Centre for Internet and Society

Vidushi Marda selected for Internet of Rights Fellowship

praskrishna — 2017-05-03T15:48:58Z

Article 19 had put out a call for applications for its Internet of Rights Fellowship in February 2017. Vidushi has been selected to be part of the 2017-2018 cohort.

This fellowship aims to "facilitate stronger considerations for human rights within Internet governance processes and to shape the human rights agenda for the Internet". As a Fellow, Vidushi will be primarily working on AI and ethics. The IEEE is developing a document on "Ethically Aligned Design: A Vision for Prioritizing Human Wellbeing with Artificial Intelligence and Autonomous Systems". The development process includes various committees, my work will focus on:

General Principles Committee: This Committee is currently deliberating on how to ensure that AI/AS can be designed and operated to respect human rights, and how to make AI/AS transparent, and accountable.
Law Committee: Working on the aspects of legal accountability and transparency, closely connected to ethics.
EPIC AI/AS Committee (new): Working on adoption of AI/AS in public services, and focussing on ethical principles guiding such adoption.

For more details visit http://editors.cis-india.org/internet-governance/news/vidushi-marda-selected-for-internet-of-rights-fellowship

Govt may have made 135 million Aadhaar numbers public: CIS report

praskrishna — 2017-05-03T15:43:37Z

CIS report says Aadhaar numbers leaked through government databases could be 100-135 million and bank accounts numbers leaked about 100 million.

The article by Komal Gupta was published in Livemint on May 2, 2017.

A central government ministry and a state government may have made public up to 135 million Aadhaar numbers, according to a research report issued by Bengaluru-based think tank Centre for Internet and Society (CIS) late on Monday.

The report titled Information Security Practices of Aadhaar (or lack thereof): A documentation of public availability of Aadhaar numbers with sensitive personal financial information studied four government databases.

The first two belong to the rural development ministry—the National Social Assistance Programme (NSAP)’s dashboard and the National Rural Employment Guarantee Act’s (NREGA) portal.

The other two databases deal with Andhra Pradesh—the state’s own NREGA portal and the online dashboard of a government scheme called “Chandranna Bima”.

“Based on the numbers available on the websites looked at, the estimated number of Aadhaar numbers leaked through these four portals could be around 130-135 million and the number of bank account numbers leaked at around 100 million from the specific portals we looked at,” said Amber Sinha and Srinivas Kodali, the authors of the research report.

The report claims these government dashboards and databases revealed personally identifiable information (PII) due to a lack of proper controls exercised by the departments.

“While the availability of aggregate information on the Dashboard may play a role in making government functioning more transparent, the fact that granular details about individuals including sensitive PII such as Aadhaar number, caste, religion, address, photographs and financial information are only a few clicks away suggest how poorly conceived these initiatives are,” said the report.

The report said the NSAP portal lists 94,32,605 bank accounts and 14,98,919 post office accounts linked with Aadhaar.

“While the UIDAI (Unique Identification Authority of India) has been involved in proactively pushing for other databases to get seeded with Aadhaar numbers, they take little responsibility in ensuring the security and privacy of such data,” said the report.

UIDAI did not respond to an email from Mint seeking comments.

For more details visit http://editors.cis-india.org/internet-governance/news/livemint-may-2-2017-komal-gupta-govt-may-have-made-135-million-aadhaar-numbers-public-cis-report

130 Million Aadhaar Numbers Were Made Public, Says New Report

praskrishna — 2017-05-20T06:32:32Z

The research report looks at four major government portals whose poor information security practices have exposed personal data including bank account details.

The article was published in the Wire on May 1, 2017. This was also mirrored on MensXP.com on May 5, 2017.

Irresponsible information security practices by a major central government ministry and a state government may have exposed up to 135 million Aadhaar numbers, according to a new research report released on Monday.

The last two months have seen a wave of data leaks, mostly due improper information security practices, from various central government and state government departments.

This new report, released by the Centre for Internet and Society, studied four government databases. The first two belong to the rural development ministry: the National Social Assistance Programme (NSAP)’s dashboard and the National Rural Employment Guarantee Act (NREGA)’s portal.

The second two databases deal with the state of Andhra Pradesh: namely, the state government’s own NREGA portal and the online dashboard of a state government scheme called “Chandranna Bima”.

“Based on the numbers available on the websites looked at, estimated number of Aadhaar numbers leaked through these 4 portals could be around 130-135 million and the number of bank accounts numbers leaked at around 100 million from the specific portals we looked at,” the report’s authors, Amber Sinha and Srinivas Kodali, state.

The data leaks come, in part, from the government’s decision to provide online dashboards that were likely meant for general transparency and easy administration. However, as the report notes, while open data portals are a laudable goal, if there aren’t any proper safeguards, the results can be downright disastrous.

“While availability of aggregate information on the dashboard may play a role in making government functioning more transparent, the fact that granular details about individuals including sensitive PII such as Aadhaar number, caste, religion, address, photographs and financial information are only a few clicks away suggest how poorly conceived these initiatives are,” the report says.

