<link rel="stylesheet" href="//fonts.googleapis.com/css?family=Open+Sans%3A400italic%2C700italic%2C400%2C700">Internet in India Archives « Aam JanataSkip to content

2

On August 24th 2017, WikiLeaks published secret documents from the ExpressLane project of the CIA pertaining to the cyber operations the OTS (Office of Technical Services), a branch within the CIA conducts against liaison services. The OTS provides a biometric collection system to liaison services around the world with the expectation for sharing of the biometric takes collected on the systems. Additionally, the CIA has developed ExpressLane - a covert information collection tool to secretly exfiltrate data collections from these systems without the knowledge of the vendors as well.

ExpressLane installs and runs covertly behind a benign splash screen indicating a software upgrade and is used when OTS agents perform on site upgrades on the biometric system. The installation raises no suspicions other than the minor notices which don't appear to be out of the ordinary for a software installation.

The core components of the OTS system are based on products from Cross Match, a US company specializing in biometric software for law enforcement and the Intelligence Community. The company hit the headlines in 2011 when it was reported that the US military used a Cross Match product to identify Osama bin Laden during the assassination operation in Pakistan. This company also provides biometrics collection systems for UIDAI's Aadhaar in India.

The response to these revelations in India has been astonishingly muted. A foreign government having access to confidential and highly accurate information on citizens of India amounts to an attack on India's sovereignty. The existence of Aadhaar itself now becomes a government sanctioned weapon against the country and citizens. The Aadhaar must be destroyed.

The few reports in media restrain themselves to very conservative reporting of the actual leaks without committing themselves to stating the implications for the country. This too is concerning, because it indicates an inadequate comprehension of how tech works in the media and renders the media toothless when it comes to providing public oversight on the highly insecure progression of the Digital India project.

On its part, the UIDAI has issued its standard voodoo denials. No explanations, no data, no alarm, no need for any investigations, nothing. Assurances that "all is well, don't worry" is all the UIDAI appears to have on any of the mounting concerns about the Aadhaar being illegally imposed on the citizens of India with blatant disregard to repeated orders of the Supreme Court. And of course, flat out lies - the hallmark of anything supported by the Modi government. Here are some claims debunked.

Aadhaar system has stringent security features to prevent any unauthorised transmission of data.

And here we thought UIDAI filed a case against Abhinav Srivastava, co-founder ofQarth Technologies Pvt. Ltd, who released an entire app that made unauthorized use of Aadhaar data e-kyc, then let him go, because he didn't have bad intentions. And oh, they complained about unauthorized access and then also claimed that no data was breached. We get it. There was no breach. He was using an authorized api without being authorized. No breach. Just reading news on the UIDAI is enough to give anyone who understands tech security high blood pressure.

No, Aadhaar most certainly doesn't have stringent security features to prevent unauthorized transmission of data. Aadhaar devices were not even encrypted till well after UIDAI started claiming 90% enrolment across the country (another dubious claim, for another day).

“Some vested interests are trying to spread misinformation that since ‘Cross Match’ is one of many devices which are being used in biometric devices by various registrars and agencies in Aadhaar ecosystem, the biometrics being captured for Aadhaar are allegedly unauthorisedly accessed by others.”

This is complete bullshit. The vast majority of people objecting to Aadhaar have nothing to gain from its failure (other than national and personal security). In contrast, the vast majority of people defending Aadhaar without any data, independent audit, robust explanations of technology and worse are invariably employed by UIDAI or its affiliates or have founded them (or, in a recent trend, are anonymous handles - I wonder who, other than Sharad Sharma could be behind those). Where is the misinformation in CIA being a spy agency, or it being known to engage in illegal and digital spying or it being known to subvert democratic governments in countries? Where is the "misinformation" in a leak of secret documents on a site that so far has never been questioned on the authenticity of leaked information it publishes?

Aadhaar biometric capture system has been “developed within our own country and it has adequate and robust security features to prevent any possibility of any such unauthorised capture and transmission of data regardless of any biometric device that may be used”.

This statement can be true, only if the UIDAI spokesman is a US national, because even the UIDAI website offers driver downloads for Cross Match and L-1 devices. The same Cross Match and L-1 that have apparently got biometric capture systems from the OTS branch of CIA on the understanding of data sharing. And the Express Lane is the data theft on top of that.

