
On August 24th 2017, WikiLeaks published secret documents from the CIA's ExpressLane project, pertaining to the cyber operations that the OTS (Office of Technical Services), a branch within the CIA, conducts against liaison services. The OTS provides a biometric collection system to liaison services around the world with the expectation of sharing the biometric takes collected on the systems. Additionally, the CIA has developed ExpressLane, a covert information collection tool to secretly exfiltrate data collections from these systems, without the knowledge of the vendors as well.

ExpressLane installs and runs covertly behind a benign splash screen indicating a software upgrade and is used when OTS agents perform on site upgrades on the biometric system. The installation raises no suspicions other than the minor notices which don't appear to be out of the ordinary for a software installation.

The core components of the OTS system are based on products from Cross Match, a US company specializing in biometric software for law enforcement and the Intelligence Community. The company hit the headlines in 2011 when it was reported that the US military used a Cross Match product to identify Osama bin Laden during the assassination operation in Pakistan. This company also provides biometrics collection systems for UIDAI's Aadhaar in India.

The response to these revelations in India has been astonishingly muted. A foreign government having access to confidential and highly accurate information on citizens of India amounts to an attack on India's sovereignty. The existence of Aadhaar itself now becomes a government sanctioned weapon against the country and citizens. The Aadhaar must be destroyed.

The few reports in media restrain themselves to very conservative reporting of the actual leaks without committing themselves to stating the implications for the country. This too is concerning, because it indicates an inadequate comprehension of how tech works in the media and renders the media toothless when it comes to providing public oversight on the highly insecure progression of the Digital India project.

On its part, the UIDAI has issued its standard voodoo denials. No explanations, no data, no alarm, no need for any investigations, nothing. Assurances that "all is well, don't worry" is all the UIDAI appears to have on any of the mounting concerns about the Aadhaar being illegally imposed on the citizens of India with blatant disregard to repeated orders of the Supreme Court. And of course, flat out lies - the hallmark of anything supported by the Modi government. Here are some claims debunked.

Aadhaar system has stringent security features to prevent any unauthorised transmission of data.

And here we thought UIDAI filed a case against Abhinav Srivastava, co-founder of Qarth Technologies Pvt. Ltd, who released an entire app that made unauthorized use of Aadhaar e-KYC data, then let him go, because he didn't have bad intentions. And oh, they complained about unauthorized access and then also claimed that no data was breached. We get it. There was no breach. He was using an authorized API without being authorized. No breach. Just reading news on the UIDAI is enough to give anyone who understands tech security high blood pressure.

No, Aadhaar most certainly doesn't have stringent security features to prevent unauthorized transmission of data. Aadhaar devices were not even encrypted till well after UIDAI started claiming 90% enrolment across the country (another dubious claim, for another day).

“Some vested interests are trying to spread misinformation that since ‘Cross Match’ is one of many devices which are being used in biometric devices by various registrars and agencies in Aadhaar ecosystem, the biometrics being captured for Aadhaar are allegedly unauthorisedly accessed by others.”

This is complete bullshit. The vast majority of people objecting to Aadhaar have nothing to gain from its failure (other than national and personal security). In contrast, the vast majority of people defending Aadhaar without any data, independent audit, robust explanations of technology and worse are invariably employed by UIDAI or its affiliates or have founded them (or, in a recent trend, are anonymous handles - I wonder who, other than Sharad Sharma could be behind those). Where is the misinformation in CIA being a spy agency, or it being known to engage in illegal and digital spying or it being known to subvert democratic governments in countries? Where is the "misinformation" in a leak of secret documents on a site that so far has never been questioned on the authenticity of leaked information it publishes?

Aadhaar biometric capture system has been “developed within our own country and it has adequate and robust security features to prevent any possibility of any such unauthorised capture and transmission of data regardless of any biometric device that may be used”.

This statement can be true only if the UIDAI spokesman is a US national, because even the UIDAI website offers driver downloads for Cross Match and L-1 devices. The same Cross Match and L-1 that have apparently got biometric capture systems from the OTS branch of the CIA on the understanding of data sharing. And ExpressLane is the data theft on top of that.

“In addition, there are many other rigorous security features and processes within UIDAI ensuring that no biometric data of any individual is unauthorized accessed by anyone in any manner whatsoever,”

This is a breathtaking lie, because the CONTRACT UIDAI had with L-1 Identity Solutions Operating Co Pvt Ltd, Morpho and Accenture Services Pvt Ltd, says that the company was given Aadhaar data access "as part of its job". This contract has also been reported and objected to in the past and on this blog as well in 10 big problems with the Aadhaar UID card project.

