Indian Data Security: Keeping your bride in your best friend's house

The Strategic Issues & International Relations Forum is a venue to discuss issues pertaining to India's security environment, her strategic outlook on global affairs, as well as the effect of international relations in the Indian Subcontinent.
shaun
BRFite
Posts: 1385
Joined: 11 Aug 2016 06:14

Re: Indian Data Security: Keeping your bride in your best friend's house

Post by shaun »

Aadhaar data kept, processed only on own secure servers: UIDAI
https://timesofindia.indiatimes.com/bus ... 342148.cms

New Delhi, Aug 30: The UIDAI today rejected charges that foreign firms were accessing sensitive data, saying no Aadhaar information has ever been stored or processed outside its own data centre and resides only within its fully-secured servers.

"Aadhaar data is fully safe and secure and has robust uncompromised security. The UIDAI data centre is an infrastructure of critical importance and is protected accordingly with high technology, conforming to the best standards of security," the UIDAI said in a statement.

The Unique Identification Authority of India (UIDAI), which is the Aadhaar issuing body, said such data is accessible only to the biometric software provider's solution for the purpose of processing of data "within the highly secure environment of UIDAI data centre".

The Aadhaar data is stored, kept and processed only on the UIDAI servers within its data centre. Moreover, it said these servers have no linkages to the "outside world" through the Internet or any other means, including laptops and pen drives.

The data centre premises are fully protected "physically", the UIDAI claimed, adding that hardware supplies are also tested twice before being put to use in the data centre.

"No Aadhaar data has ever been kept, stored or processed outside the UIDAI data centre and is always on UIDAI servers," it added.

The UIDAI said the role of the biometric service providers is to offer de-duplication software which too runs on UIDAI's secure servers and data centres.

"The biometric image data is never in physical possession of biometric service provider or any of its employees at any point of time, in any case," it said further.

The terms of contract require the software solution to be secure and conform to the government's data security guidelines, the statement said, adding that applications running on UIDAI IT hardware too are secured through firewall and intrusion prevention system.

All the service providers are bound by strict confidentiality regime under the contract, and violation would lead to three years of imprisonment, it added.

The statement from the UIDAI comes amid reports that an RTI application has revealed that the Aadhaar contract gave foreign firms access to classified personal data such as fingerprints and iris scan information.

The UIDAI has been fire-fighting allegations of unauthorised access to data. Last week, WikiLeaks hinted that the CIA had allegedly accessed the Aadhaar database, a claim strongly refuted by the UIDAI.

WikiLeaks, in a tweet last week, had said, "Have CIA spies already stolen #India's national ID card database?"

It was alleged that the Central Intelligence Agency (CIA) was leveraging tools of US-based technology provider Cross Match -- incidentally, an Aadhaar vendor -- for snooping, and that sensitive data could have been compromised.
UlanBatori
BRF Oldie
Posts: 14045
Joined: 11 Aug 2016 06:14

Re: Indian Data Security: Keeping your bride in your best friend's house

Post by UlanBatori »

Secure Indian servers..... safe as a bank vault. :rotfl:

My Evil 6th coujin has an account with the famous IndusInd Bank, the Best in India in Customer Service. It eventually got through his thick skull that he had not seen any statements from said Bank for about a year, so he emailed them and asked for a stmt.

They sent it - the Manager and his merry band are nothing if not totally service-minded. His address had been changed to some place in Bangkok, instead of Ulan Bator. IOW, for a year, the bank had been most conscientiously sending his name, acct number, bank balances, TDS statements with PAN card number, all to some place in Bangkok.

Chalta hain. The CIA may get the Aadhar database, but will it make any sense?
vasu raya
BRFite
Posts: 1658
Joined: 11 Aug 2016 06:14

Re: Indian Data Security: Keeping your bride in your best friend's house

Post by vasu raya »

Dark Web Nightmares
The Indian defence forces have taken measures to protect information systems that store tactical information such as deployment of troops, formations and war strategies. The most recent measure in this regard was the development and deployment of the Bharat Operating System Solution (BOSS) to guard the armed forces communication and information networks from espionage by foreign players. The software, developed by CDAC Chennai, is already functional in the northern command of the army, but has shown little promise. “BOSS has been tested by the army, but it’s still in very nascent stages,” says an officer of the Navy on condition of anonymity. “Its use has highlighted several bugs in the system that we are patching as and when a situation arises.” Retired army officer D.P.K. Pillay, who is a Fellow with the Institute of Defence Studies and Analysis, adds to this that BOSS is still not state-of-the-art and needs a lot of work to make it actually impenetrable.
Typically the network stack doesn't have encryption as a layer; it's always at application level. Maybe they can consider that for end-to-end encryption by default?
Military cyber security, according to experts in the field, is a tricky domain. Unlike nuclear power, which functions on an interwoven mesh of international diplomacy and a show of hard power, it has the potential to wreck a country without providing for attribution or accountability. This means no country can authoritatively claim to know the extent of capabilities another possesses.