Consider the NSAP portal for instance. The dashboard allows users to explore a list of pensioners, whose personally identifiable information include bank account number, name and Aadhaar number. While these details are “masked for public view”, the CIS report points out that if “one of the URL query parameters of the website… was modified from ‘nologin’ to ‘login'”, it became easy to gain access to the unmasked details without a password.

“It is entirely unclear to us what the the purpose behind making available a data download pption on the NSAP website is. This feature allows download of beneficiary details mentioned above such as Beneficiary No., Name, Father’s/Husband’s Name, Age, Gender, Bank or Post Office Account No. for beneficiaries receiving disbursement via bank transfer and Aadhaar Numbers for each area, district and state,” the report states.

UIDAI role?

Kodali and Sinha also prominently finger the role of the Unique Identification Authority of India (UIDAI), the government agency that manages the Aadhaar initiative, in the data leaks.

“While the UIDAI has been involved in proactively pushing for other databases to get seeded with Aadhaar numbers, they take little responsibility in ensuring the security and privacy of such data.With countless databases seeded with Aadhaar numbers, we would argue that it is extremely irresponsible on the part of the UIDAI, the sole governing body for this massive project, to turn a blind eye to the lack of standards prescribed for how other bodies shall deal with such data, such cases of massive public disclosures of this data, and the myriad ways in which it may used for mischief,” the report states.

Still public?

A crucial question that arises is whether these government databases are still leaking data. Over the last two months, some of information has been masked.

“It must be stated that since we began reviewing and documenting these portals, we have noticed that some of the pages with sensitive PII (personally identifiable information) have now been masked, presumably in response to growing reports about Aadhaar leaks,” the report notes.

For more details visit http://editors.cis-india.org/internet-governance/news/the-wire-may-1-2015-130-million-aadhaar-numbers-were-made-public-says-new-report

Around 13 crore Aadhaar numbers easily available on government portals, says report

praskrishna — 2017-05-03T15:29:12Z

A report by The Centre for Internet and Society claimed that around 13 crore Aadhaar numbers and 10 crore bank account numbers were easily accessible on four government portals built to oversee welfare schemes. The document, released on Monday, pointed out that though it is illegal to reveal Aadhaar numbers, the government portals examined made it easy for anyone to access them, as well as other data about beneficiaries of welfare schemes including in many cases their bank account numbers.

This was published by Scroll.in on May 2, 2017.

The report suggests that the Aadhaar numbers leaked could actually be closer to 23 crore, if most of the government portals connected to direct benefit transfers used the same negligent standards for storing data as the ones examined. “It is extremely irresponsible on the part of the UIDAI [Unique Identification Authority of India], the sole governing body for this massive project, to turn a blind eye to the lack of standards prescribed for how other bodies shall deal with such data, such cases of massive public disclosures of this data, and the myriad ways in which it may used for mischief,” the authors of the report said.

The document also pointed out that the breaches are an indicator of “potentially irreversible privacy harm” and said the data could be used for financial fraud. The report authored by Amber Sinha and Srinivas Kodali studied the National Social Assistance Programme, National Rural Employment Guarantee Scheme, Andhra Pradesh government’s Chandranna Bima Scheme and Andhra Pradesh’s Daily Online Payment Reports of NREGA.

While the report said the Aadhaar initiative as a concept may be praiseworthy, the absence of adequate security could prove disastrous. “Sensitive personal identity information such as Aadhaar number, caste, religion, address, photographs and financial information are only a few clicks away and suggest how poorly conceived these initiatives are,” the report said.

The Centre had, on April 25, cautioned states against leaking Aadhaar information, after it emerged that a number of government websites were making it easy for people to access individuals’ Aadhaar numbers. The Unique Identification Authority of India also filed First Information Reports against eight private websites for collecting Aadhaar-related data from citizens in an unauthorised manner on April 19, but no such action appears to have been taken against government websites so far.

According to government data, the UIDAI has issued 112 crore Aadhaar numbers so far and has maintained that its biometrics database is tamper-proof, although it is up to various other authorities to maintain the secrecy of Aadhaar data collected or kept by them.

On April 21, the Supreme Court had questioned the Centre for making the Aadhaar card mandatory for a number of central schemes despite its repeated orders that the unique identification programme cannot be made mandatory. The government has nevertheless been expanding the scope of the Unique Identity project over the past few months by introducing it for initiatives such as the midday meal scheme of school lunches for children, and, most recently, requiring Aadhaar to file income tax returns.

In March, an Aadhaar enrolment agency had been de-registered for leaking the personal data of cricketer Mahendra Singh Dhoni.

For more details visit http://editors.cis-india.org/internet-governance/news/scroll-may-2-2017-around-13-crore-aadhaar-numbers-easily-available-on-government-portals-says-report

13 crore Aadhaar numbers on four government websites compromised: Report

praskrishna — 2017-05-03T15:19:52Z

The lack of information security practices in key government websites which hosts Personally Identifiable Information (PII) has left citizens of the country more vulnerable to identity theft and financial fraud, a research paper has argued.

