Centre for Internet and Society

130 Million at Risk of Fraud After Massive Leak of Indian Biometric System Data

praskrishna — 2017-05-20T12:36:06Z

A series of potentially calamitous leaks in India leave as many as 130 million people at risk of fraud or worse after caches of biometric and other personal data became accessible online.

The article by Dell Cameron was published by Gizmodo on May 3, 2017.

That’s according to a new report from the Bangalore-based Centre for Internet and Society (CIS), which details breaches at four national- and state-run databases, all of which are said to contain purportedly “uniquely-identifying” Aadhaar numbers.

Launched in 2009, the Aadhaar system is an ambitious, albeit flawed program aimed at assigning unique identity numbers, not only to Indian citizens, but everyone who resides and works in the country. It is the largest program of its kind in the world. The 12-digit Aadhaar codes are assigned and maintained in a central database by the Unique Identification Authority of India (UIDAI) and link to biometric data of fingerprint and iris scans combined.

For security purposes, since 2002, all U.S. passports issued to international travelers at embassies and consulates around the world have contained biometric data, including a ten fingerprint scan, contained in a microchip embedded in the back cover. In 2007, the law was extended to cover U.S. citizens, and since at least 2013, so-called “e-passports” have been the standard.

With a very different intention in mind, the Aadhaar system was created to employ biometrics as a means to ensure that Indian residents have access to the social safety net, including programs for welfare, health, and education. But due to the sheer scale—again, the largest biometric project in history—the program has been fraught with controversy since day one. Since inception, more than 1.13 billion Aadhaar numbers have since been assigned, according to UIDAI data. (India has a population of roughly 1.32 billion.)

Former World Bank economist Salman Anees , a member of the Indian National Congress (INC), points to migrant laborers as an example of those the program is intended to help. The often carry no identification, he said, and therefore can rarely prove who they are when traveling from state to state. The purpose of the Aadhaar system, he said, is to provide every Indian with a “digital identity.”

“At least, that was the original idea,” adds Soz.

After the INC was battered in the 2014 general election, plans were put forth to expand the scope of the Aadhaar program, inflaming public concern over security and privacy. “Basically, you take this Aadhaar number and you start seeding different [government] databases,” Soz says. “And that, in effect, creates this huge data structure that people are very uncomfortable with.”

“In some ways,” he continued, “what you have is this amazingly modern system with huge data collection potential—and of course, many positives can come from this, but in the wrong hands it can become a huge problem for India. At the same time, your legal framework, your regulatory framework, your policies and procedures are not there. People aren’t aware of what their rights are. They have no idea what this thing can do.”

One problem, Soz says, is that Aadhaar numbers are not always checked against a cardholder’s fingerprints or iris scans in all cases, defeating its purpose entirely. When someone provides an Aadhaar number to prove their identity online or by phone, for example, their identities cannot adequately verified. In this way, Aadhaar numbers are not wholly unlike Social Security numbers in the United States. Were 130 million Social Security numbers to be leaked online, confidence in the ability to use that number to confirm an Americans’ identities would be shaken, if not destroyed.

Last month, a central government database containing thousands of Aadhaar numbers—as well as dates of birth, addresses, and tax IDs (PAN)—reportedly leaked, exposing thousands of Indian residents to potential abuse. According to The Wire, the information, which was contained in Microsoft Excel spreadsheets, could be easily located on Google.

According to CIS, roughly 130-135 million Aadhaar numbers have now been exposed in this most recent leak. With the growing use of the numbers in areas such as insurance and banking, and without proper mechanisms in place to biometrically confirm the identities of cardholders in every case, the threat of financial fraud is pervasive. “All of these leaks are symptomatic of a significant and potentially irreversible privacy harm,” the report says, noting that such incidents “create a ripe opportunity for financial fraud.”

While Aadhaar is not mandatory everywhere, CIS says, the Indian government continues collecting information about the participants under various social programs. Inevitably, that information is combined with other databases containing even more sensitive data. As that happens, there’s a heightened risk to those whose Aadhaar numbers have been compromised. How the Indian government will address its apparently inadequate security controls before fraud overwhelms the system remains unknown.

Read the full report: Information Security Practices of Aadhaar (or lack thereof): A documentation of public availability of Aadhaar Numbers with sensitive personal financial information

For more details visit http://editors.cis-india.org/internet-governance/news/gizmodo-may-3-2017-130-million-at-risk-of-fraud-after-massive-leak-of-indian-biometric-system-data

130 Million Aadhaar Numbers Were Made Public, Says New Report

praskrishna — 2017-05-20T06:32:32Z

The research report looks at four major government portals whose poor information security practices have exposed personal data including bank account details.

