In 2009, I became extremely concerned with the concept of Unique Identity for various reasons. Connected with many like minded highly educated people who were all concerned.
On 18th May 2010, I started this Blog to capture anything and everything I came across on the topic. This blog with its million hits is a testament to my concerns about loss of privacy and fear of the ID being misused and possible Criminal activities it could lead to.
In 2017 the Supreme Court of India gave its verdict after one of the longest hearings on any issue. I did my bit and appealed to the Supreme Court Judges too through an On Line Petition.
In 2019 the Aadhaar Legislation has been revised and passed by the two houses of the Parliament of India making it Legal. I am no Legal Eagle so my Opinion carries no weight except with people opposed to the very concept.
In 2019, this Blog now just captures on a Daily Basis list of Articles Published on anything to do with Aadhaar as obtained from Daily Google Searches and nothing more. Cannot burn the midnight candle any longer.
"In Matters of Conscience, the Law of Majority has no place"- Mahatma Gandhi
Ram Krishnaswamy
Sydney, Australia.

Aadhaar

The UIDAI has taken two successive governments in India and the entire world for a ride. It identifies nothing. It is not unique. The entire UID data has never been verified and audited. The UID cannot be used for governance, financial databases or anything. It’s use is the biggest threat to national security since independence. – Anupam Saraph 2018

When I opposed Aadhaar in 2010 , I was called a BJP stooge. In 2016 I am still opposing Aadhaar for the same reasons and I am told I am a Congress die hard. No one wants to see why I oppose Aadhaar as it is too difficult. Plus Aadhaar is FREE so why not get one ? Ram Krishnaswamy

First they ignore you, then they laugh at you, then they fight you, then you win.-Mahatma Gandhi

In matters of conscience, the law of the majority has no place.Mahatma Gandhi

“The invasion of privacy is of no consequence because privacy is not a fundamental right and has no meaning under Article 21. The right to privacy is not a guaranteed under the constitution, because privacy is not a fundamental right.” Article 21 of the Indian constitution refers to the right to life and liberty -Attorney General Mukul Rohatgi

“There is merit in the complaints. You are unwittingly allowing snooping, harassment and commercial exploitation. The information about an individual obtained by the UIDAI while issuing an Aadhaar card shall not be used for any other purpose, save as above, except as may be directed by a court for the purpose of criminal investigation.”-A three judge bench headed by Justice J Chelameswar said in an interim order.

Legal scholar Usha Ramanathan describes UID as an inverse of sunshine laws like the Right to Information. While the RTI makes the state transparent to the citizen, the UID does the inverse: it makes the citizen transparent to the state, she says.

Good idea gone bad
I have written earlier that UID/Aadhaar was a poorly designed, unreliable and expensive solution to the really good idea of providing national identification for over a billion Indians. My petition contends that UID in its current form violates the right to privacy of a citizen, guaranteed under Article 21 of the Constitution. This is because sensitive biometric and demographic information of citizens are with enrolment agencies, registrars and sub-registrars who have no legal liability for any misuse of this data. This petition has opened up the larger discussion on privacy rights for Indians. The current Article 21 interpretation by the Supreme Court was done decades ago, before the advent of internet and today’s technology and all the new privacy challenges that have arisen as a consequence.

Rajeev Chandrasekhar, MP Rajya Sabha

“What is Aadhaar? There is enormous confusion. That Aadhaar will identify people who are entitled for subsidy. No. Aadhaar doesn’t determine who is eligible and who isn’t,” Jairam Ramesh

But Aadhaar has been mythologised during the previous government by its creators into some technology super force that will transform governance in a miraculous manner. I even read an article recently that compared Aadhaar to some revolution and quoted a 1930s historian, Will Durant.Rajeev Chandrasekhar, Rajya Sabha MP

“I know you will say that it is not mandatory. But, it is compulsorily mandatorily voluntary,” Jairam Ramesh, Rajya Saba April 2017.

