
On August 24th 2017, WikiLeaks published secret documents from the CIA's ExpressLane project, pertaining to the cyber operations that the OTS (Office of Technical Services), a branch within the CIA, conducts against liaison services. The OTS provides a biometric collection system to liaison services around the world with the expectation that the biometric takes collected on the systems will be shared. Additionally, the CIA has developed ExpressLane, a covert information collection tool, to secretly exfiltrate data collections from these systems without the knowledge of the vendors as well.

ExpressLane installs and runs covertly behind a benign splash screen indicating a software upgrade and is used when OTS agents perform on site upgrades on the biometric system. The installation raises no suspicions other than the minor notices which don't appear to be out of the ordinary for a software installation.

The core components of the OTS system are based on products from Cross Match, a US company specializing in biometric software for law enforcement and the Intelligence Community. The company hit the headlines in 2011 when it was reported that the US military used a Cross Match product to identify Osama bin Laden during the assassination operation in Pakistan. This company also provides biometrics collection systems for UIDAI's Aadhaar in India.

The response to these revelations in India has been astonishingly muted. A foreign government having access to confidential and highly accurate information on citizens of India amounts to an attack on India's sovereignty. The existence of Aadhaar itself now becomes a government sanctioned weapon against the country and citizens. The Aadhaar must be destroyed.

The few reports in media restrain themselves to very conservative reporting of the actual leaks without committing themselves to stating the implications for the country. This too is concerning, because it indicates an inadequate comprehension of how tech works in the media and renders the media toothless when it comes to providing public oversight on the highly insecure progression of the Digital India project.

On its part, the UIDAI has issued its standard voodoo denials. No explanations, no data, no alarm, no need for any investigations, nothing. Assurances that "all is well, don't worry" is all the UIDAI appears to have on any of the mounting concerns about the Aadhaar being illegally imposed on the citizens of India with blatant disregard to repeated orders of the Supreme Court. And of course, flat out lies - the hallmark of anything supported by the Modi government. Here are some claims debunked.

Aadhaar system has stringent security features to prevent any unauthorised transmission of data.

And here we thought UIDAI filed a case against Abhinav Srivastava, co-founder of Qarth Technologies Pvt. Ltd, who released an entire app that made unauthorized use of Aadhaar e-KYC data, then let him go, because he didn't have bad intentions. And oh, they complained about unauthorized access and then also claimed that no data was breached. We get it. There was no breach. He was using an authorized API without being authorized. No breach. Just reading news on the UIDAI is enough to give anyone who understands tech security high blood pressure.

No, Aadhaar most certainly doesn't have stringent security features to prevent unauthorized transmission of data. Aadhaar devices were not even encrypted till well after UIDAI started claiming 90% enrolment across the country (another dubious claim, for another day).

“Some vested interests are trying to spread misinformation that since ‘Cross Match’ is one of many devices which are being used in biometric devices by various registrars and agencies in Aadhaar ecosystem, the biometrics being captured for Aadhaar are allegedly unauthorisedly accessed by others.”

This is complete bullshit. The vast majority of people objecting to Aadhaar have nothing to gain from its failure (other than national and personal security). In contrast, the vast majority of people defending Aadhaar without any data, independent audit, robust explanations of technology and worse are invariably employed by UIDAI or its affiliates or have founded them (or, in a recent trend, are anonymous handles - I wonder who, other than Sharad Sharma could be behind those). Where is the misinformation in CIA being a spy agency, or it being known to engage in illegal and digital spying or it being known to subvert democratic governments in countries? Where is the "misinformation" in a leak of secret documents on a site that so far has never been questioned on the authenticity of leaked information it publishes?

Aadhaar biometric capture system has been “developed within our own country and it has adequate and robust security features to prevent any possibility of any such unauthorised capture and transmission of data regardless of any biometric device that may be used”.

This statement can be true only if the UIDAI spokesman is a US national, because even the UIDAI website offers driver downloads for Cross Match and L-1 devices. The same Cross Match and L-1 that have apparently got biometric capture systems from the OTS branch of the CIA on the understanding of data sharing. And ExpressLane is the data theft on top of that.

“In addition, there are many other rigorous security features and processes within UIDAI ensuring that no biometric data of any individual is unauthorized accessed by anyone in any manner whatsoever,”

This is a breathtaking lie, because the CONTRACT UIDAI had with L-1 Identity Solutions Operating Co Pvt Ltd, Morpho and Accenture Services Pvt Ltd, says that the company was given Aadhaar data access "as part of its job". This contract has also been reported and objected to in the past and on this blog as well in 10 big problems with the Aadhaar UID card project.

Golden rule in C-Sec is: If physical access is compromised, everything is gone. WikiLeaks talks about physical access. It is about installing a backdoor at the source where the biometric is acquired, at the device driver level. The encryption argument is useless in that case. But encryption != Security.

(Update: UIDAI has made some voodoo argument about how access is secured on UIDAI premises and what not. It is nonsense. Aadhaar data is collected out in the real world where the espionage would be happening. Whether UIDAI pickles the data or freezes in some on premises further access to foreign companies it makes no difference to that.)

How much Aadhaar data and how much access do foreign BSPs have?

And this information is from an RTI filed by Col. Thomas, that the BSP (Biometric Service Provider) "may have access to personal data of the purchaser (UID), and/or a third party or any resident of India..." Further, Clause 3, which deals with privacy, says that the BSP could "collect, use, transfer, store and process the data".

Excerpt from UIDAI contract with Biometric Service providers

In other words, the UIDAI has been deliberately undermining Indian security using Indian funds and flat out lying about its activities. The entire organization must be dismantled and its leaders investigated.

Under the Aadhaar system, all Indian citizens are being allotted a unique twelve-digit identity number by the State upon obtaining biometric data including fingerprint and iris scans and upon submission and verification of certain demographic data including the name, date of birth and residential address.

The new identity is different from all previous identity documents issued by the State. While a driving license or a passport were identity ‘documents’ that once issued were in the possession and under the control of the citizen as “original documents”, the Aadhaar number and associated demographic and biometric data is a data entry in a digital database in the possession and under the control of the State and any other entities who might gain access to this database whether with legal authority or otherwise.

Further the nature of the information that the State uses to identify a person under the Aadhaar system is entirely different from that used under earlier systems of identification. Until now the State relied upon photo-identity cards to determine someone’s identity. Under the Aadhaar system, the markers for identity determination include fingerprints and iris scans. For the first time, biological data not visible to the human eye and inaccessible to and non-decipherable by a lay person or a non-expert, is being obtained from citizens and is being stored digitally in a central repository for all 1.3 billion Indians with the ostensible purpose of identifying them.

Yes, the citizen is issued an Aadhaar card with a number on it, but that card and the photograph on it and the face of the person presenting that card are no longer sufficient for the State to accept that the person is who he or she says they are. The biometric data must match. If the biometric data match fails, then the State will refuse to accept the identity of that person.

Also, the Aadhaar based identity is ultimately a number in a digital database. That number can be deactivated or even deleted. The database is outside the possession and control of the citizen. If his Aadhaar number in the database ceases to exist, the citizen has no proof of his identity as a citizen. The citizen ceases to exist for the State.

The Aadhaar related debates have focused on the right to privacy and on the apprehension of surveillance by the State and on issues of the security of Aadhaar databases. But there are more deep-seated concerns about the Aadhaar biometric identification system that I discuss here and which are important to understand how great a threat the Aadhaar biometric identification system poses to the privacy, liberty and security of Indian citizens.

There are several scenarios in which this digital biometric identification database can fail, be modified, be stolen, be leaked, be misused or be manipulated by State or non-State interests to the detriment of citizens and their rights. I discuss how the centralized and digital nature of this database as well as its use of biometric markers of identity which by their very nature are not accessible to or verifiable by ordinary individuals, creates many such scenarios where citizens can lose control over their identity and their very person-hood and be left with no recourse in extremely harmful situations. The greatest threat posed by the Aadhaar system is that citizens will lose control over their identity, they will be unable to establish their identity under certain circumstances, and they will also be exposed to an exponentially higher risk of identity theft.

The digital Aadhaar biometric identification system, it is argued, not only violates the right to privacy, but it creates significant risks that threaten the very right to identity and person-hood of Indian citizens and thus the right to citizenship itself. The Aadhaar system fundamentally alters the social contract underlying the Constitution of India by enabling a potentially malevolent State to deny the very identity of “inconvenient” citizens. A cost-benefit analysis of the Aadhaar system, even accepting its stated advantages, cannot justify such immense risks to citizens.

This post was originally published here by Seema Sapra.


With a new wave of trolls being unleashed to counter criticism of Aadhaar card with wholly original technical arguments like "but it is perfectly safe" "you just want to complain" and "I don't mind, so why should you", it gets irritating to reply to people over and over. So here is a very simple infographic with very easy to understand information. Use it as an educational tool or use it as a handy link/image to dump at irritating people with near zero capacity for independent analysis.

Aadhaar card and security risks

This is by no means comprehensive. Nor is it meant to be. It is simply intended to drive home the point that Aadhaar has glaring issues, some of them with very serious implications for national security that are simply being overlooked in order to create a big data asset for whoever is pulling the strings behind the scenes.


Recently, I attempted a tweetstorm on why I think the 2016 Aadhaar Act does not override, or render useless, the orders passed in Oct 2015 by the Supreme Court. I argued that all of the recent notifications by various central government authorities making Aadhaar mandatory to avail the respective service of those authorities are in manifest violation of the Supreme Court’s orders. This post is to explain those points in a little more detail and provide a rebuttal to counter-views that are being tweeted out such as this.

Here is a brief timeline of the events leading up to the recent Govt. notifications making Aadhaar mandatory for availing services like food grain under PDS, mid-day meals for school children, girls rescued from human trafficking and many others.

  • The unique identification authority of India (UIDAI) was established by an executive notification in January 2009 and had been running/overseeing the operations of data collection, enrolment, deduplication through biometrics, assigning of Aadhaar numbers. It also provided Aadhaar authentication and related services.
  • The authority operated under executive notification until it was reincarnated into its present statutory form after the coming into force of the 2016 Aadhaar Act.
  • Nearly a dozen petitions challenging the Aadhaar/UID project have been pending in the Supreme Court since 2012.  The petitions challenged the project on a number of grounds including :
    • The Authority operating without a legal sanction and in legal vacuum;
    • The unconstitutional irrationality of using Biometrics – not just unproven but provably inappropriate technology for deduplication and authentication; and tying the same for the purposes of identification for essential services such as food, NREGA lead to unconstitutional exclusion of people from accessing those services;
    • The enablement of surveillance, convergence of data without constitutionally sufficient statutory protection being an unconstitutional infringement of the right to privacy;
    • National security implications of employing foreign companies with link to foreign national governments and intelligence agencies for biometric operations, endangering the right to life of the entire population of the country;
    • Unconstitutional Irrationality of employing private contractors as enrolment agencies and having them handle sensitive personal data without constitutionally adequate techno legal safeguards;
    • Unconstitutional irrationality of using Aadhaar authentication or KYC for financial products or inclusion schemes as it facilitates money laundering; promotes exclusion even as it paints a picture of inclusion; and importantly threatens economic sovereignty of the nation;
    • The unconstitutional denial of dignity to Indian residents for using unlawful coercion to have them queue up to part with their biometrics and other personal data; and
    • The lack of competence, under the constitution of the union executive in operating the project.
  • Supreme Court passed the first interim order in the matter in September 2013 prohibiting any government body from insisting Aadhaar as mandatory for any of its services irrespective of any circular or notification that may have been issued in that regard.
  • It reiterated that position a number of times thereafter – November 2013,  March 2014, March 2015, August 2015 (after Attorney General for India famously claimed before the Supreme Court, the highest constitutional court of the land, that Indian citizens do not have the right to privacy under the constitution and the matter was sent before a constitutional bench of a minimum of five judges, even as the matter raised grave questions of constitutional interpretation and is “of some urgency”) , and again  in October 2015.
  • The August 2015 order limited even voluntary use of Aadhaar to two schemes viz PDS and LPG.  The October 2015 order permitted four more schemes for voluntary usage of Aadhaar.
  • The October 2015 order categorically made it clear that Aadhaar scheme shall be “purely voluntary” until the matters are finally heard and decided one way or the other.
  • In March 2016, Aadhaar Act was passed as a Money Bill, bypassing the Rajyasabha.  The unconstitutionality of such introduction and passage has also been challenged in the Supreme Court and that challenge has also been admitted and tagged along with earlier petitions before the SC.
  • Starting January 2017, more than sixty different government authorities issued notifications under Section 7 of the Act, apparently making Aadhaar mandatory for various purposes.

In my humble but considered view, such notifications are unlawful and are in violation of the Oct 2015 order which still holds the field.

I argue that :

  1. The primary basis of a court passing an interim order is the pending dispute before the court. As long as such a dispute  is still pending, the orders would ordinarily hold force.  In this case, the petitions are still technically pending before the Constitution Bench of the court, even if the Govt thinks they have become infructuous/ useless. The government has not moved the court for such a declaration or dismissal of the petitions or vacation of the orders citing the new law.
  2. Note that this case is different from instances like the Shah Bano story in which a final judgment of the court was sought to be undone by an Act of parliament.  In this Aadhaar case, the central government is still before the court and is subject to the jurisdiction and specific restraint imposed by the court.  If any authority wants to exercise power, (even newly found power) contrary to such restraint, it cannot do so without the permission of the court.
  3. I am not suggesting that a parliamentary legislation cannot in any case override interim directions of the supreme court.  However, I argue that the following are the necessary (but not sufficient) ingredients for that:
    1. There should be an express statement in the objects of the Act as introduced in parliament or elsewhere during the legislation process that this seeks to undo interim directions of the court; or
    2. It is impossible for a person to comply with the later legislation as well as the orders of the court.

In this case, the Act has neither of these ingredients. While Section 7 confers power on various authorities to insist on Aadhaar as a mandatory pre-requisite, it does not impose a duty to do so. The authorities therefore can comply with the Act without being in contravention of the orders of the court, by simply not exercising the powers under Section 7.   If any authority is desirous of exercising the newly found power, they can do so - but only with the leave of the court.

Moreover, when the interim orders were passed, the absence of law was not the only issue in consideration.  In fact, the central government had argued that the Appropriation Act at the time read with Allocation of Business Rules under Article 77 provided the legislative basis for the project and that IT Act and the Rules under IT Act have enough statutory safeguards for data protection; and therefore there was no legislative vacuum under which the project was operating.

Government of India, and others seem to take a view that the 2016 Act did not exist before October 2015 and that there is no principle of automatic stay of an Act of parliament that did not exist at the time of passing the order and therefore, October 2015 order would not prohibit authorities from exercising power under Section 7 of the newly enacted Act.

That argument does seem to be appealing on the face of it. However, a plain unqualified application of that argument leads to absurd results.

Assume for one moment, that the 2015 Act did stay the operation of a law – let's call it Aadhaar Act-1. Say parliament passes another identical Act and let's call it Aadhaar-Act-2. Can the government continue to implement and enforce Act-2 believing that there is no automatic stay? Such a result would be an absurdity. Why have constitutional courts at all if legislatures can simply reiterate their earlier position and escape orders of such a court? My point is that the question as to whether or not an earlier interim restraint prohibits persons from exercising powers under a future Act depends on the facts and circumstances under which the earlier orders were passed and the contents of such future Act. For instance, SEBI applied to the Court to modify the 11th August order complaining that the 11th August order imposed a restraint on its statutory powers even though they were not in challenge before the Court. On the face of it one may argue that there is also no principle in constitutional law to put restraints on statutory powers when such a statutory provision is not under challenge. But the court did not accept such a contention in its 15th Oct 2015 order and disallowed SEBI's application.

I also argue that the Act was incorrectly introduced and passed as a money bill in the parliament in brazen disregard for the qualifications of being a money bill under Article 110 (3) of the Constitution and in glaring violation of the principle of Federalism, which is a part of what is called “Basic Structure” of India’s constitution. I am of the view that the Act is still-born and people are not bound by it.    Note that this is different from an Act which is contrary to provisions of Constitution such as any fundamental right etc.   In such a case, people are required to act as though they are bound by it until such a law is declared unconstitutional by the court.  However, because this Act is no valid legislation at all i.e. it is void ab initio, people are free to act contrary to it.  It is no different from a random resolution passed by your neighbour’s family – to give a crude example 😉

Prasanna S is one of the advocates acting for some of the petitioners in the Aadhaar petitions before SC.


The government of India doesn't seem to be interested in getting security vulnerabilities fixed. A CS engineer, Bhavyanshu Parasher, has been spending his time understanding the current security standards deployed by the government of India in most of its data-critical apps and websites. Last year, in September, he disclosed a security flaw in Prime Minister Narendra Modi's web API that exposed user identifiable information like e-mail addresses, and also that there was no proper authentication check for API endpoints. During that disclosure, he faced challenges because it was difficult for him to get in touch with the concerned authorities. He mentioned on his blog that the e-mail address listed on Google's Play Store was not working. We had to contact @buzzindelhi (the handle used by BJP's Arvind Gupta on Twitter) to help him get in touch with the concerned authorities.

"The e-mail address provided on Google's Play Store returned a response stating “The email account that you tried to reach is over quota”. Had to get in touch with authorities via Twitter."

Now, the same thing is happening again. He wants to disclose vulnerabilities in two major applications deployed by the Government of India, but he is struggling to get in touch with the concerned authorities. He has published a post on his blog about it, though he has not mentioned the specifics of the vulnerabilities yet, as he is hoping the government will patch them before he discloses them. However, this may be rendered moot, as our searches showed that at least one of the vulnerabilities has already been publicly disclosed, but not by Bhavyanshu. That security flaw is in an unpatched version of server software and there is a CVE assigned to it. A fix has been rolled out, but the developers are not aware of any of this. But then why wouldn't it be so? The UIDAI website still uses SSLv2 and a SHA-1 certificate signature in a world where SSLv2 has been phased out for over a decade now, and even free SSL certificates like the one used on this site are signed with SHA-2 because SHA-1 isn't considered secure. You can go to the UIDAI website and check this for yourself in your browser's details for the SSL certificate.

UIDAI SSL fail
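
The certificate check suggested above can also be done outside the browser. This is an added example, not code from the original post: it reads the signature algorithm OID from a certificate's DER bytes with the Python standard library and flags SHA-1 or MD5 signatures and legacy protocol versions. The sample certificates are constructed skeletons, and `assess`, `sample_cert` and the other names are hypothetical.

```python
import ssl

# Signature algorithm OIDs and whether the digest is still considered acceptable.
SIG_ALGS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", False),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", False),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", False),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", True),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", True),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", True),
}
# Protocol names as reported by ssl.SSLSocket.version().
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# DER-encoded OID contents used to build the constructed samples below.
OID_SHA1_RSA = bytes.fromhex("2a864886f70d010105")
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")


def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits count the length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length


def decode_oid(data):
    """Decode OID contents (base-128 sub-identifiers) to dotted notation."""
    subids, value = [], 0
    for byte in data:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            subids.append(value)
            value = 0
    if not subids:
        raise ValueError("empty OID")
    first = subids[0]
    head = (0, first) if first < 40 else (1, first - 40) if first < 80 else (2, first - 80)
    return ".".join(str(arc) for arc in head + tuple(subids[1:]))


def signature_oid(der_bytes):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, start, _ = read_tlv(der_bytes, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = read_tlv(der_bytes, start)        # skip tbsCertificate
    tag, alg_start, _ = read_tlv(der_bytes, tbs_end)  # signatureAlgorithm
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_start, oid_end = read_tlv(der_bytes, alg_start)
    if tag != 0x06:
        raise ValueError("expected an OBJECT IDENTIFIER")
    return decode_oid(der_bytes[oid_start:oid_end])


def assess(pem, protocol):
    """Return findings for a PEM certificate and a negotiated protocol name."""
    findings = []
    oid = signature_oid(ssl.PEM_cert_to_DER_cert(pem))
    name, ok = SIG_ALGS.get(oid, (oid, None))
    if ok is False:
        findings.append(f"weak certificate signature: {name}")
    elif ok is None:
        findings.append(f"unrecognised signature algorithm: {oid}")
    if protocol in LEGACY_PROTOCOLS:
        findings.append(f"legacy protocol negotiated: {protocol}")
    return findings


def der(tag, content):
    """Minimal DER encoder, only used to build the constructed samples."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + content


def sample_cert(oid_bytes):
    """Constructed skeleton with a certificate's outer layout (not a real certificate)."""
    tbs = der(0x30, der(0x04, bytes(200)))            # placeholder tbsCertificate
    alg = der(0x30, der(0x06, oid_bytes) + der(0x05, b""))
    return ssl.DER_cert_to_PEM_cert(der(0x30, tbs + alg + der(0x03, bytes(33))))


if __name__ == "__main__":
    print(assess(sample_cert(OID_SHA1_RSA), "SSLv2"))
    print(assess(sample_cert(OID_SHA256_RSA), "TLSv1.2"))
```

For a live site, the PEM string returned by `ssl.get_server_certificate((host, 443))` can be passed to `assess` together with the value of `SSLSocket.version()` from a connection to the same host.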

Bhavyanshu sent emails on March 24 and then again on April 4, but he hasn't received any response. This time @buzzindelhi isn't showing much enthusiasm in getting the vulnerabilities fixed either. In response he just directed him to the public Twitter handle of Akhilesh Mishra (Director, myGov). Hardly an acceptable process for initiating discussion about security breaches!

https://twitter.com/buzzindelhi/status/714658965703958528

One would expect Mr. Mishra to contact Bhavyanshu immediately, but the truth is that even he isn't interested. There is, as yet, no reply from him.

It is cases like these which make the whole concept of Digital India look ugly. There are no dedicated e-mail addresses for security response teams. Official e-mail addresses don't work and the apps are poor on security. It is a goldmine for unethical hackers and a complete deterrent for ethical hackers who would like to help the government fix security leaks. There is no way for the researchers to get in touch with the concerned authorities. A concept like Digital India, without guaranteed user data security and user privacy, should not be promoted by the Government of India as it puts many people at risk.

Considering the complete lack of interest in securing the vulnerabilities, we cannot provide too many details. However, people looking to exploit government data would already have found these and would be using them by now. This isn't exactly rocket science. What data is vulnerable? Let us just say that I have seen e-mail addresses, Aadhaar numbers (where provided) and street addresses and can confidently say that a malicious hacker could write a script that replicates the data for all profiles. And before you think that such things are not done, just today, Madhu Menon posted a link to the hacked and leaked Turkish citizenship database.

A similar database of MyGov.in users could prove devastating to BJP, given that their supporters are disproportionately more likely to have signed up. And while Bhavyanshu stresses that he would not do it, it isn't outside the realm of belief that more malicious hackers not just could, but definitely would. And there seems to be no way to prevent this short of raising a public stink, because a government that claims to be interested in a Digital India does not seem to have the foggiest on digital security and the need to have developer teams rapidly rolling out fixes in the event vulnerabilities are found.

"Seems like the government doesn't have dedicated security team for projects that need immediate attention to security flaws. Instead, people who wish to disclose vulnerabilities have to rely on Twitter handles to get in touch with them. I am doing a lot of volunteer work like this because I like the concept of Digital India but I don't want it without data security and privacy. I have written a web app that will help eliminate this communication gap between researchers and authorities but whom to contact? Who are the concerned authorities after all? Don't give me another Twitter handle!" Bhavyanshu told me when asked about the current status of vulnerability disclosure. He also pointed us to the privacy policy of MyGov and why people should push the government for better data security.

The page for MyGov.in on HackerOne - a bug bounty program by security leaders of top internet companies like Facebook, Microsoft and Google (that rewards hackers for finding and reporting vulnerabilities so that they can be fixed) - says it all: "There are no known guidelines for reporting potential security vulnerabilities to this organization." Even the fact that the app has no known process for reporting vulnerabilities is an immediate flag. It tells hackers that there is no one keeping an eye on it or worried about security. Even the most novice programmer puts a working address on Google Play for contacting the developer. Yet, the official application of the largest democracy in the world fails to do it.

Contrast this with the Hack The Pentagon challenge that is actively rewarding hackers to break in and expose security vulnerabilities so that they can be fixed. This is the country where, a few days ago, our Prime Minister gave a speech at the nuclear summit on April Fool's Day explaining the need to fight terrorists who use 21st century technology with modern technology.

Yet, his government seems supremely unconcerned about unauthorized access to confidential information. As the UK just saw, in a country that uses technology extensively, a security breach can be used as an attack vector, when hackers hack into the water supply and change the composition of chemicals put into the tap water. A more famous example to recall could be the Stuxnet worm that damaged Iran's nuclear facilities. Yep. Code resulting in real time damage to equipment. We have, in the past seen that banks too can be hacked. We have seen that election equipment can be rigged. What will it take for us to wake up before our money, our vote, our voice and even our physical location is compromised?

It is completely insane to push for a Digital India and inaugurate three websites a month without having the requisite push to secure the data that will now be vulnerable to theft, or facilities to access. If Digital India must be, then it must be preceded by a culture of taking technology seriously or the whole country will inevitably suffer.

MyGov privacy policy claims to protect user identifiable information. Below are the excerpts from their policy page.

1. "MyGov do not sell or share any personally identifiable information volunteered on this site to any third party (public/private). Any information provided on MyGov will be protected from loss, misuse, unauthorized access or disclosure, alteration, or destruction. MyGov gather certain information about the User, such as Internet protocol (IP) address, domain name, browser type, operating system, the date and time of the visit and the pages visited. MyGov make no attempt to link these addresses with the identity of individuals visiting our site unless an attempt to damage MyGov has been detected."
(https://mygov.in/simple-page/terms-conditions/)

2. "Please note that MyGov do not share any personally identifiable information volunteered on this site with any third party (public/private). Any information provided to this website will be protected from loss, misuse, unauthorized access, disclosure, alteration, or destruction."
(https://mygov.in/mygov-faq/)

Turns out that like many other things, this privacy policy is a jumla as well.