The article by Akram Mohammed was published by the New Indian Express on May 2, 2017.

A paper by Amber Sinha and Srinivas Kodali of Centre for Internet and Society analysed four government websites and found that more than 13 crore Aadhaar numbers with related PII were available on the websites, exposing lax security features.

The paper published under Creative Commons is titled ‘Information Security Practices of Aadhaar (or lack thereof): A documentation of public availability of Aadhaar Numbers with sensitive personal financial information’ and was released on Monday.

Sinha and Kodali looked at databases on four government portals -- National Social Assistance Programme, National Rural Employment Guarantee Scheme, Chandranna Bima Scheme, Govt. of Andhra Pradesh and Daily Online Payment Reports website of NREGA, Govt. of Andhra Pradesh.

“We chose major government programmes that use Aadhaar for payments and banking transactions. We found sensitive and personal data and information accessible on these portals,” the report said.

Leaked through portals

“Based on the numbers available on the websites, estimated number of Aadhaar numbers leaked through these 4 portals could be around 130-135 million and the number of bank account numbers leaked at around 100 million.

While these numbers are only from two major government programmes of pensions and rural employment schemes, other major schemes, that have also used Aadhaar for DBT, could have leaked PII similarly due to lack of information security practices,” it said.

They fear that data of over 23 crore beneficiaries under DBT of LPG subsidies could be leaked also. Identity theft and financial fraud “risks increase multifold in India...,” they said.

Aadhaar payments unsafe

In case a financial fraud takes place through Aadhaar enabled Payment System (AePS), the consumer may not be able to assert his claims for compensation due to the terms and conditions around liabilities.

“These terms force the consumer to take liabilities onto oneself than the payment provider..... Regulations and standards around Aadhaar are at a very early and nascent stage causing (an) increase in financial risk for both consumers and banks to venture into AePS,” they added. The authors also pulled up UIDAI for their inability in providing strong legislation against such leaks.

Leaky govt portals

National Social Assistance Programme

PII available - Access to Aadhaar no., name, bank account number, account frozen status 94,32,605 bank accounts linked with Aadhaar

14,98,919 post office accounts linked with Aadhaar numbers.

Though total Aadhaar number is 1,56,42,083, not all are linked to bank accounts

NREGA

PII Details available: Job card no., Aadhaar number, bank/postal account number, no. of days worked, registration no., account frozen status

78,74,315 post office accounts of individual workers seeded with Aadhaar numbers,

8,24,22,161 bank accounts of individual workers with Aadhaar numbers.

10,96,41,502 total number of Aadhaar numbers stored by portal

Other websites

Chandranna Bima Scheme, Govt. of Andhra Pradesh

Daily Online Payment Reports website of NREGA, Govt. of Andhra Pradesh

For more details visit http://editors.cis-india.org/internet-governance/news/new-indian-express-may-2-2017-akram-mohammed-13-crore-aadhaar-numbers-on-four-government-websites-compromised

What privacy? 13 crore Aadhaar numbers accessible on government portals

praskrishna — 2017-05-03T14:39:46Z

At least 13 crore Aadhaar numbers and 10 crore bank account numbers are readily accessible on government portals, a report claims.

The blog post by Anusha Ravi was published in Oneindia on May 2, 2017.

The centre for internet and society, in its report, has claimed that Aadhaar numbers with sensitive personal financial information were publicly available on four government portals built to oversee welfare schemes. The report said that the government portals made it easy to access sensitive details, despite it being illegal. "It is extremely irresponsible on the part of the UIDAI [Unique Identification Authority of India], the sole governing body for this massive project, to turn a blind eye to the lack of standards prescribed for how other bodies shall deal with such data, such cases of massive public disclosures of this data, and the myriad ways in which it may be used for mischief," said Amber Sinha and Srinivas Kodali, the authors of the report.

Apart from accessing a person's details, the portals made it possible for anyone to get data on beneficiaries of welfare schemes. In many cases, it included bank account numbers of beneficiaries. The report suggests that close to 23 crore Aadhaar number could have been leaked if most of the government portals connected to direct benefit transfers used the 'same negligent standards for storing data as the ones examined'. "The document shows that the breaches are an indicator of potentially irreversible privacy harm and the data could be used for financial fraud," the authors said in the report. The report was documented after authors studied the National Social Assistance Programme, National Rural Employment Guarantee Scheme, Andhra Pradesh government's Chandranna Bima Scheme and Andhra Pradesh's Daily Online Payment Reports of NREGA.

The report said that sensitive personal identity information such as Aadhaar number, caste, religion, address, photographs and financial information were easily available with a few clicks and suggested how poorly conceived these initiatives were. The report highlights that it was illegal to make personal data public and also refers to # #AadhaarLeaks, a campaign on twitter aimed at exposing the loopholes in the Aadhaar system.

