investigating and making people aware  of any data breach or theft, they have remained silent for an oddly  long time. It is unclear whether the UIDAI is itself aware of who has  accessed the data that is insecurely published on these government  portals. “They’re letting everybody collect this information but they  were not aware themselves that who had access to this information,  that’s the main problem,” Kodali said. While the Aadhaar ecosystem was  to ensure social inclusion and transparency, in its current form, the  system looks so opaque that the people who are running it may not be  aware themselves of what is going on.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;What does it mean to have access to someone else’s Aadhaar?&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;With  an increasing number of social welfare schemes being linked to Aadhaar,  it was touted as an attempt to remove the middlemen, frauds and  corruption with the government. According to the report, "A cumulative  amount of Rs 1,78,694.75 has been transferred using DBT for 138 schemes  under 27 ministries since 2013. Various financial frameworks like  Aadhaar Payments Bridge (APB) and Aadhaar Enabled Payment Systems (AePS)  have been built by National Payment Corporation of India to support DBT  and also to allow individuals use Aadhaar for payments."&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Given  that such systems are in place to ensure easier and accessible banking,  research shows that the Aadhaar seeding process led to government  portals putting personal information of so many people under various  schemes in the "absence of information security practices to handle so  much PII", as per the research. This is not only a breach of privacy but  also makes a person vulnerable to financial fraud in cases where their  bank details are public. "One of the prime examples is individuals  receiving phone calls from someone claiming to be from the bank. Aadhaar  data makes this process much easier for fraud and increases the risk  around transactions," the report reads.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;UIDAI on silent mode&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Unfortunately,  UIDAI has not addressed this concern, let alone acknowledge it. It has  been cracking down on people by filing first information reports (FIRs)  against those tracking and exposing the vulnerabilities of the Aadhaar  system. Recently, UIDAI’s Chief Executive Officer (CEO), ABP Pandey was  accused of blocking twitter handles of prominent security researchers  and analysts who have been extensively reporting about vulnerabilities  in the Aadhaar system.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;One of the handles blocked was Saraph’s. “I do not know why they blocked me. I have been vocal about the problems associated with the UID and its use,” he said. He added that he served several &lt;a href="http://www.moneylife.in/article/resisting-violations-of-the-supreme-court-orders-on-aadhaar/49121.html," target="_blank"&gt;notices&lt;/a&gt; of contempt of court to the CEO of UIDAI and has been questioning the verification and audit of UID database. “Perhaps [he] was annoyed with my efforts to make them accountable and responsible,” he said.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;On  April 18, however, in a response to Right to Information (RTI) query  filed by Sushil Kambampati, UIDAI denied having blocked any twitter  handles. Almost immediately, it was called out on twitter for ‘lying’ in  the RTI response as many users claimed it had.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Saraph declared that such a move, the blocking of users asking  questions, was indicative of UIDAI’s cluelessness. Apar Gupta, a  Delhi-based lawyer working on cyber security, had told &lt;i&gt;Newslaundry &lt;/i&gt;that  it was unethical and unconstitutional of government bodies (such as the  UIDAI) to block people. He reiterated that in one of his tweets  recently.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Today, however, Pandey’s individual Twitter profile no longer exists. It has now been changed to “ceo_office”. CIS’s report states that the UIDAI has been pushing for more databases to get in sync with Aadhaar, but with little or no accountability. “While the UIDAI has been involved in proactively pushing for other databases to get seeded with Aadhaar numbers, they take a little responsibility in ensuring the security and privacy of such data,” the report reads. Kodali, however, told &lt;i&gt;Newslaundry &lt;/i&gt;that the report was not aimed at questioning the security of such seeding. “We’re not saying it is not really secure but we’re just saying it increases the risk factors,” he said.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;UIDAI has also not responded to several queries filed by vulnerability testers.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;i&gt;Newslaundry &lt;/i&gt;reached out to the UIDAI with the following questions:&lt;/p&gt;
