
India goes digital - pranavk
http://digilocker.gov.in/
======
nnain
Ok, lot of negative impressions here. Only 10MB space, bad ssl cert etc. These
things are easily fixable in future updates.

The reason this is nice to have is this quote from the site:

"How is DigiLocker going to help me?

It will minimize the use of physical documents and will provide authenticity
of the e-documents. It will provide secure access to Govt. issued documents. It
will also reduce administrative overhead of Govt. departments and agencies and
make it easy for the residents to receive services."

------
arihant
For people having issues with CA - It is not the CA that is the problem (it is
not a famous CA, but is known, at least by Chrome), the problem is that they
probably shortened the domain too late and are still using the old
configuration. Use the URL below, the certificate works fine. It's just for
the wrong domain:

[https://digitallocker.gov.in/](https://digitallocker.gov.in/)

Edit: I'm unable to login though. I get the OTP from Aadhaar just fine, but
the website doesn't seem to be able to verify it.

Edit 2: It worked after a couple of tries. Looking at the trail, it is
probably some issue with Aadhaar and not this website. It does look really
neat. You basically upload copies of your IDs and then agencies can request
it. You get to approve. They are pulling UID data so it's quick to set up. I
think the point of this is that you can link all other IDs with UID so people
just have to ask for your Aadhaar number, no paper ID copies or forms. I wish
they just integrated this into UID system like they link bank accounts, that
way developers would have a single UIDAI API for identity, bank accounts and
other IDs.

~~~
krisgenre
I am getting the certificate error even at the link you provided ( using
Google Chrome on Ubuntu 14.04 ).

~~~
arihant
I investigated further. It works fine on Mac and Windows 8.1. Apparently your
operating system doesn't support the CA yet. I don't have Ubuntu, but I do
have a linux based system, and it fails there too.

They are using a relatively new sub-CA of e-Mudhra, so it will appear
everywhere soon, I believe.

If you're really willing to use it now, SHA1 of verified certificate is 56 7F
2D B5 7E 31 BC E5 6C 5C 8C 3B 80 44 AA 2F 7C 13 D3 6D. Not ideal way at all,
but might help paranoia. You shouldn't trust me though.

~~~
_nedR
The Certificate seems to be verified by a "Gujarat Narmada Valley Fertilizers
Company Ltd."

Speaking as an Indian, I am not sure I would trust a CA run by a company that
is close to the Indian govt. (whose record on corruption and civil liberties
isn't exactly stellar).

~~~
arihant
The whole point of the CA system is that there is no place for personal
opinion on which CA to trust, as long as they make it to your operating
system. The audits they go through far trump the hand-waving you just did.

------
asdofij
It's kind of hilarious that their certificate is signed by "Gujarat Narmada
Valley Fertilizers Company Ltd."

------
newscracker
I'm leaving aside the certificate issue for a moment since others have
mentioned it. This solution is a great way for hackers and phishers to collect
a lot of personal information. Perhaps this is done with very good intentions,
but is really poorly thought out. I wonder who architects these solutions and
how they think.

See the following question in the FAQ (I've edited it for brevity with
ellipsis and emphasized important parts). [1]

> Q11 How can I share the e-documents in my digital locker?

> A11 For sharing your e-document...enter the email address of the recipient in
> the dialog box and click ‘Share’ button.

> _The document will be shared with the recipient via email._ ... _email body
> will have the URI link of the document and the sender name and Aadhaar
> number._ The recipient can _access the document using the URI link provided
> in the email._

So:

1\. You share your document, which is sent over plain text email.

2\. The recipient can access it just with a link. There is no authentication
or verification of any kind.

3\. The recipient can forward the mail to data collectors so they can
immediately get your name, your Aadhaar number and the document. There is no
link expiry, which allows perpetual abuse of information by forwarding emails.
This technology makes selling information a lot simpler and quicker.

4\. Someone else's email account gets hacked? Thousands or millions of names,
Aadhaar numbers and documents could be out on torrents soon enough. Talk about
government enabling things through technology.