For more details visit http://editors.cis-india.org/internet-governance/news/one-india-may-2-2017-anusha-ravi-what-privacy-13-crore-aadhaar-numbers-accessible-on-governmental-portals

Biggest blast on Aadhaar leak so far: govt sites leaked data of 13 crore people

praskrishna — 2017-05-03T14:35:23Z

In yet another shocking report of personal data breach in India, it has emerged that Aadhaar data of 13 crore people was put out on websites of four major government projects in the country. The leaked data include bank account details of over one crore people linked to Aadhar numbers under the direct benefit scheme. Over eight crore people lost their private data on the national job guarantee scheme website alone.

The article by Jikku Varghese Jacob was published by Manorama on May 2, 2017.

The shocking details have surfaced in a report released by the Center for Internet Society (CIS) which deals with the publication of Aadhaar data and their security. It appears to be the biggest blast on Aadhaar data leak yet. The report says these pieces of information were available on Internet since last November. Once detected, the CIS officials had initiated steps to remove them.

The CIS report cites two central government portals and websites from Andhra Pradesh as violators. Following are the websites that published the data:

National Social Assistance Programme (under the Ministry of Rural Development).
The national portal of the job guarantee scheme.
Daily online payment reports (Government of Andhra Pradesh)
Chandranna Bheema project (Government of Andhra Pradesh)

Private data of 1,59,42,083 people were leaked on the social assistance scheme site. The two Andhra Pradesh sites breached the privacy of three crore people.

Information leaked on most of the sites could be downloaded as Excel sheet. It is estimated that data on 23 crore people is linked to Aadhaar under the direct benefit scheme.

The CIS fears that if other government sites have also handled such data without care there could have occurred a massive data base breach. The CIS put in months of effort before finalizing this report.

It was recently found that Aadhaar data on 35 lakh people in Kerala was found disclosed on the state's Sevana Pension website. In Jharkhand, 14 lakh people had their privacy violated when their Aadhaar information was put out on a government website.

Such leaks of Aadhaar data is a crime that can fetch up to three years of imprisonment. Complaints have arisen that government departments did not bother to comply with an IT ministry directive last month to remove the Aadhaar data from websites.

Experts point out that criminals can misuse personal data on Aadhaar and bank account. The data could be used to obtain SIM cards and carry out transactions online.

Aadhaar, the world's largest bio-metric enrolment in India, will enrol 1.2 billion people in a 12-digit unique number for each person to be issued to each resident in the country. The number with its biometric information – photograph, fingerprints and iris scan – of each individual is easily verifiable in an online.

For more details visit http://editors.cis-india.org/internet-governance/news/manorama-may-2-2017-jikku-varghese-jacob-biggest-blast-on-aadhaar-leak-so-far-govt-sites-leaked-data-of-13-crore-people

Global Accessibility Awareness Day 2017

praskrishna — 2017-05-16T05:51:45Z

The Centre for Internet & Society along with Prakat Solutions and Mitra Jyothi is co-hosting the Global Accessibility Awareness Day in Bengaluru on May 18, 2017.

Global Accessibility Awareness Day is celebrated across the world on the 3rd Thursday in May every year to create an awareness in making technology accessible and usable by persons with disabilities. While people may be interested in the topic of making technology accessible and inclusive, the reality is that they often do not know how or where to start, Awareness comes first.

The purpose of GAAD is to get everyone talking, thinking and learning about digital (web, software, mobile, etc.) access/inclusion and people with different disabilities.

To mark this day, Prakat Solutions will be hosting an event filled with lightning talks, workshops and a lot of other activities. You can also view a series of short videos about why accessibility is important with contributions from some of the greatest minds in accessibility today.For us as a company, Global Accessibility Awareness Day is quite special. Other awareness days that we participate in focus on a specific group of people. Today, is not about a specific group of people, today is about each and every one of us.

Watch the Video on What is GAAD

For more details visit http://editors.cis-india.org/accessibility/events/global-accessibility-awareness-day-2017

135 MEELLION Indian government payment card details leaked

praskrishna — 2017-05-20T11:51:14Z

Legislation coming to beef up Aadhaar card privacy, security.

The article by Richard Chirgwin was published in the Register on May 3, 2017.

If you're enthused about governments operating large-scale online identity projects, here's a cautionary tale: the Indian government's eight-year-old Aadhaar payment card project has leaked a stunning 130 million records.

Aadhaar's role in authenticating and authorising transactions, and as the basis of the country's UID (unique identification database) makes any breach a privacy nightmare.

India's Centre for Internet and Society (CIS) made their estimate public in a report published on Monday.

It's not that there was a breach related to Aahdaar itself: rather, other government agencies were leaking Aadhaar and related data they'd collected for their own purposes.

The research paper drilled down on four government-operated projects: Andhra Pradesh's Mahatma Gandhi National Rural Employment Scheme; the same state's workers' compensation scheme known as Chandranna Bima; the National Social Assistance Program; and an Andhra Pradesh portal of Daily “Online Payment Reports under NREGA” maintained by the National Informatics Centre.

In total, the CIS says, the portals leaked 135 million Aadhaar card records linked to around 100 million bank account numbers.

