Skip to content

3

The government of India doesn't seem to be interested in getting security vulnerabilities fixed. A CS engineer, Bhavyanshu Parasher, has been spending his time understanding the current security standards deployed by the government of India in most of its data-critical apps and websites. Last year, in September, he disclosed a security flaw in Prime Minster Narendra Modi's web API that exposed user identifiable information like e-mail addresses and also that there was no proper authentication check for API endpoints. During that disclosure, he faced challenges because it was difficult for him to get in touch with concerned authorities. He mentioned on his blog that e-mail address mentioned on Google's Play Store were not working. We had to contact @buzzindelhi (the handle used by BJP's Arvind Gupta on Twitter) to help him get in touch with the concerned authorities.

"The e-mail address provided on Google's Play Store returned a response stating “The email account that you tried to reach is over quota”. Had to get in touch with authorities via Twitter."

Now, the same thing is happening again. He wants to disclose vulnerabilities in two major applications deployed by the Government of India but he is struggling to get in touch with the concerned authorities. He has published a post on his blog about it though he has not mentioned the specifics of the vulnerabilities yet, as he is hoping the government will patch them before he discloses them. However, this may be rendered moot, as our searches showed that at least one of the vulnerabilities has already been publicly disclosed, but not by Bhavyanshu. That security flaw is in an unpatched version of server software and there is a CVE assigned to it. Fix has been rolled out but developers are not aware of any of this. But then why wouldn't it be so? UIDAI website still uses SSLv2 and SHA1 encoding in a world where SSLv2 has been phased out for over a decade now, and even free SSL certificates like the one used on this site come with SHA2 encoding because SHA1 isn't considered secure. You can go to the UIDAI website and check this for yourself in your browser details for the SSL certificate.

UIDAI ssl fail
UIDAI SSL fail

Bhavyanshu sent emails on March 24 and then again on April 4, but he hasn't received any response. This time @buzzindelhi isn't showing much enthusiasm in getting the vulnerabilities fixed either. In response he just directed him to the public Twitter handle of Akhilesh Mishra (Director, myGov). Hardly an acceptable process for initiating discussion about security breaches!

https://twitter.com/buzzindelhi/status/714658965703958528

One would expect Mr. Mishra to contact Bhavyanshu immediately, but the truth is that even he isn't interested.There is, as yet, no reply from him.

It is cases like these which make the whole concept of Digital India look ugly. There are no dedicated e-mail addresses for security response teams. Official e-mail addresses don't work and the apps are poor on security. It is a goldmine for unethical hackers and a complete deterrent for ethical hackers who would like to help the government fix security leaks. There is no way for the researchers to get in touch with the concerned authorities. A concept like Digital India, without guaranteed user data security and user privacy, should not be promoted by the Government of India as it puts many people at risk.

Considering the complete lack of interest in securing the vulnerabilities, we cannot provide too many details. However, people looking to exploit government data would already have found these and would be using them by now. This isn't exactly rocket science. What data is vulnerable? Let us just say that I have seen e-mail addresses, Aadhaar numbers (where provided) and street addresses and can confidently say that a malicious hacker could write a script that replicates the data for all profiles. And before you think that such things are not done, just today, Madhu Menon posted a link to the hacked and leaked Turkish citizenship database.

A similar database of MyGov.in users could prove devastating to BJP, given that their supporters are disproportionately more likely to have signed up. And while Bhavyanshu stresses that he would not do it, it isn't outside the realm of belief that more malicious hackers not just could, but definitely would. And there seems to be no way to prevent this short of raising a public stink, because a government that claims to be interested in a Digital India does not seem to have the foggiest on digital security and the need to have developer teams rapidly rolling out fixes in the event vulnerabilities are found.

"Seems like the government doesn't have dedicated security team for projects that need immediate attention to security flaws. Instead, people who wish to disclose vulnerabilities have to rely on Twitter handles to get in touch with them. I am doing a lot of volunteer work like this because I like the concept of Digital India but I don't want it without data security and privacy. I have written a web app that will help eliminate this communication gap between researchers and authorities but whom to contact? Who are the concerned authorities after all? Don't give me another Twitter handle!" , Bhavyanshu told me when asked about the current status of vulnerability disclosure. He also pointed us to privacy policy of MyGov and why people should push government for better data security.

