And here we thought UIDAI filed a case against Abhinav Srivastava, co-founder ofQarth Technologies Pvt. Ltd, who released an entire app that made unauthorized use of Aadhaar data e-kyc, then let him go, because he didn’t have bad intentions. And oh, they complained about unauthorized access and then also claimed that no data was breached. We get it. There was no breach. He was using an authorized api without being authorized. No breach. Just reading news on the UIDAI is enough to give anyone who understands tech security high blood pressure. No, Aadhaar most certainly doesn’t have stringent security features to prevent unauthorized transmission of data. Aadhaar devices were not even encrypted till well after UIDAI started claiming 90% enrolment across the country (another dubious claim, for another day).
Aadhaar system has stringent security features to prevent any unauthorised transmission of data.
This is complete bullshit. The vast majority of people objecting to Aadhaar have nothing to gain from its failure (other than national and personal security). In contrast, the vast majority of people defending Aadhaar without any data, independent audit, robust explanations of technology and worse are invariably employed by UIDAI or its affiliates or have founded them (or, in a recent trend, are anonymous handles – I wonder who, other than Sharad Sharma could be behind those). Where is the misinformation in CIA being a spy agency, or it being known to engage in illegal and digital spying or it being known to subvert democratic governments in countries? Where is the “misinformation” in a leak of secret documents on a site that so far has never been questioned on the authenticity of leaked information it publishes?
“Some vested interests are trying to spread misinformation that since ‘Cross Match’ is one of many devices which are being used in biometric devices by various registrars and agencies in Aadhaar ecosystem, the biometrics being captured for Aadhaar are allegedly unauthorisedly accessed by others.”
This statement can be true, only if the UIDAI spokesman is a US national, because even the UIDAI website offers driver downloads for Cross Match and L-1 devices. The same Cross Match and L-1 that have apparently got biometric capture systems from the OTS branch of CIA on the understanding of data sharing. And the Express Lane is the data theft on top of that.
Aadhaar biometric capture system has been “developed within our own country and it has adequate and robust security features to prevent any possibility of any such unauthorised capture and transmission of data regardless of any biometric device that may be used”.
This is a breathtaking lie, because the CONTRACT UIDAI had with L-1 Identity Solutions Operating Co Pvt Ltd, Morpho and Accenture Services Pvt Ltd, says that the company was given Aadhaar data access “as part of its job“. This contract has also been reported and objected to in the past and on this blog as well in 10 big problems with the Aadhaar UID card project. Golden rule in C-Sec is: If physical access is compromised, everything is gone. Wikileaks talks about physical access. It is about installing a backdoor on the source where biometric is acquired at the device driver level. Encryption argument is useless in that case. But encryption != Security. (update: UIDAI has made some vodoo argument about how access is secured on UIDAI premises and what not. It is nonsense. Aadhaar data is collected out in the real world where the espionage would be happening. Whether UIDAI pickles the data or freezes in some on premises further access to foreign companies it makes no difference to that)
“In addition, there are many other rigorous security features and processes within UIDAI ensuring that no biometric data of any individual is unauthorized accessed by anyone in any manner whatsoever,”