Given India's enthusiasm to try and eliminate cash, it's a big deal: the Aadhaar card funnels benefits to recipients' linked bank accounts. As the report states: “To allow banking and payments using Aadhaar, banks and government departments are seeding Aadhaar numbers along with bank account details”.

The centre says the leaks represent significant and “potentially irreversible privacy harm”, but worse they also open up a fraud-ready source of personal information.

Online databases examined by the CIS included “numerous instances” of Aadhaar Numbers, associated with personal information.

The Indian government responded through Aruna Sundararajan, secretary at the Union Electronics and Information Technology Ministry, who announced amendments to the country's IT legislation to beef up the system's privacy and security.

“Aadhaar has very strong privacy regulation built into it”, she told the Hindu, but it needs better enforcement.

Sundararajan said those issues will be addressed in the legislative amendments.

For more details visit http://editors.cis-india.org/internet-governance/news/the-register-richard-chirgwin-may-3-2017-135-million-indian-government-payment-card-details-leaked

Aadhaar data leaks not from UIDAI: Centre

praskrishna — 2017-05-20T08:27:28Z

Aadhaar is foolproof, it tells SC

The article by Krishnadas Rajagopal was published in the Hindu on May 3, 2017.

Leaks of Aadhaar card details are not from the UIDAI, but at the State level, the Union government told the Supreme Court on Wednesday.

“As of today, Aadhaar is foolproof. Biometric technology is the best system in 2016. There has not been a single leak from the UIDAI. The leaks of details may have been from the States... their offices and agencies,” advocate Arghya Sengupta, counsel for the Centre, submitted in the court.

The Centre’s clarification comes in the midst of reports that data of over 130 million Aadhaar cardholders have been leaked from four government websites.

Reports, based on a study conducted by the Centre for Internet and Society (CIS), a Bengaluru-based organisation, said Aadhaar numbers, names and other personal details of people have been leaked.

The Centre was washing its hands of the alleged leaks for the second consecutive day in the Supreme Court.

A-G’s assurance

On Tuesday, Attorney-General Mukul Rohatgi had emphatically assured the Supreme Court that biometrics of Aadhaar cardholders were safe and had not fallen into other hands. He said the biometric details were kept in a central database run by the Centre.

For more details visit http://editors.cis-india.org/internet-governance/news/hindu-krishnadas-rajagopal-may-3-2017-aadhaar-data-leaks-not-from-uidai

Around 130-135M Aadhaar Numbers published on 4 sites alone

praskrishna — 2017-05-20T10:52:26Z

“Therefore, there is no data leak, there is no systematic problem, but, if any one tries to be smart, the law ignites into action.” – Ravi Shankar Prasad, IT Minister, in the Rajya Sabha, on 10th April 2017.

The blog post by Nikhil Pahwa was published by Medianama on May 4, 2017.

Details of around 130-135 million Aadhaar Numbers, and around 100 million bank numbers have been leaked online by just four government schemes alone: the National Social Assistance Programme, the National Rural Employment Guarantee Scheme (NREGA), Daily Online Payments Reports under NREGA (Govt of Andhra Pradesh), and the Chandranna Bima Scheme (Govt of Andhra Pradesh), as per a research report from the Centre for Internet and Society.

Download the report here. Read full story on Medianama website.

For more details visit http://editors.cis-india.org/internet-governance/news/medianama-nikhil-pahwa-may-4-2017-around-130-135-m-aadhaar-numbers-published-on-four-sites-alone

Aadhaar numbers of 135 mn may have leaked, claims CIS report

praskrishna — 2017-05-20T11:10:37Z

The article was published by DNA on May 2, 2017.

"Based on the numbers available on the websites looked at, estimated number of Aadhaar numbers leaked through these four portals could be around 130-135 million," the report by CIS said.

Further, as many as 100 million bank account numbers could have been "leaked" from the four portals, it added.

The portals where the purported leaks happened were those of National Social Assistance Programme, National Rural Employment Guarantee Scheme, as well as two websites of the Andhra Pradesh government.

"Over 23 crore beneficiaries have been brought under Aadhaar programme for DBT (Direct Benefit Transfer), and if a significant number of schemes have mishandled data in a similar way, we could be looking at a data leak closer to that number," it cautioned.

The disclosure came as part of a CIS report titled 'Information Security Practices of Aadhaar (or lack thereof): A Documentation of Public Availability of Aadhaar Numbers with Sensitive Personal Financial Information'.

When contaced, a senior official of the Unique Identification Authority of India (UIDAI) said that there was no breach in its own database. The UIDAI issues Aadhaar to citizens.

The CIS report claimed that the absence of "proper controls" in populating the databases could have disastrous results as it may divulge sensitive information about individuals, including details about address, photographs and financial data.

"The lack of consistency of data masking and de- identification standard is an issue of great concern...the masking of Aadhaar numbers does not follow a consistent pattern," the report added.

