Tag Archives: Security
Google is advising anyone who uses the Chrome browser to make sure their browsers have the latest update, which patches a “high” risk security flaw that hackers are already exploiting on unsuspecting victims.
It’s common practice when bugs are disclosed to not immediately share details of how they work until a majority of users have a security patch. The practice allows companies like Google to notify users, and roll out updates, without tipping off any potential bad actors.
While little is known about how the threat, called CVE-2019-5786, works, Justin Schuh, Google’s Chrome engineering and security desktop lead, tweeted on Tuesday that everyone should update their Chrome browser “right this minute” on every device.
Google Chrome updates are usually automatic; however, they don’t always roll out to everyone, all at once. If you’d like to trigger a manual update, you can click the three dots in the upper-right corner of the window, select “Help” and “About Chrome.” This will tell users whether their browser is updated or if they need to restart their device to trigger the updated, patched version of the browser.
(Reuters) – Microsoft Corp on Wednesday said it will offer its cyber security service AccountGuard to 12 new markets in Europe including Germany, France and Spain, to close security gaps and protect customers in the political space from hacking.
Microsoft had recently detected attacks, which occurred between September and December 2018, targeting employees of the German Council on Foreign Relations and European offices of The Aspen Institute and The German Marshall Fund, the company said in a blog post.
The attacks, which targeted 104 employee accounts in Belgium, France, Germany, Poland, Romania, and Serbia, are believed to have originated from a group called Strontium, the company added.
The AccountGuard service will also be available in Sweden, Denmark, Netherlands, Finland, Estonia, Latvia, Lithuania, Portugal and Slovakia.
Ahead of a critical European Parliament election in May, German officials are trying to bolster cyber security after a far-reaching data breach by a 20-year-old student laid bare the vulnerability of Europe’s largest economy.
Reporting by Shubham Kalia in Bengaluru, Editing by Sherry Jacob-Phillips
Amazon is finally offering a simple way for its cloud services customers to lock down data stored at its Simple Storage Service (S3) with one fell swoop. This change should help companies in the Fortune 500 and mom-and-pops down the street avoid embarrassing breaches of data.
Customers of Amazon Web Services (AWS) routinely leave private files available for public consumption. That’s led to routine, sometimes costly situations for companies that find hackers or security researchers have retrieved customer information, databases containing user passwords, or even proprietary company secrets.
That includes the global consulting and management firm Accenture, which in October 2017 left four of its S3 storage areas, known as “buckets,” open to public examination and download. Over 137 gigabytes of data could have been retrieved, including 40,000 unencrypted passwords. Accenture’s cloud platform, hosted on Amazon’s services, includes 92 of the Fortune Global 100 and three-quarters of the Fortune Global 500. A security researcher discovered the public data and informed Accenture.
In August 2018, a researcher discovered that Spyfone, a company that sells surveillance software it markets for parents, left an Amazon S3 bucket publicly available, exposing intimate and personal data extracted from thousands of people its customers were monitoring, according to Motherboard. This included several terabytes of camera photos.
Last November, Amazon released a change that gave system administrators better notification about any storage buckets set to public access, using an orange label in its file-browsing dashboard.
The change released on Nov. 16, however, allows top-down control for an entire storage area, including disabling overrides for individual folders or files within it. This will prevent companies from leaving data open for global snooping—if they’re attentive enough to know about the new feature and enable it.
The number of security breaches due to customer settings at Amazon S3 has been so high that articles at tech sites devote themselves to listing them all.
Notable breaches include Uber, which exposed personal data of about 57 million customers in October 2016, and didn’t disclose the matter until November 2017, after it had hired a new CEO; Deep Root Analytics, which exposed personal data on 198 million American voters; and the WWE wrestling entertainment firm, which exposed personal details of 3 million of its fans.
WASHINGTON (Reuters) – U.S. President Donald Trump said on Wednesday he will use a strengthened national security review process to thwart Chinese acquisitions of sensitive American technologies, a softer approach than imposing China-specific investment restrictions.
The Treasury Department has recommended that Trump use the Committee on Foreign Investment in the United States (CFIUS), whose authority would be enhanced by new legislation in Congress, to control investment deals. The legislation expands the scope of transactions reviewed by the interagency panel to address security concerns, Trump said.
The decision marks a victory for Treasury Secretary Steven Mnuchin in a fierce White House debate over the scope of such curbs.
Mnuchin had favored a more measured and global approach to protecting U.S. technology, using authority approved by Congress, while White House trade adviser Peter Navarro, the administration’s harshest China critic, had argued for China-specific restrictions.