August 24, 2017: The nine-judge Constitution Bench rules that right to privacy is “intrinsic to life and liberty”and is inherently protected under the various fundamental freedoms enshrined under Part III of the Indian Constitution

"Never doubt that a small group of thoughtful, committed citizens can change the World; indeed it's the only thing that ever has"

“Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.” -Edward Snowden

In the Supreme Court, Meenakshi Arora, one of the senior counsel in the case, compared it to living under a general, perpetual, nation-wide criminal warrant.

Had never thought of it that way, but living in the Aadhaar universe is like living in a prison. All of us are treated like criminals with barely any rights or recourse and gatekeepers have absolute power on you and your life.

Announcing the launch of the # BreakAadhaarChainscampaign, culminating with events in multiple cities on 12th Jan. This is the last opportunity to make your voice heard before the Supreme Court hearings start on 17th Jan 2018. In collaboration with @no2uidand@rozi_roti.

UIDAI's security seems to be founded on four time tested pillars of security idiocy

1) Denial

2) Issue fiats and point finger

3) Shoot messenger

4) Bury head in sand.

God Save India

Sunday, April 1, 2018

13160 - ‘I Found A Security Lapse In Aadhaar That Could Allow A Major Chunk Of Information To Be Stolen’ - India Spend


Alison Saldanha, March 30, 2018

Views
1597

Mumbai: For the second time in the first three months of 2018, the vulnerabilities of the Aadhaar programme–the world’s largest biometric database–were exposed when American business technology website ZDnet reported on March 23, 2018, that the personal data of millions of enrolled Indians could be accessed through unsecure websites and mobile apps of third-party agencies that use the identification system for authenticating transactions.

Aadhaar comprises a unique 12-digit number assigned to Indian residents. As of March 29, 2018, more than 1.2 billion Indians–or 99.7% of the population–have enrolled in the programme. The database, which is fast becoming an integral part of Indian policy, includes fingerprints, iris scans and demographic details of every enrolled individual. From July 1, 2018, the system will also include facial recognition for identity authentication purposes.

One night in mid-February 2018, in 30 minutes, data security expert Karan Saini, who identifies as a “white-hat” hacker (one who improves security by exposing vulnerabilities before malicious hackers or “black-hat” hackers can detect and exploit these), found the vulnerable point in the Aadhaar database through Indane, a commercial distributor of liquefied petroleum gas (LPG), owned by Indian Oil, a public-sector company. Indane, the second-largest marketer of LPG globally, caters to 110 million households across the country.

Fearing prosecution from the government, Saini reached out to a reporter at ZDnet to notify the Unique Identity Authority of India (UIDAI), in-charge of programme, of the security lapse.

Through Indane, not only could Saini gain access to the Aadhaar numbers, demographic data of several Indian residents, but also view details of where these individuals hold bank accounts, and what other services their Aadhaar numbers are linked to.

Prior to this, on January 3, 2018, The Tribune, a Chandigarh newspaper, alleged in an investigation that unrestricted access to details of over one billion Aadhaar numbers could be purchased for as little as Rs 500.

Since its inception in 2011, Aadhaar has been caught in several debates, especially over privacy issues and information leaks. In the absence of a privacy law, lawyers and activists, who have challenged the Aadhaar Act, which essentially now mandates the enrollment of all citizens, as IndiaSpend reported in March 2017, argue that once the programme is linked to various services it will offer the government too much information too easily about individuals.

The UIDAI has dismissed these fears, maintaining that the central database, guarded by a 13-feet-high and five-feet-thick wall, is safe and insists the programme is a “serious effort to end corruption”. Arguing for the constitutional validity of Aadhaar, the UIDAI has denied Saini’s finding and The Tribune report of security lapses in the system during a Supreme Court (SC) hearing on Tuesday, March 27, 2018.

“There has not been one data leak till date,” Ajay Bhushan Pandey, chief executive officer of UIDAI, told the SC.  

In an interview with IndiaSpend, Saini, a freelance information-security professional based in New Delhi, discusses data security and privacy concerns in Aadhaar. Saini, occasionally also participates in “bug bounty programs” that involve identifying and reporting security vulnerabilities to companies. He has worked with Twitter, Uber and the US department of defense.

What prompted you to check the third-party security of Aadhaar data and what exactly did you find?