The page for MyGov.in on HackerOne - a bug bounty program by security leaders of top internet companies like Facebook, Microsoft and Google (that rewards hackers for finding and reporting vulnerabilities so that they can be fixed) says it all "There are no known guidelines for reporting potential security vulnerabilities to this organization." Even the fact that the app has no known process for reporting vulnerabilities is an immediate flag. It tells hackers that there is no one keeping an eye on it or worried about security. The most beginning programmer puts a working address on Google Play for contacting the developer. Yet, the official application of the largest democracy in the world fails to do it.

Contrast this with the Hack The Pentagon challenge that is actively rewarding hackers to break in and expose security vulnerabilities so that they can be fixed. This is the country where, a few days ago, our Prime Minister gave a speech at the nuclear summit on April Fool's Day explaining the need to fight terrorists using 21st century technology with modern technology.

Yet, his government seems supremely unconcerned about unauthorized access to confidential information. As the UK just saw, in a country that uses technology extensively, a security breach can be used as an attack vector, when hackers hack into the water supply and change the composition of chemicals put into the tap water. A more famous example to recall could be the Stuxnet worm that damaged Iran's nuclear facilities. Yep. Code resulting in real time damage to equipment. We have, in the past seen that banks too can be hacked. We have seen that election equipment can be rigged. What will it take for us to wake up before our money, our vote, our voice and even our physical location is compromised?

It is completely insane to push for a Digital India and inaugurate three websites a month without having the requisite push to secure the data that will now be vulnerable to theft, or facilities to access. If Digital India must be, then it must be preceded by a culture of taking technology seriously or the whole country will inevitably suffer.

MyGov privacy policy claims to protect user identifiable information. Below are the excerpts from their policy page.

1. "MyGov do not sell or share any personally identifiable information volunteered on this site to any third party (public/private). Any information provided on MyGov will be protected from loss, misuse, unauthorized access or disclosure, alteration, or destruction. MyGov gather certain information about the User, such as Internet protocol (IP) address, domain name, browser type, operating system, the date and time of the visit and the pages visited. MyGov make no attempt to link these addresses with the identity of individuals visiting our site unless an attempt to damage MyGov has been detected."
(https://mygov.in/simple-page/terms-conditions/)

2. "Please note that MyGov do not share any personally identifiable information volunteered on this site with any third party (public/private). Any information provided to this website will be protected from loss, misuse, unauthorized access, disclosure, alteration, or destruction."
(https://mygov.in/mygov-faq/)

Turns out that like many other things, this privacy policy is a jumla as well.

First of all, what is National Encryption Policy?

“Under Section 84A of Information Technology Act, 2000 Rules are to be framed to prescribe modes or methods for encryption”. So DeitY has framed a draft of such rules which will decide the future of how encrypted services are to be used or provided to users in India. The preamble in the draft clearly shows that they very well understand what encryption is meant to be used for. What they fail to understand is how it helps secure communication between two entities. The problem lies in the strategies stated in the draft. Let us break the draft into parts and try to analyze how exactly they can possibly ruin encrypted services and also how it will affect you.

