~By Rajesh Sinha
The day Supreme Court of India ruled that Right to Privacy is a Fundamental Right, Wikileaks put out a press release saying US’ spying agency CIA is using covert information collection tools based on products from Cross Match, a US company specializing in biometric software for law enforcement and the Intelligence Community.
A day later, on Aug 25, Wikileaks tweeted: “Have CIA spies already stolen #India’s national ID card database?” Cross Match Technologies also shares its biometric solutions with the Unique Identification Authority of India (UIDAI), nodal agency for Aadhaar. So far, the UIDAI, that issues these biometric-based cards, has allotted Aadhaar to around 115 crore Indians.
Officials concerned in India have vociferously denied any such data theft by any agency in the world, reported The Times of India.
The WikiLeaks Release:
24 August, 2017
Today, August 24th 2017, WikiLeaks publishes secret documents from the ExpressLane project of the CIA. These documents show one of the cyber operations the CIA conducts against liaison services — which includes among many others the National Security Agency (NSA), the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI).
The OTS (Office of Technical Services), a branch within the CIA, has a biometric collection system that is provided to liaison services around the world — with the expectation for sharing of the biometric takes collected on the systems. But this ‘voluntary sharing’ obviously does not work or is considered insufficient by the CIA, because ExpressLane is a covert information collection tool that is used by the CIA to secretly exfiltrate data collections from such systems provided to liaison services.
ExpressLane is installed and run with the cover of upgrading the biometric software by OTS agents that visit the liaison sites. Liaison officers overseeing this procedure will remain unsuspicious, as the data exfiltration disguises behind a Windows installation splash screen.
The core components of the OTS system are based on products from Cross Match, a US company specializing in biometric software for law enforcement and the Intelligence Community. The company hit the headlines in 2011 when it was reported that the US military used a Cross Match product to identify Osama bin Laden during the assassination operation in Pakistan.
A tweet from WikiLeaks warned:
An investigative piece by Govind Krishnan V in ‘Fountain Ink’ raises further questions about the security of Aadhaar data. The UIDAI in 2010-2012 – its inception phase – awarded contracts to three US-based biometric service providers (BSP): L-1 Identity Solutions, Morpho-Safran, and Accenture Services Pvt. Ltd. These companies, all with proprietary biometric software, were responsible for profiling 60 crore Indian residents; developing protocols for avoiding de-duplicating of user details and supplying devices to enrolment agencies.
These companies are connected to both Cambridge Analytica and Palantir Technologies through business dealings and individuals involved in their affairs during the period of the contract.
Cambridge Analytica, Palantir Technologies and the Chertoff Group are among the corporations that are part of the military-industrial complex and ‘the mass surveillance behemoth’ in US that is funded in part by America’s Central Intelligence Agency (CIA) and the National Security Agency (NSA) and ‘billionaires with agendas’, and ‘populated by a revolving-door of key American security and intelligence personnel’.
L-1 Identity Solutions, Morpho-Safran and Accenture have scores of business contracts with American, French and British intelligence and defence agencies through direct contracting of services or services provided by parent corporations and sister companies. Several individuals who worked at these companies have held top positions in the CIA, the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI) and the US military before making the switch.
A review of the contract between the BSPs and UIDAI found that they had access to unencrypted biometric data as part of their job, contrary to UIDAI’s public stand that the data is always encrypted and inaccessible. “A set of written questions sent to UIDAI and its top officials didn’t receive any response,” the article said.
The proximity of companies tasked by UIDAI with processing the biometric data of Indians to Cambridge Analytica and the heart of an emerging data empire in the context of the intricate web of intelligence, military and government contacts involved is troubling, says the article.
The WikiLeaks warning aside, even without a spy agency resorting to high-tech snooping, there have been several reports about Aadhaar data theft or leakage in the country. In May, Centre for Internet and Society said Aadhaar data of as many as 13.5 crore card holders have already leaked online. It later modified its statement to change ‘leak’ to ‘public disclosure’, according to Hindustan Times.
Some days ago, the government had revealed it has deactivated more than 81 lakh Aadhaar cards suspecting them of being fake. In July, reports said more than a million Aadhaar card data were compromised in Jharkhand due to a programming error that occurred on the state’s social security website.
In the past as well, similar breaches had occurred in the eastern Indian state that had exposed personal data details of family of M S Dhoni, who was then the captain of the Indian cricket team. Uncovering of any such sensitive data diffuses personal details as name, address, Aadhaar and bank account numbers.
A long list of such instances has been compiled by ‘MediaNama’. It said “these are instances of people whose details have already been compromised. Plugging these leaks doesn’t mean that this permanent information hasn’t already been accessed and recorded by a third-party.”
Khadi & Village Industries Commission has an entire database online with Aadhaar numbers mentioned. This has been verified by MediaNama.
Kendriya Sainik Board Secretariat has published a file online with Aadhaar numbers. This has been verified by MediaNama.
Chandigarh Public Distribution scheme website discloses Aadhaar number. Source: @roadscholarz on Twitter.
Kerala Sevana Pension Site: Has uploaded excel sheets with details, including Aadhaar Numbers of pensioners for whom delivery has failed (for reasons including invalid bank account number, “door not opened”, Address not available and deceased, among others) for: Agricultural Labour Pension, Old Age Pension Scheme, Disability Pension Scheme). We’ve checked and verified this. Source: Anand Venkatanarayan on Twitter.
Jharkhand Directorate of Social Security: Over a million Aadhaar numbers leaked by a website run by the Jharkhand Directorate of Social Security. Report by Hindustan Times.
Venkaiah Naidu, then a Cabinet Minister published a photograph on Twitter, of himself, handing an oversized replica of an Aadhaar card, with Aadhaar number disclosed, to a citizen. The tweet has since been deleted.
Kerala Scholarship Egrantz site was publishing student profiles with their Aadhaar number. This has since been fixed. Source: The News Minute. First reported by Malayalam Manorama, months ago.
Telangana government organisation Mahatma Jyotibha Phule Telangana Backward Classes Welfare Residential Educational Institutions Society publishes Aadhaar data of 4000 minority students, studying in 5th to 10th standard. Source: GoNews
Bihar’s Minority Welfare Department had published information on 30,000 students, including Aadhaar number and bank account number. Source: GoNews.
Punjab Minority Welfare Department had published Aadhaar related data, as well as bank account number, for 12,000 students on its website. Source: GoNews
Ministry of Drinking Water and Sanitation is leaking Aadhaar number and personal data of Swatchh Bharat Mission beneficiaries. Source: @gggodhwani on Twitter. We’ve verified this independently and have screenshots
Ministry of HRD had published excel sheets with user Aadhaar information. These have since been removed. Source: MediaNama
Cricketer MS Dhoni’s Aadhaar details were tweeted by an enrolment agency on 28th of March 2017. Source: DailyO
Telangana: A government agency published Aadhaar information for 500,000-600,000 children. Srinivas Kodali, who discovered this, declined to disclose the name of the agency.
However, officials have held Aadhaar data to be secure and denied any possibility of CIA being able to access Aadhaar data, say media reports.