Thomas Archives « Aam Janata

On August 24th 2017, WikiLeaks published secret documents from the CIA's ExpressLane project, pertaining to the cyber operations that the OTS (Office of Technical Services), a branch within the CIA, conducts against liaison services. The OTS provides a biometric collection system to liaison services around the world with the expectation that the biometric takes collected on the systems will be shared. Additionally, the CIA has developed ExpressLane - a covert information collection tool to secretly exfiltrate data collections from these systems without the knowledge of the vendors as well.

ExpressLane installs and runs covertly behind a benign splash screen indicating a software upgrade, and is used when OTS agents perform on-site upgrades on the biometric system. The installation raises no suspicions other than the minor notices which don't appear to be out of the ordinary for a software installation.

The core components of the OTS system are based on products from Cross Match, a US company specializing in biometric software for law enforcement and the Intelligence Community. The company hit the headlines in 2011 when it was reported that the US military used a Cross Match product to identify Osama bin Laden during the assassination operation in Pakistan. This company also provides biometrics collection systems for UIDAI's Aadhaar in India.

The response to these revelations in India has been astonishingly muted. A foreign government having access to confidential and highly accurate information on citizens of India amounts to an attack on India's sovereignty. The existence of Aadhaar itself now becomes a government sanctioned weapon against the country and citizens. The Aadhaar must be destroyed.

The few reports in media restrain themselves to very conservative reporting of the actual leaks without committing themselves to stating the implications for the country. This too is concerning, because it indicates an inadequate comprehension of how tech works in the media and renders the media toothless when it comes to providing public oversight on the highly insecure progression of the Digital India project.

On its part, the UIDAI has issued its standard voodoo denials. No explanations, no data, no alarm, no need for any investigations, nothing. Assurances that "all is well, don't worry" is all the UIDAI appears to have on any of the mounting concerns about the Aadhaar being illegally imposed on the citizens of India with blatant disregard to repeated orders of the Supreme Court. And of course, flat out lies - the hallmark of anything supported by the Modi government. Here are some claims debunked.

Aadhaar system has stringent security features to prevent any unauthorised transmission of data.

And here we thought UIDAI filed a case against Abhinav Srivastava, co-founder of Qarth Technologies Pvt. Ltd, who released an entire app that made unauthorized use of Aadhaar e-KYC data, then let him go, because he didn't have bad intentions. And oh, they complained about unauthorized access and then also claimed that no data was breached. We get it. There was no breach. He was using an authorized API without being authorized. No breach. Just reading news on the UIDAI is enough to give anyone who understands tech security high blood pressure.

No, Aadhaar most certainly doesn't have stringent security features to prevent unauthorized transmission of data. Aadhaar devices were not even encrypted till well after UIDAI started claiming 90% enrolment across the country (another dubious claim, for another day).

“Some vested interests are trying to spread misinformation that since ‘Cross Match’ is one of many devices which are being used in biometric devices by various registrars and agencies in Aadhaar ecosystem, the biometrics being captured for Aadhaar are allegedly unauthorisedly accessed by others.”

This is complete bullshit. The vast majority of people objecting to Aadhaar have nothing to gain from its failure (other than national and personal security). In contrast, the vast majority of people defending Aadhaar without any data, independent audit, robust explanations of technology and worse are invariably employed by UIDAI or its affiliates or have founded them (or, in a recent trend, are anonymous handles - I wonder who, other than Sharad Sharma could be behind those). Where is the misinformation in CIA being a spy agency, or it being known to engage in illegal and digital spying or it being known to subvert democratic governments in countries? Where is the "misinformation" in a leak of secret documents on a site that so far has never been questioned on the authenticity of leaked information it publishes?

Aadhaar biometric capture system has been “developed within our own country and it has adequate and robust security features to prevent any possibility of any such unauthorised capture and transmission of data regardless of any biometric device that may be used”.

This statement can be true only if the UIDAI spokesman is a US national, because even the UIDAI website offers driver downloads for Cross Match and L-1 devices. The same Cross Match and L-1 that have apparently got biometric capture systems from the OTS branch of CIA on the understanding of data sharing. And ExpressLane is the data theft on top of that.

“In addition, there are many other rigorous security features and processes within UIDAI ensuring that no biometric data of any individual is unauthorized accessed by anyone in any manner whatsoever,”

This is a breathtaking lie, because the CONTRACT UIDAI had with L-1 Identity Solutions Operating Co Pvt Ltd, Morpho and Accenture Services Pvt Ltd, says that the company was given Aadhaar data access "as part of its job". This contract has also been reported and objected to in the past and on this blog as well in 10 big problems with the Aadhaar UID card project.