The article was published in the Wire on May 1, 2017. This was also mirrored on MensXP.com on May 5, 2017.

Irresponsible information security practices by a major central government ministry and a state government may have exposed up to 135 million Aadhaar numbers, according to a new research report released on Monday.

The last two months have seen a wave of data leaks, mostly due improper information security practices, from various central government and state government departments.

This new report, released by the Centre for Internet and Society, studied four government databases. The first two belong to the rural development ministry: the National Social Assistance Programme (NSAP)’s dashboard and the National Rural Employment Guarantee Act (NREGA)’s portal.

The second two databases deal with the state of Andhra Pradesh: namely, the state government’s own NREGA portal and the online dashboard of a state government scheme called “Chandranna Bima”.

“Based on the numbers available on the websites looked at, estimated number of Aadhaar numbers leaked through these 4 portals could be around 130-135 million and the number of bank accounts numbers leaked at around 100 million from the specific portals we looked at,” the report’s authors, Amber Sinha and Srinivas Kodali, state.

The data leaks come, in part, from the government’s decision to provide online dashboards that were likely meant for general transparency and easy administration. However, as the report notes, while open data portals are a laudable goal, if there aren’t any proper safeguards, the results can be downright disastrous.

“While availability of aggregate information on the dashboard may play a role in making government functioning more transparent, the fact that granular details about individuals including sensitive PII such as Aadhaar number, caste, religion, address, photographs and financial information are only a few clicks away suggest how poorly conceived these initiatives are,” the report says.

Consider the NSAP portal for instance. The dashboard allows users to explore a list of pensioners, whose personally identifiable information include bank account number, name and Aadhaar number. While these details are “masked for public view”, the CIS report points out that if “one of the URL query parameters of the website… was modified from ‘nologin’ to ‘login'”, it became easy to gain access to the unmasked details without a password.

“It is entirely unclear to us what the the purpose behind making available a data download pption on the NSAP website is. This feature allows download of beneficiary details mentioned above such as Beneficiary No., Name, Father’s/Husband’s Name, Age, Gender, Bank or Post Office Account No. for beneficiaries receiving disbursement via bank transfer and Aadhaar Numbers for each area, district and state,” the report states.

UIDAI role?

Kodali and Sinha also prominently finger the role of the Unique Identification Authority of India (UIDAI), the government agency that manages the Aadhaar initiative, in the data leaks.

“While the UIDAI has been involved in proactively pushing for other databases to get seeded with Aadhaar numbers, they take little responsibility in ensuring the security and privacy of such data.With countless databases seeded with Aadhaar numbers, we would argue that it is extremely irresponsible on the part of the UIDAI, the sole governing body for this massive project, to turn a blind eye to the lack of standards prescribed for how other bodies shall deal with such data, such cases of massive public disclosures of this data, and the myriad ways in which it may used for mischief,” the report states.

Still public?

A crucial question that arises is whether these government databases are still leaking data. Over the last two months, some of information has been masked.

“It must be stated that since we began reviewing and documenting these portals, we have noticed that some of the pages with sensitive PII (personally identifiable information) have now been masked, presumably in response to growing reports about Aadhaar leaks,” the report notes.

For more details visit http://editors.cis-india.org/internet-governance/news/the-wire-may-1-2015-130-million-aadhaar-numbers-were-made-public-says-new-report

105 Kannada books released under Creative Commons

praskrishna — 2014-09-30T05:57:37Z

Contents will now be available in Wikisource for use by everyone.

The article was published in Bangalore Mirror on September 29, 2014.

Kannada book lovers will now be able to legally download more than 100 books that have been released by the state government under the Creative Commons licence. The treasure trove, which includes a good mix of classics and rhythmic writings, have been digitised by the Department of Kannada and Culture and some of them put up on Wikisource, the website from where details for Wikipedia pages are sourced.

The licence entitles anyone "to use the work in a commercial product or otherwise, and to modify it according to their needs." The licence is not limited to use in Wikipedia.

The initiative, which aims to enrich Kannada language and culture, is the brainchild of UB Pavanaja, a Bangalore-based writer. Pavanaja, along with some other Wikipedia contributors, approached the department to digitise and re-release Kannada classics. The department then decided to give CC licence to 105 books last month. With this licence, the source copy (soft copy) of the books will be made available.

