UID Archives « Aam Janata


On August 24th 2017, WikiLeaks published secret documents from the ExpressLane project of the CIA pertaining to the cyber operations the OTS (Office of Technical Services), a branch within the CIA, conducts against liaison services. The OTS provides a biometric collection system to liaison services around the world with the expectation of sharing of the biometric takes collected on the systems. Additionally, the CIA has developed ExpressLane - a covert information collection tool to secretly exfiltrate data collections from these systems without the knowledge of the vendors as well.

ExpressLane installs and runs covertly behind a benign splash screen indicating a software upgrade and is used when OTS agents perform on site upgrades on the biometric system. The installation raises no suspicions other than the minor notices which don't appear to be out of the ordinary for a software installation.

The core components of the OTS system are based on products from Cross Match, a US company specializing in biometric software for law enforcement and the Intelligence Community. The company hit the headlines in 2011 when it was reported that the US military used a Cross Match product to identify Osama bin Laden during the assassination operation in Pakistan. This company also provides biometrics collection systems for UIDAI's Aadhaar in India.

The response to these revelations in India has been astonishingly muted. A foreign government having access to confidential and highly accurate information on citizens of India amounts to an attack on India's sovereignty. The existence of Aadhaar itself now becomes a government sanctioned weapon against the country and citizens. The Aadhaar must be destroyed.

The few reports in media restrain themselves to very conservative reporting of the actual leaks without committing themselves to stating the implications for the country. This too is concerning, because it indicates an inadequate comprehension of how tech works in the media and renders the media toothless when it comes to providing public oversight on the highly insecure progression of the Digital India project.

On its part, the UIDAI has issued its standard voodoo denials. No explanations, no data, no alarm, no need for any investigations, nothing. Assurances that "all is well, don't worry" is all the UIDAI appears to have on any of the mounting concerns about the Aadhaar being illegally imposed on the citizens of India with blatant disregard to repeated orders of the Supreme Court. And of course, flat out lies - the hallmark of anything supported by the Modi government. Here are some claims debunked.

Aadhaar system has stringent security features to prevent any unauthorised transmission of data.

And here we thought UIDAI filed a case against Abhinav Srivastava, co-founder of Qarth Technologies Pvt. Ltd, who released an entire app that made unauthorized use of Aadhaar data e-KYC, then let him go, because he didn't have bad intentions. And oh, they complained about unauthorized access and then also claimed that no data was breached. We get it. There was no breach. He was using an authorized API without being authorized. No breach. Just reading news on the UIDAI is enough to give anyone who understands tech security high blood pressure.

No, Aadhaar most certainly doesn't have stringent security features to prevent unauthorized transmission of data. Aadhaar devices were not even encrypted till well after UIDAI started claiming 90% enrolment across the country (another dubious claim, for another day).

“Some vested interests are trying to spread misinformation that since ‘Cross Match’ is one of many devices which are being used in biometric devices by various registrars and agencies in Aadhaar ecosystem, the biometrics being captured for Aadhaar are allegedly unauthorisedly accessed by others.”

This is complete bullshit. The vast majority of people objecting to Aadhaar have nothing to gain from its failure (other than national and personal security). In contrast, the vast majority of people defending Aadhaar without any data, independent audit, robust explanations of technology and worse are invariably employed by UIDAI or its affiliates or have founded them (or, in a recent trend, are anonymous handles - I wonder who, other than Sharad Sharma, could be behind those). Where is the misinformation in CIA being a spy agency, or it being known to engage in illegal and digital spying, or it being known to subvert democratic governments in countries? Where is the "misinformation" in a leak of secret documents on a site that so far has never been questioned on the authenticity of leaked information it publishes?

Aadhaar biometric capture system has been “developed within our own country and it has adequate and robust security features to prevent any possibility of any such unauthorised capture and transmission of data regardless of any biometric device that may be used”.

This statement can be true only if the UIDAI spokesman is a US national, because even the UIDAI website offers driver downloads for Cross Match and L-1 devices. The same Cross Match and L-1 that have apparently got biometric capture systems from the OTS branch of CIA on the understanding of data sharing. And ExpressLane is the data theft on top of that.

“In addition, there are many other rigorous security features and processes within UIDAI ensuring that no biometric data of any individual is unauthorized accessed by anyone in any manner whatsoever,”

This is a breathtaking lie, because the CONTRACT UIDAI had with L-1 Identity Solutions Operating Co Pvt Ltd, Morpho and Accenture Services Pvt Ltd, says that the company was given Aadhaar data access "as part of its job". This contract has also been reported and objected to in the past and on this blog as well in 10 big problems with the Aadhaar UID card project.

Golden rule in C-Sec is: If physical access is compromised, everything is gone. Wikileaks talks about physical access. It is about installing a backdoor on the source where biometric is acquired at the device driver level. Encryption argument is useless in that case. But encryption != Security.

(Update: UIDAI has made some voodoo argument about how access is secured on UIDAI premises and what not. It is nonsense. Aadhaar data is collected out in the real world where the espionage would be happening. Whether UIDAI pickles the data or freezes in some on premises further access to foreign companies it makes no difference to that.)

