Aadhaar Mess: How UIDAI continues to goof up on its own mobile apps
In yet another goof-up from the Unique Identification Authority of India (UIDAI), a French security expert has shown how the agency and Khosla Labs, a licensed Authentication User Agency (AUA), are putting the privacy and security of crores of Aadhaar holders at risk. In his tweet, Elliot Alderson (@fs0c131y) says, "This 'NewTest' app is an implicit confirmation by @UIDAI of the problem I raised three days ago. They are trying to understand how to encrypt properly a SQLite database." Encrypting an on-device database protects its contents only as long as the key stays out of an attacker's reach; a key shipped inside the app package can be recovered by anyone who decompiles it, and the encryption then adds nothing.
 
 
Alderson also pointed to the UIDAI developers' 'lack of knowledge' in handling their Google Play Store account.
 
 
Last week, while dissecting UIDAI's mAadhaar app, the security expert pointed out several vulnerabilities and coding issues in the app. He even likened UIDAI's app development to a 'school project' built from copy-pasted code.
 
 
 
After Alderson's tweets, UIDAI and Khosla Labs removed the test app from Google Play Store. However, they have still not updated the mAadhaar app itself, he says, adding, "I am pretty sure they are unable to update the official Aadhaar Android app because they lost the release key." Android will only install an update signed with the same key as the version already on the device, so a lost signing key would indeed leave an existing listing frozen until the app is republished under a new identity.
 
UIDAI's application programming interfaces (APIs), the protocols and tools through which software talks to the Aadhaar system, are documented publicly on the net and can be accessed through AUAs such as Aadhaar Bridge, run by Khosla Labs and Quagga Tech.
 
According to an IT security expert who also conducts security audits for global institutions, the release of an untested app by UIDAI is a serious IT and cyber security lapse. "This shows the low level of cyber security awareness and basic security policies and procedures at UIDAI," the expert, who did not want to be named, added.
 
In an article, Outlook India says three executives, Vivek Raghavan, Srikanth Nadhamuni and Sanjay Jain, who had earlier worked with UIDAI as volunteers, joined Khosla Labs, headed by Vinod Khosla, in 2012. In 2015, Khosla Labs launched Aadhaar Bridge, a licensed authentication user agency (AUA) offering Aadhaar-based authentication services.
 
Moneylife has been pointing out how UIDAI, in a tearing hurry, has goofed up on its tests for Aadhaar (Read: How UIDAI goofed up pilot test results to press forward with UID scheme). In 2011, both the government and UIDAI neglected even the basic principles of pilot testing and sample size. For a scheme meant to issue over 1.2 billion UID numbers, they used two sets of 20,000 biometric records as the sample and, on the basis of those results, went ahead with the UID number under the 'Aadhaar' project.
 
UIDAI conducted a proof-of-concept trial of the Aadhaar project between March and June 2010. In the results, it said, "The matching analysis was done on two sets of 20,000 biometrics, for a total of 40,000. However, the number of comparisons was several orders of magnitude more than 40,000, since each set of fingerprints would be matched against every other set of fingerprints in the data set".
 
On the false positive identification rate (FPIR), the authority said, "We will look at the point where the FPIR (i.e. the possibility that a person is mistaken to be a different person) is 0.0025%". A rate of 0.0025% means two and a half false positives for every 1 lakh comparisons. De-duplicating a register means comparing every record against every other, so for a population of over 120 crore (1.2 billion) that is roughly (1.2 x 10^9)^2 / 2, about 7.2 x 10^17 comparisons; at 2.5 false matches per 10^5 comparisons, that works out to about 1.8 x 10^13, or 18 lakh crore, false positives. Spread over the population, that is roughly 15,000 false positives for every single Indian resident.
 