“In addition, there are many other rigorous security features and processes within UIDAI ensuring that no biometric data of any individual is unauthorized accessed by anyone in any manner whatsoever,”

This is a breathtaking lie, because the CONTRACT UIDAI had with L-1 Identity Solutions Operating Co Pvt Ltd, Morpho and Accenture Services Pvt Ltd, says that the company was given Aadhaar data access "as part of its job". This contract has also been reported and objected to in the past and on this blog as well in 10 big problems with the Aadhaar UID card project.

Golden rule in C-Sec is: If physical access is compromised, everything is gone. Wikileaks talks about physical access. It is about installing a backdoor on the source where biometric is acquired at the device driver level. Encryption argument is useless in that case. But encryption != Security.

(update: UIDAI has made some vodoo argument about how access is secured on UIDAI premises and what not. It is nonsense. Aadhaar data is collected out in the real world where the espionage would be happening. Whether UIDAI pickles the data or freezes in some on premises further access to foreign companies it makes no difference to that)

How much Aadhaar data and how much access do foreign BSPs have?

And this information is from an RTI filed by Col. Thomas, that the BSP (Biometric Service Provider) "may have access to personal data of the purchaser (UID), and/or a third party or any resident of India..." Further, Clause 3, which deals with privacy, says that the BSP could "collect, use, transfer, store and process the data".

Excerpt from UIDAI contract with Biometric Service providers
Excerpt from UIDAI contract with Biometric Service providers

In other words, the UIDAI has been deliberately undermining Indian security using Indian funds and flat out lying about its activities. The entire organization must be dismantled and its leaders investigated.

Press release
12 May 2012

INDIA

Two cyber-activists end fast but campaign against IT Rules gathers  pace  <http://fr.rsf.org/two-cyber-activists-end-fast-but-12-05-2012,42614.html>

More than a year after they came into force, Reporters Without Borders reiterates <http://en.rsf.org/inde-media-freedom-threatened-by-19-04-2012,42334.html> its demand for the repeal of India’s information technology regulations, known as the IT Rules 2011, as activists and Internet users rally to the Save Your Voice <https://www.facebook.com/saveyourvoice> campaign against these repressive measures.

Two of the movement’s campaigners, the cartoonist *Aseem Trivedi* and the citizen journalist *Alok Dixit*, were forced today to end a hunger strike they began on 2 May. Their health had deteriorated considerably and they were hospitalized.

“We have just ended the hunger protest, but not the struggle,” <http://art-leaks.org/> they were quoted as saying. They are demanding the repeal of the IT Rules and support a motion to this effect proposed by Shri. P. Rajeev, a member of the Rajya Sabha, the upper house of the Indian parliament. The motion was due to be discussed on 11 May but was postponed until a later session.

The IT Rules 2011 <http://en.rsf.org/inde-new-rules-reinforce-internet-19-05-2011,40317.html> were adopted in April last year as an addition to the 2000 Information Technology Act, which was amended in 2008. They require Internet companies to withdraw any content deemed objectionable, particularly if its nature is “defamatory,” “hateful,” “harmful to minors,” or “infringes copyright” within 36 hours of being notified by the authorities, or face prosecution.

“This has turned technical intermediaries into Web censorship police informants,” Reporters Without Borders said. Although some content categories are justifiably objectionable, other more vague or subjective definitions could jeopardize informational content.”

The IT Rules also impose on cybercafé owners drastic regulations that violate personal data privacy and place a presumption-of-guilt burden on all Indian netizens.

India <http://en.rsf.org/india-india-12-03-2012,42074.html> was added in March to the list of countries under surveillance in Reporters Without Borders’ latest report on Internet Enemies.

Read online <http://fr.rsf.org/two-cyber-activists-end-fast-but-12-05-2012,42614.html>

1

Aseem Trivedi and Alok Dixit from Save Your Voice completed the third day of their hunger strike to support annulment motion against IT Rules-2011 in Rajya Sabha. We started this hunger strike on 2nd May and we will carry on until we get any satisfactory response from the government and the opposition regarding the annulment of IT Rules-2011.

