Skip to content

2

On August 24th 2017, WikiLeaks published secret documents from the ExpressLane project of the CIA pertaining to the cyber operations the OTS (Office of Technical Services), a branch within the CIA conducts against liaison services. The OTS provides a biometric collection system to liaison services around the world with the expectation for sharing of the biometric takes collected on the systems. Additionally, the CIA has developed ExpressLane - a covert information collection tool to secretly exfiltrate data collections from these systems without the knowledge of the vendors as well.

ExpressLane installs and runs covertly behind a benign splash screen indicating a software upgrade and is used when OTS agents perform on site upgrades on the biometric system. The installation raises no suspicions other than the minor notices which don't appear to be out of the ordinary for a software installation.

The core components of the OTS system are based on products from Cross Match, a US company specializing in biometric software for law enforcement and the Intelligence Community. The company hit the headlines in 2011 when it was reported that the US military used a Cross Match product to identify Osama bin Laden during the assassination operation in Pakistan. This company also provides biometrics collection systems for UIDAI's Aadhaar in India.

The response to these revelations in India has been astonishingly muted. A foreign government having access to confidential and highly accurate information on citizens of India amounts to an attack on India's sovereignty. The existence of Aadhaar itself now becomes a government sanctioned weapon against the country and citizens. The Aadhaar must be destroyed.

The few reports in media restrain themselves to very conservative reporting of the actual leaks without committing themselves to stating the implications for the country. This too is concerning, because it indicates an inadequate comprehension of how tech works in the media and renders the media toothless when it comes to providing public oversight on the highly insecure progression of the Digital India project.

On its part, the UIDAI has issued its standard voodoo denials. No explanations, no data, no alarm, no need for any investigations, nothing. Assurances that "all is well, don't worry" is all the UIDAI appears to have on any of the mounting concerns about the Aadhaar being illegally imposed on the citizens of India with blatant disregard to repeated orders of the Supreme Court. And of course, flat out lies - the hallmark of anything supported by the Modi government. Here are some claims debunked.

Aadhaar system has stringent security features to prevent any unauthorised transmission of data.

And here we thought UIDAI filed a case against Abhinav Srivastava, co-founder ofQarth Technologies Pvt. Ltd, who released an entire app that made unauthorized use of Aadhaar data e-kyc, then let him go, because he didn't have bad intentions. And oh, they complained about unauthorized access and then also claimed that no data was breached. We get it. There was no breach. He was using an authorized api without being authorized. No breach. Just reading news on the UIDAI is enough to give anyone who understands tech security high blood pressure.

No, Aadhaar most certainly doesn't have stringent security features to prevent unauthorized transmission of data. Aadhaar devices were not even encrypted till well after UIDAI started claiming 90% enrolment across the country (another dubious claim, for another day).

“Some vested interests are trying to spread misinformation that since ‘Cross Match’ is one of many devices which are being used in biometric devices by various registrars and agencies in Aadhaar ecosystem, the biometrics being captured for Aadhaar are allegedly unauthorisedly accessed by others.”

This is complete bullshit. The vast majority of people objecting to Aadhaar have nothing to gain from its failure (other than national and personal security). In contrast, the vast majority of people defending Aadhaar without any data, independent audit, robust explanations of technology and worse are invariably employed by UIDAI or its affiliates or have founded them (or, in a recent trend, are anonymous handles - I wonder who, other than Sharad Sharma could be behind those). Where is the misinformation in CIA being a spy agency, or it being known to engage in illegal and digital spying or it being known to subvert democratic governments in countries? Where is the "misinformation" in a leak of secret documents on a site that so far has never been questioned on the authenticity of leaked information it publishes?

Aadhaar biometric capture system has been “developed within our own country and it has adequate and robust security features to prevent any possibility of any such unauthorised capture and transmission of data regardless of any biometric device that may be used”.

This statement can be true, only if the UIDAI spokesman is a US national, because even the UIDAI website offers driver downloads for Cross Match and L-1 devices. The same Cross Match and L-1 that have apparently got biometric capture systems from the OTS branch of CIA on the understanding of data sharing. And the Express Lane is the data theft on top of that.

“In addition, there are many other rigorous security features and processes within UIDAI ensuring that no biometric data of any individual is unauthorized accessed by anyone in any manner whatsoever,”

This is a breathtaking lie, because the CONTRACT UIDAI had with L-1 Identity Solutions Operating Co Pvt Ltd, Morpho and Accenture Services Pvt Ltd, says that the company was given Aadhaar data access "as part of its job". This contract has also been reported and objected to in the past and on this blog as well in 10 big problems with the Aadhaar UID card project.

Golden rule in C-Sec is: If physical access is compromised, everything is gone. Wikileaks talks about physical access. It is about installing a backdoor on the source where biometric is acquired at the device driver level. Encryption argument is useless in that case. But encryption != Security.

(update: UIDAI has made some vodoo argument about how access is secured on UIDAI premises and what not. It is nonsense. Aadhaar data is collected out in the real world where the espionage would be happening. Whether UIDAI pickles the data or freezes in some on premises further access to foreign companies it makes no difference to that)

How much Aadhaar data and how much access do foreign BSPs have?