  • (III Objectives i)) states “to protect privacy in information and communication infrastructure without unduly affecting public safety and National Security”. This is perfect but then they contradict themselves by saying (IV Strategies 4), “On demand, the user shall be able to reproduce the same Plain text and encrypted text pairs using the software/hardware used to produce the encrypted text from the given plain text. Such plain text information shall be stored by the user/organization/agency for 90 days from the date of transaction and made available to Law Enforcement Agencies as and when demanded in line with the provisions of the laws of the country”. Yeah, so what is wrong with this? Well, to answer this, let us take an example. You are currently using messaging services that encrypt data sent over network. You still have a sense of security that you can freely talk about things over the network without worrying that ISPs, private companies and the government are continuously monitoring/logging what you say. The problem arises when the private companies like your Internet service provider, government and even notorious hackers can misuse this data. What government has stated under “Strategies” is not exactly that but a different version of this. They don’t want to get rid of the encryption but want a backdoor access to the encrypted networks. This is not acceptable. By demanding this, they are putting critical data and infrastructure in danger. Why? Ask these questions to yourself. Can we trust the authorities to keep the keys and the data in “Plain text” safe from hackers? It is common that hackers target government organizations everyday to get their hands on information. Governments are easy targets for most hackers because they don’t invest enough resources in security. Can we trust the government employees with our data who can’t prevent hacks on government websites? The cost of such security breaches would be severe. Think if e-commerce companies are forced to keep currently encrypted data in plain text as well. Not challenging anyone’s security but knowing that hackers always find a way in, from experience, I can tell that I would probably never use e-commerce services again knowing they are storing critical data in plain text as well. Like me, many would not want to access such services ever. This will affect the economic growth. These services will lose users. If there is a security breach and hackers have access to data stored in “plain text”, people will think twice before using such services ever again. At least currently the data is encrypted. Even if hackers get in, there is still an extra layer of protection. They may or may not be able to decrypt the data easily. Of course it all depends on the methods used to encrypt such data. This is one of the major problems that I personally see with government asking services for back-doors.
  • (IV Strategies 5) states that “B/C groups (i.e. B2C, C2B Sectors) may use Encryption for storage and communication. Encryption algorithms and key sizes will be prescribed by the Government through Notification from time to time. All information shall be stored by the concerned B/C entity for 90 days from the date of transaction and made available to Law Enforcement Agencies as and when demanded in line with the provisions of the laws of the country. In case of communication with foreign entity, the primary responsibility of providing readable plain-text along with the corresponding Encrypted information shall rest on entity (B or C) located in India”. The entity B is any business and commercial private or public bodies providing encrypted services and entity C includes every citizen. This is completely broken. They say that all information should be stored by concerned B/C entity for 90 days from the date of transaction. How can they expect citizens to store such information? What if the hackers hack into anyone under “C” entity and gets access to that information. In that case, who will be held responsible? Will the government take responsibility because they demand users to store such important information for 90 days? Moreover, they are clearly saying that they will be the ones to dictate what encryption algorithms to use and what should be the size of the key. This will cause problems to any business on the technical front. What if their business wants to use a different encryption algorithm because it suits their requirements better? Now the government will decide how you should do business and the technology used behind your encrypted network? That’s why this is completely broken.
  • The most absurd point, according to me, (IV Strategies 7), states that “Users within C group (i.e. C2C Sector) may use Encryption for storage and communication. Encryption algorithms and key sizes will be prescribed by the Government through Notification from time to time. All citizens (C), including personnel of Government/Business (G/B) performing non-official/personal functions, are required to store the plain-texts of the corresponding encrypted information for 90 days from the date of transaction and provide the verifiable Plain Text to Law and Enforcement Agencies as and when required as per the provision of the laws of the country”. This is a horrible strategy to propose. See, C group contains every citizen. So this clearly applies to communication between two citizens. Now let us take an example. I encrypt most of my emails with PGP and now according to the above stated strategy, the government can tell me to stop using PGP and use something else or they can also tell me to reduce the size of the key. This will only make my data more vulnerable. There is a reason why PGP exists. I use it so I can be sure that the email is only read by the person whom I grant access to. No matter what network it passes through, no one else will be able to read that data. I have this sense of security right now. The point 7 even takes away that from me.
  • (V Regulatory Framework 1), states that “while seeking registration, the vendors shall submit working copies of the encryption software/hardware to the Government along with professional quality documentation, test suites and execution platform environments”. This is very stupid. Why? See, if some xyz organization has some patented or closed source encryption technology, the government cannot just ask them disclose every detail of the encryption technology. The government will have to get a license from the organization to get each and every detail of how the encryption is implemented. Think about the cost. Secondly, the more problematic situation is that what if such details land up in the hands of competitors? Bam! that will expose your whole security infrastructure to competing company. That can happen. How can you rule out such possibility when you know more than one organization has all this information stored somewhere? Whom can you trust?
  • (V Regulator Framework 3), states that “The vendors of encryption products or service providers offering encryption services shall necessarily register their products / services with Government for conducting business in the country”. So most of the services will probably not wanna do business in India because of above stated reasons. Now you only decide if it’s going to affect the economy or not.
  • Lastly, (V Regulator Framework 5), states “Users in India are allowed to use only the products registered in India”. Well, say goodbye to VPN services. You see what they did there?

I am just an engineer. I am stating my opinion on this because I think it will affect me a lot. Your comments on this are welcome and hope we can have a healthy discussion on this. This will ultimately affect you and how you use Internet services. Hence, this is a crucial matter and everyone from tech should participate in this.

[Update - September 21]

New exemptions to DeitY policy
New exemptions to DeitY policy

All those who are saying that the proposed addendum exempts social media apps, messaging apps, etc., have clearly not read the addendum point 1 carefully. It states that “mass use encryption products” are exempted from the NEP. The “mass use encryption products” definitely does not include copyright crypto algorithms/proprietary encryption products owned by respective companies. So it does not clarify anything but only adds to the problems.