While intelligence-collecting tactics have shown to a certain extent the capabilities of each country in the cyber world, it is a well-protected secret. Take for example the recent crash of a Sukhoi aircraft in Assam earlier this year. Speculations within the forces and other agencies suggest that the May incident at Nagaon district was a well-crafted attack by the Chinese cyber command. (They remain conjectures, since the origin of the attack is mostly not attributable.) An official statement though claims that a high-level committee appointed to find the cause of the crash negated the involvement of the Chinese cyber command on the basis that Beijing still does not possess the technical ability to get into the Indian system to launch such a complex attack.
While not supporting the Chinese hand theory, the logic to rule it out as a cause is flawed.
kit
BRF Oldie
Posts: 6278
Joined: 13 Jul 2006 18:16

Re: Indian Data Security: Keeping your bride in your best friend's house

Post by kit »

Quite an apt title for the issue :mrgreen:
vinod
BRFite
Posts: 979
Joined: 11 Aug 2016 06:14

Re: Indian Data Security: Keeping your bride in your best friend's house

Post by vinod »

There has been a report on Aadhar data being compromised.
The original report in Tribune:
http://www.tribuneindia.com/news/nation/rs-500-10-minutes-and-you-have-access-to-billion-aadhaar-details/523361.html
Rs 500, 10 minutes, and you have access to billion Aadhaar details
Group tapping UIDAI data may have sold access to 1 lakh service providers

Rachna Khaira

Tribune News Service


Jalandhar, January 3
It was only last November that the UIDAI asserted that “Aadhaar data is fully safe and secure and there has been no data leak or breach at UIDAI.” Today, The Tribune “purchased” a service being offered by anonymous sellers over WhatsApp that provided unrestricted access to details for any of the more than 1 billion Aadhaar numbers created in India thus far.
It took just Rs 500, paid through Paytm, and 10 minutes in which an “agent” of the group running the racket created a “gateway” for this correspondent and gave a login ID and password. Lo and behold, you could enter any Aadhaar number in the portal, and instantly get all particulars that an individual may have submitted to the UIDAI (Unique Identification Authority of India), including name, address, postal code (PIN), photo, phone number and email.
What is more, The Tribune team paid another Rs 300, for which the agent provided “software” that could facilitate the printing of the Aadhaar card after entering the Aadhaar number of any individual.
When contacted, UIDAI officials in Chandigarh expressed shock over the full data being accessed, and admitted it seemed to be a major national security breach. They immediately took up the matter with the UIDAI technical consultants in Bengaluru.
Sanjay Jindal, Additional Director-General, UIDAI Regional Centre, Chandigarh, accepting that this was a lapse, told The Tribune: “Except the Director-General and I, no third person in Punjab should have a login access to our official portal. Anyone else having access is illegal, and is a major national security breach.”

1 lakh illegal users
Investigations by The Tribune reveal that the racket may have started around six months ago, when some anonymous groups were created on WhatsApp. These groups targeted over 3 lakh village-level enterprise (VLE) operators hired by the Ministry of Electronics and Information Technology (ME&IT) under the Common Service Centres Scheme (CSCS) across India, offering them access to UIDAI data.
CSCS operators, who were initially entrusted with the task of making Aadhaar cards across India, were rendered idle after the job was withdrawn from them. The service was restricted to post offices and designated banks to avoid any security breach in November last year.
Spotting an opportunity to make a quick buck, more than one lakh VLEs are now suspected to have gained this illegal access to UIDAI data to provide “Aadhaar services” to common people for a charge, including the printing of Aadhaar cards. However, in wrong hands, this access could provide an opportunity for gross misuse of the data.
The hackers seemed to have gained access to the website of the Government of Rajasthan, as the “software” provided access to “aadhaar.rajasthan.gov.in”, through which one could access and print Aadhaar cards of any Indian citizen. However, it could not be ascertained whether the “portals” were genuinely of Rajasthan, or it was mentioned just to mislead.
Sanjay Jindal said all of this could be confirmed only after a technical investigation was conducted by the UIDAI.

‘Privacy at risk’
“Leakage of Aadhaar data reveals that the project has failed the privacy test. At the recently concluded 11th WTO Ministerial Conference, India submitted a written position on e-commerce, opposing the demand for negotiations on e-commerce by the US and its allies. The latter were demanding access to citizens’ database for free. The revelation by The Tribune also means that the proposed data protection law will now hold no purpose, as the data has already been breached. The state governments must immediately disassociate themselves and cancel the MoU signed with UIDAI,” said Gopal Krishan, New Delhi-based convener of the Citizens Forum for Civil Liberties, who appeared before the Special Parliamentary Committee that examined the Aadhaar Bill in 2010.
A quick chat, and full access
• 12:30 pm: This correspondent posing as ‘Anamika’ contacted a person on WhatsApp number 7610063464, who introduced himself as ‘Anil Kumar’. He was asked to create an access portal.
• 12:32 pm: Kumar asked for a name, email ID and mobile number, and also asked for Rs 500 to be credited in his Paytm No. 7610063464.
• 12:35 pm: This correspondent created an email ID, aadharjalandhar@gmail.com, and sent mobile number ******5852 to the anonymous agent.
• 12:48 pm: Rs 500 transferred through Paytm.
• 12:49 pm: This correspondent received an email saying, “You have been enrolled as Enrolment Agency Administrator for ‘CSC SPV’. Your Enrolment Agency Administrator ID is ‘Anamika_6677’.” Also, it was said that a password would be sent in a separate mail, which followed shortly.
• 12:50 pm: This correspondent had access to the Aadhaar details of every Indian citizen registered with the UIDAI.
Printing Aadhaar card
This correspondent later again approached Anil Kumar to ask for software to print Aadhaar cards. He asked for Rs 300 through Paytm No. 8107888008 (in the name of ‘Raj’). Once paid, a person identifying himself as Sunil Kumar called from mobile number 7976243548, and installed software on this correspondent’s computer by accessing it remotely through “TeamViewer”. Once the job was done, he deleted the software drivers, even from the recycle bin.
Possible misuse
Getting SIM cards, or bank accounts in anyone’s name. Last month, a man was arrested in Jalandhar for withdrawing money from someone’s bank account by submitting a fake Aadhaar card.