The golden rule in C-Sec is: if physical access is compromised, everything is gone. WikiLeaks talks about physical access. It is about installing a backdoor at the source where the biometric is acquired, at the device driver level. The encryption argument is useless in that case. But encryption != security.

(update: UIDAI has made some voodoo argument about how access is secured on UIDAI premises and what not. It is nonsense. Aadhaar data is collected out in the real world, where the espionage would be happening. Whether UIDAI pickles the data or freezes in some on premises further access to foreign companies it makes no difference to that.)

How much Aadhaar data and how much access do foreign BSPs have?

And this information is from an RTI filed by Col. Thomas, that the BSP (Biometric Service Provider) "may have access to personal data of the purchaser (UID), and/or a third party or any resident of India..." Further, Clause 3, which deals with privacy, says that the BSP could "collect, use, transfer, store and process the data".

Excerpt from UIDAI contract with Biometric Service providers

In other words, the UIDAI has been deliberately undermining Indian security using Indian funds and flat out lying about its activities. The entire organization must be dismantled and its leaders investigated.

Something strange came to my attention today. An otherwise anonymous Twitter profile, but it had an Aadhaar UID number in the place of the name. The profile said the person was an IITian, a Brajwasi, Swayamsewak, BJPite, Gaurakshak and slave of the Indian state. Oooookay.

After speaking and tweeting and writing critically about the Aadhaar (as well as the Modi government), finding Modi supporters who will go to any extent, however insane, to defend whatever he does has sort of started looking like a normal occurrence.

I believed that the Twitter handle was challenging those who claim Aadhaar to be vulnerable to hack it and prove it. After all, Aadhaar's greatest fake troll profile, run by Sharad Sharma himself, had once tossed out a number saying it was an Aadhaar number as a challenge. It wasn't inconceivable that another person would pull a similar stunt.

And honestly, after the brazen arguments the government had made in court to deny Indians a right to privacy, I was pissed enough to want to show someone just how far a person could go with access to an Aadhaar number. So, the first order of the day was to check whether the number was an actual Aadhaar number. For those who don't know, this part is easy. UIDAI will do it for you without giving out too much identifiable information without authentication. The number was real.

Okay, so that raised the stakes a bit. Someone's UID was out there. You read "gourakshak" on a profile and given the sort of news making headlines on a daily basis, you want to make sure at the very least that it is their own identity they are compromising and not some hapless other person's. So I decided to find out who he was. It was fairly easy to find his Facebook profile. That gave me his name and surname. Searching for that name and surname along with "Uttar Pradesh" (from the UIDAI website in above screenshot) got me one potential hit on a relatively less known networking site.

I now had an email and phone number. The last three digits of the phone number didn't match those on the UIDAI website - last digit was different. As far as phone numbers go, a non-match is a non-match, but I remember making a note of it. I plugged the number I had into Truecaller. That number gave me a domain name as his website.

The .in TLD doesn't offer privacy - I know this as someone who owns .in domains. So the chances were good that the information he provided the registrar while booking, was public. So I checked the whois data of that website, and voila. I had a phone number for him with three digits that matched the UIDAI website, as well as an address. Incidentally, it differed from the first number by only one digit.

Truecaller showed his name for the second number as well. This isn't a careless man. This phone profile hardly had much public information and it was used for what you'd call digital assets - ownership of a site, ownership of digital identity. The other seems to be the one for more casual use. But he'd made a big mistake using it for buying a domain that didn't protect his contact information.

How far can a person go with this information? I don't know. Available information suggests very very far, with some skill and tenacity. But it was about as far as I was willing to go to make a point about an irritation on Social Media. So far everything I had accessed was publicly available information, only collected from various sites and the address and three digits of the phone number matching that gave me the verification of the anonymous profile was publicly available information. The government may not believe citizens have a right to privacy, but I do, so I did not proceed further. I had all this in less than 15 minutes of idling around on my computer. No major effort needed.

I may have drawn an ethical line, but I wasn't done being irritated with the foolishness and decided that at the very least, a good scare was in order. I would ask him why he had put that number there, and if he issued a Sharad-like challenge to hack it, I'd reply with partial data for his personal information to show how easy it was to know his Aadhaar number and the phone number linked to it and given the straight matches in data, I wouldn't be surprised if the address was correct too.

So I asked him. And I was in for the shock of my life. You may read the Twitter conversation that followed from this tweet on Twitter:

Suffice it to say, this man is batshit crazy. He is also probably the only Modi supporter I respect. He believes in Modi, but he is alarmed about several of his decisions and is definitely against Aadhaar. He is being forced to link his Aadhaar to everything, so in a protest of extreme compliance, he is attaching his Aadhaar to his identity EVERYWHERE. Twitter included. As you see in the thread, once I realized what he is doing, I was uncharacteristically polite with him. Because damn hell, if this isn't a Gandhian Satyagraha being done by a bhakt no less. Talk of the mind benders Twitter can throw at you. Long story short, I tried and failed to convince him to protect himself. I even told him the information I found out about him and how easily, but he did not relent.