&lt;ol style="text-align: justify; "&gt;
&lt;p&gt; &lt;/p&gt;
&lt;li&gt;&lt;i&gt; According to the report published, four government portals have  personally identifiable information of about 13 crore people including  their Aadhaar numbers and bank account details. What is being done about  this?&lt;/i&gt;&lt;/li&gt;
&lt;p&gt; &lt;/p&gt;
&lt;li&gt;&lt;i&gt; If a person's privacy has been breached, what are the steps UIDAI would take for redressal?&lt;/i&gt;&lt;/li&gt;
&lt;p&gt; &lt;/p&gt;
&lt;li&gt;&lt;i&gt; Is UIDAI investigating the 13 crore Aadhaar leaks?&lt;/i&gt;&lt;/li&gt;
&lt;p&gt; &lt;/p&gt;
&lt;li&gt;&lt;i&gt; The report states "When one of the url query parameters of website  showing the masked personal details was modified from “nologin” to  “login”, that is control access to login based pages were allowed  providing unmasked details without the need for a password." Is this  true, and if so, what is your statement?&lt;/i&gt;&lt;/li&gt;
&lt;li&gt;&lt;i&gt; How do you ensure data security on open data portals?&lt;/i&gt;&lt;/li&gt;
&lt;/ol&gt;
&lt;p style="text-align: justify; "&gt;This piece will be updated if and when they respond.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;While  UIDAI remains silent, A-G Rohatgi argued today that close to 10 lakh  PAN cards were found to be fake. "Are they propagating a general public  interest or propagating the fraud (fake PANs) which is going in," he  said at the court today while suggesting that Aadhaar was the only way  of preventing fake or duplicate cards.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Senior advocate Arvind  Datar, who is also appearing for one of the three petitioners in the  case said that the government could not take away his right to chose  whether or nor to have an Aadhaar. "The Supreme Court had directed them  that they cannot make it mandatory. The mandate of the Supreme Court can  not be undone. My right of not to have an Aadhaar can not be taken away  indirectly."&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Though there are problems with the Aadhaar system  and apparently very little redressal at the citizen’s end, Aadhaar is  here to stay. As Divan and Rohatgi argue the constitutionality of making  Aadhaar mandatory at the Supreme Court, the pertinent question that  only the UIDAI can answer is whether they are technologically capable of  keeping data secure given how aggressively Aadhaar linkage is being  promoted.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;However, Rohatgi's argument in court today, according to  a Business Standard report was that the government cannot destroy the  Aadhaar cards of people even after their death. Instead of being  reassuring, this only seems to increase the possibilities for identity  theft, as if there is little in the way of redressal mechanisms in life,  what choices do the dead have?&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;The author can be contacted on Twitter &lt;a href="https://twitter.com/shrutimenon10" target="_blank"&gt;@shrutimenon10&lt;/a&gt;.&lt;/b&gt;&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/news/newslaundry-shruti-menon-may-2-2017-uidai-remains-silent-on-aadhaar-leaks-of-users-through-govt-portals'&gt;https://cis-india.org/internet-governance/news/newslaundry-shruti-menon-may-2-2017-uidai-remains-silent-on-aadhaar-leaks-of-users-through-govt-portals&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>praskrishna</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Aadhaar</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2017-05-20T11:06:16Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/news/amar-bazar-patrika-may-2-2017-13-crore-aadhaar-leaked-due-to-poor-security-in-4-govt-websites">
    <title>13 crore Aadhaar records leaked from four government portals! Explosive claim in report</title>
    <link>https://cis-india.org/internet-governance/news/amar-bazar-patrika-may-2-2017-13-crore-aadhaar-leaked-due-to-poor-security-in-4-govt-websites</link>