UIDAI denies biometric breach, says Aadhaar details safe and secure
UIDAI To File Case After Aadhaar Data For Rs. 500 Report, Says It's Secure


Tribune Responds:
http://www.tribuneindia.com/news/nation/uidai-says-tribune-story-misreporting--read-how-that-is-wrong/523478.html
UIDAI says Tribune story ‘misreporting’, read how that is wrong

Tribune News Service

Chandigarh, January 4
Responding to The Tribune exclusive story revealing how UIDAI data on Aadhaar number holders is being accessed by unauthorised agents, the Unique Identification Authority of India (UIDAI) today claimed it was a case of “misreporting”, and that there had been no Aadhaar data breach.
The Tribune takes a look at the UIDAI claims para by para, and presents a fact check below each:
UIDAI Para 1: Unique Identification Authority of India (UIDAI) has denied the media report published in The Tribune titled “Rs 500, 10 minutes, and you have access to billion Aadhaar details” and has said that it is a case of misreporting. UIDAI assured that there has not been any Aadhaar data breach. The Aadhaar data including biometric information is fully safe and secure.
Fact: Aadhaar data has been accessed by unauthorised people, and the UIDAI claim that “there has not been any Aadhaar data breach” flies in the face of that.
UIDAI Para 2: UIDAI has given the said search facility for the purpose of grievance redressal to the designated personnel and state government officials to help residents only by entering their Aadhaar number/EID. UIDAI maintains complete log and traceability of the facility and any misuse can be traced and appropriate action taken. The reported case appears to be instance of misuse of the grievance redressal search facility. As UIDAI maintains complete log and traceability of the facility, the legal action, including lodging of FIR, against the persons involved in the instant case is being done.
Fact: Here the UIDAI has admitted that a facility on their website has been “misused”. The fact is that it has been ‘misused’ to steal data — personal information such as name, date of birth, address, PIN, photo, phone number, e-mail — at will, for any Aadhaar number. Its second claim in this para that they are able to track all those who access the data only suggests that they will now be able to nab the people involved in the racket. But that does not change the fact that a large number of people have been accessing the data in an unauthorised manner probably for months, and theft has already taken place. Also, the tracking system obviously never realised that unauthorised people were accessing the data. And if FIRs are being contemplated, is that not an admission of something being amiss?
UIDAI Para 3: UIDAI reiterates that the grievance redressal search facility gives only limited access to name and other details and has no access to biometric details. UIDAI reassures that there has not been any data breach of biometric database, which remains fully safe and secure, with highest encryption at UIDAI and mere display of demographic information cannot be misused without biometrics.
Fact: The UIDAI is suggesting here that giving away of personal data is of no serious consequence. This renders meaningless its claim of November 20, 2016, that “Aadhaar data is fully safe and secure and there has been no data leak or breach at UIDAI”. It had at that time asked 210 websites of Central and state governments that had mistakenly displayed personal details of Aadhaar number holders on various websites to remove the information from public domain. It may be noted that phishing scams use precisely such information on people to try and crack their passwords for net-banking or credit cards.
UIDAI Para 4: The Aadhaar number is not a secret number. It is to be shared with authorised agencies whenever an Aadhaar holder wishes to avail certain service or benefit of government welfare scheme/s or other services. But that does not mean that the proper use of Aadhaar number poses a security or financial threat. Also, mere availability of Aadhaar number will not be a security threat or will not lead to financial/other fraud, as for a successful authentication fingerprint or iris of individual is also required.
Fact: The sharing of Aadhaar numbers with “authorised agencies” is indeed safe, but what has been revealed in the story is that unauthorised persons have gained access to people’s personal information. The Tribune correspondent was also able to enter biometric data of specific individuals who were available at hand — at an unauthorised location — to print out Aadhaar cards. That is a partial breach of the biometric data too, even if biometric data was not downloaded.
UIDAI Para 5: Claims of bypassing or duping the Aadhaar enrolment system are totally unfounded. Aadhaar data is fully safe and secure and has robust uncompromised security. The UIDAI Data Centres are infrastructure of critical importance and is protected accordingly with high technology conforming to the best standards of security and also by legal provisions.
Fact: To say that “claims of bypassing” the system are unfounded is to deny facts staring everyone in the face. If unauthorised people can log into government data and download it, how is that not “bypassing”?
Meanwhile, the BJP through its official Twitter handle has called The Tribune report "fake news".