“We are not, on a wholesale basis, discriminating against China as part of a negotiation,” Mnuchin said on CNBC on Wednesday.
The investment restrictions are part of the administration’s efforts to pressure Beijing into making major changes to its trade, technology transfer and industrial subsidy policies after U.S. complaints that China has unfairly acquired American intellectual property through joint venture requirements, unfair licensing and strategic acquisitions of U.S. tech firms.
“I have concluded that such (CFIUS) legislation will provide additional tools to combat the predatory investment practices that threaten our critical technology leadership, national security, and future economic prosperity,” Trump said in a statement that did not specifically name China.
U.S. stocks rose after Trump announced the new approach to U.S. investment restrictions but reversed gains in afternoon trading.
Senior administration officials told reporters on a conference call that sticking with CFIUS, a process companies are familiar with, would ensure strong inward investment into the United States while protecting the “crown jewels” of U.S. intellectual property.
Trump said in his statement that upon final passage of the legislation, known as the Foreign Investment Risk Review Modernization Act, he will direct his administration “to implement it promptly and enforce it rigorously, with a view toward addressing the concerns regarding state-directed investment in critical technologies.”
If Congress fails to pass the legislation quickly, Trump said, he would direct the administration to implement new restrictions under executive authority that could be applied globally.
The decision to stick with CFIUS was a pragmatic move because the new CFIUS legislation “will put a crimp in China’s efforts to move up the value chain in high tech,” said Scott Kennedy, head of China studies at the Center for Strategic and International Studies in Washington.
But it will likely do little to stop the activation of U.S. tariffs on $34 billion worth of Chinese goods, scheduled for July 6, or jump-start trade negotiations between the two economic superpowers, Kennedy said.
And the mixed messages from the administration do not help Trump’s negotiating position, he said.
“It shows the Chinese that the Trump administration is still undependable and can be moved back from the most hardline positions,” Kennedy added.
Mnuchin on CNBC downplayed the dissent within the administration, saying that Trump wants to hear differing views on important issues, but the administration’s economic team typically comes together on major recommendations such as the investment restrictions.
Mnuchin said the new CFIUS legislation, passed 400-2 in the House of Representatives on Tuesday, would broaden the types of transactions that could be reviewed by the panel on national security grounds, including minority stakes, joint ventures and property purchases near U.S. military bases.
“This isn’t a question about being weak or strong, this is about protecting technology. We have the right tools under this legislation to protect technology,” Mnuchin said.
COMMERCE EXPORT CURBS
Trump also said that he has directed Commerce Secretary Wilbur Ross to examine U.S. export controls and recommend modifications that may be needed “to defend our national security and technological leadership.”
A Commerce Department spokesman could not be immediately reached for comment on the study.
The CFIUS legislation is headed for negotiations between U.S. House and Senate lawmakers in the coming weeks to craft a final version, with guidance from the Treasury.
A sticking point that could emerge is language in the Senate version that would reinstate the ban on Chinese telecom equipment maker ZTE Corp (000063.SZ) from purchasing U.S. components for a year. The Commerce Department ban had effectively shut the Shenzhen-based company down, angering Beijing.
The House version has less stringent language prohibiting the U.S. Department of Defense from purchasing any ZTE communications gear.
Reporting by David Lawder; Editing by Jeffrey Benkoe and Steve Orlofsky
There are more Wi-Fi devices in active use around the world—roughly 9 billion—than there are human beings. That ubiquity makes protecting Wi-Fi from hackers one of the most important tasks in cybersecurity. Which is why the arrival of next-generation wireless security protocol WPA3 deserves your attention: Not only is it going to keep Wi-Fi connections safer, but also it will help save you from your own security shortcomings.
It’ll take time before you can enjoy the full benefits of WPA3; the Wi-Fi Alliance, a trade group that oversees the standard, is releasing full details today but doesn’t expect broad implementation until late 2019 at the earliest. In the course that WPA3 charts for Wi-Fi, though, security experts see critical, long-overdue improvements to a technology you use more than almost any other.
“If you ask virtually any security person, they’ll say don’t use Wi-Fi, or if you do, immediately throw a VPN connection on top of it,” says Bob Rudis, chief data officer at security firm Rapid7. “Now, Wi-Fi becomes something where we can say hey, if the place you’re going to uses WPA3 and your device uses WPA3, you can pretty much use Wi-Fi in that location.”
Start with how WPA3 will protect you at home. Specifically, it’ll mitigate the damage that might stem from your lazy passwords.