I started looking into the vulnerabilities of Aadhaar on a whim. On the Apple App Store, I found this mobile application ‘Aadhaar Status’ offered by Indian Oil, which claimed to allow you to check your Aadhaar seeding status with Indane. I started to dig into the app and the API [Application Program Interface] it used to access and retrieve Aadhaar data. I wanted to see if it had any security measures in place, and if so, whether and how they could potentially be bypassed. In a few minutes, I was able to determine that a few key countermeasures could be put in place to access the data for an endpoint as sensitive as this.

I found that by cycling through permutations of possible Aadhaar numbers–rapidly, since there was no limit on that like a Captcha or anything–I could get Aaadhar-linked data of other people, without the need for a one-time-password (OTP). After thoroughly checking that the Indane API was not blocking requests, especially when a large number of them were sent rapidly–I could send 5,000 requests in 5-10 minutes–I concluded that it would be possible for a malicious party with sufficient computing power and time to harvest vast amounts of Aadhaar-linked data in no time.

The app, which was also available on the Google PlayStore, has since been removed and the Indane API has been taken down but there is still evidence of it existing on several other third-party services as can be seen in this Google cache:



On paper, the intent of Aadhaar is to plug leaks and ensure that benefits reach the right individual, and also provide a one-stop verification process for service providers. In a way, sharing of personal data is inevitable in today’s world–so how do you think the government should negotiate big data and privacy needs?

We have to look at the Aadhaar infrastructure as a whole–it’s not just the government’s database to protect. With banks and third parties using the programme for identity verification, Aadhaar data remains partially compromised because it might be shared with parties who do not take data security issues seriously. We need a more comprehensive system to ensure these vendors–and other companies who have data related to or coming from Aadhaar–follow stringent norms to ensure they cannot use the data without taking the needed steps to protect it. Otherwise, it would be a violation of information that was originally provided to the government in good faith.

Do you think the Aadhaar programme adequately acknowledges the role third parties play in data security?

As of now, I don’t believe that these security issues are being properly addressed and remediated by the people in charge. However, they should be concerned. Right now, in not demanding and enforcing stricter data protection measures, neither the third parties with access to Aadhaar data nor the UIDAI are taking responsibility for significant security issues and concerns. This is highly problematic because the personal information of millions is at stake.

At the Supreme Court on Tuesday, March 27, 2018, UIDAI’s CEO Ajay Bhushan Pandey insisted that except for third parties, the main database itself is well-protected and has not had a single breach yet. What are your findings?




ABP says software is secure and there hasn't been one data leak till date. Tells court to not believe media reports. Denies recent report of breach by ZDnet




ABP rubbishes the report by tribune also.


I agree, the main Aadhaar ‘database’ itself might not compromised. However, through third-party sharing there is potential for the data to become compromised–that should be a primary concern for the UIDAI. If Aadhaar did not exist, verification of identity, while more tedious, would restrict the amount of data a services company could hold about me. So if I sign up for a gas connection, or telephone service, one would not have access to information about which bank I use. In fact, the CEO himself wrote to banks warning them to be more careful with Aadhaar authentication as the nature of data it holds could compromise the security of bank accounts, as The Hindu reported. With the information made publicly available through unsecure third parties, the UIDAI is introducing potential for misuse. One could commit financial fraud or forge another Aadhaar card using its number and demographic details since the card that holds the Aadhaar number does not have any security features of its own–it’s just a card with a number, and in many cases a two-step verification process with OTPs or fingerprints is not in place.

On the process of enrolment for Aadhaar, Pandey told the Supreme Court on Tuesday, March 27, 2018, that there is no question of misuse because a 2048-bit encryption on Aadhaar data has been sent to the Central Identities Data Repository (CIDR). “It will take the whole universe’s strength to break this encryption,” he said. What does your assessment show?

I can’t comment on the CIDR’s susceptibility to misuse since I am not aware of it but again, for argument’s sake, (even if) the UIDAI is encrypting its data to this extent it has not clarified if third parties accessing the data for authentication are also encrypting it similarly. While a 2048-bit encryption is very good, that’s a standard requirement for the kind of data the central Aadhaar database holds. Further, we don’t seem to have clarity on how much of the data is encrypted or how the encryption has been carried out. At this point, it seems to be jargon thrown at the audience.