For more details visit http://editors.cis-india.org/internet-governance/news/dna-may-2-2017-report-aadhaar-numbers-of-135-mn-may-have-leaked-claims-cis-report

১৩ কোটি আধার তথ্য ফাঁস চার সরকারি পোর্টাল থেকে! বিস্ফোরক দাবি রিপোর্টে

praskrishna — 2017-05-20T11:45:42Z

খোদ সরকারি পোর্টাল থেকে কয়েক কোটি আধার নম্বর ও যাবতীয় তথ্য ‘ফাঁস’!

This was published by Amar Bazar Patrika on May 2, 2017.

অভিযোগ, গত কয়েক মাসে প্রায় ১৩ কোটি আধার নম্বরের যাবতীয় ব্যক্তিগত ও সংবেদনশীল তথ্য ফাঁস হওয়ার ঘটনা ঘটেছে। আর এসবই হয়েছে চারটি সরকারি পোর্টাল থেকে তথ্যপ্রযুক্তি সুরক্ষার ঘাটতির জেরে! যা ঘিরে এখন তোলপাড় দেশ।

সম্প্রতি, এমনই বিস্ফোরক রিপোর্ট প্রকাশ করেছে অলাভদায়ক সংগঠন সেন্টার ফর ইন্টারনেট অ্যান্ড সোসাইটি (সিআইএস)। তাদের আশঙ্কা, চারটি সরকারি পোর্টালের মাধ্যমে ১০ কোটি মানুষের ব্যাঙ্ক অ্যাকাউন্ট নম্বরও ফাঁস হয়ে থাকতে পারে।

সংস্থার দাবি, যে চারটি পোর্টাল থেকে এই সব তথ্য ফাঁসের অভিযোগ, তার মধ্যে দু’টি অন্ধ্রপ্রদেশ সরকারের ওয়েবসাইট। বাকি দুটি পোর্টাল হল ন্যাশনাল সোশ্যাল অ্যাসিস্ট্যান্স প্রোগ্রাম এবং ন্যাশনাল রুরাল এমপ্লয়মেন্ট গ্যারান্টি স্কিম-এর।

এই গোটা ঘটনার জন্য ইউনিক আইডেন্টিফিকেশন অথরিটি অফ ইন্ডিয়া বা ইউআইডিএআই–কেই দায়ী করেছে সিআইএস। তাদের দাবি, আধার নিয়ন্ত্রক সংস্থার ‘দায়িত্বজ্ঞানহীনতার’ জন্যই এই উদ্ভুত পরিস্থিত সৃষ্টি হয়েছে।

সিএনআই-এর আরও দাবি, বিভিন্ন সরকারি ও বেসরকারি পোর্টাল—যারা আধার তথ্য ব্যবহার করে থাকে, তাদের নিজস্ব সুরক্ষা-ব্যবস্থা খতিয়ে দেখেনি ইউআইডিএআই। ফলত, এই বিপত্তির সম্মুখীন কয়েক কোটি মানুষ।

যদিও, ইউআইডিএআই -এর দাবি, তাদের ডেটাবেস থেকে কোনও তথ্য ফাঁস হয়নি।

For more details visit http://editors.cis-india.org/internet-governance/news/amar-bazar-patrika-may-2-2017-13-crore-aadhaar-leaked-due-to-poor-security-in-4-govt-websites

UIDAI remains silent on #Aadhaarleaks of 13 crore users through government portals

praskrishna — 2017-05-20T11:06:16Z

As the arguments for making Aadhaar mandatory go on, is there any way to stem the leaks and identify who exactly has all this information.

The blog post by Shruti Menon was published by Newslaundry on May 2, 2017

The verdict on linking Aadhaar with Permanent Account Number (PAN) and making it mandatory for filing income tax returns (ITRs) will be out soon. Attorney General Mukul Rohatgi had a tough challenge ahead of him in the Supreme Court as the state presented its argument today. Rohatgi defended the amendment in income tax law allowing this after senior lawyer Shyam Divan made a strong case against it on April 26 and 27. Divan became a hero to many overnight after he presented compelling arguments against the amendment citing facets of right to privacy - informational self-determination, personal autonomy, and bodily integrity - as he did so. Though the court has refused to entertain arguments pertaining to privacy, he managed to argue these concerns without couching them under right to privacy laws.

Advocate Gautam Bhatia posted minute-by-minute developments from the courtroom, and soon, #ThankYouMrDivan became one of the top trends on Twitter.

A day before the state presented its arguments, the Centre for Internet and Society (CIS) published a report titled “Information, Security Practices of Aadhaar (or lack thereof): A documentation of public availability of Aadhaar numbers with sensitive personal financial information” late on Monday. Authored by Amber Sinha and Srinivas Kodali, the report documents the leaks of over 13 crore Aadhaar numbers and resulting information of beneficiaries through four government portals-two at the centre and two at the state. “We are primarily talking of lack of standards and data fact-checking, storage and how all of this information- account numbers, phone numbers plus, Aadhaar numbers- in public domain increases the nature of risk of the backbone of digital payments,” Kodali told Newslaundry.

The four portals studied by the two are National Social Assistance Programme (NSAP), National Rural Employment Guarantee Act (NREGA) and two databases of Andhra Pradesh- NREGA and their scheme called Chandranna Bima. The report claims that the aforementioned public portals compromised personally identifiable information (PII) including “Aadhaar numbers and financial details such as bank account numbers” of 13 crore people due to a lack of security controls.