The books released by the department include 35 volumes of the Samagra Dasa Sahitya (complete Dasa literature), 15 volumes of Samagra Vachana Samputa (complete Vachana literature), 36 volumes of Rigveda Samhita, Kumaravyasa Bharata, Jaimini Bharata, Nalacharitre and Mohana Tarangini. Soon, all these will be available for anyone who wants to read them online.

"According to India's copyright laws, any book will be out of copyright after 60 years. So technically, classics are out of copyright but this applies to the text only. But when someone publishes even a classic, they hold the copyright to the information they have keyed in and edited," said Pavanaja who is also a member of the advisory committee to the state government of Kannada software development. "What the department has given is rights to re-published versions of the classics and also the commentary, criticism, essays on these classics they have published. Any information that is out of copyright is uploaded to wikisource.org. They have given us soft copies of some of the books. The rest of the books for which CC licence is provided will have to be typed again and uploaded to Wikisource."

Pavanaja, who is also a popular contributor of Kannada information on Wikipedia, feels the 'free and open' knowledge movement in Kannada and especially Wikipedia is hampered by lack of contributors.

"Malayalam Wikipedia has nearly 1,000 editors. Kannada also has 600 registered editors, but only about 22 are active. So while the number of Wikipedia articles in other languages are increasing in leaps and bounds, there are only about 18,000 Kannada articles. This is a very small number considering there are around 18 lakh hits for Kannada every day."

Director of the Department Kannada and Culture KA Dayanand told Bangalore Mirror that they are currently only uploading books to which the department holds the copyright.

"I have also written to the writers who hold copyrights of books published by us. If they give permission, more books will be released. If more Kannada books are available online, it can only boost Kannada on the Internet."

In another related development, Mysore University has released six of the 14 volumes of its encyclopedia. Four of these will be available for anyone to read online, modify and use it. The Hampi Kannada University has a huge 29-volume encyclopedia. Sources say the university is in the initial stage making this available on Creative Commons.

For more details visit http://editors.cis-india.org/openness/news/bangalore-mirror-shyam-prasad-105-kannada-books-released-under-creative-commons

100 Konkani Articles Added to Wikipedia in One Day

praskrishna — 2016-02-12T15:17:02Z

This was published in the Times of India.

For more details visit http://editors.cis-india.org/a2k/news/100-konkani-articles-added-to-wikipedia-in-one-day

महाराष्ट्र ग्रंथोत्तेजक संस्थेमधील एक हजार ग्रंथ ऑनलाईन

praskrishna — 2015-12-15T07:57:00Z

Coverage of Marathi Wikipedia in Saamna.

A scanned version of the article published in Saamna on October 30 is below:

For more details visit http://editors.cis-india.org/openness/news/92e93993e93093e93794d91f94d930-91794d93090292594b92494d92494791c915-93890293894d92594792e927940932-90f915-93991c93e930-91794d930902925-91192893293e908928

मराठी पुस्तके 'विकिस्रोत' ला, सकाळ

praskrishna — 2015-12-15T07:44:52Z

Marathi Wikipedia media coverage in Sakaal newspaper.

Scanned version of the article published in Sakaal on October 28, 2015:

For more details visit http://editors.cis-india.org/openness/news/92e93093e920940-92a94193894d924915947-93593f91593f93894d93094b924-93293e-93891593e933-1

भाषाई कंप्यूटिंग के मानक बनाने के लिए चेन्नई में हुआ तीसरा फ्यूल जिल्‍ट

praskrishna — 2015-12-15T07:53:31Z

“मूसलाधार बारिश से जूझ रही चेन्नई में तीसरा फ़्यूल ज़िल्ट कॉन्फरेंस 2015 सफलतापूर्वक रविवार 22 नवंबर को संपन्न हुआ। भाषाई कंप्यूटिंग के लिए मानक भाषाई संसाधन और औज़ार बनाने में पिछले सात सालों से जुटी फ़्यूल परियोजना के द्वारा 2013 में आरंभ किए गए इस सम्मेलन के प्रायोजक और आयोजक दुनिया की जानी-मानी कंपनियां मोज़िला, सी-डैक और रेड हैट हैं। इसके पहले के दोनों सम्मेलन पुणे में आयोजित किए गए थे। यह सम्मेलन लोकलाइजेशन क्षेत्र का ओपन सोर्स का सबसे बड़ा सम्मेलन है।”

The article was published in Outlook on November 26, 2015.

