By Asheeta Regidi
As per an NDTV report, the Centre for Internet Society is being questioned about its report on the disclosure of 135 million Aadhaar numbers earlier this month. The NDTV report states that the UIDAI has sought the details of the CIS’s findings to investigate the possible hacking of the UIDAI and other databases.
The CIS is also reportedly being questioned about its own access to the websites and its download of data for writing the report. This raises certain issues about the investigative activities carried out by organizations like the CIS. Do such activities violate the law? What are the boundaries of such an investigation? What about inadvertent, or even ethical, hacking?
Editor's note: When contacted at 10.00 am on 19 May, CIS had informed us that they are yet to receive an official note from UIDAI on the matter.
Data leaks weren’t because of hacking
The main concern of the UIDAI is whether the leaks of the data were the result of hacking. Hacking can lead to a punishment of three years and/or unlimited compensation for the affected persons under Sections 66 and 43 of the Information Technology Act, 2000. Hacking the UIDAI database itself carries an aggravated punishment of ten years, since it has been declared a protected system under Section 70 of the IT Act. Other penalties under the Aadhaar Act also apply.
The CIS report, however, nowhere mentions hacking of the UIDAI database, nor of any database at all. The CIS also recently issued a clarificatory statement, with an updated version of the report, clarifying that the report referred to data that had been ‘publicly disclosed’, or data that had been made available publicly by the websites themselves, and not data that was obtained through hacking. Even without the updates, the original report clearly reads as such (See original and updated versions).
Accessing public data does not violate laws
Since the databases were publicly accessible, the data on them is freely available to anyone visiting the websites. As such, accessing it does not violate any law, including the Aadhaar Act and the IT Act.
Did the CIS ‘hack’ the websites?
The CIS, in its report, investigated the databases available from four specific government websites. While three of these were clearly publicly accessible, an issue arises with the CIS’ access to data on the National Social Assistance Programme (NSAP) website. As per the CIS’ report, it obtained access to the data by changing one of the URL query parameters from “nologin” to “login”. This simple change to the URL gave access to data that was otherwise available only to authorized persons with login IDs. This access raises certain issues.
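The flaw described above, a page whose logged-in state is decided by a client-controlled URL parameter, shown next to the server-side session check that fixes it and a simple log check that flags tampering. This is an added illustration, not code from the NSAP website or the CIS report; the parameter name `mode`, the route, the session store and the records are assumed.

```python
# Added example: a handler that trusts a URL query parameter to decide whether
# the visitor is "logged in", beside a handler that checks a server-side session.
# Not code from the NSAP website or the CIS report; the parameter name "mode",
# the URLs, the session tokens and the records below are constructed.
from urllib.parse import parse_qs, urlsplit

# Constructed sample records standing in for beneficiary data.
RECORDS = [{"id": 1, "name": "Beneficiary A"}, {"id": 2, "name": "Beneficiary B"}]

# Constructed server-side session store: session token -> authenticated user.
SESSIONS = {"tok-abc": "officer1"}


def _query(url):
    """Return the first value of each query parameter in the URL."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def vulnerable_handler(url, cookies=None):
    """Weak: whether records are shown depends only on the client-supplied URL.
    ?mode=nologin renders a public page; editing it to ?mode=login reveals the
    records without any credentials being checked."""
    if _query(url).get("mode", "nologin") == "login":
        return 200, RECORDS
    return 200, {"message": "please log in"}


def hardened_handler(url, cookies=None):
    """Fixed: the 'mode' parameter carries no authority. Records are returned
    only when the session cookie maps to an authenticated user on the server."""
    cookies = cookies or {}
    if SESSIONS.get(cookies.get("session")) is None:
        return 401, {"message": "authentication required"}
    return 200, RECORDS


def flag_tampering(url, cookies=None):
    """Detection: a request claiming mode=login without a valid server-side
    session is exactly the edit described in the report, and worth logging."""
    cookies = cookies or {}
    claims_login = _query(url).get("mode") == "login"
    has_session = SESSIONS.get(cookies.get("session")) is not None
    return claims_login and not has_session


if __name__ == "__main__":
    url = "https://portal.example.test/list?mode=login"
    print("vulnerable:", vulnerable_handler(url))
    print("hardened:  ", hardened_handler(url))
    print("flagged:   ", flag_tampering(url))
```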
Is ‘easily accessible’ the same as publicly accessible?
The IT Act punishes any access to a computer resource (which includes a website database) without authority (Section 43(a)). The IT Act does not specify the level of difficulty of the access, or the level of skill required to make it. So long as the access was unauthorized, it contravenes the IT Act.
Strictly speaking, CIS’ access was unauthorized access. On the other hand, as argued by the CIS, the change to the URL is so basic that anyone can make it. No specialized knowledge or skills are required to change the “nologin” to “login”.
However, does a computer resource that can easily be accessed without any special effort thereby become ‘publicly’ accessible? Clearly, carving out such an exception under the law for ‘easily’ accessible data would be extremely dangerous when dealing with cyber criminals.
Does intent make a difference?
This brings up the issue of the intent with which the website was accessed. The CIS, in its clarificatory statement, mentions that before publishing the report it first informed not only the government departments that ran the accessed websites, but also the UIDAI itself. The CIS’ intention is clearly to push for better security of the websites holding Aadhaar data.
However, under Section 43(a), the intention of the person making the unauthorized access makes no difference. This is regardless of whether the access was unintentional, with criminal intent, or, as in the case of the CIS, for investigative purposes.
Investigative / research activities need to be protected
Under Indian law, there are no provisions allowing activities like white-hat hacking or vulnerability testing. Security audits that are allowed under the Aadhaar Act and the IT Act are carried out through specified auditors only (see Rules 3 and 6, Aadhaar (Data Security) Regulations, 2016). No specific protection is granted to investigative or research organizations for their activities. This puts the activities of organizations like the CIS in a grey area.
The UIDAI’s move to investigate possible breaches of Aadhaar data is welcome, since it is one step towards better security. While the CIS’ NSAP access issue diverts attention from the main issue of the security of Aadhaar data, it brings up the need to protect such agencies. The government needs to recognize and support such activities, which can result in better security.
Published Date: May 19, 2017 03:49 pm | Updated Date: May 19, 2017 03:49 pm