In a gazette notification dated December 21, 2015, the Government of India declared the UIDAI system a “Protected System” under Section 70 of ITA 2000, as amended in 2008.
This was long overdue. Given the criticality of the system and the risks associated with a security breach, it is necessary to ensure that the system is protected both technically and legally. Some newspaper reports have highlighted the impact of this notification with headlines such as “UIDAI: Illegal access to Aadhaar data can land you in jail for 10 years”.
While this is certainly a message that should go out, we should add: “Even an attempt to access UIDAI systems without authorization may land a person in jail for 10 years, and this is a non-bailable, cognizable offence.”
Information security professionals who work in penetration testing should be particularly cautious to avoid any unintentional action that may appear as an “attempt” to access the UIDAI system.
Under ITA 2000, the section 70 stated as follows:
Protected system (Sec 70 of ITA 2000)
(1) The appropriate Government may, by notification in the Official Gazette, declare that any computer, computer system or computer network to be a protected system.
(2) The appropriate Government may, by order in writing, authorise the persons who are authorised to access protected systems notified under sub-section (1)
(3) Any person who secures access or attempts to secure access to a protected system in contravention of the provisions of this section shall be punished with imprisonment of either description for a term which may extend to ten years and shall also be liable to fine.
Under ITA 2008, the section was modified to read as under:
Protected system (Amended Vide ITAA-2008)
(1) The appropriate Government may, by notification in the Official Gazette, declare any computer resource which directly or indirectly affects the facility of Critical Information Infrastructure, to be a protected system.
Explanation: For the purposes of this section, “Critical Information Infrastructure” means the computer resource, the incapacitation or destruction of which, shall have debilitating impact on national security, economy, public health or safety. (Substituted vide ITAA-2008)
(2) The appropriate Government may, by order in writing, authorize the persons who are authorized to access protected systems notified under sub-section (1)
(3) Any person who secures access or attempts to secure access to a protected system in contravention of the provisions of this section shall be punished with imprisonment of either description for a term which may extend to ten years and shall also be liable to fine.
(4) The Central Government shall prescribe the information security practices and procedures for such protected system. (Inserted vide ITAA 2008)
As one can observe, the ITA 2000 version did not state that the power to declare a “Protected System” was reserved for “Critical Information Infrastructure”, though this was clearly the intention that could be read into the section.
Unfortunately, certain Governments did not understand this intent and went ahead to declare “All E-Governance Systems” as “Protected”. Tamil Nadu was one State which made such an overreaching ruling. (See the copy of the order here.) In this order dated 29th June 2005, the TN Government declared
“any computer, computer system (Hardware, Software and Accessories), Website, online service or computer network including the Uniform Resource Locator (URL) in any of the offices of the Government of Tamil Nadu or of the Government undertakings or Boards to be a “protected system”
This made every Government computer, whether used for critical operations or not, a “Protected System” and placed restrictions on access to it. Fortunately, not many cases were filed under the section, though the risk of its misuse was always present.
In an article in this site on January 10 2003, Naavi had also raised a doubt as to whether a State Government has the power to notify a “Protected System” under ITA 2000. (Read the article here).
When the amendments of 2008 were made, the Central Government removed the ambiguity on one point: the section was not meant to declare “any” system as “Protected”. The criterion was that the system should qualify as “Critical Information Infrastructure”, a term defined in ITA 2008.
The definition of Critical Information Infrastructure in this context is any “computer resource, the incapacitation or destruction of which, shall have debilitating impact on national security, economy, public health or safety”. This does not require that the system belong to the Government, since some of the systems that are critical for the national economy, health or safety may well be in the private sector.
There is no doubt that the UIDAI system, given the uses to which it is being put, should be considered “Critical Information Infrastructure” and accorded the protection of Section 70.
We may however bring to the attention of the Government that the notification of December 21, 2015 does not provide details of the “information security practices and procedures” that sub-section (4) requires the Central Government to prescribe.
It is possible that the CERT-In guidelines on information security are to be treated as applicable to UIDAI. However, the Gazette Notification ought to have specified which Information Security Practices and Procedures apply to access to these systems.
One may argue that this is not a matter on which the public needs to be notified. However, since an “attempt” to access the system is itself an offence, it is prudent for the Government to state, at least in general terms, what would constitute such an offence by defining the limits of permitted access.
In particular, information security professionals, as well as those involved in Aadhaar-related IT projects, need to watch out while undertaking security scanning or software testing exercises to avoid any unintentional violation of Section 70. A scan that strays beyond the hosts covered by a written authorization, or that touches an upstream system such as an e-KYC gateway the client does not own, is exactly the kind of “attempt” the section reaches.
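One practical safeguard is to gate every scanner target against the engagement's written scope before any packet is sent. The check below is an added illustration written for this article; it is not code from UIDAI, CERT-In or any scanning tool. The authorized and excluded ranges, the hostnames and the static resolver table are constructed placeholders (documentation ranges and .test names), not real UIDAI or client addresses. A target is permitted only if it lies wholly inside an authorized range and overlaps nothing on the exclusion list; anything that cannot be resolved is held back rather than guessed.

```python
"""Engagement scope guard for a scanner (added example, not from the original article).

Assumptions, all constructed for illustration and not real UIDAI or client data:
- AUTHORIZED_SCOPE: CIDR blocks the written authorization letter covers.
- EXCLUDED_SCOPE: hosts the client or law places off-limits even when they sit
  inside an authorized block (for example a third-party e-KYC gateway).
- STATIC_RESOLVER: stands in for DNS so the example runs offline.
"""
import ipaddress
from typing import Dict, List, Tuple

AUTHORIZED_SCOPE = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.128/25")]
EXCLUDED_SCOPE = [ipaddress.ip_network(n) for n in ("203.0.113.250/32",)]
STATIC_RESOLVER: Dict[str, str] = {            # constructed hostname -> address table
    "app.example.test": "203.0.113.10",        # inside authorized block
    "ekyc-gw.example.test": "203.0.113.250",   # inside authorized block but explicitly excluded
    "partner.example.test": "192.0.2.7",       # outside every authorized block
}


def resolve(target: str) -> str:
    """Return the address for a hostname using the constructed resolver table."""
    if target not in STATIC_RESOLVER:
        raise LookupError(f"cannot resolve {target}; refusing to guess")
    return STATIC_RESOLVER[target]


def classify(target: str) -> Tuple[str, str]:
    """Classify one target (address, CIDR or hostname) as allow, deny or unresolved.

    Order matters: exclusions are checked before authorizations, so an excluded
    host inside an authorized block is still denied, and a CIDR that merely
    overlaps an excluded host is denied as a whole.
    """
    try:
        net = ipaddress.ip_network(target, strict=False)   # literal address or CIDR
    except ValueError:
        try:
            net = ipaddress.ip_network(resolve(target))     # hostname -> single-address network
        except LookupError as exc:
            return "unresolved", str(exc)

    for excluded in EXCLUDED_SCOPE:
        if net.version == excluded.version and net.overlaps(excluded):
            return "deny", f"{net} overlaps excluded range {excluded}"

    for authorized in AUTHORIZED_SCOPE:
        if net.version == authorized.version and net.subnet_of(authorized):
            return "allow", f"{net} lies within authorized range {authorized}"

    return "deny", f"{net} is not within any authorized range"


def plan_scan(targets: List[str]) -> Dict[str, List[str]]:
    """Partition a target list into what may be scanned and what must be dropped."""
    plan: Dict[str, List[str]] = {"allow": [], "deny": [], "unresolved": []}
    for target in targets:
        verdict, _reason = classify(target)
        plan[verdict].append(target)
    return plan


if __name__ == "__main__":
    sample_targets = [                         # constructed input list for a run
        "app.example.test", "ekyc-gw.example.test", "partner.example.test",
        "203.0.113.0/24", "198.51.100.128/25", "2001:db8::1", "nothere.example.test",
    ]
    for t in sample_targets:
        verdict, reason = classify(t)
        print(f"{verdict:10} {t:24} {reason}")
```

Only the targets returned under "allow" are handed to the scanner; a "deny" on a whole CIDR because one address inside it is excluded is deliberate, since the tester should then enumerate the permitted addresses explicitly rather than rely on a tool's exclusion flag.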
The development also adds a further dimension to the ITA 2008 compliance programs that all IT companies, payment gateways, e-KYC companies and similar entities handling Aadhaar data should be following.