“While the details were masked for public view, someone with login access could get the details,” the report read. “When one of the url query parameters of the website showing the masked personal details was modified from ‘nologin’ to ‘login’, that is, control access to login based pages were allowed providing unmasked details without the need for a password.” What this essentially means is that these portals allow people to explore lists organised by states, districts, area, sub-district, and municipalities which contain the personal information of the people who are enrolled into the schemes.

The report also cites legal framework under the Aadhaar Act that allows the government or private entities to store Aadhaar numbers on the grounds that they won’t be used for purposes other than those listed in the act. CIS’s study, however, reveals that information pertaining to religion, caste, race, tribe or even income is sometimes collected and published on such portals with little in the way of security checks.

Speaking to Newslaundry, Anupam Saraph, professor and former governance and IT advisor to Goa’s Chief Minister, Manohar Parrikar, said that the data exposed could be significantly more than what the report shows. “Many more Aadhaar numbers have been exposed on websites relating to Pension Schemes, PDS, Ministry of Water and Sanitation, Ministry of Human Resource Development, Scholarships, Schools, Colleges, Universities, Kendriya Sainik board, PM Avas Yojana to name a few,” he said. “Besides this Registrars to the UIDAI (State Governments and various ministries of the Central government, some Public Sector undertakings) were allowed to retain the Aadhaar number, demographic and biometric data (associated with the Aadhaar number). While this may not be exposed on websites, it is unsecured and possibly accessible to data brokers within and outside government,” said Saraph who has designed delivery channels and ID schemes for better governance.

What’s worth noting is that the people whose data has been breached are unaware that their information is available on public platforms and vulnerable to data theft. “It is UIDAI’s [Unique Identification Authority of India] job to investigate and inform them,” Kodali told Newslaundry. “At some point of time, everybody is going to have everybody’s information,” he added.

Currently, the government has an open data portal. It describes itself as a platform “intended to be used by Government Ministries/Departments and their organisation to publish datasets, documents, services, tools and applications collected by them for public use”.

So is it feasible to have open data portals for transparency and accountability? “Having certain government data being publicly accessible is certainly desirable.” Saraph continued that the problem was, data on public expenditure should ideally be openly accessible but it’s also where the most leakage occurs. “Making Aadhaar mandatory is meaningless,” he said, as India does not have a policy on open data portals yet, which can subject Aadhaar data to “misuse”.

Given that the UIDAI is responsible for investigating and making people aware of any data breach or theft, they have remained silent for an oddly long time. It is unclear whether the UIDAI is itself aware of who has accessed the data that is insecurely published on these government portals. “They’re letting everybody collect this information but they were not aware themselves that who had access to this information, that’s the main problem,” Kodali said. While the Aadhaar ecosystem was to ensure social inclusion and transparency, in its current form, the system looks so opaque that the people who are running it may not be aware themselves of what is going on.

What does it mean to have access to someone else’s Aadhaar?

With an increasing number of social welfare schemes being linked to Aadhaar, it was touted as an attempt to remove the middlemen, frauds and corruption with the government. According to the report, "A cumulative amount of Rs 1,78,694.75 has been transferred using DBT for 138 schemes under 27 ministries since 2013. Various financial frameworks like Aadhaar Payments Bridge (APB) and Aadhaar Enabled Payment Systems (AePS) have been built by National Payment Corporation of India to support DBT and also to allow individuals use Aadhaar for payments."

Given that such systems are in place to ensure easier and accessible banking, research shows that the Aadhaar seeding process led to government portals putting personal information of so many people under various schemes in the "absence of information security practices to handle so much PII", as per the research. This is not only a breach of privacy but also makes a person vulnerable to financial fraud in cases where their bank details are public. "One of the prime examples is individuals receiving phone calls from someone claiming to be from the bank. Aadhaar data makes this process much easier for fraud and increases the risk around transactions," the report reads.

UIDAI on silent mode

Unfortunately, UIDAI has not addressed this concern, let alone acknowledge it. It has been cracking down on people by filing first information reports (FIRs) against those tracking and exposing the vulnerabilities of the Aadhaar system. Recently, UIDAI’s Chief Executive Officer (CEO), ABP Pandey was accused of blocking twitter handles of prominent security researchers and analysts who have been extensively reporting about vulnerabilities in the Aadhaar system.

One of the handles was blocked was Saraph’s. “I do not know why they blocked me. I have been vocal about the problems associated with the UID and its use,” he said. He added that he served several notices of contempt of court to the CEO of UIDAI and has been questioning the verification and audit of UID database. “Perhaps [he] was annoyed with my efforts to make them accountable and responsible,” he said.

On April 18, however, in a response to Right to Information (RTI) query filed by Sushil Kambampati, UIDAI denied having blocked any twitter handles. Almost immediately, it was called out on twitter for ‘lying’ in the RTI response as many users claimed it had.