तीन दिवसीय यह सम्मेलन 20 नवंबर को चेन्नई के अन्ना विश्वविद्यालय के टैग ऑडिटोरियम में आरंभ हुआ। इसके उद्घाटन सत्र को मोज़िला के लोकलाइजेशन ड्राइवर एक्सेल हेच्ट, आईआईटी मद्रास की प्रोफ़ेसर हेमा मूर्ति, आईआईटी मद्रास के ही हेमचंद्रण कराह और सीडैक के सहायक निदेशक जसजीत सिंह ने संबोधित किया। पहले दिन के शाम के पैनल डिसक्शन में मोज़िला की पेइंग मो और आर्की तथा अवाया के जी. करूणाकर और फ्यूल प्रोजेक्ट के संस्थापक राजेश रंजन के मॉडरेशन में खुली परिचर्चा हुई। पहले दिन के कार्यक्रम में भाषाई कंप्यूटिंग पर काम करने वाले कई जाने-माने विद्वानों ने हिस्सा लिया।

तमिलनाडु के स्थानीय भाषाई तकनीक विशेषज्ञों के अलावा इस सम्मेलन में भारत और नेपाल के विभिन्न भाषा-भाषाई करीब पचास से अधिक लोग उपस्थित हुए। तीन दिवसीय इस सम्मेलन का पहला दिन सभी लोगों के लिए खुला था जबकि अगला दो दिन मोज़िला लोकलाइजेशन हैकाथन का कार्यक्रम चला जिसके लिए सहभागी ख़ास तौर पर आमंत्रित किए गए थे। लोकलाइजेशन स्रोत भाषा से स्थानीय भाषा में किसी उत्पाद को बदलने की पूरी तकनीकी प्रक्रिया को कहा जाता है। इसके अंतर्गत मोज़िला के विभिन्न उत्पादों के लोकलाइजेशन यानी स्थानीयकरण की प्रक्रिया, उसमें सुधार और भविष्य की कार्ययोजना पर विस्तार से चर्चा हुई। पूरे कार्यक्रम का संचालन सी-डैक के तकनीकी अधिकारी चंद्रकांत धूताडमल ने किया।

उद्घाटन सत्र का आरंभ करते हुए फ़्यूल प्रोजेक्ट के संस्थापक राजेश रंजन ने फ़्यूल प्रोजेक्ट के बारे में उपस्थित श्रोताओं को बताया। उन्होंने बताया कि महज सामुदायिक योगदान और कुछ संगठनों की मदद के बदौलत भाषाई संसाधन का यह प्रोजेक्ट दुनिया की भाषाई संसाधन जैसे तकनीकी शब्दावली, स्टाइल गाइड आदि की सबसे बड़ी खुली परियोजना बन गई है। मानक तकनीकी शब्दावली, स्टाइल गाइड, ट्रांसलेशन एसेसमेंट मैट्रिक्स सहित कई महत्वपूर्ण संसाधनों से लैस यह प्रोजेक्ट विश्वव्यापी भाषाई संदर्भ का बड़ा अभिलेख बन गया है। गौरतलब है कि दुनिया की क़रीब 60 भाषाओं के भाषा समुदाय अभी इस परिजोयना से जुड़ी हुई है। मोज़िला के एक्सेल हेच्ट ने भारत में बढ़ रहे इंटरनेट उपयोगकर्ताओं के महत्व को रेखांकित करते हुए बताया कि मोज़िला और इसके खुले मूल्यों की उपस्थिति कितनी इनके लिए कितनी महत्वपूर्ण है। हेमा मूर्ति ने कहा कि अभी भी भाषाई कंप्यूटिंग की स्थिति काफी अच्छी नहीं हुई है और इस क्षेत्र में काफी काम होना बाकी हैं। जसजीत सिंह ने कहा कि कुछ और बड़ी कंपनियों के साथ फ़्यूल का जुड़ाव होना जरूरी है और उन कंपनियों को सामुदायिक रूप से तैयार किए गए संसाधन के महत्व को समझना चाहिए। ‘समानता के चिह्न और डिजिटल मानविकी का विकास’ विषय पर हेमचंद्रण का वक्तव्य बेहद उम्दा रहा। उन्होंने कहा कि डिजिटल मानविकी ने पारंपरिक मानविकी को हैक कर लिया है। उन्होंने कहा कि हमें महज इंटरफेस स्तरीय लोकलाइजेशन से ऊपर उठना चाहिए।

