Government has opened the beta version of the Digital Locker operated by CDAC and UIDAI which provides 10MB free storage space for every Aadhar number holder. It envisages that members can upload their ID documents and share it with other Government agencies if required.
The site carries a digital certificate from an Indian Certifying Authority unlike many other web sites which are using certificates issued by verisign which is not licensed in India. However it is surprising to note that instead of using a digital certificate issued by the Government owned NIC, the site uses the certificate from (n)code solutions which is a private sector certifying authority. Also, some of the practices used by (n)code solutions for issue of digital certificates to public is not in accordance with the legal procedures suggested under ITA 2008. It is therefore surprising that the project has preferred to use their services instead of NIC or other more Cyber Law Compliant Certifying Authorities.
At the time of account creation and for certain other operations, the site uses OTP as a verification mechanism. It appears that an “e-sign” procedure is envisaged for users to individually authenticate the documents. But this is not yet working properly at present. It is also not clear what is meant by e-sign in this context.
The documents would be made available to designated agencies of the Government. Users can also send the document to another person through email.
While the concept of making available a free digital document storing place is welcome it is necessary to note that the site is short in the implementation of ITA 2008 compliance measures.
The website is silent on the issue of storage of information and it is unlikely to be in an encrypted state. We draw the attention of readers to my immediate previous post about the data breach in Anthem Inc, USA and the consequences. We are already aware that the Aadhar data base has been compromised in parts many times and lakhs of aadhar records would be available with cyber criminals as well as the enemy states of India. Now if the linked information is also leaked, it is a goldmine for terrorists in Pakistan or ISIS as well as countries like China who are preparing for Cyber space domination.
Government of India may be unaware of the risks that it is undertaking in this project and Modi Government should be prepared for a huge embarrassment at some time in future.
Employers should also be ready for a completely faked employee IDs with fake marks cards etc which may completely compromise their background verification systems. This can enable more Mehdi’s to find employment in critical sector and compromise the national security interests.
We hope the authorities will take a deep breath and review the security of the system before proceeding further.