Aadhaar Data Breach: Gemalto Publishes Abject Apology; Was It To Protect Business?
Digital security firm Gemalto, having retracted a study on Aadhaar data breaches, has tendered an unconditional apology through a half-page advertisement in a leading newspaper. In this unusual advertisement addressed to the 'People of India', it regrets the 'grave error' on its part while publishing a report on 1.2 billion data breaches in the Aadhaar database.
 
 
Those who know about Gemalto's business with the Unique Identification Authority of India (UIDAI) believe that there is more to the withdrawal of the Breach Level Index and apology than meets the eye. Was Gemalto under pressure to withdraw the report to protect other business interests, they wonder? The abject apology seems another step in that direction.
 
In the (now withdrawn) Breach Level Index report, Gemalto had stated that during the first half of 2018, there were 945 data breaches leading to 4.5 billion data records being compromised, and that India's Aadhaar witnessed 1.2 billion data breaches in March, making it the second-highest breach across the world after Facebook.
 
In its 'apology' advertisement, Philippe Vallee, chief executive of Gemalto, says, "Gemalto wants to make it clear that this error has been corrected in the revised report. All concerned parties should take note that we have not been able to find any verified or substantiated data breach of Aadhaar data. As a result, Gemalto has withdrawn the data breach claim from the Breach Level Index Report."
 
 
(Advertisement published by Gemalto)
 
So what does Gemalto do for UIDAI? It has collaborated with UIDAI since the inception of the Aadhaar scheme in 2009 and has been supplying biometric scanners, including 10-finger fingerprint scanners and iris scanners. Gemalto also provides a digital tokenisation solution to UIDAI.
 
 
Here is what it has accepted in its customer case study report on Aadhaar: “The roots of Gemalto's involvement in the Aadhaar project stretch right back to the very beginning. In the search for biometric enrolment solutions capable of capturing fingerprint and iris scans from over one billion people, the Indian authorities turned in particular to 3M Cogent – now a Gemalto company.”
 
 
(Gemalto fingerprint scanners)
 
Further, in the same customer case study report, Gemalto says, “Another 2017 initiative by the UIDAI is set to promote even wider use of Gemalto technology within the Aadhaar scheme. Specifically, because the Unique Identification Numbers (UIDs) issued by the UIDAI contain Personally Identifiable Information (PII), the authority mandated that the private cryptographic keys used to digitally sign and authenticate UIDs must be stored on a Hardware Security Module (HSM). Furthermore, to prevent data falling into the wrong hands, their use was also made subject to strict conditions. This included the use of 'tokenisation' - the process of replacing data with a digital token that can be safely stored, processed and transmitted without compromising the original information. Gemalto is recognised as a world leader in this field, and the company's SafeNet Tokenisation and Luna HSM technologies both meet the UIDAI's exacting mandates and were selected.”
 
 
(Gemalto case study on Aadhaar, published on its website)
 
For Gemalto, a supplier of 3M scanners for Aadhaar and provider of tokenisation services, the report was clearly deeply embarrassing to the project and to itself if the Breach Level Index report's findings were held accurate. It also raises questions about Gemalto's own products and services to UIDAI.
 
In July this year, Gemalto, in the same customer case study report on Aadhaar, was full of praise for the ID project. It said, "The Aadhaar Act 2016 for example is providing stronger legal backing to the Aadhaar unique identification number project and opening the door to a large scope of applications. What's more, as it migrates from public to private sector, Aadhaar is likely to provide an equally dynamic springboard for a host of different enterprises, helping to power and protect economic growth in the years ahead."
 
The Supreme Court of India's long-awaited judgement has now discarded that section from the Aadhaar Act, which allowed private parties to piggyback on the ID project. (Read: Supreme Court Upholds Aadhaar; Says Private Entities, Including Banks, Mobile Operators Cannot Demand Aadhaar)
 
On 26 September 2018, the five-judge Constitution Bench of the Supreme Court barred private entities, like telecom companies, banks and payment service providers, from demanding and using Aadhaar data of customers. (Read: How To Delink Your Aadhaar from Bank Accounts, Mobile Number, E-wallets)
 
    Aadhaar: Why Is Google Again Sneaking UIDAI's Helpline Number into Mobile Phones?
    Google India, which had apologised in August for 'inadvertently coding' the helpline number of Unique Identification Authority of India (UIDAI), continues to insert the 1800-300-1947 helpline number in the contact list of the newly introduced mobile phones and operating systems (OS).
     
    In a tweet, one Jishu, who claims to be a software enthusiast and to have developed an Indic keyboard, says he found the UIDAI helpline number in the newly introduced Google Pixel 3 mobile phone. Interestingly, Google will be releasing its Pixel 3 in India by the end of this month.
       
     
    Earlier in August, after the challenge from RS Sharma, chairman of the Telecom Regulatory Authority of India (TRAI) to harm him through his Aadhaar number, French hacker Elliot Alderson (@fs0c131y) asked people on Twitter if they had the UIDAI helpline in their phonebooks. 
     