Even if you trust the government to store all your documents, even though some
may be issued by local authorities, this looks more and more like a
comprehensive and centralized data collection mechanism. The next step, which
may or may not be disclosed, would be to provide access to every government
entity to query this database without any control or limits or oversight. For
a country without any privacy laws, they already have your biometric
information, now they can completely own you. :)

[1]: [https://digitallocker.gov.in/Resources/FAQ-Digital_Locker_v0...](https://digitallocker.gov.in/Resources/FAQ-Digital_Locker_v0_3.pdf)

~~~
arihant
No, no, no. The link they send requires Aadhaar verification, you will get an
OTP, which you will give to the agency. They can get the copy of the document
only if they provide the right OTP. It is the same way you are logging in to
this website.

The whole UID infrastructure is two-factor auth by default. Think of the URI
like Facebook Graph API URLs. They are static, REST-ful endpoints that require
two-factor authentication.

While there are no strong laws to protect scans of your IDs, the biometric
data does come under The Privacy Bill, 2013. So does any identification
typically used by financial institutions. Your other IDs, like Voter ID are
public information anyway, except for biometric identifiers.

------
chdir
Background: Almost all govt / public sector / regulated private sector
services in India require you to submit a physical proof of ID/Address (along
with application forms & other essentials) e.g. bank account, mobile SIM,
gas/water/electricity, credit card etc.

It's unlike the US where your SSN is electronically linked to your identity &
credit history and most of the above stuff can be done without any physical
documents.

The Aadhaar ( _literally means foundation_ ) card is trying to provide a
unified identification across the country. Perhaps like an SSN to some extent.

------
KamiCrit
I feel the Feedback page might need some work. Right now it seems like all the
submitted feedback is made public with no approval.

[http://i.imgur.com/1qieQ03.png](http://i.imgur.com/1qieQ03.png)

------
HashNuke
SCREENSHOTS - [http://imgur.com/a/k9mCf](http://imgur.com/a/k9mCf) (read notes
below)

For people who have negative opinions about this, hold on. There's more to the
DigitalLocker than you think. I tried using this the day it launched (a few
weeks ago). Here are a few things for people who haven't tried it.

1.) Apart from storing documents, the other important feature is to share
documents with entities (seems like both govt and private). Right now in
India, for anything new you want to signup for in the offline world, you are
usually asked for multiple ID and address proofs. This site has a feature to
share stored documents when entities request for it. So you get document
requests from entities (just like Facebook friend requests) and you approve
them to share the documents required. Way better than having to carry xerox
copies to the office of the entity.

2.) It also looks like entities can issue you documents. If implemented, then
we wouldn't have to worry about carrying and safe-guarding physical copies of
documents. I have about 20-30 physical documents I need to safe-guard and more
than a dozen marks cards from college. Imagine just receiving a notification
that the document for your new insurance policy has been received in your
digital locker? Ah such minimalistic life.

3.) Love the simple Aadhaar-based login process. That is so layman-friendly.
Entered my Aadhaar card number to get an OTP to login. Most Indian govt sites
have ridiculous rules about setting passwords - all of which I cannot remember
at all. Even worse changing your account email or password on those sites is a
nightmare. To change the email address on the Service Tax website, I have to
write a paper-based request to the authority.

4.) You can store any document you want to. This isn't limited to government
issued IDs. There's an "other" category when uploading.

5.) I've been using Dropbox to store scanned copies of my family's important
documents. It has come in handy many times. It is the govt offering to digitally
store govt-issued documents. Why would I bother about privacy? I'm glad they
made this.

6.) About the SSL cert: AFAIK they seem to have broken the site during a
recent update. SSL was fine during the launch day. Oh, and when the Indian
govt website specifies "beta" version - they literally mean it. And this site
isn't as bad as booking a Railway tatkal ticket on IRCTC, for which there are
tutorials and videos on how to use the site. I've forgotten my IRCTC
username/password again and I've exhausted all mobile numbers in the house to
signup for new account. I'll have to get a new sim just to book a railway
ticket next time.

Mailed the DigitalLocker team my concerns about the 10mb limit and also
offered to send code contributions if it was opensource. I got back a very
quick reply:

    
    
      It is not a open source project, but you can contribute by your valuable suggestions as it is still running in beta Version.
      
      Regarding Storage space we have noted the issue. Inconvenience regretted.
      We shall review and resolve the same as soon as possible.
    

Besides it's been mentioned in the FAQ, that the storage limit will be
increased to 1gb in the future
[https://digitallocker.gov.in/Resources/FAQ-Digital_Locker_v0...](https://digitallocker.gov.in/Resources/FAQ-Digital_Locker_v0_3.pdf)

[EDIT: I've edited my comment multiple times to add more information]

