“Data Theft”, “Hacking”, “Aadhar Data Breach” etc have been the terms used in describing the instance where a person by name Abhinav Srivatsava, who was working as an executive in Ola Cabs created a mobile app and enabled e-Kyc to the App users by linking it to the e-hospital platform created by NIC and used by the National Health portal.

On November 4th 2016, an article had been published in this site titled: Online Registration System for Indian Hospitals.. No Privacy Policy?

In this article, it was pointed out that the Online Registration System used by hospitals (50 plus hospitals are using such applications) enabled e-Kyc through Aadhar but did not care to post even a Privacy Policy.

Today this appears relevant in the context of the accusation of Abhinav Srivatsava that he had made an “Unauthorized use of the application”.

From the available records it seems that the accused seems to have created a mobile app which would go through one of these hospital management websites and fetch the demographic data of persons whose aadhar number is provided on the website.

The aadhar server (CIDR) is connected to only designated agencies who are called Aadhar Service provider(ASA) or KYC service provider (KSA) and any body else including the hospitals are either called the Aadhar User Agency (AUA) or KYC service user agency (KUA) who have to access the data through their contractual agreement with an ASA/KSA.

In the instant case, the e-KYC app of Abhinav seems to have accessed the hospital management system and filled up the aadhar number and captcha to trigger the OTP. If the OTP is provided, CIDR would dispense the details to the hospital website. If one completes the appointment request, the details of the name, Date of Birth, Gender, Address gets displayed in the appointment before confirmation. If it is not confirmed, the data may get discarded. However, before the cancellation, it should be possible to scan the web page and copy the demographic data.

Who ever designed this system should know that it is possible to write some scripts to enter the user inputs and extract the final data without any great “Hacking skills”.

While technically we can call this as “Unauthorized” use, the question that needs to be raised is where is the terms of usage of the page which says that such use is “Unauthorized”?. Non provision of Privacy Policy and Terms of Use of the Service are conspicuously absent and “Cyber Law Unaware” techies like Abhinav would not even understand that what they may be doing is punishable.

I therefore consider that to be fair, the managers of these websites should also be booked for “Lack of due diligence under Section 79 of ITA 2008” and “Lack of Reasonable Security Practice under Section 43A” (considering them as deemed body corporates) which should put civil and criminal charges on the e-hospital users.

UIDAI has also been negligent since it was not able to enforce security in its downstream users and remained blind to such possibilities. When we raised the issue of Bank of Maharashra UPI fraud, NPCI came up with the same defense that the fault was in the UPI interface of the Bank and not with NPCI.

Similarly here UIDAI is taking a stand as if it has no fault on its side and even filed complaint against the accused though the cause of action lies with the particular e-hospital application that was used by Abhinav’s App (which should be available from the code).

After the NPCI-Bank of Maharashtra event, if UIDAI people were intelligent enough, they should have foreseen the possibility of Abhinav App kind of possibilities and ensured that the user end security is tightened up. They neither became wise after the NPCI event.

Also when Naavi.org type of websites place some critical articles like the November 4, 2016 article, they are meant to be read by authorities who are affected and corrective action initiated. We have seen that on several occassions in the past, Government agencies have not taken corrective action and later the dooms day prediction made by us have actually become true. This is not something that we are proud of. It is disheartening to note that the security managers who scout international websites for threat and vulnerability identification are unable to identify that threats and vulnerabilities are also pointed out by authors like the undersigned.

Now the Police in Bangalore who did not want to go against a more serious threat like Wipro Ricin threat, are working overtime to book this IITan techie with several offences under Aadhar Act and ITA 2008. They may technically succeed in proving “Unauthorized Access” but may still fail to prove “mens-rea”. It is doubtful that sections from the Aadhar Act and “Conspiracy” etc will stand scrutiny in a Court. Also if they launch proceedings against Abhinav without including the hospital system that was actually breached, it would amount to being selective in prosecution.

I hope all concerned would debate the root cause of this fraud and take action that would prevent future breach rather than trying to train all their guns against Abhinav only to hide the ignorance and inefficiency of the Government officials.

Naavi

Reference Articles:

Aadhaar data theft: Techie tells police he did it just for kicks, to make an extra buck

UIDAI says no breach of Aadhaar data through the app

What may have made hacker’s task easier

ALSO READ A TECHNICAL ANALYSIS HERE