The thrill of a new SIM card quickly turned into a chilling experience for Praveen Kumar. Like any tech-savvy individual, Mr Kumar was thrilled to add a secondary mobile connection to his repertoire. Little did he know this decision would unravel a startling flaw in a widely-used government-backed service. After activating his new SIM card and setting up DigiLocker to access digital documents, Praveen Kumar, who is a resident of Chennai, stumbled upon a surprising discovery—a stranger’s Aadhaar card from Rajasthan was already linked to his newly created account.
Confused and alarmed, Mr Kumar delved deeper. He learned the SIM card had been recycled after being deactivated due to inactivity. The previous owner had linked their Aadhaar to DigiLocker, and the system now mistakenly associated those credentials with Mr Kumar’s account.
How safe is DigiLocker?
The issue of DigiLocker safety came into sharp focus when an incident revealed a critical vulnerability: a surrendered SIM card, reassigned to a new user by a telecom service-provider, was used to open a new DigiLocker account. Shockingly, the Aadhaar details of the previous SIM card holder were displayed in the newly-created account. This represents a serious breach of privacy and a direct violation of the Digital Personal Data Protection (DPDP) Act. It highlights the inability to delink Aadhaar from a DigiLocker account once it is associated, raising significant concerns about data security.
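The flaw described above comes down to treating possession of a mobile number as proof of the identity once bound to it. The following is an added example, not DigiLocker's code, of a login decision that refuses to reuse a binding older than the number's disconnection; the operator disconnection feed, the 180-day staleness limit and all sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

MAX_BINDING_AGE = timedelta(days=180)  # assumed policy value, not from the article

@dataclass
class Binding:
    mobile: str
    aadhaar_ref: str     # opaque token; constructed sample value
    last_verified: date  # last proof of identity stronger than an SMS OTP

def resolve_login(mobile, otp_ok, today, bindings, disconnected):
    """Decide what an OTP-verified session on `mobile` may see.

    bindings:     mobile -> Binding (existing accounts)
    disconnected: mobile -> date the operator permanently disconnected the
                  number (hypothetical feed; the article does not describe one)
    """
    if not otp_ok:
        return "deny"
    binding = bindings.get(mobile)
    if binding is None:
        return "new_account"
    cutoff = disconnected.get(mobile)
    if cutoff is not None and binding.last_verified <= cutoff:
        # The number changed hands after the identity was bound to it, so
        # holding the SIM says nothing about who owns the stored documents.
        return "reverify_identity"
    if today - binding.last_verified > MAX_BINDING_AGE:
        # No feed entry, but the binding is stale: step up before access.
        return "reverify_identity"
    return "existing_account"

# Constructed sample data mirroring the incident in the article.
BINDINGS = {
    "9000000001": Binding("9000000001", "ref-previous-owner", date(2023, 1, 5)),
    "9000000002": Binding("9000000002", "ref-active-user", date(2024, 11, 20)),
}
DISCONNECTED = {"9000000001": date(2024, 3, 10)}
TODAY = date(2025, 1, 15)

if __name__ == "__main__":
    for number in ("9000000001", "9000000002", "9000000003"):
        print(number, resolve_login(number, True, TODAY, BINDINGS, DISCONNECTED))
```
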
What Is DigiLocker?
DigiLocker, or Digital Document Wallet, is a government of India initiative launched by the ministry of electronics and information technology (MeitY) in 2015. It enables citizens to store important documents digitally and retrieve or submit them through the DigiLocker app. The platform employs dedicated cloud-based storage linked to the user’s Aadhaar number.
There are two types of DigiLocker accounts:
1. Verified accounts: Created using an Aadhaar number.
2. Non-verified accounts: Created using a mobile number.
DigiLocker authenticates users with a one-time password (OTP) sent to the mobile number and grants access to the platform on that basis.
Legal Framework and Authentication
Rule 9A of the Information Technology (Preservation and Retention of Information by Intermediaries Providing Digital Locker Facilities) Amendment Rules, 2017, equates certificates or documents issued in the digital locker system with physical documents. These digitally issued certificates are legally valid under the Information Technology Act.
DigiLocker explicitly requires user authorisation before sharing data. Documents stored in DigiLocker fall into two categories:
1. Issued documents: These are fetched directly from the DigiLocker app, bearing the digital signature of the issuing authority and verified by DigiLocker.
2. Uploaded documents: Scanned and uploaded by users, these are not verified but are still accepted.
Challenges to DigiLocker Safety
Despite its utility, several safety concerns surround DigiLocker:
• Authentication issues: The reliance on OTP-based authentication linked to SIM cards is inherently risky.
• Platform vulnerability: Dependence on potentially compromised devices or systems.
• User non-compliance: Many users fail to follow basic cybersecurity practices.
• Lack of chain of custody: There is limited visibility into how data is accessed and shared.
• Opacity in security policies: The security protocols for data storage and access lack transparency.
Weaknesses in Authentication Protocols
The weakest link in DigiLocker’s security is its authentication protocol. Relying on OTPs sent to registered mobile numbers creates vulnerabilities due to risks like SIM card cloning, duplication, swapping, or blocking. OTPs can also be intercepted or guessed if the underlying algorithm is compromised. This vulnerability has prompted institutions like the Reserve Bank of India (RBI) to question OTP-based authentication for financial transactions. Despite these concerns, DigiLocker continues to use this method for access authentication.
Aadhaar-based authentication compounds the problem, especially when Aadhaar is linked to a mobile number. Social engineering attacks, compromised devices, data breaches, weak passwords and misuse of APIs further increase risks. Emerging technologies, including artificial intelligence, introduce additional layers of threats.
Cloud Storage and Data Sovereignty
DigiLocker data is stored in the cloud, with assurances that storage is within India to meet legal requirements. However, concerns persist regarding:
• Security policy compatibility: Alignment of security protocols with international standards.
• Accessibility by third parties: Potential unauthorised access.
• Sustained accessibility: Long-term access to data in the event of service disruptions.
Enhancing Safety
To address these issues, the government could consider employing blockchain technology. Blockchain can establish a robust chain of custody by recording timestamps, data-sharing locations and the identities of end-users. This would provide additional layers of security and accountability for data transactions.
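The chain-of-custody idea above can be seen in miniature in the following added example, which is not part of the original article or of DigiLocker. It uses a single-writer hash chain, a simpler technique than a distributed blockchain with the same tamper-evidence property; the field names and sample records are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # placeholder "previous hash" for the first record

def _digest(body):
    # Canonical JSON so the same record always hashes to the same value.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_event(log, timestamp, location, user_id, document_id, action):
    """Append one custody record linked to the hash of the previous one."""
    body = {
        "ts": timestamp, "location": location, "user": user_id,
        "doc": document_id, "action": action,
        "prev": log[-1]["hash"] if log else GENESIS,
    }
    log.append({**body, "hash": _digest(body)})
    return log[-1]["hash"]  # new head; store it outside the log's own system

def verify_chain(log, expected_head=None):
    """Return -1 if intact, else the index where verification first fails.

    Without expected_head, removal of the newest records goes unnoticed,
    so an auditor should keep the head hash independently.
    """
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["prev"] != prev or _digest(body) != rec["hash"]:
            return i
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return len(log)  # chain is self-consistent but truncated or replaced
    return -1

if __name__ == "__main__":
    log = []  # constructed sample events
    append_event(log, "2025-01-15T09:00:00Z", "Chennai", "user-17", "doc-42", "view")
    head = append_event(log, "2025-01-15T09:05:00Z", "Chennai", "user-17", "doc-42", "share")
    print("intact:", verify_chain(log, head))
    log[0]["user"] = "user-99"  # after-the-fact edit of who accessed the document
    print("first bad record:", verify_chain(log, head))
```
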
Additionally, to safeguard public trust and ensure the integrity of digital services, the government must anticipate and address potential misuse or abuse of data. Enhancing DigiLocker’s security protocols, incorporating user-friendly safety features and leveraging advanced technologies, like blockchain, are critical steps toward minimising risks. Public awareness campaigns to promote safe usage practices can further bolster the security of this essential digital service.
(SN Ravichandran is an investigator and analyst of cybercrimes, economic offences, and other white-collar crimes, faculty at the in-house training centre of Tamil Nadu police, and speaker at various forums on Cyber Crime. He is also a member of DSCI, Cyber Society of India, and Digital Security Association of India.)