    <description>
        &lt;b&gt;Crores of Aadhaar numbers and all associated information ‘leaked’ from government portals themselves!&lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;This was published by &lt;a class="external-link" href="http://abpananda.abplive.in/india-news/13-crore-aadhaar-leaked-due-to-poor-security-in-4-govt-websites-334778"&gt;Amar Bazar Patrika&lt;/a&gt; on May 2, 2017.&lt;/p&gt;
&lt;hr style="text-align: justify; " /&gt;
&lt;p style="text-align: justify; "&gt;অভিযোগ, গত কয়েক মাসে প্রায় ১৩ কোটি আধার  নম্বরের যাবতীয় ব্যক্তিগত ও সংবেদনশীল তথ্য ফাঁস হওয়ার ঘটনা ঘটেছে। আর এসবই  হয়েছে চারটি সরকারি পোর্টাল থেকে তথ্যপ্রযুক্তি সুরক্ষার ঘাটতির জেরে! যা  ঘিরে এখন তোলপাড় দেশ।&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;সম্প্রতি, এমনই বিস্ফোরক রিপোর্ট প্রকাশ  করেছে অলাভদায়ক সংগঠন সেন্টার ফর ইন্টারনেট অ্যান্ড সোসাইটি (সিআইএস)।  তাদের আশঙ্কা, চারটি সরকারি পোর্টালের মাধ্যমে ১০ কোটি মানুষের ব্যাঙ্ক  অ্যাকাউন্ট নম্বরও ফাঁস হয়ে থাকতে পারে।&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;সংস্থার দাবি, যে চারটি পোর্টাল থেকে এই  সব তথ্য ফাঁসের অভিযোগ, তার মধ্যে দু’টি অন্ধ্রপ্রদেশ সরকারের ওয়েবসাইট।  বাকি দুটি পোর্টাল হল ন্যাশনাল সোশ্যাল অ্যাসিস্ট্যান্স প্রোগ্রাম এবং  ন্যাশনাল রুরাল এমপ্লয়মেন্ট গ্যারান্টি স্কিম-এর।&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;এই গোটা ঘটনার জন্য ইউনিক আইডেন্টিফিকেশন  অথরিটি অফ ইন্ডিয়া বা ইউআইডিএআই–কেই দায়ী করেছে সিআইএস। তাদের দাবি, আধার  নিয়ন্ত্রক সংস্থার ‘দায়িত্বজ্ঞানহীনতার’ জন্যই এই উদ্ভুত পরিস্থিত সৃষ্টি  হয়েছে।&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;সিএনআই-এর আরও দাবি, বিভিন্ন সরকারি ও  বেসরকারি পোর্টাল—যারা আধার তথ্য ব্যবহার করে থাকে, তাদের নিজস্ব  সুরক্ষা-ব্যবস্থা খতিয়ে দেখেনি ইউআইডিএআই। ফলত, এই বিপত্তির সম্মুখীন কয়েক  কোটি মানুষ।&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;যদিও, ইউআইডিএআই -এর দাবি, তাদের ডেটাবেস থেকে কোনও তথ্য ফাঁস হয়নি।&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/news/amar-bazar-patrika-may-2-2017-13-crore-aadhaar-leaked-due-to-poor-security-in-4-govt-websites'&gt;https://cis-india.org/internet-governance/news/amar-bazar-patrika-may-2-2017-13-crore-aadhaar-leaked-due-to-poor-security-in-4-govt-websites&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>praskrishna</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Aadhaar</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2017-05-20T11:45:42Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/news/the-register-richard-chirgwin-may-3-2017-135-million-indian-government-payment-card-details-leaked">
    <title>135 MEELLION Indian government payment card details leaked</title>
    <link>https://cis-india.org/internet-governance/news/the-register-richard-chirgwin-may-3-2017-135-million-indian-government-payment-card-details-leaked</link>
    <description>
        &lt;b&gt;Legislation coming to beef up Aadhaar card privacy, security.&lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;The article by Richard Chirgwin was &lt;a class="external-link" href="https://www.theregister.co.uk/2017/05/03/135_million_aadhaar_indian_government_payment_card_details_leaked/"&gt;published in the Register &lt;/a&gt;on May 3, 2017.&lt;/p&gt;
&lt;hr style="text-align: justify; " /&gt;
&lt;p style="text-align: justify; "&gt;If you're enthused about governments operating large-scale online  identity projects, here's a cautionary tale: the Indian government's  eight-year-old Aadhaar payment card project has leaked a stunning 130 &lt;i&gt;million&lt;/i&gt; records.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Aadhaar's role in authenticating and authorising  transactions, and as the basis of the country's UID (unique  identification database) makes any breach a privacy nightmare.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;India's Centre for Internet and Society (CIS) made their estimate public in a &lt;a href="http://cis-india.org/internet-governance/information-security-practices-of-aadhaar-or-lack-thereof-a-documentation-of-public-availability-of-aadhaar-numbers-with-sensitive-personal-financial-information-1" target="_blank"&gt;report&lt;/a&gt; published on Monday.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;It's not that there was a breach related to Aahdaar  itself: rather, other government agencies were leaking Aadhaar and  related data they'd collected for their own purposes.