I am just an engineer. I am stating my opinion on this because I think it will affect me a lot. Your comments on this are welcome and hope we can have a healthy discussion on this. This will ultimately affect you and how you use Internet services. Hence, this is a crucial matter and everyone from tech should participate in this.

Originally published by Bhavyanshu Parasher here.

 

4

"While governments can impose curfew to bring 'offline' life to a halt in times of emergency, why is it unacceptable to do so 'online'?" asked @pragmatic_d

This obviously refers to the government's increasing inclination to police internet use in India in the name of security. The question was the trigger for months and months of thoughts to fall into place.

I wouldn't complain of enforced outage or restrictions of all internet use in an emergency - for example, like the 26/11 attack - though it would only add panic. Say by throttling upload speed very low, so that information can be accessed, but not passed in order to attempt to cut off communication that could aid terrorists. But this is about an emergency. The circumstances must be of a nature that necessitates it. And the call would be a security call - from the cops or Army rather than the government and certainly not in the form of a proposed law for use any time at the discretion of the government.

At the foundation of this dilemma lies the question of credibility and authority. The online life is structured differently from the offline life. They both have their advantages over the other and disadvantages, but mainly, it is about them being distinct from each other in terms of social structure.

I see several aspects to this:

Freedom of Speech and Equality

The online world doesn't recognize boundaries of states. Connections form across the globe in its natural state of being. The expectation is that people meet as equals. Differences in freedom of speech will be experienced and perceived as inequality and injustice. It will be a blot on the human rights record of that country.

Of course, as long as machines exist physically and networks rely on communication services, they can be throttled - like China, for example. But that is more like taking a chunk out rather than influencing the nature of the web.

Right and Responsibility

The general idea of accepting the restrictions or rules imposed by an authority is a psychological exchange for the protection and maintenance of environment by that authority. This is not true on the internet. The government is incapable of ensuring protection - be it social (trolls, slander, etc), information security (viruses, hacking, attacks, etc) or financial (scams, fraudulent billing/transactions, etc). It is unclear what advantage conformity will bring to the netizen for the restrictions it places.

Colonial thinking versus democracy

For a netizen to give up freedoms for a vaguely described possibility in the real world doesn't cut it. It is colonial thinking to expect one world to give up for the convenience/whim of another. For it to be democratic, it would need to have a buy in by the netizens. Such a buy in has never even been attempted or considered. And yes, the "worlds" are different enough that rules can't simply be imposed and accepted across them.

Authority

An authority is generally considered as one with enough knowledge and/or power to be capable and credible as a decision maker and enforcer for all it controls. Or the control breaks. The Indian government hasn't shown any kind of competence in the virtual world. Neither is it influential in terms of leading thought (and thus power), nor is it competent enough to hold its own in terms of security. Government websites are routinely hacked and not just hacked, but hacked using the same flaw again - which simply never got fixed... what command can be claimed, that people can follow?

For example, Google, Twitter, Facebook, WordPress, W3C, Microsoft, Apple, Wikipedia, and such popular sites are a more realistic "authority", because the value they provide gives them tremendous following and thus they actually have teeth to ban or bar something and actually expect it to hurt.

Disproportionate effort for result

This, of course is more social boycott than censorship, but censorship itself is near impossible to enact on the net. There are ways over, under, around, through... data is fluid. And a person silenced tends to speak out and use different strategies. It would take disproportionately large force to even create an adequately dampened effect and would be too easy to find a new way around it - in other words, a battle guaranteed to be lost on any magnitude worth making a law for.

The US failure to make Wikileaks disappear on the net should be a learning point for this.

Relevant Authority

The government doesn't investigate, monitor or collect intelligence. We have agencies for that. Agencies that get their sites hacked routinely and mostly don't have enough computers to begin with. Why does the government need access to my information? I don't see any reason why the government should be initiating this at all, without people who might actually need this access first making such requirements known. This makes me suspicious that this is more of an access to power to control rather than a legitimate intelligence need.

Vague, all encompassing access

Passwords are encrypted, access to bank accounts, email, and many other things is encrypted for security. It is beyond irresponsible to say we want access to unencrypted everything. Either irresponsible, or ignorant of the nature of their own demand.