Not restricted to Aadhaar, privacy breaches and security incidents are occurring more often and are increasingly involving larger amounts of personal data. What do you make of the UIDAI’s response to these incidents?

I started looking at the Indane app in early February, and approached a reporter to take the matter up with Indane and the UIDAI instead of approaching them myself fearing prosecution, given how similar matters have been dealt with in the past.

These last few months have shown that India is getting more serious about privacy and data security, and that citizens want accountability for when incidents such as these take place. Increasingly, since we’re now generating so much more data than we ever have before, people have started becoming more concerned about protecting their data, especially when violations come to light.

The UIDAI’s response, when we approached them a month ahead of the story, notifying them of the vulnerable endpoint, was to do nothing. This could have been either because of lack of interest or because they felt that the problem was not too severe. But with more and more security issues being pointed out, there seems to be a clear need for proper redressal techniques. In this particular case, many publications have inadvertently and inaccurately called this an ‘Aadhaar database breach’. This was not my intent. I found a security lapse which could have allowed for a major chunk of Aadhaar information to be stolen, if someone with that intent wanted to and knew of Indane’s issues.

There are problems with implementation of almost every technology, so understandably there will be errors with Aadhaar to work through as well. But if in the future, those that are responsible continue to deny issues and attempt to shut down conversations with the public, researchers may eventually just stop reporting bugs to them. The issues which are not captured by their internal security teams would simply remain vulnerable to malicious attacks. The government is more likely to succeed in keeping Aadhaar data safe by keeping the channels of communication open.

Distinguishing between the Aadhaar card and a smart card, Pandey said the central database of biometrics plays a key role in ensuring uniqueness and preventing identity theft. Surveillance is not possible with CIDR as silos are not merged but in smart cards, it is still possible by merging databases, he has said. What do you make of the CEO’s arguments on surveillance and identity theft?




ABP: there's no identity theft if Aadhaar is lost. The same cannot be said of smart cards.
Surveillance is not possible with CIDR as silos are not merged. Surveillance is possible by smart cards by merging databases.


While Aadhaar’s central database might be offline and secured, its online data-stores, which are significantly large too, are still merged with third parties like banks and telecom companies. So surveillance through them could still very much be a possibility.

Facial recognition for the sole purpose of authentication–where consent is given–should be completely fine, but only as long as it is used for just that and not for clandestine surveillance and tracking of individuals. If there are no laws in place to protect our rights and guarantee personal liberties, such as privacy, then our society and our very way of living would be put at risk. To quote Edward Snowden: “Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.” You don’t need to have anything to hide to be opposed to the idea of government surveillance.

It has been argued that privacy is a First World privilege. India is plagued by problems of poverty and deprivation and issues of privacy are ‘elitist’. Do you agree?

This is not just a rich man’s problem; financial fraud through data breaches could affect the lives of anyone– in fact it would impact the middle and working class the most, as it would be harder for them than others to recover from it.

I believe that by bringing these problems to light and discussing our rights as citizens we don’t digress from issues such as poverty and deprivation. The reality is that more Indians, regardless of their socio-economic status, are now connecting to smart phones and banking services — just as the Indian government had planned with its digital inclusion program — so obviously, the scope of those susceptible to security and privacy invasions, is growing too. This can no longer be dismissed as an “elitist” problem.

(Saldanha is an assistant editor with IndiaSpend.)

Update: An earlier version of the story said that through third-party mobile application Indane, Karan Saini could access Aadhaar numbers, demographic and biometric data of several Indian residents, including details of their bank accounts, and what other services their Aadhaar numbers are linked to. Saini has since clarified that biometric data were not accessible.

We welcome feedback. Please write to respond@indiaspend.org. We reserve the right to edit responses for language and grammar.
__________________________________________________


“Liked this story? Indiaspend.org is a non-profit, and we depend on readers like you to drive our public-interest journalism efforts. Donate Rs 500; Rs 1,000, Rs 2,000.”