Tribune's report suggesting the data breach at @UIDAI is fake news!
— BJP (@BJP4India) January 4, 2018
nam
BRF Oldie
Posts: 4712
Joined: 05 Jan 2017 20:48

Re: Indian Data Security: Keeping your bride in your best friend's house

Post by nam »

One thing people need to remember: the Aadhaar number has no value. And what will normal people do with encoded fingerprint & iris data? It is not a password that you can enter on some screen.

Entering fake data into Aadhaar is a mouse trap. Government wants you to enter fake data. Your iris is linked to a fake identity, which means you will be caught anywhere the moment you scan your biometric.

So I encourage people who create fake identity to go ahead and do it.
shaun
BRFite
Posts: 1385
Joined: 11 Aug 2016 06:14

Re: Indian Data Security: Keeping your bride in your best friend's house

Post by shaun »

From the above Tribune report:

UIDAI Para 4: The Aadhaar number is not a secret number. It is to be shared with authorised agencies whenever an Aadhaar holder wishes to avail certain service or benefit of government welfare scheme/s or other services. But that does not mean that the proper use of Aadhaar number poses a security or financial threat. Also, mere availability of Aadhaar number will not be a security threat or will not lead to financial/other fraud, as for a successful authentication fingerprint or iris of individual is also required.

Fact: The sharing of Aadhaar numbers with “authorised agencies” is indeed safe, but what has been revealed in the story is that unauthorised persons have gained access to people’s personal information. The Tribune correspondent was also able to enter biometric data of specific individuals who were available at hand — at an unauthorised location — to print out Aadhaar cards. That is a partial breach of the biometric data too, even if biometric data was not downloaded.

The Tribune correspondent was also able to enter biometric data of specific individuals who were available at hand — at an unauthorised location — to print out Aadhaar cards. What does it mean? I am not getting what these guys want to say.

1. Is it about the unauthorized location?
2. How actually did the Tribune guy feed biometric data (if he has any) of specific individuals (in their absence)?

A serious breach, I would say, is if anyone can change my biometric data with someone else. OTP on our registered mobile ultimately won't allow any unauthorized access to my bank account, even if a person knows my name, Aadhaar number, bank account, name etc.
vinod
BRFite
Posts: 979
Joined: 11 Aug 2016 06:14

Re: Indian Data Security: Keeping your bride in your best friend's house

Post by vinod »

shaun wrote: From the above Tribune report:

UIDAI Para 4: The Aadhaar number is not a secret number. It is to be shared with authorised agencies whenever an Aadhaar holder wishes to avail certain service or benefit of government welfare scheme/s or other services. But that does not mean that the proper use of Aadhaar number poses a security or financial threat. Also, mere availability of Aadhaar number will not be a security threat or will not lead to financial/other fraud, as for a successful authentication fingerprint or iris of individual is also required.

Fact: The sharing of Aadhaar numbers with “authorised agencies” is indeed safe, but what has been revealed in the story is that unauthorised persons have gained access to people’s personal information. The Tribune correspondent was also able to enter biometric data of specific individuals who were available at hand — at an unauthorised location — to print out Aadhaar cards. That is a partial breach of the biometric data too, even if biometric data was not downloaded.

The Tribune correspondent was also able to enter biometric data of specific individuals who were available at hand — at an unauthorised location — to print out Aadhaar cards. What does it mean? I am not getting what these guys want to say.

1. Is it about the unauthorized location?
Yes, it looks like that.

2. How actually did the Tribune guy feed biometric data (if he has any) of specific individuals (in their absence)?
I think that person was present, scanned his biometric details and then printed an Aadhaar card with that. Not sure what that means. Did it get updated on the server with these details? Or was just the fake card printed without UIDAI knowing anything?

A serious breach, I would say, is if anyone can change my biometric data with someone else. OTP on our registered mobile ultimately won't allow any unauthorized access to my bank account, even if a person knows my name, Aadhaar number, bank account, name etc.
nam
BRF Oldie
Posts: 4712
Joined: 05 Jan 2017 20:48

Re: Indian Data Security: Keeping your bride in your best friend's house

Post by nam »

Securing a bank account is not the job of Aadhaar. It is the job of the banks. Because until now you cannot scan your iris on a bank website, you use the Aadhaar number.

And given that it is a number, banks need to implement 2-factor as a safety feature. If some banks use only the Aadhaar number as security, they deserve to be hacked.

There is a talk by the Aadhaar architect on YouTube, where he specifically says they had no plans to issue an Aadhaar card or number, because it did not matter. It was later changed to issue the Aadhaar card as a confirmation of their entry. That's all.
ramana
Forum Moderator
Posts: 59799
Joined: 01 Jan 1970 05:30

Re: Indian Data Security: Keeping your bride in your best friend's house

Post by ramana »

Intel is today going through the pain of the revelation that it has built in a backdoor for its chips and the hackers are using these.
shiv
BRF Oldie
Posts: 34982
Joined: 01 Jan 1970 05:30
Location: Pindliyon ka Gooda

Re: Indian Data Security: Keeping your bride in your best friend's house

Post by shiv »

https://www.ndtv.com/india-news/aadhar- ... ia-1796162
Over a billion Indian citizens may be vulnerable to identity theft and intrusions of privacy after a newspaper sting uncovered a security breach in the country's vast biometric database, which contains the personal data of almost every citizen.