Saraph declared that such a move, the blocking of users asking questions, was indicative of UIDAI’s cluelessness. Apar Gupta, a Delhi-based lawyer working on cyber security, had told Newslaundry that it was unethical and unconstitutional of government bodies (such as the UIDAI) to block people. He reiterated that in one of his tweets recently.

Today, however, the Pandey’s individual twitter profile no longer exists. It has now been changed to “ceo_office”. CIS’s report states that the UIDAI has been pushing for more databases to get in sync with Aadhaar, but with little or no accountability. “While the UIDAI has been involved in proactively pushing for other databases to get seeded with Aadhaar numbers, they take a little responsibility in ensuring the security and privacy of such data,” the report reads. Kodali, however, told Newslaundry that the report was not aimed at questioning the security of such seeding. “We’re not saying it is not really secure but we’re just saying it increases the risk factors,” he said.

UIDAI has also not responded to several queries filed by vulnerability testers.

Newslaundry reached out to the UIDAI with the following questions:

According to the report published, four government portals have personally identifiable information of about 13 crore people including their Aadhaar numbers and bank account details. What is being done about this?

If a person's privacy has been breached, what are the steps UIDAI would take for redressal?

Is UIDAI investigating the 13 crore Aadhaar leaks?

The report states "When one of the url query parameters of website showing the masked personal details was modified from “nologin” to “login”, that is control access to login based pages were allowed providing unmasked details without the need for a password." Is this true, and if so, what is your statement?

How do you ensure data security on open data portals?

This piece will be updated if and when they respond.

While UIDAI remains silent, A-G Rohatgi argued today that close to 10 lakh PAN cards were found to be fake. "Are they propagating a general public interest or propagating the fraud (fake PANs) which is going in," he said at the court today while suggesting that Aadhaar was the only way of preventing fake or duplicate cards.

Senior advocate Arvind Datar, who is also appearing for one of the three petitioners in the case said that the government could not take away his right to chose whether or nor to have an Aadhaar. "The Supreme Court had directed them that they cannot make it mandatory. The mandate of the Supreme Court can not be undone. My right of not to have an Aadhaar can not be taken away indirectly."

Though there are problems with the Aadhaar system and apparently very little redressal at the citizen’s end, Aadhaar is here to stay. As Divan and Rohatgi argue the constitutionality of making Aadhaar mandatory at the Supreme Court, the pertinent question that only the UIDAI can answer is whether they are technologically capable of keeping data secure given how aggressively Aadhaar linkage is being promoted.

However, Rohatgi's argument in court today, according to a Business Standard report was that the government cannot destroy the Aadhaar cards of people even after their death. Instead of being reassuring, this only seems to increase the possibilities for identity theft, as if there is little in the way of redressal mechanisms in life, what choices do the dead have?

The author can be contacted on Twitter @shrutimenon10.

For more details visit http://editors.cis-india.org/internet-governance/news/newslaundry-shruti-menon-may-2-2017-uidai-remains-silent-on-aadhaar-leaks-of-users-through-govt-portals

Details of 135 million Aadhaar card holders may have leaked, claims CIS report

praskrishna — 2017-05-20T08:42:57Z

The disclosure came as part of a CIS report titled ‘Information Security Practices of Aadhaar (or lack thereof): A Documentation of Public Availability of Aadhaar Numbers with Sensitive Personal Financial Information’.

The news from the Press Trust of India was published in the Hindustan Times on May 2, 2017.

Aadhaar numbers and personal information of as many as 135 million Indians could have been leaked from four government portals due to lack of IT security practices, the Centre for Internet and Society has claimed.

“Based on the numbers available on the websites looked at, estimated number of Aadhaar numbers leaked through these four portals could be around 130-135 million,” the report by CIS said.

Further, as many as 100 million bank account numbers could have been “leaked” from the four portals, it added.

The portals where the purported leaks happened were those of National Social Assistance Programme, National Rural Employment Guarantee Scheme, as well as two websites of the Andhra Pradesh government.

“Over 23 crore beneficiaries have been brought under Aadhaar programme for DBT (Direct Benefit Transfer), and if a significant number of schemes have mishandled data in a similar way, we could be looking at a data leak closer to that number,” it cautioned.

The disclosure came as part of a CIS report titled ‘Information Security Practices of Aadhaar (or lack thereof): A Documentation of Public Availability of Aadhaar Numbers with Sensitive Personal Financial Information’.

When contaced, a senior official of the Unique Identification Authority of India (UIDAI) said that there was no breach in its own database. The UIDAI issues Aadhaar to citizens.

The CIS report claimed that the absence of “proper controls” in populating the databases could have disastrous results as it may divulge sensitive information about individuals, including details about address, photographs and financial data.

“The lack of consistency of data masking and de- identification standard is an issue of great concern...the masking of Aadhaar numbers does not follow a consistent pattern,” the report added.

For more details visit http://editors.cis-india.org/internet-governance/news/hindustan-times-may-2-2017-details-of-135-million-aadhaar-card-holders-may-have-leaked-claims-cis-report