Signs of deep cyber security flaws

Jharkhand witnessed a leak of confidential information of more than a million citizens as warnings came from the Jharkhand Directorate of Social Security of over a million names, addresses, bank account details and Aadhaar numbers.  Officials had no idea how private details made it onto the website unsecured within 24 hours after the breach was made noticed by the media. It is necessary for the Centre and the State to collect more information about their citizen to ensure adequate government schemes, it seems to be that departments that hold this information are ill-equipped to maintain and safeguard these sensitive database.

Who was affected and prior leakages?

In the shocking breach of privacy, the most vulnerable were the senior citizens, who are beneficiaries of the state’s old-age pension scheme. Jharkhand has around 1.4 million pensioners who have seeded their Aadhaar cards for direct transfer of monthly pension into their bank accounts.

The leaking of the former cricket captain Mahendra Singh Dhoni’s personal details by the authorized Aadhaar enrolment agency exposes a deeper fault in the identification project data’s collection. In turn, taking a serious view of the public sharing of Aadhaar details, the Unique Identification Authority of India (UIDAI) has blacklisted for 10 years the entity that had enrolled this cricketer.

Prior to the leak of the Aadhaar data in Jharkhand, personal details of around 35 lakh pensioners have been published in Thrissur, Kerala in blatant violation of the Aadhaar Act. The personal data of the pensioners whose data had been published had linked their Aadhaar number and their bank account number as required by the “direct benefit transfer” scheme.

Cause for the leak?

While the officials in Jharkhand recognized the vulnerabilities of the websites, they claimed that the gap occurred due to the websites managed by the National Informatics Centre – India’s e-governance provider. The various claims that the Aadhaar is safe because the UIDAI collects minimal data largely overlooks the possibility of privacy attacks through correlation of identities which could lead to the leakage.

There causes a breach in the security since there are no standard guidelines by which servers could collect and store Aadhaar numbers. They are supposed to be kept private which ensure its safety but instead they are printed on cards and embedded on easily readable QR codes. With the recent reports of leakages of biometric data from various collection devices show that there seems to be no possible guarantee that such leakages and biometric replay attacks are not possible.

Assessment

Similar to the Aadhaar system of India is the system followed by Morocco. On recommendations from India, Morocco had included the provisions of biometric identification and authentication in its proposed national register. The country chooses to develop a program on the lines of Aadhaar for executing social welfare initiatives. Their attempts to reform its system of identification is often facilitated by the World Bank which brings about high level of delegation from Morocco to India with regard to their collaboration around the program.

The Indian government should use techniques from the areas of cryptography and security that would ensure that the user data and transactions logs are completely protected from manual inspection even by maintainers. This would ensure that all transactions and investigations are carried out only through audited, pre-approved and provable tamper proof computer programs. It would be necessary for privacy advocates to carefully analyse cases, identify vulnerabilities and suggest any sort of technological and legal requirements to make the Aadhaar safer.