The Tribune newspaper said its reporters were able to access names, email addresses, phone numbers and postal codes by typing in 12-digit unique identification numbers of people in the government's database, after paying an individual about $8. For another $5, the newspaper said, the individual offered reporters software to print out unique identification cards, called Aadhaar cards, that can be used to access various government services including fuel subsidies and free school meals.

The individual was part of a group that had gained access to the database through former workers who were initially tasked with making the cards, the Tribune reported. Several groups were part of this scheme, the newspaper said. The Washington Post has not independently verified the report.

Extending the biometric ID program, known as Aadhaar - meaning foundation - to every citizen is one of Prime Minister Narendra Modi's flagship policies in his crusade against corruption. Campaigners say that an Aadhaar card is a way for citizens to prove their identity and access government and financial services. It also is a way to prevent fraud - corrupt officials often add fake names in welfare databases and steal money meant for the poor, they allege.

The Tribune's finding is the latest in reported privacy breaches, raising concerns about the Indian government's ability to protect its citizens from hackers. In the past, government websites have accidentally leaked the data of thousands of citizens.
shiv
BRF Oldie
Posts: 34982
Joined: 01 Jan 1970 05:30
Location: Pindliyon ka Gooda

Re: Indian Data Security: Keeping your bride in your best friend's house

Post by shiv »

When I enrolled for Aadhaar - I had to fill in all details such as name DoB address PAN no and passport details in triplicate on paper. I was later taken to a cubicle where an Iris and fingerprint scan were done.

Now here's a sudden doubt I had:

I could in theory obtain a fingerprint scanner, have fake application forms printed and then set up shop in some corner of a town saying I am an "authorised Aadhaar enrolment agent". People walk in, fill forms and hand me all their details, after which I scan their fingerprints. Forget iris. No one will know. Then I promise to mail them an Aadhaar number and after 2 weeks of collecting personal information from 100s of people I scoot and vanish. Now I have a whole lot of data that can be used in various ways. I could even supply fake Aadhaar cards - but even without that the information can be misused.

Once I have the Date of birth, PAN number, address proof and mobile number - I would need to spoof the SIM card. Declare it lost, get a duplicate SIM in my phone and proceed to bleed a lot of bank accounts. I know this has actually been done.
chetak
BRF Oldie
Posts: 32385
Joined: 16 May 2008 12:00

Re: Indian Data Security: Keeping your bride in your best friend's house

Post by chetak »

shiv wrote:When I enrolled for Aadhaar - I had to fill in all details such as name DoB address PAN no and passport details in triplicate on paper. I was later taken to a cubicle where an Iris and fingerprint scan were done.

Now here's a sudden doubt I had:

I could in theory obtain a fingerprint scanner, have fake application forms printed and then set up shop in some corner of a town saying I am an "authorised Aadhaar enrolment agent". People walk in, fill forms and hand me all their details, after which I scan their fingerprints. Forget iris. No one will know. Then I promise to mail them an Aadhaar number and after 2 weeks of collecting personal information from 100s of people I scoot and vanish. Now I have a whole lot of data that can be used in various ways. I could even supply fake Aadhaar cards - but even without that the information can be misused.

Once I have the Date of birth, PAN number, address proof and mobile number - I would need to spoof the SIM card. Declare it lost, get a duplicate SIM in my phone and proceed to bleed a lot of bank accounts. I know this has actually been done.
I think that the iris scan is reduced to a set of long numbers, something like a checksum using a complex algorithm.

As regards spoofing the SIM, isn't that one reason why they are linking Aadhaar to the SIM, among many other reasons?

When you declare the SIM lost and apply for a new one, the old one will be immediately deactivated and the owner will know, so won't he come running to the phone company service center to check?

Not saying that it is beyond the realm of possibility, but consumers are wising up pretty fast these days, as are the telecom companies, and for the issue of the new SIM, Aadhaar authentication is again mandatory before issue.
vinod
BRFite
Posts: 979
Joined: 11 Aug 2016 06:14

Re: Indian Data Security: Keeping your bride in your best friend's house

Post by vinod »

Someone could generate Aadhaar cards for all Bangladeshis or Pakistanis... but it's of no use.

Identity theft is what can happen. But that happens now also... if bank security is lax, you will lose money irrespective of Aadhaar. Nowadays, anywhere you register on the internet, they need your full name, address and d-o-b etc. If there are lazy people out there who reuse the banking password on those websites, then they are going to get taken to laundry at some point.

The point I'm making is that, whether Aadhaar is there or not, criminals can always find a way and it's the job of law enforcement agencies to track and punish them. With these kinds of things, Govt cannot be lax about securing it and officers should be held accountable. I remember reading somewhere that intelligence agencies like CIA spend a considerable amount of time and effort in ensuring that they have an insider in each of the countries' identity document departments. This is how they get their men in and out without noticing.

The benefits of aadhar far outweigh the so-called concerns on whatever data leakage! Aadhar has resulted in many people disappearing and it has been one of the fruitful exercise in reduction of population!! :)
disha
BR Mainsite Crew
Posts: 8261
Joined: 03 Dec 2006 04:17
Location: gaganaviharin

Re: Indian Data Security: Keeping your bride in your best friend's house

Post by disha »

Data security cannot be approached by fiat. Even if laws are made today that all servers are to be in India and accessed only by Indian citizens, the entire infrastructure is so leaky that it will be akin to salvaging a ship full of holes using a pail bucket.