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The research paper drilled down on four  government-operated projects: Andhra Pradesh's Mahatma Gandhi National  Rural Employment Scheme; the same state's workers' compensation scheme  known as Chandranna Bima; the National Social Assistance Program; and an  Andhra Pradesh portal of Daily “Online Payment Reports under NREGA”  maintained by the National Informatics Centre.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;In total, the CIS says, the portals leaked 135 million Aadhaar card records linked to around 100 million bank account numbers.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Given India's enthusiasm to try and eliminate cash,  it's a big deal: the Aadhaar card funnels benefits to recipients' linked  bank accounts. As the report states: “To allow banking and payments  using Aadhaar, banks and government departments are seeding Aadhaar  numbers along with bank account details”.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The centre says the leaks represent significant and  “potentially irreversible privacy harm”, but worse they also open up a  fraud-ready source of personal information.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Online databases examined by the CIS included “numerous instances” of Aadhaar Numbers, associated with personal information.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The Indian government responded through Aruna  Sundararajan, secretary at the Union Electronics and Information  Technology Ministry, who announced amendments to the country's IT  legislation to beef up the system's privacy and security.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;“Aadhaar has very strong privacy regulation built into it”, she &lt;a class="external-link" href="http://www.thehindu.com/news/national/new-it-rules-to-beef-up-aadhaar/article18357619.ece"&gt;told the Hindu&lt;/a&gt;, but it needs better enforcement.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Sundararajan said those issues will be addressed in the legislative amendments.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/news/the-register-richard-chirgwin-may-3-2017-135-million-indian-government-payment-card-details-leaked'&gt;https://cis-india.org/internet-governance/news/the-register-richard-chirgwin-may-3-2017-135-million-indian-government-payment-card-details-leaked&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>praskrishna</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Aadhaar</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2017-05-20T11:51:14Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/news/ndtv-may-3-2017-aadhaar-of-your-existence-or-card-of-controversy">
    <title>'Aadhaar' Of Your Existence Or Card Of Controversy? </title>
    <link>https://cis-india.org/internet-governance/news/ndtv-may-3-2017-aadhaar-of-your-existence-or-card-of-controversy</link>
    <description>
        &lt;b&gt;A recent report estimates that details of 13 crore Aadhaar card holders have been leaked from four government websites. These include bank account details, income levels, addresses, even caste and religion details.&lt;/b&gt;
        &lt;p&gt;This was &lt;a class="external-link" href="https://www.youtube.com/watch?v=xaY4WHrs-OQ"&gt;telecast by NDTV&lt;/a&gt; on May 3, 2017. Amber Sinha was a panelist.&lt;/p&gt;
&lt;hr /&gt;
&lt;p style="text-align: justify; "&gt;As the Supreme Court questioned the government about this, the centre  admitted for the first time that the leaks had taken place but passed  the onus on to state governments. It also argued that no technology was a  100 per cent foolproof but that couldn't be the basis for a  constitutional challenge. Those who have petitioned against making  Aadhar mandatory for filing income tax say no other democratic country  has such a requirement and allege that it shows the sinisterness of the  government.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Video&lt;/h3&gt;
&lt;p&gt;&lt;iframe frameborder="0" height="315" src="https://www.youtube.com/embed/xaY4WHrs-OQ" width="560"&gt;&lt;/iframe&gt;&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/news/ndtv-may-3-2017-aadhaar-of-your-existence-or-card-of-controversy'&gt;https://cis-india.org/internet-governance/news/ndtv-may-3-2017-aadhaar-of-your-existence-or-card-of-controversy&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>praskrishna</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Video</dc:subject>
    
    
        <dc:subject>Aadhaar</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2017-05-20T12:24:20Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>




</rdf:RDF>