कार्यक्रम में लिब्रेऑफिस के इटालो विग्नोली, हमारा लिनक्स के विकास तारा, इतिहासकार रविकांत और जाने-माने ब्लॉगर रवि रतलामी और कनाडा के अमनदीप सिंह सैनी ने भी अपना वक्तव्य दिया। जहाँ रविकांत ने भाषाई शुद्धतावाद की आलोचना करते हुए सामुदायिक और खुल प्रयासों की उपयोगिता को रेखांकित किया वहीं रतलामी ने आईफोन, एंड्रायड और विंडोज फोन से उदाहरण देते हुए फ़्यूल की अनिवार्यता बताई। अमनदीप ने कनाडा में विभिन्न भाषा-भाषी लोगों के लिए किए गए सरकारी उपायों को बताया और कहा कि कैसे भारत भाषाई एक्सेसिबिलीटी के मामले में पीछे है और इसके कारण यहाँ के लोगों को कितनी समस्याओं का सामना करना पड़ता है। इटली निवासी इटालो ने ओपन डॉक्यूमेंट फॉर्मेट पर चर्चा की और विकास ने हमारा लिनक्स की गतिविधि पर प्रकाश डाला। भाषाई तकनीक विशेषज्ञ बिराज कर्माकर, प्रवीण ए, शुभाशीष पाणिग्रही, वीथिका मिश्रा, प्रवीण सतपुते, चंदन कुमार, राजू विंदाने सहित कई लोगों ने अपना वक्तव्य दिया।

मोज़िला के एक्सेल हेच्ट, पेइंग मो और आर्की के दिशा-निर्देश में अंतिम दो दिन विभिन्न भाषाओं में काम करने वाले लोगों ने व्यापक परिचर्चा के दौरान कई विषयों पर बातें की और उपस्थित लोगों ने मोज़िला की स्वयंसेवी गतिविधियों के भविष्य की कार्ययोजना बनाई।

For more details visit http://editors.cis-india.org/openness/news/92d93e93793e908-91590292a94d92f94291f93f902917-915947-92e93e928915-92c92893e928947-915947-93293f90f-91a94792894d928908-92e947902-939941906-92494093893093e-92b94d92f942932-91c93f93294d200d91f

पीजी जूलॉजी विभाग में एक दिवसीय समागम का आयोजन

praskrishna — 2016-12-20T16:32:41Z

रांची विश्वविद्यालय के पीजी जूलॉजी विभाग में शनिवार को इंटरनेट एक्सेस पर आधारित संगोष्ठी ‘ओपनकॉन हुई। कुलपति डॉ रमेश कुमार पांडेय ने इसकी अध्यक्षता की। कार्यक्रम में डीएसडब्ल्यू डॉ सतीश चंद्र गुप्ता, प्रो संजय मिश्रा, प्रो अभिजीत दत्ता और डॉ बीके सिन्हा मौजूद थे। इसका आयोजन ओपन एक्ससेस इंडिया के सहयोग से किया गया। संगोष्ठी में लगभग 60 प्रतिभागियों ने हिस्सा लिया। कुलपति डॉ रमेश कुमार पांडेय समेत कई प्रतिभागियों ने अपना विकीपीडिया अकाउंट पेज भी खोला।

The article was published in the Hindustan on November 12, 2016.

संगोष्ठी में बतौर रिसोर्स पर्सन सेंटर फॉर फ्यूचर एंड सोसायटी, बंगलुरू के टीटो दत्ता, विकीपीडिया से गंगाधर बधानी मौजूद थे। साथ ही, ऑनलाइन विशेषज्ञों के तौर पर इस्लामिक यूनिवर्सिटी लेबनान की जमीला जाबेर व बंगलुरू की लीना और वृषाली प्रतिभागियों से रू-ब-रू हुईं। इंटनेटर एक्सेस से जुड़ी नवीनतम जानकारियों को पाकर प्रतिभागी खासे उत्साहित थे। उन्होंने शोधकार्य और अध्ययन के लिए इसे बहुत उपयोगी बताया। साथ ही, यह मांग भी की इस तरह के आयोजन नियमित अंतराल पर होते रहने चाहिए। संगोष्ठी में ओपन एक्सेस, ओपन एजुकेशन और ओपन डाटा के विभिन्न पहलुओं पर चर्चा हुई। इसमें विद्यार्थियों, शोधार्थियों और शिक्षाविदों को शोध व प्रोजेक्ट के लिए बेहतर स्रोत विकसित करने के तरीके बताए गए।

For more details visit http://editors.cis-india.org/a2k/news/hindustan-november-12-2016-article-1-opencon-conference-held-at-ru