Computer security is layered and can be best thought of as layers of an onion, where each layer needs to be protected to get an overall protection. At that time fiat laws only help in enabling layered protection; they do not provide the protection itself.

Here is the challenge: Almost all the S/W & H/W computing infrastructure is either designed in US or made in US.

The basic software stuff that makes "cloud": OS, Databases and now-a-days the middle-tier (application servers), designed and developed in US.

The software languages themselves? Designed and developed in US.

Networking infrastructure, basically your routers, firewalls and switches? Designed in US. China is only at low-end stuff like the switches and routers. And that too after copying wholesale the switches and routers.

Encryption algorithms? Designed and developed in US. Give me a mainstream encryption algorithm from an Indian university and I will give you an encryption algorithm.

Applications? Designed and developed in US. Yes, Indian industry is contributing here, but their quantum of contribution beyond "body shopping" is barely perceptible.

Chip designs? Show me fabless chip designers in India that have chipsets in general purpose computing?

Without in house development of the core software and hardware, this entire "data security" discussion is moot. I will use the doc's own example to cite why it is moot.

Assume the IrisScanner and the fingerprint scanner keep a copy which uploads with the name and dob of the authenticated person somewhere. These are official scanners and applications which have passed through "QA Check", just like the Volkswagen cheater engines. Now somewhere, one has a database of all Indians. It can be used to monitor who goes where and how.

How will you fix the scanners? Or the applications?

Is the above problem fixable? Yes, it is and can be done in less than a decade. If we can come up with a Rail reservation system (one of the most complex in the world) we can do all of the above in less than a decade. But then the Indian IT-Vity industry needs to take their head out of their ar$es (basically stop relying on body shopping) and both the Central and State governments need to encourage local computerization. But then the socialist/communist mindset of the babus hurts a lot. Indian Universities need to actually start investing in education instead of churning out cookie-cutter aspirants for H1-B/GC.
nam
BRF Oldie
Posts: 4712
Joined: 05 Jan 2017 20:48

Re: Indian Data Security: Keeping your bride in your best friend's house

Post by nam »

chetak wrote:
I think that the iris scan is reduced to a set of long numbers, something like a checksum using a complex algorithm.
It is. Once an iris record is created, then it cannot be updated. This is the key aspect. You laid down security around this aspect.

One reporter tried to create two Aadhaar entries with his biometrics to prove Aadhaar is faulty. He was caught. So you cannot create multiple identities without getting noticed.
ramana
Forum Moderator
Posts: 59799
Joined: 01 Jan 1970 05:30

Re: Indian Data Security: Keeping your bride in your best friend's house

Post by ramana »

ramana wrote:Intel is today going through the pain of the revelation that it has built in backdoor for its Chips and the hackers are using these.

Apple joined the pain.
shiv
BRF Oldie
Posts: 34982
Joined: 01 Jan 1970 05:30
Location: Pindliyon ka Gooda

Re: Indian Data Security: Keeping your bride in your best friend's house

Post by shiv »

vinod wrote: The point I'm making is that, whether Aadhaar is there or not, criminals can always find a way and it's the job of law enforcement agencies to track and punish them. With these kinds of things, Govt cannot be lax about securing it and officers should be held accountable. I remember reading somewhere that intelligence agencies like CIA spend a considerable amount of time and effort in ensuring that they have an insider in each of the countries' identity document departments. This is how they get their men in and out without noticing.
This is a valid point. But it occurs to me that there are two interconnected aspects to data security. One is criminal intent and the other is mala fide actions by an enemy state. The problem is that no state will openly act if they can conduct their sabotage using criminals within the state they want to target. There are many examples of nation states using criminals in other states even if we exclude Dawood Ibrahim as a case in point.

Let me put this in another way.

Suppose, just suppose that ALL data was stored in India itself. Anything from any scanner, reader, terminal, laptop, PC whatever was stored in India and suppose (theoretically) nothing could leak out of the country - then any security breach would be localized to India alone. There would be no chance of "international" gol maal where undersea cables and satellite links and hundreds of routers in between could be used to hide the location of data leak.
shiv
BRF Oldie
Posts: 34982
Joined: 01 Jan 1970 05:30
Location: Pindliyon ka Gooda

Re: Indian Data Security: Keeping your bride in your best friend's house

Post by shiv »

chetak wrote: When you declare the sim lost and apply for a new one, the old will be immediately deactivated and the owner will know, so won't he come running to the phone company service center to check??
In the cases that have been reported in the press - the owner has not discovered deactivation for a few hours, or has been too busy to report it because he cannot use his phone and needs to make a physical report. It is in these few hours that bank fraud is committed - with money transfers etc - in which all the messages never reach the owner but simply go to the spoofed SIM. That said - as I recall - most of these cases had a criminal SIM provider in cahoots with the crook. But there have been cases where a bank official has been complicit as well.
ShauryaT
BRF Oldie
Posts: 5351
Joined: 31 Oct 2005 06:06

Re: Indian Data Security: Keeping your bride in your best friend's house

Post by ShauryaT »

Most data is commercial data. GoI can mandate companies who "process" data or store them outside the country to follow and enforce privacy and security systems and procedures. The EU is about to embark on such a venture called GDPR (Global Data Protect Rights, IIRC), whereby data of any EU subject processed or subcontracted to be processed in a non-EU setup have to essentially go through hell.