Golden rule in C-Sec is: If physical access is compromised, everything is gone. WikiLeaks talks about physical access. It is about installing a backdoor on the source where biometric is acquired at the device driver level. Encryption argument is useless in that case. But encryption != Security.

(Update: UIDAI has made some voodoo argument about how access is secured on UIDAI premises and what not. It is nonsense. Aadhaar data is collected out in the real world, where the espionage would be happening. Whether UIDAI pickles the data or freezes in some on-premises further access to foreign companies, it makes no difference to that.)

How much Aadhaar data and how much access do foreign BSPs have?

And this information is from an RTI filed by Col. Thomas, that the BSP (Biometric Service Provider) "may have access to personal data of the purchaser (UID), and/or a third party or any resident of India..." Further, Clause 3, which deals with privacy, says that the BSP could "collect, use, transfer, store and process the data".

Excerpt from UIDAI contract with Biometric Service providers

In other words, the UIDAI has been deliberately undermining Indian security using Indian funds and flat out lying about its activities. The entire organization must be dismantled and its leaders investigated.

iCall Helpline for people in emotional distress as quoted fraudulently by Free Press Journal as betraying caller confidentiality.

Free Press Journal has published a story claiming that mental care helplines got increased calls in the week leading to Valentines Day. The article claims that mental health helplines are getting 20-25 calls per day from the heart broken and lonely and goes on to describe such calls and quote authoritative sources. The glitch? At least two of the sources are completely fake.

Paras Sharma, counselling psychologist and coordinator at iCall - a nationwide psycho-social helpline by Tata Institute of Social Sciences (TISS) for people in emotional and psychological distress - who has been quoted in the article, denies having spoken to any journalist from Free Press Journal.

Paras Sharma is described in the article as having disclosed confidential details about a phone call made to the helpline by a fourteen year old depressed girl in love with her friend's boyfriend:

“She said that her friend and friend’s boyfriend were celebrating each day of Valentine’s week which she can only dream of as she is not that pretty. She said that she can never fall for someone else and will die out of the envy that she has for her friend,” said Paras Sharma, co coordinator of icall, which is under Tata Institute of Social Sciences.

“It was shocking for me as this girl couldn’t see that she has all time in world for falling in love and that many Valentines like this will come and pass by,” said Sharma.

Paras completely denies having said any such thing or even having spoken with any reporter at all about such a call, which to his knowledge did not happen at all and is a story invented by the journalist. He categorically states that their helpline routinely gets calls of emotional distress and relationship problems and there is no special increase for Valentines Day.

Aasra suicide prevention helpline quoted in this story too denies having given such an interview. This entire part is invented:

AASRA has also been getting calls from married ladies and divorcees.

A lady in her late 40’s called up AASRA saying she is feeling ignored by her husband off lately. Now that it’s Valentine’s week she was feeling even more left out as her twin sister who was married one year after her was going out with her husband and celebrating Valentine’s Day.

“She said that whenever she checked her sisters’ Facebook profile, there were many pictures which made her envious. She felt that in the ten years of her marriage she has grown older. However, her sister was still young. That is why her husband was ignoring her,” said Thomas.

Thomas said that the calls in the days nearing Valentine’s Day have risen because many people are preferring late marriages due to which feeling of insecurity has dawned upon them due to ageing and loneliness.

“The only support left with these people is of their friends who on such days are busy with their spouses, fiancées or boyfriends and girlfriends. Besides, due to monotony that life endows on these souls, they feel more detached from the world and purpose of their life in the absence of love,” said Thomas.

Thomas also said that feeling of being worthless and unimportant endows on such people.

Paras Sharma of iCall Helpline says that calls made to a helpline are confidential and while their organization does publish anonymized statistical information or other studies, it is unlikely any professionals will divulge salacious personal details of an individual caller in this manner.

He says it is irresponsible to publish invented news pieces that create a perception that calls to helplines are not confidential and that cases can be casually discussed in this manner, and demands that Free Press Journal take appropriate action against the reporter and editor of this story, whose names were not told to Paras.

It is unclear if the other sources quoted in this story are true or false.

Update: After Paras Sharma publicly denied speaking with the Free Press Journal reporter and asked for action to be taken against her, a reporter called Swati Jha has called up iCall to speak with him, accusing him of lying and denying what he told her.

According to Paras, when asked to prove he gave her the quotes, she said, "This is the problem with us in the media. We don't record calls sometimes. Now I have no proof." On being asked to show her caller logs, she said, "My cellphone only shows the last dialled number." What sort of a reporter is this?

It is unclear why Paras Sharma and Aasra both would deny giving this reporter quotes. Also unclear why she does not have his personal number and calls Paras Sharma "Prashant".