“Security is going to be a  Concern” for Aadhar says  Mr Nandan Nilekani, the architect of the system.

Though it has always been a concern for most of the Information Security observers, it is good that now persons close to the project are also realizing that the red flags raised by security observers are not because they were opponents of the scheme but were people who genuinely believed that there was a security issue which was being ignored and brushed under the carpet by UIDAI all along.

Thanks to Mr Abhinav Srivastava, realization has at last come to the UIDAI managers that there is an issue. This is good because “Awareness” is the first step in Information Security implementation. Naavi’s theory of Information Security management identifies “Acceptance” as the second most important aspect of implementation. Mr Nandan’s statement indicates that UIDAI may be in the process of accepting that a Risk exists and it needs to be mitigated. This is a positive development that we need to welcome. Other elements such as “Mitigation through tools that are made available” and “Sanctions and Incentives” need to be combined to ensure that Information security finally becomes a part of the UIDAI structure.

One can always say that “Internet” itself was never designed for secure communication and if it is today used for all E Commerce and E Governance it is an ambitious over reach made to work with tools such as encryption. It is therefore not surprising that Cyber Security has become a problem that all of us are worried about. Similarly, Aadhar system was not created for all the uses that it is presently been put into and the problem actually arises from this aspect.

For example, initially when Mr Nandan designed the system he was very clear that there would be this CIDR server which will receive a structured query from anywhere in the Internet but would give out only a binary reply by just picking the data input and checking with the data base to say either “Yes” or No”. The Aadhar number was to be kept confidential by the Aadhar owner and the verification was always to be done with a biometric input plus one of the several parameters associated with the data base on which the Yes” or “No” reply would be given.

Today the system is used in a completely different manner. Firstly the Aadhar data is printed out and handed over to many KYC users and several copies of are floating around all Gas agencies, Banks etc. During the demonetization days, Banks collected aadhar particulars for deposit of old currency and most of the Bankers have collected photocopies of the aadhar data. Similarly PDS department and Mobile Operators might have collected Aadhar photocopies multiple times. I am sure that many hotels have also collected photo copies for identifying residents when they check in.

Most of the data leaks that the Press is now reporting is from such users of Aadhar information particularly when they put out the data on the Internet as part of their information dissemination to public about their activities (eg: Release of scholarships etc).

The e_KYC process as designed envisages that the KUAs (KYC user agencies) are empowered to get the biometric and the aadhar number and send it to UIDAI for e-KYC. In this process, instead of simply getting the confirmation for individual data elements from UIDAI, the API is designed to extract the data from the CIDR and populate the form at the user end.

In the e-sign process which is the higher end of e-Kyc, the application form to be sent to the Certifying Authority for issue of a Digital Certificate is populated with the data drawn fromt he CIDR by the API and sent on the internet as an undigitally signed application to the Certifying Authority.

Using this “Undigitally signed Application”, the Certifying Authority issues an E-Sign Certificate which is then used to sign the application by the customer of the KUA to deliver any service. It can also be used for signing any contractual document on the web.

Such certificates are being used by Share brokers as well as many websites to e-sign documents on the web for contractual purposes.

How can an e-Signature certificate be issued against an “Unsigned Application from the subscriber”?…. is some thing I have not been able to fully understand till date. But this is the process which the CCA has approved and like the “Telgi Stamp Papers” all such e-signature certificates are considered valid because CCA has not found a better way of handling the problem of authentication before issue of the digital certificate.

Since in the process, the entire Aadhar information gets printed out at the user level, each time an aahdar user uses the e-kyc process, the data keeps printed out at the service provider’s end.

In the e-hospital application, there is no need for the presence of the Aadhar user for requesting the Aadhar information in front of the service provider and no biometric is provided. The query is raised simply on the basis of Aadhar number and acted upon with the OTP verification as if OTP is as good as “Biometric”. This is a much weaker process than the e-sign process.

It is therefore possible for creating a script that can be used in an App and offered to the Aadhar owners to fetch the data as and when required from the CIDR. This is what Abhinav did and called the App as “E-KYC” App. Using this App any owner of Aadhar could fetch the demographic data by just raising a query on the App and providing the OTP. Since in most of the Apps, OTP is automatically read by the App, it does not require any  other affirmative confirmation from the Aadhar owner to fetch the data. Merely invoking the App on the mobile and entering the Aadhar number with a click on the “Submit Request” button is sufficient for the data to be made available to him on the mobile or in his e-mail box.

While in the case of Abhinav, Police are trying to fix him under some sections of ITA 2000 or IPC or Aadhar Act so that he can be jailed as long as possible to create a deterrant, there are many other web based and non web based applications with lakhs of service providers through which a query can be raised for aadhar information and results can be printed out.

When the AEPS (Aadhar Enabled Payment System) comes into use, lakhs of merchants including the neighborhood grocery shop owner will have a Chinese made biometric device connected to a billing software which makes a query to the CIDR for each payment and populates the bill. Any local script kiddie can right a script to extract the demographic data of the AEPS user and give it out as a “E-KYC” document though this does not use the e-Sign system.

Then there will not be one single e-Hospital that can be used by one Abhinav Srivastava but many more channels of accessing the CIDR and many more Abhinav Srivastavas. 

How will UIDAI propose to secure such a system?… no body seems to have an idea.

After the Abhinav case, I had come across one anonymous security professional who was suggesting that he has identified a vulnerability which he wants to report to UIDAI but does not know if any such report would immediately be latched upon by UIDAI to file a criminal case against him like what happened to Abhinav.

He does not even trust reporting to CERT-IN because the Abhinav arrest has created a “Chilling Effect” amongst security professionals to such an extent that they are not going to share any vulnerabilities they may find in Aadhar to either Aadhar authorities or to CERT IN.

This only means that even identified vulnerabilities will go underground and some time later when a black hat hacker finds it out, there will be an attack which could result in greater damage and greater embarrassment.

It is therefore an urgent necessity that UIDAI announces a “Bug Bounty” program and invite “Ethical hackers” to report any observed vulnerabilities. Will they provide any reward? or whether the reward will be good? is secondary.

Naavi has been advocating that “Bug Bounty” programs should be made mandatory in law for all software developers as a part of the Reasonable information security practice and Due diligence under ITA 2000/8 and here is an opportunity for UIDAI to show to the community that it is really concerned in setting things right by being the first Government agency to introduce a Bug Bounty Program.

I call upon Mr Modi to immediately advise UIDAI  to introduce an effective Bug Bounty program which will provide a proper platform for reporting vulnerabilities observed by “Security Professionals” with or without financial incentives.

I also call upon Mr Nandan Nilekani to take up the issue with Mr Modi and UIDAI since his word still carries a very high value with UIDAI as well as Mr Modi himself.

Naavi

Also see:

Three Plus One Dimension of Information Security Management

Bug Bounty Program from Government is required