India can and should look to pass a similar mandated framework of protections to start with making liability a serious commercial issue for US companies to worry about.

In theory, in the US at least there are laws and procedures, which protect commercial entities "privacy" to be violated by the government unless there is a court order or a national security issue.

Having said that, Over the long term we should invest in native data centers owned and operated by Indian companies and make it cumbersome and expensive to send data overseas.
KrishnaK
BRFite
Posts: 964
Joined: 29 Mar 2005 23:00

Re: Indian Data Security: Keeping your bride in your best friend's house

Post by KrishnaK »

ramana wrote:
ramana wrote:Intel is today going through the pain of the revelation that it has built in backdoor for its Chips and the hackers are using these.

Apple joined the pain.
Backdoors are usually hidden - this was a security flaw that was openly visible. It was researched by security engineers at Google amongst others, who kept it a secret for as long as possible so countermeasures could be developed. Nobody's called it a backdoor yet. Meltdown & Spectre
chetak
BRF Oldie
Posts: 32385
Joined: 16 May 2008 12:00

Re: Indian Data Security: Keeping your bride in your best friend's house

Post by chetak »

shiv wrote:
chetak wrote: When you declare the sim lost and apply for a new one, the old will be immediately deactivated and the owner will know, so won't he come running to the phone company service center to check??
In the cases that have been reported in the press - the owner has not discovered deactivation for a few hours, or has been too busy to report it because he cannot use his phone and needs to make a physical report. It is in these few hours that bank fraud is committed - with money transfers etc - in which all the messages never reach the owner but simply go to the spoofed SIM. That said - as I recall - most of these cases had a criminal SIM provider in cahoots with the crook. But there have been cases where a bank official has been complicit as well.
+1
pgbhat
BRF Oldie
Posts: 4163
Joined: 16 Dec 2008 21:47
Location: Hayden's Ferry

Re: Indian Data Security: Keeping your bride in your best friend's house

Post by pgbhat »

ShauryaT wrote:Most data is commercial data. GoI can mandate companies who "process" data or store them outside the country to follow and enforce privacy and security systems and procedures. The EU is about to embark on such a venture called GDPR (Global Data Protect Rights, IIRC), whereby data of any EU subject processed or subcontracted to be processed in a non-EU setup have to essentially go through hell.

India can and should look to pass a similar mandated framework of protections to start with making liability a serious commercial issue for US companies to worry about.

In theory, in the US at least there are laws and procedures, which protect commercial entities "privacy" to be violated by the government unless there is a court order or a national security issue.

Having said that, Over the long term we should invest in native data centers owned and operated by Indian companies and make it cumbersome and expensive to send data overseas.
This should have been done even before Aadhaar was open to commercial entities. Once biometrics are compromised, we are screwed. Nobody is going to regrow arms and eyes with new signatures.
Murugan
BRF Oldie
Posts: 4191
Joined: 03 Oct 2002 11:31
Location: Smoking Piskobidis

Re: Indian Data Security: Keeping your bride in your best friend's house

Post by Murugan »

Using Aadhaar app - disable biometrics. App is called mAadhaar.

It remains password protected. Biometrics can be activated when needed, remains available for 10 minutes, auto-locks.
pgbhat
BRF Oldie
Posts: 4163
Joined: 16 Dec 2008 21:47
Location: Hayden's Ferry

Re: Indian Data Security: Keeping your bride in your best friend's house

Post by pgbhat »

I think locking Aadhaar is one thing, but I really would like to limit exposure of my data (especially biometrics) to private entities whether they are Indian or not. These guys will end up having their own database and a breach there means we are in big trouble. The laws around handling such data are unclear.
tsarkar
BRF Oldie
Posts: 3263
Joined: 08 May 2006 13:44
Location: mumbai

Re: Indian Data Security: Keeping your bride in your best friend's house

Post by tsarkar »

shiv wrote:What is worse is that we consider ourselves to be IT superpower.
We're more like an IT mob. One cannot underestimate power of a mob, like the one that ravaged parts of Bombay last week.

Two points from my side -

1. Data Relevancy - if I change jobs or change houses or open a new bank account, the old data becomes irrelevant. That offers a degree of protection.

2. The food home delivery guy or security guard or online shopping delivery boy knows more about you than ISI, CIA etc.
nam
BRF Oldie
Posts: 4712
Joined: 05 Jan 2017 20:48

Re: Indian Data Security: Keeping your bride in your best friend's house

Post by nam »

pgbhat wrote: I think locking Aadhaar is one thing, but I really would like to limit exposure of my data (especially biometrics) to private entities whether they are Indian or not. These guys will end up having their own database and a breach there means we are in big trouble. The laws around handling such data are unclear.
Are you referring to private entities being able to store your biometrics? Or private entities having access to Aadhaar biometrics?