Trust

There is no trust for the government's intent or ability. The government has consistently and unhesitatingly used all power it has access to at will and with disregard for the citizen's wishes, and often in harm for the citizens. It makes absolutely no sense to agree to give it power over personal information. That would be masochistic.

It would be too simple for the government to victimize people by using their personal information. Ugly thoughts coming to mind include electoral rolls in the hands of the killers of Sikhs in 1984 on an extreme level, or accessing private information to harass RTI activists asking inconvenient questions... for example.

There is also lack of trust in the government's ability to safeguard the access to data that it has. If the government's security systems are so easily breached, what is to say that they won't be used as information backdoors - or even sold, seeing our propensity for scams? Would the government, in its current state of cluelessness even know how to troubleshoot security?

Moral Policing and Political Suppression

There are already signs of the internet being censored to suit taste and interfere with freedom of information. For example Savita Bhabhi is blocked, while most porn sites are accessible, or reports from Google of requests for censorship of dissent or criticism of politicians from the ruling party. This is different from - say - all terrorist websites or child pornography being blocked - which is something few will have a problem with. Even with what they can do at the moment, there are signs of irresponsible and self-serving use of censorship.

To extend it to being able to persecute all bloggers at will - for example - for having content or even comments that are perceived as being against National interest would be a disservice to the Constitution of our country and Freedom of Media. It is also ironic that in a country where media is free, but perceived as sold to power lobbies, a law like this will threaten the smaller independent media - which indeed is what blogs and social networking sites are - and will serve to complete the destruction of free speech and freedom of media at the hands of vested interests (government included).

For example, this blog could be declared anti-national for its constant and multi-faceted criticism of existing systems in the country. It is not, but then, the proposed law is vague enough for subjective interpretation to be used. It would become possible to coerce me into ignoring certain subjects or tempering certain opinions at the cost of losing the entire readership from the country I am writing for. In other words, it would be possible to silence me if someone in the government didn't like what I said. There may be ways for such a law to edge around it in the constitution, but it is obvious to anyone that it will violate the spirit of the constitution in any democracy.

But really, it boils down to Freedom of Speech and the inherent wrong for the state to have unquestioning access to the personal life of anyone, or the capacity to control or silence anyone.

I think the government should abandon this idea completely, and first make the internet a widespread and excellent quality phenomenon in the country. Make it so that Indians don't find Californian servers better and cheaper than Indian ones. Shift to IPv6. Create a learning environment for cutting edge security and intellectual capital on the internet. Have an official interactive presence with its citizens, and then try and influence reforms, engage with and resolve dissent or simply provide a countering view and leave it to citizens to educate themselves - like in offline life.

It is a continuing failure of our government to engage with people and to substitute laws for social intervention and engagement with dissent to find solutions. This power will not help. It will harm and make the problem less visible, but far more dangerous.

As I read the Wikileaks and newspapers on Kashmir and a hundred other places, one big thing stands out.

Where the human rights suffer, the wars are exercises in frustration. An Army hurting civilians is an Army actively creating enemies and making its own job harder. It seems tempting to ignore abuses. Who would know unless we told them that x number of civilians died? Why demoralize soldiers by punishing them?

Yet, we see over and over. Other civilians know. And they take opportunities to strike back. They may appreciate the purpose of the Army, but it becomes less important than finding justice. If they fail, eventually, the purpose becomes undesirable, and a thirst for unending 'justice' builds up.

In Kashmir, the Indian Army is doing a magnificent job of maintaining security. For all that it is the most militarized zone in the world, it is an enduring operation, one that has actually caused less casualties for comparable scope than anywhere else in the world. Yet, what is it that the people remember? What is it that drives the Kashmiris to fall victim to Pakistan sponsored elements trying to destabilize the region? Listen to the protests. Their people got killed, and the perpetrators got away with it. They don't believe that India has their safety in mind.

If we read the Wikileaks, we see the Pakistani Army doing similar things in Swat and Balochistan. Civilians killed feeds the Taliban, soldiers killed feeds revenge killings. Unending conflict that feeds itself.

Earlier Wikileaks describe similar issues in Afghanistan and Iraq. Human history is filled with stories like this, with one common factor. It is overwhelmingly difficult to violate human rights and win.

I think it is high time human rights violations were ruthlessly proscecuted, because failing to do that will only explode war expenses on a purely un-emotional level and increase unnecessarily all the grief and devastation of war for people who were not the real targets to begin with.