
Access to India's Aadhaar citizen database selling for under USD $10 - ShirsenduK
http://www.tribuneindia.com/news/nation/rs-500-10-minutes-and-you-have-access-to-billion-aadhaar-details/523361.html
======
throwaway312383
UIDAI has repeatedly been told that there are gaping vulnerabilities in their
architecture of their systems, and more importantly their processes.

These concerns were generally met with great hostility; UIDAI has relentlessly
pursued to silence people sometimes by threatening them with legal
proceedings.

ORF compiled a list of leaked UID numbers (~100 million) sometime back. Many
UID numbers were dumped onto the Internet by clueless public servants. UIDAI
promptly sent them a cease-and-desist order (or something to that effect).

[https://www.youtube.com/watch?v=xU0bTAa_djc](https://www.youtube.com/watch?v=xU0bTAa_djc)

UIDAI was implemented, very un-democratically, first by the former ruling
coalition, and is now being promoted to ridiculous levels by the current
political elites. All this has been done under the watchful eyes of the
billionaire, Nandan Nilekani. He was able to engineer this junk system past
both the legislative houses and courts multiple times over the course of the
previous decade. UIDAI has only receive mandate well after it was already
pushed out onto the people through underhanded tactics.

Usha Ramanathan and others have been following this development from the
start. It's increasingly becoming obvious that UIDAI was really only a means
for creating a new Orwellian state, where everything can be turned off at the
whim of some perturbed politician; where all your phone/bank numbers are at
the mercy of some wrathful God in Delhi (and likely as not outside of it).
This theory goes well with recent statements coming from the Indian state
apparatus about the abolition of cash/untracked assets.

~~~
jacobush
So Bitcoin will become popular in India also eventually.

~~~
srean
Govt would rush to pass laws on owning and using cryptocurrencies at that
point.

~~~
jacobush
I would not nothing less.

------
reallymental
Edited: Added the last line.

I won't add to the toxicity of the comments found in the article.

Has anybody who has worked on the Aadhar system have a presence on HN? The
cynic in me wants to believe that the 'system' was nothing more than a simple
crud app with the front end locked away under a username and password. Minimal
effort, minimum spent.

Even large Non-Tech corporations are known for really insecure systems,
insufficient password protection, easily guessed usernames etc. all in the
name of saving some $ on development. And to think this DB was not even meant
for profit in the first place!

Did they (the org that built Aadhar) commit the same mistakes or does this
look like an inside job (purely for profit, with no malicious intent)?

I want to be wrong. I want this to be an 'attack' rather than just an 'pay for
access' method.

~~~
intended
Yes and no - the aadhar agency itself didnt do anything wrong.

This is by design. I believe Nilekani took a long hard look at the trade off
between privacy and achievability when creating aadhar and decided to fob off
responsibility - moral and practical - to other people.

As a result the agency itself, just provides access to the DB and protects the
biometric DB, and gives access to other agencies to use the system.

So the issue is always going to be the many myriad agencies and states
connecting to the system, and now also the state databases which are being
created.

~~~
thisisit
I don't know if you are joking but let me draw a real life parallel here.
Target was hit by an attack in 2013:

[https://www.forbes.com/sites/maggiemcgrath/2014/01/10/target...](https://www.forbes.com/sites/maggiemcgrath/2014/01/10/target-
data-breach-spilled-info-on-as-many-as-70-million-customers/#235324a3e795)

But do you know they were hacked? Through their HVAC vendor:

[https://krebsonsecurity.com/2014/02/target-hackers-broke-
in-...](https://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-
company/)

Now the defense - "It wasn't us but the HVAC guys who had weak security" would
have been stupid because they were responsible. They were fined 18.5 million
dollars:

[https://www.usatoday.com/story/money/2017/05/23/target-
pay-1...](https://www.usatoday.com/story/money/2017/05/23/target-
pay-185m-2013-data-breach-affected-consumers/102063932/)

So using this kind of logic is like being an ostrich. And UIDAI for better or
worse is being an ostrich using the same logic - "It's not us but them" over
and over again.

If it wasn't for the mandatory stuff government is doing, people would have
ignored and junked Aadhar a long time ago.