According to David Moss, who spent eight years campaigning against the UK's National ID (NID) card scheme, suppliers of biometric technology have over the years been caught out repeatedly making exaggerated claims for the reliability of their wares. "Their marketing material is now a little less gung-ho. UIDAI's suppliers, L-1 Identity Solutions Inc. and Morpho among others, do not claim on their websites to be able to deliver unique identification in the case of large population registers. Given the sea of false positives, how could they? So why do UIDAI claim to be able to deliver unique identification? It is easy to see why the suppliers do not object to being boosted in this way. But why do UIDAI provide this unsolicited testimonial to the historically flaky products of the mass consumer biometrics industry?" he asks.
    COMMENTS

    Shrik S

    3 years ago

    This is the state of India's IT industry. Everyone is talking about the youth force that is powering India. But they are also in parallel relegating the generation that implemented Y2K to the backburner and asking the youth to do things on their own. Low cost resourcing = low quality resourcing is a shame on the Indian IT industry and engineering college grads who are only groping in the dark and their vulnerabilities are exposing India's vulnerabilities. With a personal experience of being forced to work with low cost resources, it is a sad state that these youth need to be taught as much on the job as well as depend on their inexperience and novice coding skills. Only some great devastation can bring back the earlier generation watchmen to save the world.

    Jerry Vachaparambil

    3 years ago

    You might want to update this article, considering that Khosla Labs has nothing to do with the mAadhaar app https://twitter.com/fs0c131y/status/952913772372545536

    Adheer Pai

    3 years ago

    When an individual installs and uses this app, where is the data stored? Is it stored on the UIDAI data servers or on the server of the AUA (Khosla Labs)?

    Given such incompetence and callousness on cyber-security, I would not be surprised if this data is (mis)used for commercial purposes like marketing for bank loans, auto vehicles etc.
    On a different issue, is it safe to say that our CIBIL records and scores are secure ?

    Ramesh Poapt

    3 years ago

    such awareness drive will lead to a near perfect aadhar in the long term...

    bear in the meantime the big loss...

    Alok D

    3 years ago

    UIDAI doesn't care. They are hand in glove with the vendors and will keep milking the people in the name of security.

    c babu challa

    3 years ago

    UIDAI should correct based on the feedback and should not play with the security of people even if it is 0.0025% false positives. Unfortunately the extensive data provided by Moneylife is not being taken positively by the government. I hope good sense prevails.

    Anand Vaidya

    3 years ago

    There is no doubt software related to Aadhaar is a mess. The solution is not to throw out the baby with the bathwater but to improve processes. Maybe the Israelis can help us?
    Single ID - whether biometric or not - can & does simplify citizen interaction with agencies. I have lived with such system (NRIC) in Singapore & I have only good things to say about it. Reduces a lot of proof-of-this proof-of-that things demanded by agencies.

    Milind Nadkarni

    3 years ago

    It is shameful for any software development team (& I mean the entire community of coders, testers, analysts, QA, project managers etc.) that the (obvious) faults in their work have been pointed out by an outsider (not necessarily a non-Indian). Second, the flaw pointed out is as basic as an engineering graduate making a mistake while adding two single-digit integers, that too using a calculator!! It is simply unpardonable. The example also indicates an extremely poor level of due diligence in supervision of development and testing work on such a crucial, mission-critical application, which is already under public scrutiny. From my own experience, we take pride in India being a software powerhouse for the world, but the level of quality of work has been steadily falling for the past 10 years. Even the software engineers coming out of (so called) premier technical institutes after 4~5 years of rigorous academic curricula do not apply their mind fully while developing software applications and are not efficient (& productive) enough to code and test with the extremely high level of diligence that is expected in a mission-critical project like this. Second, the disturbing fact is that there is a high level of tolerance of such blunders by the Managers and so-called top management. The person(s) directly connected with such blunders will in all probability be given a verbal warning, when the situation demands that they be sacked. Sad....