"First they ignore you, then they laugh at you, then they fight you, then you win." - Mahatma Gandhi

Done ignoring him, laughing at his folly, fighting to convince him, I had to concede he won. So I am now helping make sure his sacrifice does not go in vain. Yep. Let history note this moment, I'm openly supporting the actions of a staunch supporter of Modi - of all people.

Here is his explanation for why he is doing this. I hope Modi and his cartel realize the kind of faith gullible people invest in them and try to serve citizens honestly instead of this digital colonization being imposed on the country without regard for individual or national safety.

I am an IITian. I studied Computer Science & Engineering for about half a decade at IIT Kharagpur. I thereby am quite initiated into the innate nuances and implications of the universe of computing. However my personal convictions took me to serve my homeland in Braj - the land of Sri Krishna - where I have been fighting relentless battles to protect, preserve and restore the heritage associated with Krishna's pastimes.
 
I have been chased by mining mafia at gunpoint for resisting their attempt to decimate the heritage hills of Krishna frequented by millions from across the globe; have been wounded by encroachers in our bid to transform sludge tanks back to their natural splendour; have been extended death threats by the goons of religious organisations for pressing the practice of the precept; have been booked under various malicious sections of the IPC by errand officials of the state who couldn't respond to the intellectual contest thus posed. I have been a fighter who has put my entire self to risk to bring home a point. So I don't fear anything.
 
I do revere Prime Minister Narendra Modi, have immense respect for his sincere hard work, original thinking and political gravitas, but am getting extensively alarmed with his inordinate push for policies, projects and platforms without mulling over their far reaching implications both internally and internationally. Developing India within a single generation is a laudable vision, but can it be advanced at once by pushing the simpleton citizenry of this country to a precipice, remains a perpetual concern for me as a die-hard nationalist, developmental professional and technical insider.
 
Aadhar is one such platform which had never enticed me since inception. I have seen it as an abrogation of personal liberties in consonance with Gandhi's discomfort of carrying a fingerprinted ID paper while being in South Africa. Gandhian protest of those times sufficed with the doctrine of Passive Resistance and mass scale Civil Disobedience. But the dynamics in an ever inter-connected information age call for a different set of techniques to protest the supposed wrong doings on the part of powers of the day where citizens are being robbed of their basic liberties by a host of sinister but smart machinizations. You can only offer a creative resistance to such an oppression which does unfurl itself in ennobling eccentricities and eclectic excuses.
 
I thereby have chosen to 'purge' this all pervading monster of Aadhar by laying it open in the public domain. I chose this 98th Anniversary of Lokmanya Bal Gangadhar Tilak's death as it's somewhere the death of the ideal of Swaraj which he propounded and charged up the nation toiling under the clutches of British tyranny. The Aadhar tyranny is not going to be any different, it would be even worse.
 
If this is the ID, which would ensure my very existence, let it be out in the open. Let me surrender and forfeit my social identity of my name, surname, caste, religion et al and simply graduate to this all powerful ID. If this ID is required to make India a surveillance state, I am all out eager to wear a badge to this effect and to take a gps tracer injected in my blood stream so that the agents of the state can keep track of me in real time - What all I do, how much I do, how much more productive I can be.
 
I am all out to surrender myself as the Slave of Indian State, a condemned inmate who has got no rights & liberties. Let this Creative Resistance of mine be explicitly known to the mandarins of the state whose fetish for power is incessantly insatiable. Let me persecute & purge my own self dignity which was dearer to me more than my physical life for this incessant striving for a supposed national transformation. I invite the Indian State and all its actors to pounce upon me and squeeze out the minutest strands of self-pride, honor and self-respect left in me. I am after all an inmate of World's largest prison called India. I am all out to celebrate this. Are you game?

~ Raghav

Since the last few weeks, there has been a sudden uptick of anonymous accounts supporting Aadhaar and dismissing concerns and news of information leaks, security and privacy issues. These accounts were all either created in May or scrubbed of all content and began tweeting afresh in May. Some of them are propaganda accounts that tweet only positives about Aadhaar and/or gloss over issues raised on grounds of law, constitutionality, fundamental rights, privacy, ethics, security, national security and so on.

Here are some of the accounts.

Out of these, @supportaadhaar has been separately claimed by Rashmi Ranjan so far.

But there were more serious handles that were created in May, anonymous and interacted specifically with critics of Aadhaar in various ways that ranged from defamation to threats of legal action. For example, these handles.

