#AadhaarLeaks: Why UIDAI and PwC are responsible

Anivar Aravind
Published in Kaarana
May 4, 2017


This is a continuation of my previous post on UIDAI leaking Aadhaar numbers from its servers.

Today's news reports show that in court yesterday the point that "leaks are not from UIDAI" was made repeatedly. Arghya Sengupta (from the Rohini Nilekani backed Vidhi Centre for Legal Policy), appearing as counsel for the Government in the petition challenging PAN-Aadhaar linking, said the following:

“As of today, Aadhaar is foolproof. Biometric technology is the best system in 2016. There has not been a single leak from the UIDAI. The leaks of details may have been from the States… their offices and agencies,” advocate Arghya Sengupta, counsel for the Centre, submitted in the court.

Source: Aadhaar data leaks not from UIDAI: Centre, The Hindu, 4 May 2017

This separation of Aadhaar from its ecosystem is new. Let us look at who is responsible for information security in UIDAI and its ecosystem.

In November 2015 UIDAI contracted the audit and consultancy firm PricewaterhouseCoopers India, which was roped in "for building an additional layer of oversight by reviewing the security of the entire ecosystem that includes UIDAI data centres and servers along with that of government departments and private agencies such as banks that are engaging with Aadhaar for authenticating citizen information."

Source: Economic Times, 3 November 2015

So UIDAI rightly understood that the entire ecosystem needs to be secured and had an audit consultant for oversight. We know #AadhaarLeaks are not just from State schemes: they include gigantic leaks of the whole MNREGA and NSAP data and of Central schemes such as the Swachh Bharat portal and Pradhan Mantri Awas Yojana. But for a deeper understanding of the UIDAI ecosystem and the data held with states, let us look at some other UIDAI documents.

Source: UIDAI-SRDH-State Adoption Strategy Document, page 11

This introduces one more term, SRDH. SRDH means State Resident Data Hub. It is conceptualised as a subset of the CIDR data.

The Central Identities Data Repository (CIDR) is the centralised database of the Aadhaar project that stores every individual's data collected through the enrolment process. An SRDH primarily contains the enrolment data (including KYR+, the extra parameters specified by the state) of all residents of that state. The SRDH is used for verifying seeded data in the state's welfare projects, as the conceptual data flow diagram shows. In short, an SRDH is critical information infrastructure just as the CIDR is, and a copy of the same identity data held outside UIDAI's data centres. If Jharkhand's PDS is leaking, it means both UIDAI and its security auditing and monitoring agency failed in their information security function.

While exploring various SRDHs, I came across these documents from Karnataka (thanks @databaazi):
1. KRDH Presentation (PPT) [Cached Version]

2. Process Manual — Update Consent Sharing from No to Yes.doc [Cached Version] (the cached version luckily does not have the photos)

These documents are just an indication of how irresponsibly citizen data is maintained at the SRDH level. This data is from Karnataka, where UIDAI has a technical base. The pictures below show that information security practices are non-existent.

From the KRDH presentation linked above: Aadhaar numbers not masked.
From the KRDH presentation linked above: Aadhaar numbers not masked.
From the Update Consent Sharing document linked above: Aadhaar number not masked.

The document has pictures of this lady at each step, including public display of her Aadhaar and of her update slip carrying the EID and Aadhaar numbers. The agency that enrolled MS Dhoni was blacklisted for the very same reason: sharing a similar slip.

Aadhaar number, EID and DOB are displayed.

Now let us examine who else is responsible, apart from the Karnataka State Resident Data Hub, which published these details online. I checked the ownership details of the documents in their metadata and the result was shocking.

The KRDH Presentation document was created by Usha Rani Kamisetty
Company: PwC
Created by Sandeep Patil from PwC

A simple search confirmed that both these names in the document metadata resolve back to one company, the very same company responsible for "building an additional layer of oversight by reviewing the security of the entire ecosystem that includes UIDAI data centres and servers along with that of government departments and private agencies such as banks that are engaging with Aadhaar for authenticating citizen information."
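The metadata check described above can be reproduced on any modern Office file. As an added example, not code from the original post, the Python below reads the creator, last modifier, dates and company from the `docProps/core.xml` and `docProps/app.xml` parts of an OOXML package (.pptx, .docx, .xlsx), which is where Office stores them. It builds a constructed sample package in memory so it runs offline; the names and company in that sample are placeholders, not the values found in the Karnataka documents.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by the two property parts of an OOXML package.
_NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

# Which element in which part answers which provenance question.
_FIELDS = {
    "docProps/core.xml": [("creator", "dc:creator"),
                          ("last_modified_by", "cp:lastModifiedBy"),
                          ("created", "dcterms:created"),
                          ("modified", "dcterms:modified")],
    "docProps/app.xml": [("company", "ep:Company"),
                         ("application", "ep:Application")],
}


def office_metadata(package: bytes) -> dict[str, str]:
    """Return the author/company/date properties embedded in an OOXML file.
    Parts that are absent (a file that was scrubbed) are simply skipped."""
    found: dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        present = set(z.namelist())
        for part, fields in _FIELDS.items():
            if part not in present:
                continue
            root = ET.fromstring(z.read(part))
            for key, path in fields:
                el = root.find(path, _NS)
                if el is not None and el.text:
                    found[key] = el.text.strip()
    return found


# Constructed sample parts; the names and company are placeholders.
_CORE_XML = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties
  xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
  xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <dc:creator>first.author</dc:creator>
  <cp:lastModifiedBy>last.editor</cp:lastModifiedBy>
  <dcterms:created xsi:type="dcterms:W3CDTF">2013-03-01T09:00:00Z</dcterms:created>
</cp:coreProperties>"""
_APP_XML = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">
  <Application>Microsoft Office PowerPoint</Application>
  <Company>Example Consulting Ltd</Company>
</Properties>"""


def build_sample_pptx(with_app_part: bool = True) -> bytes:
    """Smallest zip the reader above needs: just the two docProps parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", _CORE_XML)
        if with_app_part:
            z.writestr("docProps/app.xml", _APP_XML)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pptx()
    for key, value in office_metadata(data).items():
        print(f"{key:17} {value}")
```

Two caveats a practitioner would add. First, the legacy binary formats (.ppt, .doc) keep the same properties in the OLE SummaryInformation and DocumentSummaryInformation streams rather than in XML; `exiftool` or the `olefile` library reads those. Second, `dc:creator` and `Company` are filled in from whatever name and organisation the Office installation was configured with, and can be edited freely, so metadata is a lead for attribution, not proof on its own. The fix on the publishing side is equally simple: Office's Document Inspector ("Remove Document Properties and Personal Information") strips these parts before a file is released.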

PwC was a consultant to Karnataka for the audit of the Aadhaar enrolment process as well as of the data captured from 2011 onwards. It was also listed as an empanelled firm, among consultants, software solution providers and complete end-to-end solution providers for UIDAI, in the SRDH Institutional Framework document.

SRDH Institutional Framework, page 13

The dates in the above documents show they were mostly prepared during the implementation period, before the information security consultancy began. This makes it clear that PwC also participated as an implementation consultant, even on design. Then how is PwC also doing an infosec audit of the same structure? An auditor that reviews controls it helped design has little incentive to find fault with them, which is exactly why auditor independence is a basic requirement. Isn't that a conflict of interest?

I am linking the LinkedIn profiles of the names I have seen below, because that is not Aadhaar data and it is publicly available to anyone. If citizens' personal details are posted in presentations, I think it is fair to publish the names and designations of those responsible from public URLs.

Source : LinkedIn
Source: LinkedIn

This is clear evidence of the state of security practices and auditing in the UIDAI ecosystem and its related information systems. As you can see, PwC India failed to follow basic information security practices and violated the duty UIDAI assigned to it. There has been no corrective measure from anyone in the ecosystem so far. I would like to present these facts as a public record, to help understand why #Aadhaar and its data handling practices within the ecosystem are totally insecure and violate citizens' control and consent over their personal data.

Researcher, Founder/Director @indicproject | @smcproject | @mozillareps | #FOSS #i18n #access #infosec #openness | https://anivar.net