    SuchindranathAiyerS

    3 years ago

    Aadhar is as tech savvy as Modi, Jaitley, Prasad and the IAS/IRS, it would seem:

    This is how UIDAI's 'Virtual ID' for Aadhaar will work
    The Unique Identification Authority of India (UIDAI) on Wednesday introduced 'Virtual ID' (VID) to safeguard Aadhaar cardholders' data.
     
    VID will be a 16-digit, randomly-generated number which can be used for authentication instead of the original Aadhaar number, according to UIDAI.
     
    This is how VID works:
     
    VID will be a temporary, revocable 16-digit random number mapped with the Aadhaar number. It will not be possible to derive Aadhaar number from VID.
     
    "Last digit of the VID is the checksum using 'Verhoeff' algorithm as in Aadhaar number. There will be only one active and valid VID for an Aadhaar number at any given time," the UIDAI said in a statement.
     
    The "Verhoeff" algorithm is a checksum formula for error detection developed by the Dutch mathematician Jacobus Verhoeff and was first published in 1969.
     
    Aadhaar number holder can use VID in lieu of Aadhaar number whenever authentication or KYC services are performed. 
     
    Authentication may be performed using VID in a manner similar to using Aadhaar number.
     
    "VID, by design being temporary, cannot be used by agencies for de-duplication. VID is revocable and can be replaced by a new one by Aadhaar number holder after the minimum validity period set by UIDAI policy," the authority added. 
     
    VID can be generated only by the Aadhaar number holder. 
     
    They can also replace (revoke and generate new one) their VID from time to time after the UIDAI set minimum validity period. 
     
    "UIDAI will provide various options to Aadhaar number holders to generate their VID, retrieve their VID in case they forget, and replace their VID with a new number. These options will be made available via UIDAI's resident portal, Aadhaar Enrollment Center and mAaadhaar mobile application, etc," the authority said. 
     
    Disclaimer: Information, facts or opinions expressed in this news article are presented as sourced from IANS and do not reflect the views of Moneylife, and hence Moneylife is not responsible or liable for the same. As the source and news provider, IANS is responsible for the accuracy, completeness, suitability and validity of any information in this article.

     

    COMMENTS

    Milind Nadkarni

    3 years ago

    Appears to be complicated to implement on non-technical aspects and most important majority of citizens are likely to find this difficult to understand and use. Some of these citizens will be running our banks, PF office, securities exchanges etc. Since they are not clear and confused, they will most likely make mistakes in using this concept for authentication in the KYC process, either making the entire exercise waste or misusing and putting more work on the average customers.

    Chandragupta Acharya

    3 years ago

    No one knows that UIDAI only issues Aadhaar number, not an Aadhaar “card”. So in practice, Aadhaar is getting used just like any other identity document – laminate the Aadhaar “card” and submit a photocopy wherever required. Even the accepting agencies take the photocopy and keep it on their file. Only a small portion of Aadhaar usage actually reaches the UIDAI authentication stage. Threat of one’s Aadhaar getting compromised originates from usage of such Aadhaar “card” photocopies. How will VID address this? Also, accepting agencies are storing Aadhaar number on their database. Will they now store the VID and will it remain valid all the time? For example, take the case of EPFO. Can the VID submitted at the time of joining be valid at the time of retirement when authentication has to be performed and payout made? I fear VID will only create more confusion as the common man will find it difficult to understand this changing number concept.


    Pankaj

    In Reply to Chandragupta Acharya 3 years ago

    well said. Only ignorant souls support Aadhar

    Mukesh kamath

    3 years ago

    Virtual function pointers could have been better as layman will find virtual id concept difficult.

    Natural tendency of government to desire perfect records of private lives, says Snowden
    "It is the natural tendency of government to desire perfect records of private lives. History shows that no matter the laws, the result is abuse," Edward Snowden tweeted. Snowden, known for his ethical stand against mass surveillance, has said, "I don't want to live in a society that does these sort of things ... I do not want to live in a world where everything I do and say is recorded. That is not something I am willing to support or live under." His tweet follows The Tribune's story on the Aadhaar breach.
     