~~~
intended
Unfortunately, the only person who can prosecute someone for a breach of
aadhar is the UIDIA itself.

Dont ignore the value of the design in making the organization survive
scruitiny and legal challenge in India.

While all is well and good for citizens in America with their legal system,
UIDIA is a creature for India.

I am not making conjecture here, I am making sure people are aware that from
the start of the program, its been designed to pass scrutiny and shift
responsibility.

~~~
srean
I think your other post is getting downvoted because you comments can come
across as being in support of the fact that -- the only person who can
prosecute someone for a breach of aadhaar is the UIDIA itself. It is entirely
possible that you are stating a fact but don't support that position, it is
not clear if that is indeed so.

~~~
intended
Oh dear - I definitely don’t support The program, and have opposed it from day
1. This means opposing it at a time when most of the Indian internet world was
not concerned or staunchly pro aadhar.

The program has only served to prove that every informed concern about it has
been proved correct.

Also it won’t surprise me if my opinion is unpopular because it opposes
aadhar.

------
vasundhar
Silverlining comes here -

UIDAI (Outlook) : [https://www.outlookindia.com/website/story/uidai-denies-
biom...](https://www.outlookindia.com/website/story/uidai-denies-biometric-
data-breach-points-to-misuse-of-grievance-redressal-searc/306403) Tribune's
Response. [http://www.tribuneindia.com/news/nation/uidai-says-
tribune-s...](http://www.tribuneindia.com/news/nation/uidai-says-tribune-
story-misreporting--read-how-that-is-wrong/523478.html)

------
codeisawesome
This is like the grand daddy of equifax in sheer numbers :(

------
option_greek
The main problem is that the government wants provide access to this data to
all its departments without any say from the citizens. So they ended up
creating login based system for departments that has only crude access
controls (view/update etc). They didn't segregate and secure the data by
state/village etc. So a single corrupt low level official of any department
can just 'share' his login with anyone else (assuming the login is even secure
to start with).

If I had to design this, I would have added a two factor access to each
citizens data which can only be accessed with their consent. But this model
doesn't let the government departments access all the data at will.

~~~
intended
If you could do it with 2FA, you wouldnt need to make Aadhar in the first
place.

I've followed the program from inception. The real genius lies in 2 things,
little of which have to do with tech.

The first genius lies in the design of responsibility and liability of the
Aadhar authority.

The authority is impervious to assault legally - it is the only person who can
mount a legal challenge on the misuse of aadhar numbers.

The authority also farms out all responsibility of usage of aadhar to "other
entities". Thus it can never be held accountable since it only "provides other
people a tool". What they do with it, is not the Agency's issue.

This is how its engineers can talk on various privacy channels as being fully
for privacy and security, the agency itself can be a secure keeper for the
biometric information - but the actual harm being done is farmed out to other
agencies who can then take the blame.

------
edent
For those unfamiliar with the term, "lakh" is 100,000.

So, "These groups targeted over 3 lakh village-level enterprise (VLE)
operators" is referring to 300,000 operators. That gives you an idea of the
scale here.

------
contingencies
Summary: The goal was the create a unique identification number for every
citizen. This was largely done, but no effective access controls were
installed, such that basically anyone on the system could look up any data and
even print fake IDs.

This now makes all the numbers useless, since all the data stored may have
been duplicated and the means to produce fakes is already out of the box.
Somehow, the world's greatest bastion of humility will not submit to
omnipresent technical surveillance - should we be at all surprised? India is
famously corrupt. Even with rate limiting, search scope limitation, and other
techniques it would appear that such data can never be truly secured.

~~~
srean
Things will start moving if stolen Aaadhaar details are used to
'inconvenience' members of the parliament of the party in power. As long as
that does not happen you might see some grandstanding at best, nothing
concrete will happen.

------
known
Govt will make a "low level" UIDAI employee as responsible and fire him