Private entities use Aadhaar for validation, so they don't have access to Aadhaar biometrics. It is possible they might store your fingerprints/iris while doing this validation. Of course there needs to be a law around preventing the storage.

Regarding providing biometrics to a non-Indian entity, if you have ever applied for, say, a UK visa, you have already given your biometrics to the UK government. And you have no say in how it is used. For all we know UK GCHQ might be using biometrics to access Aadhaar enabled apps.

The interesting part is Indians have no issue giving biometrics to a foreign government, but have a problem giving it to GoI!
pgbhat
BRF Oldie
Posts: 4163
Joined: 16 Dec 2008 21:47
Location: Hayden's Ferry

Re: Indian Data Security: Keeping your bride in your best friend's house

Post by pgbhat »

nam wrote:
pgbhat wrote: I think locking Aadhaar is one thing, but I really would like to limit exposure of my data (especially biometrics) to private entities whether they are Indian or not. These guys will end up having their own database and a breach there means we are in big trouble. The laws around handling such data are unclear.
Are you referring to private entities being able to store your biometrics? Or private entities having access to Aadhaar biometrics?

Private entities use Aadhaar for validation, so they don't have access to Aadhaar biometrics. It is possible they might store your fingerprints/iris while doing this validation. Of course there needs to be a law around preventing the storage.

Regarding providing biometrics to a non-Indian entity, if you have ever applied for, say, a UK visa, you have already given your biometrics to the UK government. And you have no say in how it is used. For all we know UK GCHQ might be using biometrics to access Aadhaar enabled apps.

The interesting part is Indians have no issue giving biometrics to a foreign government, but have a problem giving it to GoI!
What I have a problem with is Vodafone taking my fingerprints to link Aadhaar to my phone number, with no law around its storage and access. I also don't want my identity tied up to one kind of ID. It kind of becomes easy to compromise it with a single point of failure.
milindc
BRFite
Posts: 740
Joined: 11 Feb 2006 00:03

Re: Indian Data Security: Keeping your bride in your best friend's house

Post by milindc »

To me, all educated Indians carrying Android phones and iPhones are unnecessarily getting worked up over privacy. Once they have signed up for FB, Android or iPhone, they have already given more information to these entities than a fingerprint and address.
With all the stupid cacophony in educated circles, what India is losing is creating these types of large entities like Google and FB that pretty much are a duopoly in the digital advertising space. The digital advertising which will grow by 400% in next 5 years in India to around 25000 crs.
Because we don't have policy in place to handle data. In US, banks are allowed to share your credit card data to build models, and even allowed to share demographic information.
shiv
BRF Oldie
Posts: 34982
Joined: 01 Jan 1970 05:30
Location: Pindliyon ka Gooda

Re: Indian Data Security: Keeping your bride in your best friend's house

Post by shiv »

Wtf does this have to do with data security
https://twitter.com/gautambhatia88/stat ... twterm%5E0
AdityaM
BRF Oldie
Posts: 2025
Joined: 30 Sep 2002 11:31
Location: New Delhi

Re: Indian Data Security: Keeping your bride in your best friend's house

Post by AdityaM »

A French security hacker expressing concern about lax standards in India around security

https://twitter.com/fs0c131y/status/970 ... 39936?s=21

As per him

“Be realistic, it is super easy for a foreign country to launch a #cyber attack on #India. This must be a concern at the national level.“
Gerard
Forum Moderator
Posts: 8012
Joined: 15 Nov 1999 12:31

Re: Indian Data Security: Keeping your bride in your best friend's house

Post by Gerard »

'Shattered': Inside the secret battle to save America's undercover spies in the digital age
For spy services, biometric data has become a highly valued currency — leading to a widespread and ongoing campaign by the U.S. and its allies, as well as hostile states, to hack into biometric databases from important airports worldwide. The U.S. has spearheaded breaches of its own, successfully hacking biometric data from the Dubai and Abu Dhabi airports, says a former official. Stealing biometric databases is an attractive strategy for other countries as well. In one case, Chinese intelligence successfully hacked into the biometric data from Bangkok’s airport. “The Chinese have consistently extracted data from all the major transit hubs in the world,” says another former senior official.
“Part of the discussions we had was, post-OPM hack, we didn’t realize that digitizing government records profoundly changed the threat profile,” says a former senior national security official. The intelligence community did not fully understand how much of its own information was stored outside its own walls until personal data began being stolen by China en masse, says a former senior intelligence official.
tandav
BRFite
Posts: 723
Joined: 26 Aug 2016 08:24

Re: Indian Data Security: Keeping your bride in your best friend's house

Post by tandav »

Apart from AADHAR, most people do not realize how much location data reveals about us and what consequences it has on privacy. I have assumed for a very long time now that what I do is nearly completely known to my mobile service provider, Google and WhatsApp, which are recording my physical location in near realtime.

https://www.nytimes.com/interactive/201 ... phone.html
tandav
BRFite
Posts: 723
Joined: 26 Aug 2016 08:24

Re: Indian Data Security: Keeping your bride in your best friend's house

Post by tandav »

Applying for a visa in most countries (USA, EU and China) requires submission of biometric data. Fingerprints, iris scan and photograph are taken AFAIK. India should also implement this and enrol any visitor to the AADHAR like database.