How much Aadhaar data and how much access do foreign BSPs have?

And this information is from an RTI filed by Col. Thomas, that the BSP (Biometric Service Provider) "may have access to personal data of the purchaser (UID), and/or a third party or any resident of India..." Further, Clause 3, which deals with privacy, says that the BSP could "collect, use, transfer, store and process the data".

Excerpt from UIDAI contract with Biometric Service providers

In other words, the UIDAI has been deliberately undermining Indian security using Indian funds and flat out lying about its activities. The entire organization must be dismantled and its leaders investigated.


While there is nothing new about problems emerging with the government pushed Aadhaar Cards, the scheme is dogged by recurring problems. Cobrapost has done a devastating sting that should put Aadhaar in its grave and see several people arrested, if there is accountable governance in this country.

Unraveling the ‘Uniqueness’ of UIDAI

What was supposed to be a unique identification number providing identification and access to a host of government benefits and services to Indian residents, ‘Aadhar’ has almost unvaryingly been extended to immigrants who have illegally crossed into the Indian border. Almost anyone, be it Indian or an illegal immigrant can get an Aadhar Card made without any proof of identity. More importantly, they get an Indian identity. The Unique Identification Authority of India (UIDAI), the nodal agency that issues Aadhar cards however seems oblivious to all this. Cobrapost, exposes the underbelly of Aadhar, which was for long touted as Government of India’s most ambitious programme.

The Inside Story:

Posing as a conduit or an immigrant applicant, our Cobrapost reporter poses as a benefactor of refugees from Nepal, Bangladesh, and Pakistan, and approached a dozen Aadhar offices. He tells them that these immigrants have no proof of identity or proof of address but need help in getting an Aadhar card. The convenience, with which almost each of the Aadhar enrolment officers gave assurances to not only provide the Aadhar Card but also a proof of Indian identity, wasn’t surprising. Without a prescribed rulebook for the fraud it was up to these officers to make their demands. Most of them were reluctant initially, but gave in when the applicant agreed to the prescribed fees. The negotiations happened and a time was fixed for the applicant to come. Almost in all cases, the Aadhar officers asked for a photograph and address written on a piece of paper for the purpose of making an affidavit, as proof of identity. The affidavit had to be countersigned by the local MLA or a gazetted officer thus making it valid. No one bothered to check the antecedents of our immigrant applicants.

From charges as high as Rs 500 to as low as Rs 2500, the ‘Aadhar officers’ agreed to make Aadhar Cards for applicants without any proof of identification or proof of address. These are the same people who have been entrusted to securely collect and send the biometric and demographic data of an individual to UIDAI’s data collection centre in Bangalore, Karnataka.

In a recently filed RTI query by a former defence scientist and RTI activist, Mathew Thomas, it has been found that UIDAI has not cared to check the antecedents of the companies that have been enlisted to collect biometric data. He alleges that the RTI made it clear that the data is being made accessible to foreign countries as these companies are owned by former CIA and FBI officials. Thus, clearly enough our personal data may just be sold to these companies who may use it in any manner they fancy.

In an interview published on 14th January, 2011 in the Hard News Magazine, Mr. Nandan Nilekani, Chairman UIDAI, on being reminded that biometrics have been known to malfunction when such a large number of people are involved said, “I think it will work despite the problems. Obviously, when you implement a brand new technology, there will be challenges. But, fundamentally, it will work. In a context where many people have no identity and the ways of authenticating identity are not very robust, the fact that we are taking this to 99.99 per cent of the population is in itself a huge improvement. We must look at the programme's progress in terms of where we are and where we are going.”

With no or extremely feeble privacy laws in place, it has become imperative for India to declare ‘Right to Privacy’ as a fundamental right. A draft bill, which was introduced by the then law minister, M. Veerappa Moily in 2011 has still not been passed by the parliament. Indian citizens cannot defend themselves in the wake of a loss of privacy. For now, agencies like the UIDAI, who have vast deposits of the biometric and demographic details of billions of Indians can function without any trepidation. Evidently, the Government of India is not bothered about malfeasance and neither does it care if common citizens like us, who have unknowingly given their personal details, have any right to disclosure.

UIDAI knew India had a population of more than a billion and with a growth rate of almost 1.5% per year, it was bound to increase. Providing a unique identification number is not wrong but the manner in which UIDAI collected biometric data and proof of identity was. With enrolment centers functioning as fly-by-night operators, charging varying amounts of fees for manufacturing Indian identities for non-Indian applicants, capitalizing on their nexus with their local MLAs in generating a parallel line of business, Aadhar has failed on all parameters it was based on. It has yet again proved that populism oriented, government mandated schemes do not work in a country with such humongous demographics. Perhaps, Nandan Nilekani should first accommodate more questions to justify UPA’s most ambitious programme than to blatantly promote his candidature for the Lok Sabha 2014 elections.

We are providing small excerpts from the twelve cases where Cobrapost has exposed the business of making Aadhar cards for illegal immigrants who approach without any proof of identity.