And this information is from an RTI filed by Col. Thomas, that the BSP (Biometric Service Provider) "may have access to personal data of the purchaser (UID), and/or a third party or any resident of India..." Further, Clause 3, which deals with privacy, says that the BSP could "collect, use, transfer, store and process the data".

Excerpt from UIDAI contract with Biometric Service providers
Excerpt from UIDAI contract with Biometric Service providers

In other words, the UIDAI has been deliberately undermining Indian security using Indian funds and flat out lying about its activities. The entire organization must be dismantled and its leaders investigated.

Long overdue news. Wikileaks, which had gotten targeted in many ways by the US government over its exposes of war crimes was literally being starved of funds by the refusal of credit card companies to process donations to them. This Press Release from them is very good news. Strike one for whistleblowers!

In a case against Valitor, formerly VISA Iceland, Reykjavík District Court just ruled the company had violated contract laws by blocking credit card donations to Wikileaks. After WikiLeaks' publications revealing U.S. war crimes and statecraft in 2010, U.S. financial institutions, including VISA, MasterCard, Bank of America, erected a banking blockade against WikiLeaks wholly outside of any judicial or administrative process. The blockade stripped away over 95% of donations from supporters of WikiLeaks, costing the organization in excess of USD 20M.

The court ruled that the donation gateway should be reopened within 14 days otherwise Valitor will be penalized with a fine of 800 000 ISK daily. WikiLeaks is persuing several actions against the blockade and a European Commission preliminary investigation into the blockade was started last July. A Commission decision on whether to pursue the financial services companies involved in the blockade is expected before the end of August.

WikiLeaks founder Julian Assange, said "This is a significant victory against Washington's attempt to silence WikiLeaks. We will not be silenced. Economic censorship is censorship. It is wrong. When it's done outside of the rule of law its doubly wrong. One by one those involved in the attempted censorship of WikiLeaks will find themselves on the wrong side of history."

I had said when the persecution of Wikileaks began that India was walking down the wrong path. How i had hoped that mine could be the country to offer Assange asylum. At least with this news, other, more ethical countries may take the chance...

I am utterly disgusted (as usual) with the obsession with rhetoric among Indian newspapers and politicians. NONE of the Indian newspapers quote any actual cables saying anything - only claims that "wikileaks says". This is journalism?

The news with the real concerns has less focus than gossip about politicians. Of course, with out "Made in US" understanding of ourselves and the world, it is more important to know what Rahul Gandhi told US diplomats about Hindu terrorism or what the US diplomats thought of Sonia Gandhi's leadership. Congress moves on to calling wikileaks a conspiracy, while BJP is out for Rahul Gandhi's blood saying that he speaks for Pakistan.

In the meanwhile, how many people have paid attention to the detailed perspective we got on Kashmir? Reports of Red Cross concerns with numbers of prisoners suffering from different kinds of torture are met with zero accountability. The media doesn't attempt to even question the government on this matter, nor do we hear any political statement other than denial.

The only newspaper to remotely have some ethics of journalism left seems to be the Hindu. This is the time for an ordinary citizen to ask why is he not provided the information from the cables in the words of the diplomats themselves? Why all this indirect reporting, why all the rhetoric without knowing what it is about?

If the government has asked for this kind of censorship, on whose authority? If the news agencies are doing it themselves, why are they calling themselves newspapers or news channels? Might as well call them propaganda and publicity and increase their readership because supporters will buy them based on political affiliations, and opposers will buy to keep an eye, no?

Is this journalism? FAIL!

As I read the Wikileaks and newspapers on Kashmir and a hundred other places, one big thing stands out.

Where the human rights suffer, the wars are exercises in frustration. An Army hurting civilians is an Army actively creating enemies and making its own job harder. It seems tempting to ignore abuses. Who would know unless we told them that x number of civilians died? Why demoralize soldiers by punishing them?

Yet, we see over and over. Other civilians know. And they take opportunities to strike back. They may appreciate the purpose of the Army, but it becomes less important than finding justice. If they fail, eventually, the purpose becomes undesirable, and a thirst for unending 'justice' builds up.

In Kashmir, the Indian Army is doing a magnificent job of maintaining security. For all that it is the most militarized zone in the world, it is an enduring operation, one that has actually caused less casualties for comparable scope than anywhere else in the world. Yet, what is it that the people remember? What is it that drives the Kashmiris to fall victim to Pakistan sponsored elements trying to destabilize the region? Listen to the protests. Their people got killed, and the perpetrators got away with it. They don't believe that India has their safety in mind.

If we read the Wikileaks, we see the Pakistani Army doing similar things in Swat and Balochistan. Civilians killed feeds the Taliban, soldiers killed feeds revenge killings. Unending conflict that feeds itself.

Earlier Wikileaks describe similar issues in Afghanistan and Iraq. Human history is filled with stories like this, with one common factor. It is overwhelmingly difficult to violate human rights and win.

I think it is high time human rights violations were ruthlessly proscecuted, because failing to do that will only explode war expenses on a purely un-emotional level and increase unnecessarily all the grief and devastation of war for people who were not the real targets to begin with.