DigiLocker Safety: Challenges & Solutions
Ravichandran Swaminathan 06 January 2025
The thrill of a new SIM card quickly turned into a chilling experience for Praveen Kumar. Like any tech-savvy individual, Mr Kumar was thrilled to add a secondary mobile connection to his repertoire. Little did he know this decision would unravel a startling flaw in a widely-used government-backed service. After activating his new SIM card and setting up DigiLocker to access digital documents, Praveen Kumar, who is a resident of Chennai, stumbled upon a surprising discovery—a stranger’s Aadhaar card from Rajasthan was already linked to his newly created account.
 
Confused and alarmed, Mr Kumar delved deeper. He learned the SIM card had been recycled after being deactivated due to inactivity. The previous owner had linked their Aadhaar to DigiLocker, and the system now mistakenly associated those credentials with Mr Kumar’s account. 
 
How safe is DigiLocker?
The issue of DigiLocker safety came into sharp focus when an incident revealed a critical vulnerability: a surrendered SIM card, reassigned to a new user by a telecom service-provider, was used to open a new DigiLocker account. Shockingly, the Aadhaar details of the previous SIM card holder were displayed in the newly-created account. This represents a serious breach of privacy and a direct violation of the Digital Personal Data Protection (DPDP) Act. It highlights the inability to delink Aadhaar from a DigiLocker account once it is associated, raising significant concerns about data security.
 
What Is DigiLocker?
DigiLocker, or Digital Document Wallet, is a government of India initiative launched by the ministry of electronics and information technology (MeitY) in 2015. It enables citizens to store important documents digitally and retrieve or submit them through the DigiLocker app. The platform employs dedicated cloud-based storage linked to the user’s Aadhaar number.
 
There are two types of DigiLocker accounts:
1. Verified accounts: Created using an Aadhaar number.
2. Non-verified accounts: Created using a mobile number.
 
DigiLocker uses mobile authentication via OTP (one-time password) to authenticate users and grant access to the platform.
 
Legal Framework and Authentication 
 
Rule 9A of the Information Technology (Preservation and Retention of Information by Intermediaries Providing Digital Locker Facilities) Amendment Rules, 2017, equates certificates or documents issued in the digital locker system with physical documents. These digitally issued certificates are legally valid under the Information Technology Act.
 
DigiLocker explicitly requires user authorisation before sharing data. Documents stored in DigiLocker fall into two categories:
1. Issued documents: These are fetched directly from the DigiLocker app, bearing the digital signature of the issuing authority and verified by DigiLocker.
2. Uploaded documents: Scanned and uploaded by users, these are not verified but are still accepted.
 
Challenges to DigiLocker Safety
 
Despite its utility, several safety concerns surround DigiLocker:
Authentication Issues: The reliance on OTP-based authentication linked to SIM cards is inherently risky.
Platform vulnerability: Dependence on potentially compromised devices or systems.
User non-compliance: Many users fail to follow basic cybersecurity practices.
Lack of chain of custody: There is limited visibility into how data is accessed and shared.
Opacity in security policies: The security protocols for data storage and access lack transparency.
 
Weaknesses in Authentication Protocols 
The weakest link in DigiLocker’s security is its authentication protocol. Relying on OTPs sent to registered mobile numbers creates vulnerabilities through SIM card cloning, duplication, swapping or blocking, and through number recycling of the kind seen in the incident above, where the account is tied to the number rather than to the person. OTPs can also be intercepted in transit or predicted if the algorithm that generates them is compromised. This vulnerability has prompted institutions like the Reserve Bank of India (RBI) to question OTP-based authentication for financial transactions. Despite these concerns, DigiLocker continues to use this method for access authentication.
 
Aadhaar-based authentication compounds the problem, especially when Aadhaar is linked to a mobile number. Social engineering attacks, compromised devices, data breaches, weak passwords and misuse of APIs further increase risks. Emerging technologies, including artificial intelligence, introduce additional layers of threats.
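As an added illustration, not DigiLocker’s own code, the Python model below shows why an account keyed solely on the mobile number surfaces the previous SIM holder’s Aadhaar link after the number is recycled, and one defensive check a service could apply: suspending a long-idle Aadhaar link until the user re-verifies it. The account structure, the 90-day reassignment window and the phone number are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed window: a number idle longer than this may have been reassigned.
REASSIGNMENT_WINDOW = timedelta(days=90)

@dataclass
class Account:
    mobile: str
    aadhaar_linked: bool
    last_seen: datetime

class AccountStore:
    # Accounts keyed solely by mobile number: the root cause in the incident.
    def __init__(self):
        self._by_mobile = {}
    def _get_or_create(self, mobile, now):
        return self._by_mobile.setdefault(mobile, Account(mobile, False, now))

    def link_aadhaar(self, mobile, now):
        acct = self._get_or_create(mobile, now)
        acct.aadhaar_linked, acct.last_seen = True, now
        return acct

    def login_naive(self, mobile, now):
        # OTP to the number succeeded: expose whatever is stored under it.
        acct = self._get_or_create(mobile, now)
        acct.last_seen = now
        return acct

    def login_hardened(self, mobile, now):
        # OTP succeeded, but a long-idle account may have changed hands:
        # suspend the Aadhaar link until a fresh Aadhaar OTP re-verifies it.
        acct = self._get_or_create(mobile, now)
        stale = acct.aadhaar_linked and now - acct.last_seen > REASSIGNMENT_WINDOW
        if stale:
            acct.aadhaar_linked = False
        acct.last_seen = now
        return acct, stale

def simulate_recycled_sim(hardened):
    # Constructed scenario: owner A links Aadhaar, number idles past the
    # window and is reassigned, owner B passes OTP on the same number.
    store = AccountStore()
    t0 = datetime(2024, 1, 1)
    store.link_aadhaar("9800000000", t0)
    later = t0 + timedelta(days=200)
    if hardened:
        acct, stale = store.login_hardened("9800000000", later)
        return acct.aadhaar_linked, stale
    return store.login_naive("9800000000", later).aadhaar_linked, False
```

The naive path hands owner B an account that still reports owner A’s Aadhaar as linked; the hardened path hides the link and flags that re-verification is required before any Aadhaar-issued document is shown.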
 
Cloud Storage and Data Sovereignty 
 
DigiLocker data is stored in the cloud, with assurances that storage is within India to meet legal requirements. However, concerns persist regarding:
Security policy compatibility: Alignment of security protocols with international standards.
Accessibility by third parties: Potential unauthorised access.
Sustained accessibility: Long-term access to data in the event of service disruptions.
 
Enhancing Safety 
To address these issues, the government could consider employing blockchain technology. Blockchain can establish a robust chain of custody by recording timestamps, data-sharing locations and the identities of end-users. This would provide additional layers of security and accountability for data transactions.
 
Additionally, to safeguard public trust and ensure the integrity of digital services, the government must anticipate and address potential misuse or abuse of data. Enhancing DigiLocker’s security protocols, incorporating user-friendly safety features and leveraging advanced technologies, like blockchain, are critical steps toward minimising risks. Public awareness campaigns to promote safe usage practices can further bolster the security of this essential digital service.
 
(SN Ravichandran is an investigator and analyst of cybercrimes, economic offences, and other white-collar crimes, faculty at the in-house training centre of Tamil Nadu police, and speaker at various forums on Cyber Crime. He is also a member of DSCI, Cyber Society of India, and Digital Security Association of India.)
Comments
ravikofficial21
2 weeks ago
Thank you, Sir, for providing such a well-detailed and informative article for awareness, presented in a simple and engaging way.

I would love to connect with you and look forward to reading more articles like this in the future.
tenkaraimohan
Replied to ravikofficial21 comment 2 weeks ago
You can subscribe to their newsletter or just view their website and read articles which interest you.
ravikofficial21
Replied to tenkaraimohan comment 2 weeks ago
Thank you!
tenkaraimohan
2 weeks ago
Appears to be a very serious issue from the DPDP Act and also possible misuse of information for cyber crimes. RBI and law-enforcement authorities to initiate remedial measures before it is too late.