    Citizens Forum for Civil Liberties (CFCL) has welcomed Edward Snowden's statement on the police case against the journalist who revealed the colossal breach in the Central Identities Data Repository (CIDR), the database of 12-digit biometric Unique Identification (UID)/Aadhaar numbers of residents who have lived in India for at least 182 days, said Gopal Krishna of CFCL in a public statement.
     
    On the police case against the reporter for reporting the breach in the UID/Aadhaar database, Snowden tweeted, "The journalists exposing the #Aadhaar breach deserve an award, not an investigation. If the government were truly concerned for justice, they would be reforming the policies that destroyed the privacy of a billion Indians. Want to arrest those responsible? They are called @UIDAI".
     
    Notably, Snowden also retweeted the statement of Harish Khare, Editor-in-Chief of The Tribune, on the FIR (First Information Report) filed over The Tribune reporter's disclosure of the breach in the Aadhaar database.
     
    It may be recalled that Snowden went on medical leave from the NSA (National Security Agency) and on 20 May 2013 took a flight to Hong Kong, where he spoke to journalist Glenn Greenwald and filmmaker Laura Poitras. The first of the secret documents obtained from Snowden was published on 5 June 2013; it showed that the USA's Foreign Intelligence Surveillance Court had issued an order requiring Verizon to hand over to the NSA, on an "ongoing, daily basis", records extracted from its customers' phone activity. The Guardian and The Washington Post then published details of PRISM, an NSA programme for collecting electronic communications in real time, from documents leaked by Snowden.
     
    CFCL says it is noteworthy that the government admitted before the Parliamentary Standing Committee on Finance, which examined the issue of UID/Aadhaar numbers, that the scheme might involve certain issues, such as (a) security and confidentiality of information, and the imposition of an obligation to disclose the information so collected in certain cases, (b) impersonation by certain individuals at the time of enrolment for the issue of unique identification numbers, (c) unauthorised access to the Central Identities Data Repository (CIDR), and (d) manipulation of biometric information.
     
    The Parliamentary Committee observed, “There is no law at present on privacy, and data protection”. The government told the committee that “collection of information without a privacy law in place does not violate the right to privacy of the individual.” The committee recommended that legislation on UID/Aadhaar would be appropriate “only after passing the legislation on privacy, and data protection so as to ensure that there is no conflict between these laws.”
     
    Gopal Krishna concluded his public statement by quoting Snowden: "This really isn’t about me. It’s about us. It’s about our right to dissent. It’s about the kind of country we want to have." In an interview on 5 January 2018, he said, “Privacy’s not about having something to hide, privacy’s about something to protect. Privacy is the fountainhead of all other rights. Privacy is where rights are derived from, because privacy is the right to the self. Privacy is the right to a free mind. Privacy is the ability to have something, anything, for yourself, for you.”
     
    It may be recalled that Rachna Khaira of The Tribune wrote, “It took just Rs500, paid through Paytm, and 10 minutes in which an “agent” of the group running the racket created a “gateway” for this correspondent and gave a login ID and password. Lo and behold, you could enter any Aadhaar number in the portal, and instantly get all particulars that an individual may have submitted to the UIDAI (Unique Identification Authority of India), including name, address, postal code (PIN), photo, phone number and email. What is more, The Tribune team paid another Rs300, for which the agent provided “software” that could facilitate the printing of the Aadhaar card after entering the Aadhaar number of any individual.”
     
     
     
     
    COMMENTS

    Ramesh I

    3 years ago

    Besides the violation of the right to privacy, now a fundamental right, Aadhaar data can be easily misused and lead to identity theft and financial implications for allottees beyond their imagination. The Tribune story shows how easy it is to access a billion-plus Aadhaar records, that too for a pittance, by any Tom, Dick, or Harry. It's a shame the Govt has not directed UIDAI to make its IT systems more robust to prevent such indiscriminate unauthorized access, jeopardizing the privacy and finances of a billion people.