Government has enacted laws that give it a free pass to censor our Facebook posts, listen to every Skype conversation we have, monitor our tweets or blogs oraccess private photographs and documents we store online, or track our location using our mobile phones or surveil all of your online activity. We want to tell our government that they cannot use vaguely defined laws and loopholes to take away our freedom of speech and expression.

IT Acts are unconstitutional: On 11th April 2011, the Government notified the new Information Technology (Intermediaries Guidelines) Rules, 2011 prescribing various guiding principles to be observed by all internet related companies. These rules will:

  1. Lead to a clamp down on the freedom of speech and expression enshrined in the Constitution of India by providing for a system of censorship/self-censorship by private parties;
  2. Adversely affect the right to privacy of citizens by allowing Government agencies to access their information;
  3. Will severely hamper the growth of internet penetration in India, and consequently lead to a slowdown of economic growth;
  4. Limit the growth of various IT related industries and services (in particular cyber cafes, search engines and bloggers).

In addition, mandatory data retention would force the Internet Service Provider to create vast and expensive new databases of sensitive information about an individual. That information would then be available to the government, in secret and without any court oversight.

Annulment Motion in Rajya Sabha: Sh. P. Rajeev, Hon'ble Member of the Rajya sabha has moved an annulment motion to get these rules abolished and the motion has been admitted and is expected to come up in this budget session. The Bangalore MP Rajeev Chandrashekar has spoken in Parliament in support. It’s also interesting to note that a professor of chemistry of the Jadavpur University was arrested recently along with his neighbour for allegedly posting a cartoon on a popular social networking site and forwarding emails, cases were booked under the IT ACT as well.

Thanks,

Save Your Voice Team,

The notification of the Information Technology (Intermediaries Guidelines) Rules 2011 in April 2011 has resulted in the creation of a mechanism whereby intermediaries (such as Google, Facebook, Yahoo, etc) receive protection from legal liability in return for trading away the freedom of expression and privacy of users.

The Rules demand that intermediaries, on receiving a complaint that any content posted online is considered grossly harmful, harassing, blasphemous, defamatory, obscene, pornographic, paedophilic, libelous, invasive of another’s privacy, hateful, or racially, ethnically objectionable, disparaging, relating or encouraging money laundering or gambling, or otherwise unlawful in any manner, have to disable the content within 36 hours of receipt of complaint. The rules also require the intermediaries to provide the Government agencies information of users without any safeguards.

Under these Rules intermediaries will be forced to disable any and all content that falls foul of the incredibly broad and ambiguous criteria laid above, as non-compliance with such requests will result in their losing the liability protection afforded to intermediaries. In short, the Rules will result in private policing of the internet.  Any content that is critical of state policy, any organization or even any individual could run the risk of being censored, thanks to the Rules.  The Rules violate the right to freedom of speech and expression and the right to privacy of citizens guaranteed by the Constitution of India.

There is no due process of law, any attention to principles of natural justice or a redressal mechanism for the aggrieved victim, whose content is taken down.  The Rules are also ambiguous and arbitrary, disjointed, legislate on disparate areas and are beyond the rule-making power of the Government.

After the Avnish Bajaj case, the Legislature wanted a safe harbor for intermediaries with safeguards and not a system of back door censorship for the Government.  In view of the possible deleterious effects of the Rules, the Honorable Member of Parliament, Shri P. Rajeeve has moved a statutory motion to get the aforesaid Rules annulled. This motion has been admitted and will be coming up before the Rajya Sabha during the second half of the Budget session of the parliament that starts on 24th of April, 2012.

We urge all MPs to support the annulment motion. We also request the Government to draft new rules, that will protect our freedom and  privacy, after holding consultation among all stakeholders.

Further Material:
There is an online petition in favor of the annulment motion at:
http://www.it2011.in

FAQ's of SFLC
http://softwarefreedom.in/index.php?option=com_content&view=article&id=129:faq-on-intermediary-rules&catid=1:latest-news&Itemid=50

http://www.youtube.com/watch?v=HtA194jig3s

Names of Organisations

Knowledge Commons
Software Freedom Law Center, India
Delhi Science Forum
Save Your Voice Campaign
Internet Democracy Project
Center for Internet and Society
Free Software Movement India
IT for Change
Alternative Law Forum