Archives for : UID

Aadhaar to be mandatory for open school examinations #WTFnews

Following the HRD ministry’s approval, the National Institute of Open Learning (NIOS) has decided to make Aadhaar mandatory for candidates appearing for the next exam.

The NIOS has decided to make Aadhaar mandatory for those appearing for open school exams to ensure there are no proxy candidates appearing on others’ behalf.

New Delhi: Aadhaar will now be mandatory for those appearing for open school exams to ensure there are no proxy candidates appearing on others’ behalf.

Following approval from the human resource development (HRD) ministry, the National Institute of Open Learning (NIOS) has decided to make Aadhaar mandatory for candidates appearing for the next examination, a senior NIOS official said.

“During the exams held in March, the inspection teams had found proxy candidates who were appearing on other students’ behalf. To check this practice, Aadhaar has been made mandatory.

“There will also be scanner machines at examination centres and only those students whose thumb prints match with the existing data be allowed to give exams,” the official said.

NIOS, which was set up in 1989, is providing a number of vocational, life enrichment and community-oriented courses besides general and academic courses at secondary and senior secondary levels.

It also offers elementary-level courses through its open basic education (OBE) programmes.

The NIOS has also decided that those schools where CCTV facility is not available will not be made examination centres.

“This has been decided to ensure that videography of the entire examination process is possible and the footage can be checked in future if need be,” the official added.

http://www.livemint.com/Politics/yDQBFHfwpxpihAOGZs9aYJ/Aadhaar-to-be-mandatory-for-open-school-examinations.html


How will Abhinav case proceed against a “Zero Loss” claim?

Deccan Herald reports that the Abhinav Srivastava case may result only in a fine and not in imprisonment, as per sources inside the Police. It says “IITian may walk free as he only developed ‘innocuous app’”, making everyone sit up and wonder what is happening.

If this is true, then did all the media make a hue and cry about nothing? Or is it possible that there is some confusion within the Police circles themselves about how to proceed with the case?

For the time being I rule out the possibility of media being used by the Police to plant stories so that some information can be elicited from public which can make it possible for them to correct the mistakes in the way the complaint is being handled at present. This is a strategy often used by Police in other criminal investigations.

Probably the media is also confused about the nature of the incident: whether it is a crime at all; if so, whether it is a civil wrong or a criminal offence; whether the Adjudicator or the Police should lead the investigation; etc.

We accessed a copy of the FIR filed by the High Grounds Police Station. This was dated 26/07/2017 and records crime number 0130/2017. It is based on a complaint filed by one Mr Ashok Lenin, whose address is given as the address of UIDAI at Khanija Bhavan, Race Course Road, Bangalore.

The details given of the complaint in the FIR are sketchy and indicate in summary that

“one Mr Abhinav Srivastava using a company by name Qarth Technologies Private Limited created a Playstore App and through it misused the information in Adhaar website and was giving it out as e-kyc in association with some unknown person and thereby is creating leakage of Adhaar data.”

The FIR was registered under Sec 65/66 of ITA 2000 and Sections 34, 120B, 471 and 468 of IPC. While the complainant seems to have indicated that Sections 37 and 38 of the Aadhar Act have been contravened, the FIR itself does not include these sections. The FIR has been submitted at the 8th Addl CMM Court, Nrupathunga Road, Bangalore.

However, after this was published on the website of naavi.org, information was received that this FIR is no longer valid, since a new FIR has been filed by the Cyber Crime PS after the case was transferred to them. Since the ksp.gov.in website does not list the Cyber Crime Police Station and its FIRs, the new FIR filed by the Cyber Crime PS is presently not available with us. We can neither confirm nor deny whether the new FIR exists and, if so, whether any change has been made to the FIR of High Ground PS or will be made in future after another round of investigation.

While investigations will be continued by the Cyber Crime PS and appropriate action will be initiated, from the academic perspective some points come for discussion.

The complaint was filed by a person who is an official of UIDAI. According to the Aadhar Act, complaints under the Act can only be taken note of if filed by UIDAI or by an official under its authority. The FIR does not indicate that the complaint was made by Mr Lenin along with a letter of authority signed by the CEO of UIDAI. So whether it was a personal complaint or a complaint under the Aadhar Act needs to be ascertained. Probably a letter from UIDAI either by the CEO or through a resolution of the Board is required to be filed by who so ever signs the complaint and submits it to the Police. Without this, the FIR/Chargesheet could be considered invalid.

Further UIDAI has made a public statement by the CEO, Ajay Bhushan Pandey himself stating

“No one could get data of any other person through this app. Even though residents were downloading their own demographic data such as name, address etc., yet legal actions were initiated against the owner of the app since it was not authorised to provide such services to people and such acts are criminal offence punishable action as per Aadhaar Act, 2016. It is further reiterated that data of not even a single non-consenting resident has been given by UIDAI through this app.”

Once UIDAI confirmed that there was “no unauthorized data access”, it was clear that the foundation of the complaint itself had become hollow. From the revelations made by Mr Abhinav Srivastava, it was clear that the App would access other websites where there was no restriction on accessing the “Appointment Request through e-hospital app” and place a request along with the Adhar number. This would generate an OTP to the Aadhar owner and once provided, some demographic data would get displayed on the website which can be parsed, filtered and presented in a user friendly format.

The App was actually being used by the Adhar owner himself and hence it was an authorized Aadhar user who was actually using a tool developed by Mr Abhinav and downloading his own data instead of going to the Aadhar website himself and downloading the information.

(P.S:This is based on the information now available unless Police unearth any other way Mr Abhinav was collecting the data for use at his end)

In this process, it was clear that the very basis of the complaint, that there was “Unauthorized Access”, was perhaps incorrect. Hence the complaint was filed on a wrong understanding of what had happened. Because the complaint had been made by UIDAI, it was immediately acted upon by the Police. While registration of the complaint was fine, the need for actioning an immediate arrest and including clauses from IPC such as 468 and 471 was perhaps unwarranted. An FIR under Section 66 of ITA 2000/8 with bail in the station would have been a reasonable response from the Police if they had not been pushed by some panic-stricken UIDAI official into believing that some national calamity had happened.

Now we understand that the total commercial benefit that the person gained was around Rs 40000/- from advertisements running on the App and not from selling of unauthorizedly accessed data. This also is insignificant for any serious commercial gain case to be made out.

The Complaint said “Some unknown person” collaborated with Mr Abhinav. But where was this “Unknown person”? Is it the Hospital? Is it the NIC? Is it the Google Ad supplier? Or is it the persons who downloaded the App? Or is it the company Qarth Technologies, which is a subsidiary of Ola Cabs (ANI Technologies Ltd)? It appeared that this “Unknown Person” was added only to ensure that Section 120B could be added and a “Conspiracy” could be brought in.

When the case was transferred to Cyber Crime Police Station, we can expect that they identified that the FIR was not properly filed and without the case being also filed on the e-Hospital website and/or NIC as the e-Hospital platform owner, the complaint only against Abhinav would be difficult to sustain. They also would have pointed out that if UIDAI maintains that “There is no data loss, No data Breach” etc., then the Courts may frown at the Police for registering a Case against a “Zero Loss” incident.

It is also necessary to note that information was available in the public domain through an article on www.naavi.org, which was reasonable notice of such an incident occurring several months ago. This article was titled “Online Registration System for Indian Hospitals.. No Privacy Policy?” and was published on 4th November 2016. On the same day, I had sent an e-mail to [email protected] and [email protected] drawing their attention to the article and expecting them to check with their Information Security department on the issues raised. The article focussed on the lack of a “Privacy Policy”, but any Information Security professional in, say, NIC would have understood that the application enables dispensation of aadhar information without the information seeker committing himself to any terms of use or NIMHANS protecting itself with a privacy policy/privacy statement.

Though everybody in the information security loop had notice through this published article nearly 9 months ago, nobody seems to have had the intelligence to recognize that there was a vulnerability in the system which could create a risk.

If the Police now try to pursue the case, there will definitely be a question of the role of “Lack of Due Diligence” by the Hospital site/s which were accessed by the Abhinav App and in the absence of any “Terms of use” how it can be considered as a criminal offence that Mr Abhinav created an app to help the Aadhar owner to access their personal data through the use of these websites.

We can question that Mr Abhinav was also not aware of Cyber Law Compliance as otherwise he should have sensed that he should have sought some kind of permission to use the hospital app for a purpose other than seeking an appointment for which it was primarily meant.

But if the hospitals as organizations, NIC as an institution and UIDAI as a National Critical Infrastructure, with the nation’s best security officials in their roles, did not recognize any threat, nor had the system to monitor such articles, which can be accessed simply with a Google alert on the name of UIDAI or e-Hospital or NIMHANS etc., then how can an individual like Abhinav be expected to be more resourceful? That could be his defense.

If the Police pursue their case against the intermediaries such as the hospitals and NIC and ask them questions on “Lack of Due Diligence” or “Negligence”, there will be embarrassment for these organizations. At the same time, without UIDAI admitting that there was some kind of a breach, it is difficult to question any downstream user, including NIC, the Hospitals or Abhinav.

If the Police try to pursue the case only against Abhinav and do not open the Pandora’s box of “Due Diligence by Intermediaries”, then obviously there will be a charge of unfair targeting of the individual in a discriminatory manner, which would be an embarrassment for the Police itself.

If the case needs to be pursued, therefore, UIDAI should first admit that there has been a “Security Breach”, with or without a “Data Breach”.

If not, they should withdraw their complaint, and a fresh complaint has to be filed by all the hospitals whose platforms were used by the Abhinav App on different occasions, stating that their platform was not meant for the public to use as an aadhar information extraction device, even for their own data. But then they will have to answer why they could not say so on their websites in the form of terms of use or a privacy policy document. Will they admit that all these organizations do not know the basics of the Section 79 requirement of ITA 2000? Their pride will not allow them to admit it.

Hence they may not be interested in filing a complaint.

If UIDAI withdraws its complaint and nobody else is prepared to register a complaint, what action can the Police take?… They also would perhaps not be interested in inventing some reason to keep the case going, since at some point of time in future it may anyway be dismissed by some Court, perhaps with strictures.

In the light of the above, I am not surprised at the indication in the Deccan Herald report that the complaint would be reduced to a non-criminal violation. Maybe it will be diluted further, or even dropped altogether.

We need to wait and watch…

Naavi

https://www.naavi.org/


Use Aadhaar to check entry of non-Hindus at garbas: Hindu body

The Hindu Utsav Samiti (HUS) put forward its demand at a peace committee meeting called by the district administration ahead of the festival.

Written by Milind Ghatwai | Bhopal


ALLEGING THAT non-Hindus participate in garbas with the intention to “entice” girls, the Hindu Utsav Samiti (HUS) has said that entry should be restricted to only Hindu men, and their identities should be confirmed through their Aadhaar cards.

Admitting that this is an attempt to keep Muslim participants away, HUS president Kailash Begwani said: “It’s not easy to make a fake Aadhaar card, unlike other documents like voter identity cards. The moment one furnishes his Aadhaar card, there will be no doubt about his identity.”

“We get several complaints after the festival is over about exploitation of Hindu girls by those belonging to other religions. They befriend Hindu girls during practice sessions, and then entice them during the festival,’’ said Begwani.

The HUS put forward its demand at a peace committee meeting called by the district administration ahead of the festival. The district administration, however, did not give the HUS any guarantee in this regard. Till a few decades ago, the HUS, which has over 6,000 members, used to organise nearly all the big Hindu festivals. While it does not organise garbas, it is still involved in other festivals like Holi and Dussehra.

The samiti also submitted a memorandum demanding that meat and liquor shops should be closed during Ganeshotsava and the Jain community’s Paryushan Parva, and strict action should be taken against those transporting meat illegally.

However, the samiti’s demand to restrict the size of Ganesh idols to nine feet was rejected by festival organisers. The samiti said that organisers who want taller idols should be made to sign bonds, taking full responsibility if something goes wrong during processions. Last year, two boys were electrocuted during the event.

“We are not criminals to be made to sign a bond. There are many processions other than the one taken out by HUS,’’ said peace committee member and zanki committee president Pramod Nema.

http://indianexpress.com/article/india/use-aadhaar-to-check-entry-of-non-hindus-at-garbas-hindu-body/


India – What is data colonisation and why it matters to us

Colonising a country no longer requires its physical invasion with military strength

Colony (n) is a country or area under the full or partial political control of another country and occupied by settlers from that country.

Colonisation (n) is a process by which a central system of power dominates the surrounding land and its components.


By those definitions, neither India nor any region of it is a colony of a dominant society, community or country anymore. However, India and its population is no longer a nation that is defined by its physical presence alone either. We are all living our lives within the geographical boundaries of India and within the virtual boundaries of Facebook, Twitter, Instagram, Google, Airbnb, Uber, and hundreds of other mobile apps.
Our lives today are as much about our physical being as they are about our data. The only difference is that while we are conscious of our physical lives, we are seldom aware of how our data is being used by its custodians, which may not necessarily be a government but could very well be a multinational company based in a developed country.


When an individual lives within the territorial boundaries of a country, the latter is expected to safeguard the former’s identity, information, and privacy. However, who guarantees the same when lives (and their data) are no longer restricted to geographical boundaries but co-exist at multiple virtual locations in a ‘connected world’? More importantly, how much control do they have over their identity and data? As more and more individuals go online and more and more information is turned digital, a strong race to compete for the ownership of data will be visible, if traces of it are not visible already. And the strength of the “coloniser” would be judged by the vastness of the data “colonised”.


Let’s take the example of one popular social networking site. Although it is not a country, the American company holds data, including personal and private information, of more than 150 million Indians. In this sense, India could very well be a colony of the popular social networking site, which not only holds our personal information but also tracks our daily routine, habits, behaviour, and communication. This extent of information about 150 million Indians is enough to help the social networking giant influence decisions, both democratic and consumerist, taken by individuals. All this is already visible today. The company is influencing individual choices when it comes to what product they buy next or which party they will vote for.


So, it does not come as a surprise that five of the top 10 companies of the world, in terms of market share, are US tech giants. Further, all these companies are investing heavily in artificial intelligence, internet of things, and cloud computing. From your cars and weighing machines to mobile phones and wrist watches, almost every tech-enabled device or gadget we use is collecting massive amounts of data. In fact, technology is driving growth in almost every sector. Earlier this year, the Economist rightly said, “Data are to this century what oil was to the last one: a driver of growth and change. Flows of data have created new infrastructure, new businesses, new monopolies, new politics and—crucially—new economics.” Governments in various parts of the world are already fighting battles with tech giants for fear of losing sovereignty over their people or jeopardising their security.


Let’s not forget that be it the British, Dutch, French, Portuguese or Spanish, they all initially entered the countries that they later colonised to do business. It was only gradually that they extended their business interests and started intervening in governance, eventually taking complete control over the countries.


Colonising a country no longer requires its physical invasion with military strength but can simply be done by controlling activities through networks and databases with a single click.


The use of the internet has increased exponentially in the last decade, exposing individuals to thousands of benefits of a connected world, from faster communication to easier access to services. When we give our data to Maps, we know we’re giving our private information in exchange for a traffic-free route to our destination — and we do this without thinking about how our personal data may be used by the service provider.


Let’s take the example of Aadhaar now. It is one of the largest databases of information about individuals and it is not restricted to data of connected people but extends beyond to those who are not connected, are poor, and are illiterate. There is a huge potential for this information being used to catch people in a virtual captivity.


Today our data is controlled as much by the Indian government as it is by multinational corporations. This dominance of data online is increasing the hegemony of multinational corporations over individuals all around the world. Gradually, borders will not decide control over people or their nationality. Instead, control over data will. The future of control over humanity will be decided by who owns how much of our data.


Therefore, I completely agree with Infosys Co-Founder Nandan Nilekani when he says, “Time is running out and India needs to take a strategic view on data colonisation, privacy, and data dominance, it is a policy issue and not a technology issue that needs to be addressed soon.”
http://www.business-standard.com/article/economy-policy/who-owns-your-data-india-needs-to-tackle-data-colonisation-soon-117081700234_1.html


Activists, Scholars’ Respond to various issues raised by Dr. Ajay Bhushan Pandey, CEO UIDAI


In response to the press conference, the media reported Dr. Ajay Bhushan Pandey, CEO UIDAI, as saying that our findings “arise from a skewed approach” and “misinterpretations”. Further, it was reported that according to him, “to claim that Aadhaar is responsible for denial is a misconstrued fact presented with malafide intent”.

Dr. Ajay Bhushan Pandey
CEO
UIDAI

Dear Dr. Pandey,
We are a group of activists who have been working for many years with socially and economically
marginalized communities in rural and urban India. We write to you with reference to the comments made
by you, as reported in the media, in response to a press conference organized in Delhi by Satark Nagrik
Sangathan, Mazdoor Kisan Shakti Sangathan, Right to Food Campaign and Delhi Rozi Roti Adhikar
Abhiyan on the 8th of August 2017.

At the press conference, the following documentation and evidence was presented:
1. Information obtained under the RTI Act which showed that there was no official data to corroborate the
Prime Minister’s statement made in the Lok Sabha on February 7, 2017 that nearly 4 crore bogus ration
cards had been detected through use of technology and Aadhaar.
2. Statistics indicating that as of July 2017, only 67% of NFSA ration card holders in Rajasthan (identified
by Government and seeded with Aadhaar) were able to procure their rations from the PDS outlets. The
figures discussed (33% exclusion) were from the Food Department website of Government of Rajasthan.
3. Interim findings from a field study conducted by IIT Delhi in collaboration with Ranchi University
indicating continued quantity fraud, higher transaction costs and hardship as well as outright exclusion of
the most vulnerable since the introduction of Aadhaar-Based Biometric Authentication (ABBA) in the
PDS in Jharkhand.
4. Testimonies of people from Delhi, including homeless people, some of whom have also filed affidavits
in the Delhi High Court, explaining the different ways in which they have been unable to access ration
entitlements since Aadhaar was made mandatory for obtaining a ration card in Delhi.
On the 10th of August 2017, the media (Times of India and syndicated feed from PTI) quoted you as
saying that our findings “arise from a skewed approach” and “misinterpretations”. Further, the report
states that according to you, “to claim that Aadhaar is responsible for denial is a misconstrued fact
presented with malafide intent”.
We were surprised and distressed to read these comments for many reasons: Some of us belong to
organisations and networks who have been working for peoples’ empowerment for decades. We have
carefully watched Aadhaar and its impact on the ground as it has been rolled out. Had Aadhaar in fact
been a means of inclusion, empowerment, anti-corruption and efficiency in delivering entitlements to the
poor and marginalized, we would have had no hesitation in presenting what we saw, and congratulating
the government for its success. However, what we have seen is that as a result of the multiple government
directions making Aadhaar mandatory for accessing rights and entitlements, countless numbers of people
have been put through great distress to access their entitlements. We see it as our duty to put this
information in the public domain, and hope that Government officials, such as yourself, would take
cognizance and try and immediately find a remedy.
Unfortunately, you have been reported as questioning our presentation, and as having stated, that we have
“malafide intent”. We would like to know what you base your comments upon, including having
determined the malafide nature of our intent.
The suffering caused to people due to mandatory Aadhaar linking and biometric authentication can be
witnessed across the country. However, we confined ourselves to Delhi, Rajasthan, and Jharkhand,
because this was information backed by official statistics and/or detailed enquiry and testimonies. We
would like to point out that in an ongoing matter before the Delhi High Court, scores of affidavits have
been filed by people documenting how either they themselves or members of their family have been
excluded from the National Food Security Act as they did not possess Aadhaar at the time when ration
cards were being made.
The data available on the website of the Department of Food, Rajasthan shows that since September 2016,
when Aadhaar based biometric authentication was made mandatory in the state, 25 to 33 per cent of
ration card holders are not getting their rations. That amounts to more than 25 lakh families, or more than
a crore of the most vulnerable people (http://food.raj.nic.in/). Similarly, according to publicly available
data on the state food department website of Jharkhand (http://aahar.jharkhand.gov.in/), a substantial
proportion of households in the state are not getting their monthly grain entitlements since Aadhaar based
biometric authentication was introduced in the PDS – even 10% exclusion would mean 25 lakh people. It
is distressing to note that despite such large scale exclusions of the poor and marginalised, the government
has not been able to explain the reasons why these people have been unable to access their ration
entitlements and has not taken adequate steps to remedy the problems.
Despite official government data and evidence from the ground to the contrary, we are surprised to note
that the report quotes you as saying, “Aadhaar is a technology of people’s empowerment and not a tool of
exclusion or denial as claimed by some activists”. All the points put forth at the press conference were
backed by evidence which is publicly available, and have been shared by us through multiple platforms
and fora. As you know, the Supreme Court has repeatedly stated that Aadhaar cannot be made mandatory
for availing services. The Rajasthan High Court also passed an order that no beneficiary could be denied
rations due to Aadhaar. We regret that the Government continues to audaciously violate the orders of the
Courts. In addition, it is disturbing that instead of resolving to take corrective action on account of
exclusion caused due to Aadhaar linking and biometric authentication, the Government and the UIDAI are
focusing their energies on denial and escaping from dealing with redressing the core issues.
The report quotes you as saying that Aadhaar “has never claimed to be a panacea for all ills and
dishonesty or acts of unscrupulous elements”. In fact, we have, for the last several years, been pointing
out that Aadhaar cannot help address problems of quantity fraud, quality fraud and overcharging, which
form the bulk of the corruption in the PDS. Such corruption can only be addressed if there are proper
mechanisms of transparency, accountability and grievance redress which in real terms empower people to
report problems in accessing their entitlements and getting redress in a time-bound manner. Grievance
redress mechanisms, if any exist, remain completely ineffective, an issue on which the Supreme Court
also recently expressed its disappointment and summoned chief secretaries of various states.
Further, as per the media report you said, “if a person is denied because he does not have Aadhaar or he
is unable to biometrically authenticate, it is undisputedly a violation of instructions issued by the
government and such violators have to be punished”. Even people like us do not know where to go, and
have little knowledge of any such punishment that might have been ordered and carried out. We would
like to request you to make public a copy of all such instructions issued by the government, especially in
the context of Delhi, Jharkhand and Rajasthan, including the punishment that violators are liable to face.
Also, kindly put the list of violators who have been punished in the last 3 years in the public domain. The
information being requested for is mandated to be put out in the public domain by UIDAI as a public
authority as per Section 4 of the Right to Information Act. With this letter we are enclosing a copy of the
RTI application we have filed in this regard.
We would urge the UIDAI and Government of India to organize a platform for public discussion where
evidence on the impact of biometric authentication and use of Aadhaar in the delivery of public services
can be presented in the public domain. We would appreciate if you would also invite us to the public
discussion so that we could present our findings. In any case, we would like to organize a public dialogue,
which we would like to request you to attend. If you agree, we will fix a mutually convenient time and
place.
Thank you
Best wishes and regards,
Anjali Bhardwaj, Nikhil Dey, Dipa Sinha & Amrita Johri


Latest Aadhaar leak exposes security flaws in app developed by NIC

In recent months, websites maintained by NIC have inadvertently published the Aadhaar numbers and financial details of millions of citizens.

Aman Sethi and Samarth Bansal
Hindustan Times, New Delhi
Woman applying for Aadhaar card. (File Photo)

Crucial security flaws in the eHospital app developed by the National Informatics Centre (NIC) gave a Bengaluru-based software developer access to the Aadhaar numbers and personal details of thousands of citizens, officials said.

These flaws meant the Universal Identification Authority of India (UIDAI) servers were unable to distinguish between legitimate requests for Aadhaar data from NIC’s eHospital app, and unauthorised requests from “Mygov”, a free android app created by the developer, Abhinav Srivastava.

When Srivastava was arrested on July 26 this year, his app had already been downloaded 50,000 times, while the flaws he exploited had been live for two years. It is unclear if Srivastava is the only one to allegedly exploit the NIC vulnerability, but a senior NIC official admitted that it was possible.

“Some harm would happen if loopholes are exploited,” a NIC official told HT. “If someone finds a bug, they should report to NIC rather than exploit it.”

The UIDAI did not reply to requests for comment.

NIC is a government body that builds and maintains the digital networks that link every department and ministry of India’s central and state governments, and also extends Aadhaar-enabled services for numerous welfare programmes. But in recent months, websites maintained by NIC have inadvertently published the Aadhaar numbers and financial details of millions of citizens.

The eHospital app reveals in a nutshell how the headlong push to digitise government services at the cost of cybersecurity can put the personal data of citizens at risk.

“NIC is the biggest government implementer of e-governance, it is an unpardonable offence that they have made such a huge mistake,” said Dr Sandeep Shukla, head of the Computer Science department at IIT Kanpur, “NIC is incompetent but unfortunately all government activities happen through NIC.”

“eHospital was started in 2015,” said the NIC official, “People didn’t have confidence in Aadhaar…so the idea was to demonstrate the power of Aadhaar.”

The app uses UIDAI’s ‘know your customer’, or eKYC, service to let patients book appointments at government hospitals. As eHospital was designed for use in rural areas with poor connectivity, the official said, NIC prioritised performance over security.

When security experts analysed eHospital, they found two flaws. First, the app did not encrypt its communication with NIC’s servers, so anyone on the network path could read the requests. Second, the password the app used to authenticate itself to NIC’s servers was hardcoded in the application, so anyone who decompiled it could read it out.
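A static check for the two defects the analysts describe (cleartext transport and a gateway credential shipped inside the client), as an added example; it is not the analysts’ tooling and not any NIC code. The “decompiled” lines it scans are constructed for illustration, and the hostnames, the credential value and the Basic header are invented placeholders.

```python
"""Static scan of a decompiled client for the two eHospital-class defects:
cleartext transport and a gateway credential shipped inside the app."""
import base64
import binascii
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample of what a reviewer sees after decompiling a client APK:
# a manifest fragment, a constants class and one network call. Not eHospital's
# real code; hostnames and the credential are invented placeholders. The Basic
# header is derived from the placeholder credential so the sample stays
# self-consistent.
SAMPLE_USER = "ehospital_app"
SAMPLE_PASSWORD = "S3cretGatewayPass"
SAMPLE_BASIC_TOKEN = base64.b64encode(f"{SAMPLE_USER}:{SAMPLE_PASSWORD}".encode()).decode()

SAMPLE_DECOMPILED = [
    '<application android:usesCleartextTraffic="true">',
    'public static final String BASE_URL = "http://ekyc-gateway.example.invalid/api/";',
    f'public static final String GATEWAY_USER = "{SAMPLE_USER}";',
    f'public static final String GATEWAY_PASSWORD = "{SAMPLE_PASSWORD}";',
    f'conn.setRequestProperty("Authorization", "Basic {SAMPLE_BASIC_TOKEN}");',
    'String statusUrl = "https://status.example.invalid/ping";',
]

CLEARTEXT_FLAG = re.compile(r'usesCleartextTraffic\s*=\s*"true"')
CLEARTEXT_URL = re.compile(r'"(http://[^"\s]+)"')
CREDENTIAL_ASSIGN = re.compile(
    r'\b(\w*(?:password|passwd|secret|api_?key|token)\w*)\s*=\s*"([^"]+)"', re.IGNORECASE)
BASIC_AUTH = re.compile(r'"Basic\s+([A-Za-z0-9+/=]+)"')


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    detail: str


def mask(secret: str) -> str:
    """Show just enough to identify the value in a report without reprinting it."""
    return secret[:2] + "***"


def decode_basic(token: str):
    """Basic auth is base64, not encryption: recover (user, password), or None."""
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def scan(lines):
    """Return every finding, in source order, for the given decompiled lines."""
    findings = []
    for n, line in enumerate(lines, 1):
        if CLEARTEXT_FLAG.search(line):
            findings.append(Finding(n, "cleartext_allowed",
                                    "manifest permits plaintext HTTP for the whole app"))
        for m in CLEARTEXT_URL.finditer(line):
            findings.append(Finding(n, "cleartext_endpoint", m.group(1)))
        for m in CREDENTIAL_ASSIGN.finditer(line):
            findings.append(Finding(n, "hardcoded_credential", f"{m.group(1)} = {mask(m.group(2))}"))
        for m in BASIC_AUTH.finditer(line):
            creds = decode_basic(m.group(1))
            detail = (f"user={creds[0]} password={mask(creds[1])}" if creds
                      else "Basic token that does not decode to user:password")
            findings.append(Finding(n, "embedded_basic_auth", detail))
    return findings


def summarize(findings):
    """Count findings per kind; an empty dict means the scan found nothing."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    for f in scan(SAMPLE_DECOMPILED):
        print(f"line {f.line_no}: {f.kind}: {f.detail}")
```

Two things the output makes concrete: a Basic header is only base64, so putting the password inside it hides nothing from anyone who has the APK or can read the plaintext request, and on recent Android releases the manifest flag is what permits the http:// endpoint to be used at all. Either finding on its own means the gateway credential is effectively public.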

“This meant anyone could figure out the password and use NIC servers to get information from UIDAI,” explained Anivar Aravind, a technology consultant who has analysed the code, “The UIDAI servers would assume that the request is coming from NIC and would provide the information.”

In effect, Srivastava could build a replica of eHospital and NIC’s own servers could not tell the difference. And as UIDAI trusts agencies like NIC to act as gatekeepers, it released personal data of citizens on request. As Srivastava controlled the app, he could record the eKYC data of everyone who used his app.

“The problem is we are creating a huge ecosystem,” said Shukla, the IIT professor, explaining that such problems are likely to multiply as private and government agencies offer more Aadhaar-enabled services. “UIDAI authorities have created core security and encryption mechanism very well, but as you go outwards into the ecosystem, your control over those entities starts loosening.”

http://www.hindustantimes.com/india-news/latest-aadhaar-leak-exposes-security-flaws-in-app-developed-by-nic/story-aOIrolw9SOvgoZdaXFB5ZP.html


Resisting coercion to link Aadhaar to mobile and bank accounts #mustshare

Resisting linking your mobile or your bank account to Aadhaar is not just about rejecting Aadhaar, it is about your safety and protecting national interest
The orders of the Supreme Court of India
On 23 September 2013 the Supreme Court ordered that “no person should suffer for not getting the Aadhaar card inspite of the fact that some authority had issued a circular making it mandatory and when any person applies to get the Aadhaar Card voluntarily”. On 24 March 2014, the apex court had reiterated that “no person shall be deprived of any service for want of Aadhaar number in case he/she is otherwise eligible/entitled. All the authorities are directed to modify their forms/circulars/likes so as to not compulsorily require the Aadhaar number in order to meet the requirement of the interim order passed by this Court forthwith”.
In its order of 11 August 2015, the SC ordered that Aadhaar may not be used for any purpose other than the PDS Scheme, for the distribution of foodgrains, and cooking fuel, such as kerosene and LPG. This was extended to allow its use for the Mahatma Gandhi National Rural Employment Guarantee Scheme (MGNREGS), National Social Assistance Programme (Old Age Pensions, Widow Pensions, Disability Pensions), Prime Minister’s Jan Dhan Yojana (PMJDY) and Employees’ Provident Fund Organisation (EPFO) in its orders of 15 October 2015. The court also stated that the information about an individual obtained by the Unique Identification Authority of India (UIDAI) while issuing an Aadhaar card shall not be used for any other purpose.
In its orders of 15 October 2015 passed by a five-member bench headed by the then Chief Justice the Supreme Court emphasised that, “We impress upon the Union of India that it shall strictly follow all the earlier orders passed by this Court commencing from 23 September 2013. We will also make it clear that the Aadhaar card Scheme is purely voluntary and it cannot be made mandatory till the matter is finally decided by this Court one way or the other”.
On 14 September 2016, in the matter of WP 686 of 2016, the apex court stayed the operation and implementation of the Pre-Matric Scholarship Scheme, Post-Matric Scholarship Scheme and Merit-cum-Means Scholarship Scheme to the extent they had made submission of Aadhaar mandatory.
The orders of government authorities mandating Aadhaar
In blatant contempt of the Supreme Court of India and in disrespect for the rule of law, the Telecom Regulatory Authority of India (TRAI) on 20 January 2017 issued a letter to the Department of Telecommunications (DoT) asking for the linkage of an Aadhaar number to each mobile number. On 1 June 2017, the Ministry of Finance issued a notification mandating the linkage of all bank accounts with Aadhaar numbers before 31 December 2017, failing which they shall be frozen. This is despite the fact that the Reserve Bank of India (RBI) had repeatedly indicated that Aadhaar is not an acceptable KYC under international banking practices, as at best it is a third-party identification, not acceptable in banking. The RBI had maintained that the use of the Aadhaar number was in conflict with the Prevention of Money Laundering Act (PMLA), the Basel Standards for maintaining customer information and its own extant guidelines.
Furthermore, section 29 and section 8 of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act 2016 prohibit the linkage, retention, storing and publishing of the Aadhaar number. Any requirement to link the Aadhaar number with any other database, service or right is therefore illegal under the Aadhaar Act, the orders of the Supreme Court, national interests and the interests of the citizens of India.
At least a dozen petitions, including several contempt petitions, remain unheard by the Supreme Court and are expected to be heard once the nine-member bench decides on whether Indians have a fundamental right to privacy. Irrespective of the hearing or its outcomes, it is evident that the linkage of Aadhaar is neither legal nor does it serve any national interest. It is also widely established that, apart from being exclusionary, it makes individuals vulnerable to identity fraud and the nation to crime and anti-national interests.
Most service providers express helplessness as they force customers: they, in turn, receive orders over “phone-calls” and are made to give explanations for non-linkage of Aadhaar. They need the consumer to join the resistance to this blatant disrespect of the law in order to be able to protect the country and its citizens from the Aadhaar Frankenstein.
What can you do? 
Here are draft notices, modified from a previous letter used by thousands across the country, you could use to refuse to link Aadhaar to your mobile or with your bank account. Edit appropriately, use and share widely.
Notice to your mobile service provider/bank:
Name/Address of concerned mobile service provider/bank that is forcing for linkage of Aadhaar number
Dear Sir/Madam,
Subject: Contempt of Rule of Law and the orders of the Supreme Court of India
As per the Supreme Court order dated 15 October 2015, Aadhaar cannot be made mandatory for the purposes of linking to mobile phones/bank accounts. As Supreme Court orders take precedence over Acts of Parliament in the hierarchy of law, I am not compelled to obtain or link an Aadhaar to avail of mobile or banking services. Furthermore, the use of Aadhaar for linking to other databases, retention, storage or publishing is not only prohibited but also a punishable offence under the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act 2016.
I request you kindly accept to continue my mobile/ banking services uninterrupted and acknowledge receipt of this letter.
Furthermore, I would like to bring to your attention the following:
1. Aadhaar is not a verified or audited database, neither the UIDAI nor any other government authority certify it as a proof of identity, address, resident status or even the existence of any person.
2. The linkage of Aadhaar to mobiles/bank accounts will result in the innocent losing money, reputation and access to justice, dignity and livelihood, as their Aadhaar numbers can act as mules for obtaining SIMs, opening bank accounts and facilitating money laundering. Their subsidy and other Aadhaar-enabled payments can be easily compromised. Their access to their own bank accounts may be denied, or they can be framed for economic offences. Helpless citizens and businesses may also find themselves at the receiving end of covert human rights violations as even their access to money and existence is disabled by deactivation or blocking of Aadhaar, leaving no recourse to survival.
3. Linking Aadhaar to mobiles/bank accounts or PAN converts India into the new tax haven for money launderers as it becomes easy to remotely create benami accounts and operate benami transactions while claiming complete legitimacy. This will destroy India’s economy and governance.
4. Financing crime and terrorism will grow uncontrollably as it becomes increasingly difficult to discover, report or close down such operations. This will make it impossible to ensure national security as the rule of law is destroyed.
5. Corruption will increase as it becomes easier when proceeds will not be traceable to the corrupt. It will be increasingly difficult to restore swarajya and impossible to ensure surajya.
6. Banks will not be able to contain non-performing-assets, fraud and financial misappropriation as the real users of banking services will be untraceable. The economy will be completely out of control as the black and white economies become indistinguishable.
In light of these facts, and to ensure that you do not get embroiled in needless controversy and criminality, I request that you kindly take up the matter with the highest offices of the Government of India and not proceed further with Aadhaar-mobile/bank linking.
We trust you will not cause me, or anyone, suffering for not linking the Aadhaar in spite of the fact that some authority had issued a circular making it mandatory. We urge you to publish widely your decision to abide by the orders of the Supreme Court, the Aadhaar Act, the national interest and the interest of the citizens of India. We trust your commitment to abide by the rule of law will not require us to seek other remedies and relief or cause any failures to respect the rule of law.
Sincerely yours,
CC 
 
 
Notice to the UIDAI: 
 
Here is a draft notice of contempt you should also send to the UIDAI, along with copies of the relevant orders of the Supreme Court.
 
Dr AB Pandey
Chief Executive Officer (CEO),
Unique Identification Authority of India -UIDAI
3rd Floor, Tower II, Jeevan Bharati Building,
Connaught Circus,
New Delhi – 110001
 
Subject: Contempt of Rule of Law and the orders of the Supreme Court of India
 
On 23rd September 2013 the Supreme Court ordered that “no person should suffer for not getting the Adhaar card inspite of the fact that some authority had issued a circular making it mandatory and when any person applies to get the Aadhaar Card voluntarily”. On 24th March 2014 the court had reiterated that “no person shall be deprived of any service for want of Aadhaar number in case he/she is otherwise eligible/entitled. All the authorities are directed to modify their forms/circulars/likes so as to not compulsorily require the Aadhaar number in order to meet the requirement of the interim order passed by this Court forthwith”.
 
In its order of 11th August 2015, the court ordered that Aadhaar may not be used for any purpose other than the PDS Scheme, for the distribution of foodgrains, and cooking fuel, such as kerosene and LPG. This was extended to allow its use for the Mahatma Gandhi National Rural Employment Guarantee Scheme (MGNREGS), National Social Assistance Programme (Old Age Pensions, Widow Pensions, Disability Pensions), Prime Minister’s Jan Dhan Yojana (PMJDY) and Employees’ Provident Fund Organisation (EPFO) in its orders of 15th October 2015. The court also stated that the information about an individual obtained by the Unique Identification Authority of India while issuing an Aadhaar card shall not be used for any other purpose.
 
In its orders of 15th October 2015 passed by a 5 member bench headed by the then Chief Justice the court emphasised that, “We impress upon the Union of India that it shall strictly follow all the earlier orders passed by this Court commencing from 23.09.2013. We will also make it clear that the Aadhaar card Scheme is purely voluntary and it cannot be made mandatory till the matter is finally decided by this Court one way or the other”.
 
On 14th September 2016, in the matter of WP 686 of 2016, the court stayed the operation and implementation of the Pre-Matric Scholarship Scheme, Post-Matric Scholarship Scheme and Merit-cum-Means Scholarship Scheme to the extent they had made submission of Aadhaar mandatory.
 
Despite this, in complete contempt of the Supreme Court of India and in blatant disrespect of the rule of law, you have been allowing access to UID numbers for uses beyond those permitted by the court or allowed under the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act 2016.
 
We require that you:
 
1. Immediately cease providing any authentication and/or KYC or support and use of the Aadhaar number for purposes other than those permitted by the Supreme Court of India.  
2. Cease to provide any Aadhaar authentication or KYC to any organisation mandating or requiring the use of Aadhaar number beyond the permitted purposes.  
3. Issue notifications and wide publicity in the electronic and print media, including radio and television networks, as required by the orders of the Hon’ble Supreme Court dated August 16, 2016, to make it clear that you will not
A. Provide authentication and KYC services beyond those permitted by the Supreme Court, or
B. Cause or allow any agencies to cause anyone to require registering for an Aadhaar number, or
C. Allow anyone to suffer for want of an Aadhaar number.
 
We trust you will share your compliance of the orders within 7 days, publish widely your decision to abide by the orders of the Supreme Court and not cause us further suffering or require us to seek other remedies and relief for any continued contempt of the Supreme Court of India and failure to respect the rule of law. 
 
Sincerely yours,
 
CC: 
 
1. Shri Nripendra Mishra, Principal Secretary to Prime Minister, 152, South Block, Raisina Hill, New Delhi-110011
 
2. Chief Justice of India, ℅ Chief Justice’s Conference Secretariat, Supreme Court of India, Tilak Marg, New Delhi-110 201
 
3. You can tweet it to the CEO of UIDAI at @ceo_uidai and to @UIDAI with #Contempt
 
4. You can send emails to UIDAI’s Chairman at [email protected], CEO UIDAI at [email protected] and OSD to CEO at [email protected]
 
While there is talk about digitisation, it is better if you can send these complaints through registered post. This will help you get an acknowledgement and you can also file an application under the Right to Information (RTI) Act to know progress of your complaint. 
 
 
Please ask others who face the same situation as you to complain. Do please tweet your complaints with #UIDContempt.
 
 
Notice to the Governor RBI:
Do use the template below to write to the Governor of the Reserve Bank of India.
 
The Governor,
Reserve Bank of India
Main Building
Shahid Bhagat Singh Marg
Mumbai – 400 001
 
Dear Dr. Urjit Patel,
 
Subject: Contempt of Rule of Law and the orders of the Supreme Court of India
 
The Reserve Bank had resisted the use of Aadhaar for KYC citing international banking practices and highlighting that at best it is a third party identification, not acceptable in banking. The RBI had maintained that the use of the Aadhaar number was in conflict with the Prevention of Money Laundering Act (PMLA), the Basel Standards for maintaining customer information and its own extant guidelines. We bring to your attention that file records of RBI indicate clearly the use of Aadhaar has been coercive through the Department of Revenue, Ministry of Finance.
 
On 23rd September 2013 the Supreme Court ordered that “no person should suffer for not getting the Adhaar card inspite of the fact that some authority had  issued a circular making it mandatory and when any person applies to get the Aadhaar Card voluntarily”. On 24th March 2014 the court had reiterated that “no person shall be deprived of any service for want of Aadhaar number in case he/she is otherwise eligible/entitled. All the authorities are directed to modify their forms/circulars/likes so as to not compulsorily require the Aadhaar number in order to meet the requirement of the interim order passed by this Court forthwith”.
 
In its order of 11th August 2015, the court ordered that Aadhaar may not be used for any purpose other than the PDS Scheme, for the distribution of foodgrains, and cooking fuel, such as kerosene and LPG. This was extended to allow its use for the Mahatma Gandhi National Rural Employment Guarantee Scheme (MGNREGS), National Social Assistance Programme (Old Age Pensions, Widow Pensions, Disability Pensions), Prime Minister’s Jan Dhan Yojana (PMJDY) and Employees’ Provident Fund Organisation (EPFO) in its orders of 15th October 2015. The court also stated that the information about an individual obtained by the Unique Identification Authority of India while issuing an Aadhaar card shall not be used for any other purpose.
 
In its orders of 15th October 2015 passed by a 5 member bench headed by the then Chief Justice the court emphasised that, “We impress upon the Union of India that it shall strictly follow all the earlier orders passed by this Court commencing from 23.09.2013. We will also make it clear that the Aadhaar card Scheme is purely voluntary and it cannot be made mandatory till the matter is finally decided by this Court one way or the other”.
 
On 14th September 2016, in the matter of WP 686 of 2016, the court stayed the operation and implementation of the Pre-Matric Scholarship Scheme, Post-Matric Scholarship Scheme and Merit-cum-Means Scholarship Scheme to the extent they had made submission of Aadhaar mandatory.
 
Furthermore, section 29 and section 8 of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act 2016 prohibit the linkage, retention, storing and publishing of the Aadhaar number.
 
Despite this, in complete contempt of the Supreme Court of India and in blatant disrespect of the rule of law, various banks have been coerced to cause linkage of the Aadhaar to bank accounts.
 
Furthermore, I would like to bring to your attention the following:
 
1. Aadhaar is not a verified or audited database, neither the UIDAI nor any other government authority certify it as a proof of identity, address, resident status or even the existence of any person.
2. The linkage of Aadhaar to mobiles/bank accounts will result in the innocent losing money, reputation and access to justice, dignity and livelihood, as their Aadhaar numbers can act as mules for obtaining SIMs, opening bank accounts and facilitating money laundering. Their subsidy and other Aadhaar-enabled payments can be easily compromised. Their access to their own bank accounts may be denied, or they can be framed for economic offences. Helpless citizens and businesses may also find themselves at the receiving end of covert human rights violations as even their access to money and existence is disabled by deactivation or blocking of Aadhaar, leaving no recourse to survival.
3. Linking Aadhaar to mobiles/bank accounts or PAN converts India into the new tax haven for money launderers as it becomes easy to remotely create benami accounts and operate benami transactions while claiming complete legitimacy. This will destroy India’s economy and governance.
4. Financing crime and terrorism will grow uncontrollably as it becomes increasingly difficult to discover, report or close down such operations. This will make it impossible to ensure national security as the rule of law is destroyed.
5. Corruption will increase as it becomes easier when proceeds will not be traceable to the corrupt. It will be increasingly difficult to restore swarajya and impossible to ensure surajya.
6. Banks will not be able to contain non-performing-assets, fraud and financial misappropriation as the real users of banking services will be untraceable. The economy will be completely out of control as the black and white economies become indistinguishable.
 
We require that you:
 
1. Immediately issue a notification requiring that all banks cease to link Aadhaar to bank accounts.
2. Immediately ensure that all Aadhaar linkage to any bank account is removed and destroyed.
 
We trust you will share your notifications within 7 days, publish widely your decision to ensure banks abide by the orders of the Supreme Court and not cause us further suffering or require us to seek other remedies and relief for any continued contempt of the Supreme Court of India and failure to respect the rule of law. 
 
Sincerely yours,
 
CC: 
 
Chief Justice of India, ℅ Chief Justice’s Conference Secretariat, Supreme Court of India, Tilak Marg, New Delhi-110 201
 
Email to [email protected] and [email protected]
Tweet to @RBI
 
 
(Dr Anupam Saraph is a renowned expert in governance of complex systems and advises governments and businesses across the world. He can be reached @anupamsaraph.)


Point Cownterpoint- Cow as Proxy #Aadhaar

 

-Avay Shukla

There is a supreme irony and incongruity in the fact that the most docile, humble and giving of animals, the cow, has in India become the symbol of hate and intolerance on one side and of fear and intimidation on the other. I do not want to get into politics this week (frankly, I’m sick of it, as no doubt you too are, dear reader), but the extreme positions adopted on this meek animal speak volumes of the crudeness and ignorance that has entered public discourse in these trying times. The Middle Path espoused by Buddha is no longer an option, it appears; instead, the words of a spoofed-up Confucius make more sense: “Man who walk in middle of road get run over!”

The BJP will have us believe that the cow is a threatened species: nothing can be further from the truth. The last cattle census puts their population at 180 million, and growing at a healthy 6% annually. More cows die of starvation in gaushalas, cattle pounds and on the streets (mainly by ingesting plastic) than are smuggled abroad, another bugbear claim by the govt. Most of the big abattoirs and automated meat packing companies are owned by Hindus. And yet an impression is being sought to be spread that the cow is in danger (from a certain community, by implication) and all true Hindus must come to its succour. And so comedy becomes farce. The VHP has demanded a Cow Ministry at the centre. Madhya Pradesh has introduced an ambulance service for cows. The Union govt., having biometricised (not the same as circumcised) every living (and dead) Indian, has launched a pilot project for an Aadhaar-type ID for cows. This is endemic lunacy on a sub-continental scale.

The other side of the divide is equally bonkers and ridicules each and every dimension of the raging cow debate: opposing gaushalas as a waste of public funds and ridiculing the age-old beliefs in the value of the cow’s by-products. On the 10th of August this year hundreds of scientists across the country took out a “March for Science” urging the govt. to stop the propagation of “obscurantist and unscientific” ideas. They were particularly incensed at the govt. providing funds to the CSIR for “Panchgavya”, research to establish scientifically the beneficial properties of cow products, including its urine and dung. Why this cloistered mindset? Tradition and ancient literature should not be scoffed at under the guise of science. I have been personally using a number of cow-based products of the Patanjali range for some time now: GONYLE (a phenoil substitute made out of cow urine), MOSTICK (a herbal mosquito repellent) and an agarbatti (dhoop) made out of cow dung. I find them far superior to the standard branded stuff in the market, especially because they are completely free of any harmful chemicals. My maid, in fact, refuses to use any phenoil except Gonyle because, she says, it doesn’t irritate the skin on her hands like the chemical-based phenoils do!

I am convinced that the cow is an economic power-house if only we approached its potential rationally and not for electoral purposes with hare brained schemes. I recollect that in 2008-09 I had, on the instructions of the then Chief Minister, visited a number of gaushalas and “sansthas” in UP to study at first hand the many uses of cow products. I was so impressed with the potential that I had submitted a detailed report to him on my return, recommending that we also start pilot projects on similar lines in HP. Establishing “gaushalas” or “gausadans” as economic (not political) units would serve a double purpose- provide a hospice for ailing and/or abandoned cows and produce Panchgavya products as an alternative to the harmful, chemical based stuff that we are exhorted to consume by TV ads. everyday. Over time these units can become financially self sufficient. Why must we perpetually wait for a Baba Ramdev to come up with new and novel economic models ? Unfortunately, I never heard anything about my proposal thereafter, even though the gentleman was a BJP Chief Minister- but I guess cow politics was not in fashion then!

With a long weekend here, I don’t want to end on a dismal note about the long suffering bovine; so, in order to cheer up the reader, I’m sharing below a vision of the future sent to me by an old school pal ( yes, some of them are still alive and kicking!): No, his name is not George Orwell.

Cow Aadhar Card

Phone rings……..
Municipal Corporation Delhi (MCD): Haalo?
Ram: Haan hello, there is a dead cow lying outside our house — can you please come and remove it?
MCD: Are you sure it’s a cow?
Ram: What?
MCD: Are you sure it’s a cow – not a horse, or goat?
Ram: Well, looks like a cow, has two horns, an udder…
MCD: Forget all that. Does it have a Cowdhaar bar code on its ear?
Ram: A what?
MCD: A Cowdhaar bar code. Just as your Aadhaar card has biometric information, every registered cow is now required to have a bar code attached to its ear that contains all relevant details.
Ram: ‘Wait, let me check — no I can’t see any bar code.
MCD: An unregistered cow — that’s going to be a problem.
Ram: Is there something I can do — I don’t want it lying outside the house?
MCD: You need to get a ‘No Objection Certificate’ from the local Gau Rakshak Dal leader, duly attested by the panchayat head or district magistrate as well as the local police chief.
Ram: Why do I need that?
MCD: You don’t, Sahib, but I do. See, if I take away a cow that does not have a valid Cowdhaar code, then someone later can claim it was taken illegally. And the Gau Rakshaks will not spare me.
Ram: I don’t even know there was a local Gau Rakshak Dal — how do I get hold of them?
MCD: Dial 1800 Gau Mata — they will assist you.
Ram: Okay, then you will come to pick up the cow?
MCD: Sure, as long as you have the death certificate.
Ram: For a cow? Who will give me a death certificate for a cow?
MCD: Any licensed Gau-ne-cow-logist, with a Hindu priest as a witness.
Ram: What’s a Gau-ne-cow-logist?
MCD: A doctor who specialises in bovine medicine — it’s the latest field of study in our medical schools. With over 180 million potential patients, whose lives are all very valuable to society, there is a lot of money to be made!
Ram: Ok, so NoC, followed by death certificate — then you pick up the cow?
MCD: We need a release form from the district animal welfare unit — basically that the cow is not someone else’s property and that you have the right to ask me to take it away.
Ram: But it’s dead!!
MCD: And that makes it even more important — if it were a live cow, would you even be calling me?
Ram: No, but this is ridiculous — how long will it take to get the release form?
MCD: It depends, some animal welfare officers require you to place the ad for 14 days, others for an entire month.
Ram: An ad??? What kind of ad?
MCD: Basically like a missing person’s ad — you place it in two local papers, one English and one vernacular — asking if anyone has claim to the cow. Take a picture of the cow and submit it along with any identification marks.
Ram: But in 14 days, the carcass would rot completely — what’s the point of your coming then?
MCD: The point is that we need to follow the rules and regulations so that everyone’s interest is protected — especially that of the cow!
Ram: This is ludicrous. You know what, I’m just going to get a few people and pick it up myself and move it.
MCD: I would strongly advise you against doing that.
Ram: Why — who’s going to stop me?
MCD: Your local Gau Rakshak Dal, for one — all calls to this number are being recorded. So the fact that you have a dead cow at your house is already known to the various authorities, and they will expect you to contact them for the relevant forms. And fees.
Ram: Fees?
MCD: Of course — do you think the NoC, death certificate etc. come for free? It will cost you 5-15,000 rupees by the time you’re done.
Ram: That’s extortion!
MCD: No, just the new e-cow-nomics!

 

Avay Shukla retired from the Indian Administrative Service in December 2010. He is a keen environmentalist and loves the mountains…..he has made them his home. He blogs at http://avayshukla.blogspot.in/


JNU refused to accept dissertation as I didn’t have #Aadhaar number: Shehla Rashid

Former JNUSU Vice President Shehla Rashid today alleged that her dissertation was not accepted by the varsity as she did not produce her Aadhaar number on the submission form.

“The JNU administration has sent back my dissertation to my centre because I haven’t mentioned my Aadhaar number on the submission form,” Rashid said, adding that the varsity was pushing Aadhaar through the backdoor despite there being no mandate for it.

Like Rashid’s, dissertations of other students who did not provide their UID numbers were also sent back in the recent past.

However, JNU Registrar Pramod Kumar said mentioning Aadhaar was made mandatory in JNU after the UGC issued a notification on March 21.

“Following a March 21 UGC notification this year, in April we issued a circular that Aadhaar and photograph will be printed on the certificate of the student as it will be deposited in National Academic Depository (NAD) system,” Kumar said.

UGC secretary Jaspal S Sandhu, in a notification issued on March 21 to Vice Chancellors of all the varsities, said: “I request you to introduce identification mechanisms like photograph and Unique ID/Aadhaar number in students’ certificates.

“Such inscriptions, you’d agree, will go a long way in uniformly marking a student’s personal identity and other associated details.”

However, Rashid contended that making Aadhaar mandatory was “illegal” as the government was yet to respond to privacy concerns.

“I’m not going to give in to this illegal harassment tactic of the JNU administration. I don’t have an Aadhaar card, and I insist that my dissertation should be submitted without it,” she said.


Is GOI’s National Informatics Centre also culpable for Abhinav Srivastav’s #Aadhaar data hack incident?

There are three people: Person A, Person B and you yourself. Person A somehow manages to get the login details of your email account, i.e. username and password, writes them down on a piece of paper and stores it in a place which he/she considers secret enough, but which really is not. Person B manages to find that piece of paper which Person A had hidden, accesses your email account and misuses the information for his/her personal gain. Aren’t both Person A and Person B equally culpable in this little story?

Recently, a 31-year-old MSc graduate from IIT-Kharagpur, Abhinav Srivastav, was arrested for allegedly stealing Aadhaar data. If an analogy were to be drawn between the story in the first paragraph and this incident, in which various sections of mainstream media are claiming that Srivastav ‘hacked’ Aadhaar data, then Srivastav would be Person B in the story.

Through the course of this article, we’ll show that Person A in this story is the team at National Informatics Center (NIC) who designed and developed the eHospital hospital management software. NIC is the prime builder of e-Government / e-Governance applications for the Government of India. This story will show how NIC released a horribly designed application which published a secret token in a non-secure manner. Abhinav Srivastav got hold of this secret token and gained unauthorised access to Aadhaar data.

What is Abhinav Srivastav accused of?

As reported by Indian Express, Srivastav had accessed UIDAI (Aadhaar) data without authorisation between January 1 and July 26 for an app called ‘eKYC Verification’. The app delivered demographic data like name, address and phone number of individuals from the central identities data repository of Aadhaar to authenticate unique identity numbers. It was placed on Google Play Store with the claim that it was developed by an entity called myGov linked to the start-up Qarth Technologies, which had been acquired by the taxi-hailing service Ola in 2016. Further, Times of India reported the police version, which stated that Srivastav accessed Aadhaar data through the e-hospital application hosted by the government’s National Informatics Centre (NIC). Quint reported a follow-up statement by Bengaluru Police which stated that Srivastav had exploited weak security protocols of the e-hospital system, a government server, for easy access to Aadhaar data.

To understand how Abhinav Srivastav exploited the eHospital system, it is necessary to have a basic understanding of eHospital, Aadhaar/UIDAI and the eKYC service offered by UIDAI.

What is eHospital?

According to the eHospital website, it is a Hospital Management System designed and developed by NIC for Government sector hospitals across India. It is a generic software which covers major functional areas like patient care, laboratory services, work flow based document information exchange, human resource and medical records management of a Hospital.

One of the features provided by eHospital is Online Registration System (ORS) which utilizes Aadhaar to provide an online appointment system across various Government hospitals. As part of the eHospital suite, an Android application has been developed which enables access to the Online Registration System (ORS). ORS is hosted by NIC and uses the Aadhaar number to get eKYC data of a customer for authorisation in order to create online appointments.

eHospital Online Registration

What is eKYC?

eKYC is a service provided by UIDAI which enables a resident having an Aadhaar number to share their basic demographic information such as name, age, date of birth, post address, phone number and a digitally signed photograph with a UIDAI partner organization after user consent either through biometric authentication or OTP (One Time Password). eKYC service by UIDAI thus provides an online verification service for Proof of Identity (PoI) and Proof of Address (PoA). KYC in eKYC stands for ‘Know Your Customer’.

Who can get access to eKYC service by UIDAI?

UIDAI has 254 partner organisations who can access the eKYC service by UIDAI. National Informatics Center (NIC), who built the eHospital service and Android application, is one of the partner organisations. In the UIDAI world, these partner organisations are called KUA or KYC User Agencies. Each KUA is given a unique license key using which it can access UIDAI’s eKYC service.

Can UIDAI’s eKYC service be accessed over a regular Internet connection?

No. The eKYC service can only be accessed over secure leased lines which provide connectivity to UIDAI’s data store also known as Central Identities Data Repository (CIDR). At the time of writing, 27 partner organisations have secured leased line connectivity with the CIDR (Aadhaar data). These partner organisations are called ASA or Authentication Service Agency. Those ASAs who are eligible to provide access to the eKYC service are called KSA or KYC Service Agency. NIC or National Informatics Center is also a registered KSA.

Definitions Aadhaar


How did Abhinav Srivastav exploit the eHospital application to gain access to Aadhaar data?

If the eKYC service provided by UIDAI can only be accessed over a secure leased line with only 27 partner organisations having access to the Aadhaar data, how did Abhinav Srivastav manage to get access to it?

The leak was not at the KSA level but at the KUA level. In this particular case, NIC or National Informatics Centre is both a registered KSA and a registered KUA. What this entails is that NIC has secured leased line access to CIDR (Aadhaar data) and is also eligible to access the eKYC service by UIDAI. For the eHospital application, and more specifically the Online Registration System, NIC built an additional service on top of the existing eKYC service already provided by UIDAI. In the software engineering world, such a service is also called an API or Application Programming Interface.

This additional API, which piggybacked on the existing UIDAI eKYC service, was utilised by the Android eHospital Online Registration application to create online appointments while using the patient’s Aadhaar number for eKYC verification. This additional API, created by NIC, gave proxy access to UIDAI’s eKYC service and was exploited by Abhinav Srivastav to gain access to Aadhaar data. For the purpose of this story, we will call this additional API the ‘NIC eKYC API Proxy’.


How did Abhinav Srivastav exploit the NIC eKYC API proxy?

While UIDAI’s eKYC service is only accessible over a secured leased line connection and not a regular internet connection, NIC eKYC API proxy is accessible over a regular internet connection and anybody in the world can access the API provided they have the authentication details. NIC had to create this API since the eHospital Android application would create eKYC assisted appointments over a regular internet connection.

Unfortunately, the NIC eKYC API Proxy had major security holes.

  1. The API was protected by a single default password/credential – dG9rZW5Ad2ViQGFwcG9pbnQjbmlj
  2. The API was hosted on HTTP (and not HTTPS) (http://ors.gov.in/ORSServicecontainer/services) and hence communication to the back end was not encrypted.
  3. This allowed anyone who could figure out the default password to call the NIC eKYC Proxy APIs and thus perform Aadhaar eKYC verification.
  4. Since the NIC eKYC Proxy APIs used the KUA license key internally, UIDAI was not able to distinguish these requests as coming from a third party application.
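To make the four holes above concrete, here is an added toy model (not NIC’s code) that puts the page’s weak design, one static credential shared by every caller over plain HTTP, next to a hardened proxy that enrols each integrating app separately, refuses plaintext transport, compares secrets in constant time and forwards the caller identity so the KUA side can attribute requests. Names, the placeholder token and the `subject_ref` field are assumptions of this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Request:
    """One call from an integrating app to the proxy (constructed toy model)."""
    scheme: str        # transport the call arrived on: "http" or "https"
    client_id: str     # which app is calling (ignored by the weak design)
    token: str         # secret the app presents
    subject_ref: str   # constructed opaque reference, never a raw Aadhaar number


# Weak design, as the page describes it: one static credential shared by
# every installation of the app, checked with plain string equality.
SHARED_TOKEN = "shared-token-placeholder"   # placeholder, not the real value


def weak_authorise(req: Request) -> bool:
    # Whoever holds the one magic string passes, over any transport, and the
    # upstream KUA call carries no trace of which caller it was made for.
    return req.token == SHARED_TOKEN


# Hardened design: every integrator is enrolled separately, its secret is
# stored only as a hash, comparison is constant-time, plaintext transport
# is refused, and the caller identity is forwarded for attribution.
DUMMY_HASH = hashlib.sha256(b"").hexdigest()   # keeps unknown-client timing uniform


def enrol(registry: dict, client_id: str) -> str:
    token = secrets.token_urlsafe(32)
    registry[client_id] = hashlib.sha256(token.encode()).hexdigest()
    return token          # handed to that one integrator, never reused


def hardened_authorise(req: Request, registry: dict, audit: list):
    if req.scheme != "https":
        return None, "reject: plaintext transport"
    known = req.client_id in registry
    stored = registry.get(req.client_id, DUMMY_HASH)
    presented = hashlib.sha256(req.token.encode()).hexdigest()
    if not (hmac.compare_digest(presented, stored) and known):
        audit.append((req.client_id, "denied"))
        return None, "reject: bad credential"
    audit.append((req.client_id, "allowed"))
    # What the proxy would send onward: the KUA/KSA side now sees which
    # integrator originated the request instead of one anonymous stream.
    upstream = {"sub_caller": req.client_id, "subject_ref": req.subject_ref}
    return upstream, "ok"
```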

How did Abhinav Srivastav find out the default password for the NIC eKYC API proxy?

The eHospital Android application was communicating with the eHospital backend via the NIC eKYC API proxy. However, as pointed out earlier, this communication was over an insecure HTTP connection instead of a secure HTTPS connection. Anybody who knows how to sniff this HTTP communication would be able to find the password. While it is not possible to determine the exact software Abhinav Srivastav used to determine the default password, here are two methods by which one could have found it.

    1. Proxying the phone traffic: One can use software such as the Charles Web Debugging Proxy to view the communication between the Android phone and the eHospital/ORS backend. Essentially, one sets up Charles on one’s own computer as a proxy server, then changes Android’s proxy settings to point at that computer’s IP address. Once this is done, all the unencrypted traffic between the Android phone and the Internet can be captured in Charles. A detailed tutorial can be found here. Thus, by running the eHospital application on the phone and routing all of its traffic through a tool like Charles, it is possible to find the default password.
    2. Disassembling the Android application: Android applications are written in Java. The Java code is compiled into bytecode, which is interpreted and executed by the Dalvik runtime. It is possible to ‘decompile’ an Android application to recover an equivalent of the original Java source; a detailed tutorial can be found here. Anand Venkatanarayan and Anivar Aravind, who did the background research for this entire story, decompiled the eHospital Android application and found that the password ‘dG9rZW5Ad2ViQGFwcG9pbnQjbmlj’ is visible in plain text in the decompiled Java code. Based on their research of the decompiled code, here are their three findings:
      • Exhibit A: The app uses an unencrypted HTTP channel, which allows anyone to snoop on the contents (the Aadhaar number, the OTP and the signed XML).
      • Exhibit B: The back end accepts a call to do eKYC from anyone who knows the magic password, dG9rZW5Ad2ViQGFwcG9pbnQjbmlj.
      • Exhibit C: The back end “http://ors.gov.in” allowed anyone to obtain the complete list of APIs, from which one can surmise how it uses Aadhaar eKYC APIs.

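Exhibits A and B are exactly what a pre-release check over the app’s own source would catch before any decompiling was needed. This added example (not code from the researchers or from NIC) scans a constructed, Java-style source snippet for plaintext `http://` endpoints and for string constants that are either named like credentials or shaped like the base64 token on the page; the sample values and the `example.invalid` host are placeholders.

```python
import base64
import re

# Constructed sample standing in for decompiled app source. The host, the
# token and the constant names are placeholders, not the real endpoint or value.
SAMPLE_SOURCE = '''
public class ApiClient {
    static final String BASE = "http://example.invalid/ORSServicecontainer/services";
    static final String TOKEN = "dG9rZW46cGxhY2Vob2xkZXI=";
    static final String LABEL = "appointments";
}
'''

HTTP_URL = re.compile(r'"(http://[^"\s]+)"')              # Exhibit A: plaintext transport
STR_CONST = re.compile(r'String\s+(\w+)\s*=\s*"([^"]+)"')  # any string constant
B64_SHAPE = re.compile(r'^[A-Za-z0-9+/]{16,}={0,2}$')      # Exhibit B: token-shaped literal
SECRET_WORDS = ("TOKEN", "PASS", "SECRET", "KEY", "AUTH")


def looks_like_secret(name: str, value: str) -> bool:
    """Flag a constant by suspicious name, or by being a decodable base64 blob."""
    if any(word in name.upper() for word in SECRET_WORDS):
        return True
    if B64_SHAPE.match(value):
        try:
            base64.b64decode(value, validate=True)
            return True
        except ValueError:      # binascii.Error is a ValueError subclass
            pass
    return False


def scan(source: str) -> list:
    """Return (line_no, kind, detail) findings for a Java-style source text."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for url in HTTP_URL.findall(line):
            findings.append((line_no, "plaintext-endpoint", url))
        for name, value in STR_CONST.findall(line):
            if looks_like_secret(name, value):
                # Report the constant name only, so the scanner's own output
                # never becomes another place the secret is written down.
                findings.append((line_no, "hardcoded-credential", name))
    return findings
```

Run against a real code base the same check would go in CI, failing the build on any `hardcoded-credential` finding and on any `http://` endpoint outside a test profile.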

How did Abhinav Srivastav use this vulnerability in the eHospital app to create his own Android application?

By either sniffing the HTTP traffic using a proxy or decompiling the Android application, Abhinav Srivastav must have figured out the default password and the API required to do Aadhaar eKYC. He used this knowledge to create his own service on top of the NIC eKYC API proxy. This service was accessed by the ‘eKYC verification’ app that he created. For the purpose of this story, the Android application created by Abhinav Srivastav will be called the ‘Qarth App’ and the service that utilised the compromised password to communicate with the NIC eKYC API proxy will be called the ‘Qarth App Back End’.


If Person B is culpable, why isn’t Person A culpable too?

We started this article with a small story where Person A jots down username/password of your email account on a piece of paper and Person B manages to find that piece of paper and misuses the information. In this story, Person A is the team at National Informatics Center who designed and developed the insecure eHospital service and application which uses a single default password ‘dG9rZW5Ad2ViQGFwcG9pbnQjbmlj’. Person B is Abhinav Srivastav who found out this default password and misused it to create the ‘eKYC verification’ application. If Abhinav Srivastav is culpable of misusing the vulnerability in eHospital app, isn’t the team at NIC also equally responsible for creating a service with a Jupiter-sized security hole?

What are the implications?

So why did UIDAI panic and file the FIR? It is not the Application that Abhinav developed, it is the implications.

      1. Almost all the service providers like Banks, Telephone companies and Mutual funds are mandated to verify or reverify their users via the eKYC process.
      2. The eKYC process requires an Aadhaar number and an OTP/FingerPrint. When both these are provided, the eKYC API sends back signed XML, which could be used as a non repudiable proof, that a genuine user has indeed provided his/her consent for availing the service (SIM Card, Bank account).
      3. An app that holds the “Read SMS” permission, once installed on a user’s mobile phone, can silently perform multiple eKYC requests in the background once it knows the user’s Aadhaar number, since it can also read the OTP automatically without the user being aware of it.
      4. UIDAI will not be able to distinguish these requests as malicious as they are routed via the NIC back end through the Proxy API.
      5. Since every successful eKYC request sends back signed XML, a malicious back end can harvest these PDFs and sell them to the highest bidder in the black market.
      6. The bidder using these harvested PDFs can now connive with a corrupt telco agent or a bank employee to either issue SIM cards or open a bank account for money laundering on the victim’s name without them being aware of it.
      7. This would make eKYC practically worthless.

Integrators are the weak link

The basic principle in the eKYC infrastructure is that not every entity is trustworthy to be given full access to CIDR (Aadhaar data). Thus KYC Service Agencies (KSA) are directly regulated by UIDAI since they are closer to CIDR than other parts of the ecosystem. Every KYC User Agency is vetted by UIDAI and the KSA.

However, applications like the NIC eHospital were never considered as part of the ecosystem and hence were not audited by UIDAI’s auditors. The scope of the audit was only restricted to KSA and KUAs. This is a crucial mistake as the above example indicates that all it requires is one vulnerable application using the eKYC API, which can allow a back door access to the eKYC and Authentication APIs.

There are now 254 such KUAs and there could be a large number of vulnerable applications like NIC eHospital, which were built on top of the eKYC service offered by these KUAs. Every one of these applications can potentially allow a back door to the authentication infrastructure, which significantly expands the risk of abuse.

For a normal user, an application developed by UIDAI will be indistinguishable from the numerous apps released by third parties, as this example indicates, and one malicious app is all it takes for an actual data theft.

The example also clearly points out the complete and total lack of awareness of basic security practices even by the top-most e-Governance vendor. By digging deeper into the eHospital App, it is possible to understand how bad NIC’s security practices were.

Conclusion

UIDAI has shown time and again that it is incapable of handling security incidents without resorting to bullying tactics, as is evident from its past behaviour. The design problems of Aadhaar and the ecosystem security issues will not go away because of these tactics. Instead they will remain unreported or, worse, be sold to the highest bidder and exploited by malicious actors and nation states.

It is time the organisation realises that it cannot make citizens secure by making them more vulnerable, in the mistaken confidence that “Aadhaar is very very secure”. The security concerns have become real, and the grudging acknowledgement by Nandan Nilekani was long overdue and perhaps too little and too late.

Postscript:

    1. Multiple emails were sent to the UIDAI CEO, CERT-IN and NCIIPC reporting the full spectrum of issues with the NIC back end. Only after the critical ones were fixed has the name of the end point been put out. (Email copies are available on request)
    2. Many thanks to Prasanna, Apar Gupta, Pranesh Prakash and Naavi for explaining the legal aspects of using a disassembler, why it could be construed as illegal under certain circumstances and how to avoid them (using a disassembler for vulnerability disclosures is usually acceptable).
    3. CERT-IN and NCIIPC usually do not respond to confirm whether a filed bug has indeed been fixed, which makes public disclosure problematic, since the disclosure might be used by other malicious actors. This could result in an FIR against the person who filed the bug, under a variety of non-bailable sections.
    4. Maybe we need the right to file a bug without being prosecuted first?