    While some mobile phones, like Realme from Oppo, certainly come preloaded with the UIDAI number, some people found this number when they updated the software of their mobile devices from Motorola, OnePlus, Samsung and Nokia. A few users of iPhone also found this helpline number on their mobiles.
     
    Interestingly, this 'default' helpline number, 1800-300-1947, found in mobile phones is 'temporarily not available' as UIDAI uses 1947 as its toll-free helpline number.
     
    After a furore on social media about sneaking the UIDAI helpline into the contact lists without the knowledge of the user, UIDAI distanced itself from the number controversy. However, Google came forward and took the blame.
     
    It stated that, in 2014, the UIDAI helpline number was 'inadvertently coded' in the Android release given to the original equipment manufacturers (OEMs) or mobile makers.
     
    "Our internal review has revealed that in 2014, the then UIDAI helpline number and the 112 distress helpline number were both inadvertently coded into the set up wizard of the Android release given to OEMs for use in India and have remained there since. Since the numbers get listed on a user's contact list, these get transferred accordingly to the contacts on any new device," Google had said in a statement. 
     
     
    This clarification from Google, however, is still hard to believe, at least for people who know how government or the authorities operate. Even if we were to accept Google's clarification, there are some issues with it. How was the UIDAI helpline number revealed only in 2018 and not earlier? And how was this helpline number still there in the system of other manufacturers, who do not use stock Android? Many mobile handset manufacturers make certain changes, add some apps of their own (often referred to as bloatware) and only then allow their users to use or update the handset and the OS.
     
    One person, Anand, said on Twitter that he bought his mobile phone in the US and was using services from a local operator there and yet found the UIDAI helpline number in his contact list. He says, "Is Google saying they distributed that OEM on US shores? I have never bought a smartphone in India. I am asking Google to tell me which OEM inadvertently added this contact into my phone in US."
     
     
    As expected, the blame game during August lasted for a few days. However, what Jishu had revealed about the recurrence of the UIDAI helpline number in the new handset from Google appears to be a deliberate attempt from vested interests.
     
     
    A more serious question that needs an answer from all players, including government authorities and Google, is: What is the security and protection offered to common users? If anyone can push a certain number onto any mobile device without the knowledge and explicit consent of the users, what stops them from extracting personal details and data of the same user?
     
    Nothing, unfortunately, at least at present, prevents these players from accessing all information from a mobile handset.
     
    Do mobile customers need to approach courts to get justice from such unwarranted invasion of their privacy, as in the Aadhaar case? In the Aadhaar case, the Supreme Court had already struck down Section 57 that had allowed private entities like banks and mobile operators to mandate Aadhaar from users.
     
    Aadhaar: Here is How You Can Lock or Unlock Your Biometrics
    The Unique Identification Authority of India (UIDAI) claims that it has enrolled over a billion residents for its Aadhaar number scheme. If you have an Aadhaar number, this translates to a constant threat of misuse of biometric data and information on the Aadhaar card. But UIDAI suggests that people can keep their Aadhaar data and biometrics safe from misuse by locking the data online and unlocking it temporarily when required.
     
    Before knowing how to lock or unlock biometric data, let us understand how data is collected by UIDAI. While enrolling for an Aadhaar number, one is required to provide full name, address, mobile number, date of birth and so on. The UIDAI also captures a photograph of the person enrolling for Aadhaar, but this does not constitute a part of your biometrics. Biometric data covers your 10 fingerprints and iris. So for locking and unlocking Aadhaar, you can only allow or disallow use of data related to your fingerprints and iris, but not the other information that is collected for enrolment. In order to use this facility, you need to have your mobile number or email ID registered with UIDAI. You need to visit the nearest centre and register or update your mobile number and email ID.
     
    Once your biometrics are locked, you cannot use them again for authentication unless you unlock your data from time to time.
     
    Here is how you can lock or unlock (temporarily) your biometrics.
     
    How to lock biometrics in Aadhaar?
     
    1. Visit https://resident.uidai.gov.in/biometric-lock
     
    Here, enter your Aadhaar number and the security code (the number from the image). Click on 'Send OTP' (one-time passcode).
     
     
    2. You will receive the OTP in the SMS on your registered mobile number. Enter the OTP and click on login.
     
     
    3. Enter the security code and then click on ‘Enable Biometric Locking’.
     
     
    4. The next screen will display whether or not you have successfully ‘Enabled’ biometric locking on your Aadhaar number.
     
     
    5. Your Aadhaar biometric information will remain locked. You can, however, unlock it temporarily if required. 
     
    How to Unlock biometrics in Aadhaar?
     
    Unlocking Aadhaar details gives you two options: unlocking on a temporary basis or on a permanent basis. Here you need to follow a similar process to the one mentioned above. The only difference is the duration for which you want to unlock the biometrics.
     
    1. If you want to unlock your biometric details temporarily, then click on “Unlock it”.
    2. And if you want to unlock your biometric details permanently, then uncheck the check box of “lock” and click on “disable locking”. But be careful, as keeping biometrics unlocked may lead to their misuse.
     
    While locking and unlocking your biometric data may seem like a painful process, it is better to be safe than sorry, once you have opted to have an Aadhaar. So make the effort to lock it after each authentication!
     