It did not take us long to figure out what was going on. Prominent handles that had criticized Aadhaar on technical grounds (not lawyers, or political or ethical grounds) were the main targets. It was rapidly obvious that these were fronts for people from the tech community. Likely people profiting from Aadhaar, because it is really not plausible that the abundantly detailed flaws revealed in Aadhaar could not be understood by them.

When one of these handles, @confident_india, tangled with Kiran Jonnalagadda, he was able to make an educated guess at its identity and proved it by verifying the troll account against a real phone number. That phone number belonged to the co-founder, governing body member and director of iSPIRT - Sharad Sharma. The director of iSPIRT was going around using a fake handle and planting allegations of profiting from criticism of Aadhaar against critics. Planting allegations about them working for foreign intelligence agencies (ironically, MongoDB that Aadhaar uses is funded by the CIA).

Allegations of foreign intelligence affiliations
Who is funded by the CIA

On a stray note, after these allegations started happening, Nandan Nilekani ("mentor" to this circus) too referred to critics of Aadhaar with vested interests from his real account while promoting that childish data-free article asking personal questions related to motivations of Aadhaar critics that is replied to here.

Kiran informed several of us about his investigation into this troll (aka director of iSPIRT, Sharad Sharma) and we independently verified that his number was indeed attached to the fake account, because he knew that once he exposed Sharad Sharma in public, the phone number would immediately be removed and perhaps the anonymous account as well.

He made this video public in a tweet and later blogged about it. Thiyagarajan M, a fellow at iSPIRT, blogged a reply on medium.com as well, stating that Sharad had denied the allegations and they would be investigated, while he admits that the presentation Kiran mentions exists and is just a strategy document that does not recommend anonymous trolling. He states that they were aware that some of them had created an anonymous campaign and claims it is not an official campaign by iSPIRT. As though an official campaign would be put in writing formally.

We are aware that some volunteers and their friends have created an anonymous campaign to Support Aadhaar. This is not a troll campaign, but an informational one. It is also not an iSPIRT campaign.

I am not sure what remains to investigate. If it is about investigating how Sharad can possibly be taken off the hook, it shouldn't need an organization existing because of an authentication based product too long to realize that there really is no sane way.

No official handle related with iSPIRT has so far published any statement to the best of my knowledge. Sharad Sharma and the troll have both promptly denied it, of course. Except, in the process of denying that he was @confident_india, Sharad seems to have proved himself to be @indiaforward2 as well! He accidentally tweeted his denial of being @confident_india from the @indiaforward2 handle as well as his real handle, before tweeting the new tweets with his real handle. He deleted the tweets that went from both handles of course, but not before someone quick made a timely screenshot. So here we are.

 

Sharad tweeting as @indiaforward2

The denial from his main handle was read by many, but I don't have a screenshot of it... yet. However, he didn't delete it fast enough. Factordaily updated their reporting of the Sharad Sharma controversy with his denial.

Sharad Sharma woke to tweetstorm in Atlanta just like @indiaforward2
Sharad tweeting as himself.
Sharad's denial of trolling from his real account

My immediate thought about it wasn't even so much that people in power use sneaky, unethical methods to get their way and undermine obstacles, but that the director of a company that is a collective of software developers and who were all defending Aadhaar on grounds of security and privacy were so ignorant about securing something as elementary as an anonymous account!

Once this expose was public, several people independently verified that they too had been able to authenticate access to the troll account with Sharad Sharma's personal number. For example:

 

Rohin Dharmakumar went a step ahead and showed how a mobile phone can't simply be attached to a Twitter account without actually verifying the number.

 

There are also a lot of people unaware of the developments in that country called Digital India who are aghast at what they are discovering. This is what you get for being gullible. Here. Educational. Video published from official iSPIRT handle. Watch Pramod Varma, Sanjay Jain ex-UIDAI now "volunteer" at the iSPIRT that "donates" to Govt and how this serves to avoid oversight by CAG, RTI.

In other words, what you have here is a bunch of private people who are creating products off big data collected from all citizens in a manner that allows them to evade accountability to the citizens for it. They also fund the government, push the expansion of Aadhaar in spite of extensive risks and violations of citizens' rights being documented. In spite of the fact that Aadhaar effectively allows any infiltrator to become a "citizen" of the country by facilitating the creation of all documents that a citizen would have. And when the concerns raised get too alarming and there is no coherent defense of them possible, they make fake accounts to go around undermining dissenters so that the imposition of Aadhaar that puts citizens and country at risk may not be challenged.

If you do not speak up for your rights, they will be trampled on by profiteers out to exploit them at any cost.