Security and your UID Aadhaar

The Sonia/Manmohan/Nilenkani UID for everyone residing in India is fraught with security implications.
Databases of passwords and verification details (which is what your stored finger prints and iris scans are... except that you cannot change your iris, and it is expensive to change your fingerprints once the data base is hacked) is a hackers dream. But don't take our word for it.

We will list actual instances where significant government and commercial databases have been compromised, and actual security issues of Aadhaar in practice. We do not add what are obviously teething problems, such as giving a man a UID with the photo of a woman, or the 10,000 IDs sent to the wrong addresses due to a technical snag by an agency that received the 'Aadhaar Excellence Award' at the programme's first anniversary celebrations. Here we focus on the serious, systemic issues like the 2 lakh returned letters which make a mockery of the system.

We also do not have here government misuse such as the elite National Technical Research Organisation (NTRO) set up to prevent Kargil-like intrusions and aid other intelligence agencies in gathering and analysing terror inputs placing hightech pinhole cameras in women's toilets.

The page was started on 30 June 2011. We stop (for now!) with the Minister for Home Affairs P Chidambaram confirming security fears.
.... amazing how regular the security breaches are. In this short span, we have compiled--all from opensources--security breaches of entire countries, highly 'security conscious' companies including those taked with cyber-security(!) and multinational corporations that amount to more than 500 million, half a billion IDs.

Cybersecurity expert Bruce Schneier notes in Cryptogram: None of this is new. None of this is unprecedented. To a security professional, most of it isn't even interesting.... It's not that things are getting worse; it's that things were always this bad. ... The recent news epidemic also illustrates how safe the Internet is.

A report placed in parliament in June 2011 says that in past three years, till June 2011, 117 government websites were hacked in India while the number of other hacked sites is 90,119, 252.

The US FBI Executive Assistant Director Shawn Henry quotes 2011 Norton Cybercrime Report to put the global cost of cyber crime at nearly $400 billion a year, that there are more than one million victims of cyber crime every day.

... and on 15 November, the Deputy Section Chief Richard Downing admitted before the US House Judiciary Subcommittee on Crime, Terrorism and Homeland Security that the United States' critical infrastructure – such as the electrical grid, financial sector, and transportation networks that underpin our economic and national security – have suffered repeated cyber intrusions, and cyber crime has increased dramatically over the last decade. Sensitive information is routinely stolen from both government and private sector networks, undermining confidence in our information systems, the information collection and sharing process, and the information these systems contain.

He admitted that they confront a dangerous combination of known and unknown vulnerabilities, strong and rapidly expanding adversary capabilities, and limited comprehensive threat and vulnerability awareness. Within this dynamic environment, we are confronted with threats that are more targeted, more sophisticated and more serious.

... and our own home minister P Chidambaram admitted in a note (No 9/502011- CRD(NPR)) to the Prime Minister that
"the data collected by multiple registrars of the UIDAI does not meet the degree of assurance required under the NPR from the point of view of internal security" . (Note No 9/502011- CRD(NPR) Office of the Home Minister, Ministry of Home Affairs, Subject: Comments of MHA on the convergence between UID and NPR exercises).

Another list of hacks can be found on the CNET website.

In the next pages, we start with the leak of the UID policy note on wikileaks and come up to the more recent. Upto 2011 this is what they look like.

31 December 2011
To end the year on a high, wanted criminals also get Aadhaar numbers. Easily. Low grade, international ones. Not the hi-tech 'Mission Impossible' kind.

This is what the Times of India reports:
Suspected Afghan national Bashir Shah alias Ayub Khan was arrested by crime branch on December 31. This is the second arrest of Shah by city police. Shah was arrested by Lakadganj police in February 2006 for alleged act of staying in India without valid documents. He was then booked under the Foreigners' Act and for also violating the provisions of passport. Shah's younger brotherAmir Khan was also booked along with him. The case is still pending for trial. It was, however, not clear as to how Shah sneaked away from India despite being an accused. Earlier he held an Afghan passport, Shah has claimed to have destroyed his documents and was in the process to establish himself as an Indian when the security agencies zeroed in on him. The crime branch found that Shah had managed to procure a driving licence from Nagpur'sRegional Transport Office (RTO) in 2002. With the help of a local contact, Shah prepared a second driving licence in 2010 under the same name. He had also made an 'Aadhar' card for identification in May 2011 and was trying to make a passport when the cops caught him.

Police did not rule out possibility of others like him present in the city and further investigations are on in that direction.

13 November 2009
The confidential plan for the UID in India of the UID authority of India. It was leaked even before it was available to the citizens of India, and when Nilenkani was reluctant to share it. Do note that the UID team at the time was fully hand picked by Nandan Nilenkani.

If he cannot ensure security with his handpicked team, how he will when the cheapest contractor does it.... we leave to your imagination.