On 25th August 2017, GGI News reported how agents of the Office of Technical Services (OTS), a branch within the CIA, can access the Aadhaar database through the technologies of Cross Match, a UIDAI-certified company. Secret documents published by WikiLeaks show how the CIA's ExpressLane project is installed and run by OTS agents under the cover of upgrading the biometric software. ExpressLane is a covert information collection tool that the CIA uses to secretly exfiltrate data collections from such systems provided to liaison services.
Official sources from the government, however, denied our claims. “The reports do not have any basis in fact. Aadhaar data is safely encrypted and is not accessible to any other agency,” official sources said.
Even Cross Match Technologies, a US-based company certified by UIDAI for Aadhaar, denied the claims and told Gadgets 360 that “it has not captured, or stored, or processed any personal private information of its customers”.
However, in a follow-up conversation with Gadgets 360, the company said that “The leaked documents specifically indicate that although malware was installed using a file name that was similar to the name of our software, the malware was designed to not affect, change or interact with our software. Rather, it was designed to act independently of our software.”
Further, the UIDAI also said that such “misinformation was being spread by certain vested interests”. “Some vested interests are trying to spread misinformation that since ‘Cross Match’ is one of many devices which are being used in biometric devices by various registrars and agencies in Aadhaar ecosystem, the biometrics being captured for Aadhaar are allegedly unauthorisedly accessed by others,” the UIDAI statement said, rejecting charges of data compromise.
Now, in a startling disclosure, it has come to light that foreign firms indeed had access to unencrypted Aadhaar data, and that they had this access because the UIDAI contracts themselves permitted it. As reported by Times of India, this was revealed through an RTI application filed by Bengaluru-based Col Matthew Thomas, one of the petitioners in the right to privacy case currently being heard in the Supreme Court.
The RTI reply showed that the nature of the contracts contradicted UIDAI’s statements that no private entity had access to unencrypted Aadhaar data. The contract with one of the biometric service providers (BSPs), L-1 Identity Solutions Operating Co Pvt Ltd, headquartered in the US, says that the company was given Aadhaar data access “as part of its job”. (L-1 has been taken over by French transnational Safran Group.) Morpho and Accenture Services Pvt Ltd are two other firms that were given identical contracts with two-year (2010 to 2012) Aadhaar data access.
Clause 15.1 of the contract, titled ‘Data and Hardware’, says that the firm, by virtue of the contract “may have access to personal data of the purchaser (UID), and/or a third party or any resident of India…” Further, Clause 3, which deals with privacy, says that the BSP could “collect, use, transfer, store and process the data”. It also says that the BSP shall process all personal data in accordance with applicable law and regulation and should not disclose such information.
Another clause in the contract says that the firm should maintain the biometric template created by it and that in the event of termination or expiry of contract, it “shall transfer all the proprietary templates to UIDAI”. Col Thomas says: “If the firms did not have the biometric data, what were they expected to transfer? Why can’t the UIDAI just come out in the open with all the contract details?”
One of the directors of L1 Identity, the company contracted by UIDAI for Aadhaar, was George Tenet, director of the CIA. After leaving the CIA, Tenet joined L1 Identity. One of L1’s clients was also the CIA. Apart from Tenet, Louis Freeh, former head of the Federal Bureau of Investigation (FBI), and Admiral Loy, who was the acting director of US Homeland Security, were/are also members of L1’s board of directors.
The founder of L-1 Identity Solutions is Robert La Penta. Before he founded L1, La Penta worked for Loral Space and Communications, which he left as vice-president in 1996, two months after the crash of a Chinese rocket which used Loral’s technology, as reported by The Sunday Guardian. After investigation, the US State Department accused Loral of passing sensitive material to the Chinese illegally, and the company paid a fine of US $20 million in 2002 to settle the charges without admitting guilt.
The biometric solutions for Pakistan’s NADRA are also being provided by L1 Identity Solutions.