~~~
krisgenre
Please change 'xerox copies' to 'photocopies', except Indians others might not
understand :)

~~~
HashNuke
ROFL. Thanks for pointing out. I was thinking exactly the same when writing
that, but still went ahead with "xerox copies" thinking it might be ok.

Cannot edit my comment anymore.

------
primitivesuave
According to the FAQs, every resident only gets 10 MB of storage space, with
plans to expand to 1 GB in the future. Basically, it's a government-controlled
Dropbox for 3 - 5 PDF files.

------
ajaimk
Additionally, a government run dropbox isn't very reassuring. This would be the
equivalent of the NSA hosting backups of all your data (which they probably do
- but still).

~~~
jestinjoy1
This looks like not as Dropbox. A service for storing govt "issued" digital
documents.

------
ajaimk
An SSL Cert would be helpful to assure me of its security.

~~~
sharvil
Yeah, the current cert has CN mismatch and is issued by an unknown CA [1].

[1]
[https://www.ssllabs.com/ssltest/analyze.html?d=digilocker.go...](https://www.ssllabs.com/ssltest/analyze.html?d=digilocker.gov.in)

------
aasarava
For those who are interested, (and for those who think this is some
half-hearted project fulfilling various conspiracy theories,) the New Yorker
wrote a good story about the origins of the Aadhaar project and its goals a
while back:
[http://www.newyorker.com/magazine/2011/10/03/the-i-d-man](http://www.newyorker.com/magazine/2011/10/03/the-i-d-man)

------
rb2k_
Seems like a relatively basic CRUD site. Considering the SSL issues which
apparently weren't tested properly and the immediately published feedback that
shows tons of private data from people, I really, really hope that the site
won't be hacked in the next month or two. Seems like a prime target for folks
looking to commit identity theft :-/

------
frozenport
This Connection is Untrusted

You have asked Firefox to connect securely to digilocker.gov.in, but we can't
confirm that your connection is secure.

------
tzakrajs
Too bad they can't afford SSL certificates. I'll never get to know just how
digital India went.

------
anuraj
You meant India Government goes digital - there is a day and night difference.
And if you think your data is safe with any government - you should be day
dreaming!

------
firefoxNX11
How does this work for NRIs? How do I get Aadhaar number?

~~~
middleclick
I don't know how you can get one but you shouldn't get it. Do you really want
to give all your fingerprints and retina scans to the government when you know
how it can be misused in a country like India which is a police state? I bet
there is no oversight in getting access to your information and there are tons
of ways in which your information can be misused/exploited.

~~~
sumitviii
>when you know how it can be misused in a country like India which is a police
state

Do you have anything resembling a proof for the utter BS you just wrote?

------
accurrent
Valid ssl cert would help

------
chheplo
A Hacker heaven..

------
yuhong
Funny that I just mentioned the CA that issued the cert for this site in
[https://twitter.com/yuhong2/status/574416966460403712](https://twitter.com/yuhong2/status/574416966460403712)

FYI, the Mozilla inclusion request is in
[https://bugzilla.mozilla.org/show_bug.cgi?id=557167](https://bugzilla.mozilla.org/show_bug.cgi?id=557167)