A fundamental weakness of WPA2, the current wireless security protocol that dates back to 2004, is that it lets hackers deploy a so-called offline dictionary attack to guess your password. An attacker can take as many shots as they want at guessing your credentials without being on the same network, cycling through the entire dictionary—and beyond—in relatively short order.
“Let’s say that I’m trying to communicate with somebody, and you want to be able to eavesdrop on what we’re saying. In an offline attack, you can either passively stand there and capture an exchange, or maybe interact with me once. And then you can leave, you can go somewhere else, you can spin up a bunch of cloud computing services and you can try a brute-force dictionary attack without ever interacting with me again, until you figure out my password,” says Kevin Robinson, a Wi-Fi Alliance executive.
This kind of attack does have limitations. “If you pick a password that’s 16 characters or 30 characters in length, there’s just no way, we’re just not going to crack it,” says Joshua Wright, a senior technical analyst with information security company Counter Hack. Chances are, though, you didn’t pick that kind of password. “The problem is really consumers who don’t know better, where their home password is their first initial and the name of their favorite car.”
If that sounds familiar, please change your password immediately. In the meantime, WPA3 will protect against dictionary attacks by implementing a new key exchange protocol. WPA2 used an imperfect four-way handshake between clients and access points to enable encrypted connections; it’s what was behind the notorious KRACK vulnerability that impacted basically every connected device. WPA3 will ditch that in favor of the more secure—and widely vetted—Simultaneous Authentication of Equals handshake.
There are plenty of technical differences, but the upshot for you is twofold. First, those dictionary attacks? They’re essentially done. “In this new scenario, every single time that you want to take a guess at the password, to try to get into the conversation, you have to interact with me,” says Robinson. “You get one guess each time.” Which means that even if you use your pet’s name as your Wi-Fi password, hackers will be much less likely to take the time to crack it.
The other benefit comes in the event that your password gets compromised nonetheless. With this new handshake, WPA3 supports forward secrecy, meaning that any traffic that came across your transom before an outsider gained access will remain encrypted. With WPA2, they can decrypt old traffic as well.
When WPA2 came along in 2004, the Internet of Things had not yet become anything close to the all-consuming security horror that is its present-day hallmark. No wonder, then, that WPA2 offered no streamlined way to safely onboard these devices to an existing Wi-Fi network. And in fact, the predominant method by which that process happens today—Wi-Fi Protected Setup—has had known vulnerabilities since 2011. WPA3 provides a fix.
Wi-Fi Easy Connect, as the Wi-Fi Alliance calls it, makes it easier to get wireless devices that have no (or limited) screen or input mechanism onto your network. When enabled, you’ll simply use your smartphone to scan a QR code on your router, then scan a QR code on your printer or speaker or other IoT device, and you’re set—they’re securely connected. With the QR code method, you’re using public key-based encryption to onboard devices that currently largely lack a simple, secure method to do so.
“Right now it’s really hard to deploy IoT things fairly securely. The reality is they have no screen, they have no display,” says Rudis. Wi-Fi Easy Connect obviates that issue. “With WPA3, it’s automatically connecting to a secure, closed network. And it’s going to have the ability to lock in those credentials so that it’s a lot easier to get a lot more IoT devices rolled out in a secure manner.”
Here again, Wi-Fi Easy Connect’s neatest trick is in its ease of use. It’s not just safe; it’s impossible to screw up.
That trend plays out also with Wi-Fi Enhanced Open, which the Wi-Fi Alliance detailed a few weeks before. You’ve probably heard that you should avoid doing any sensitive browsing or data entry on public Wi-Fi networks. That’s because with WPA2, anyone on the same public network as you can observe your activity, and target you with intrusions like man-in-the-middle attacks or traffic sniffing. On WPA3? Not so much. When you log onto a coffee shop’s WPA3 Wi-Fi with a WPA3 device, your connection will automatically be encrypted without the need for additional credentials. It does so using an established standard called Opportunistic Wireless Encryption.
“By default, WPA3 is going to be fully encrypted from the minute that you begin to do anything with regards to getting on the wireless network,” according to Rudis. “That’s fundamentally huge.”
As with the password protections, WPA3’s expanded encryption for public networks also keeps Wi-Fi users safe from a vulnerability they may not realize exists in the first place. In fact, if anything it might make Wi-Fi users feel too secure.
“The heart is in the right place, but it doesn’t stop the attack,” says Wright. “It’s a partial solution. My concern is that consumers think they have this automatic encryption mechanism because of WPA3, but it’s not guaranteed. An attacker can impersonate the access point, and then turn that feature off.”
Even with the added technical details, talking about WPA3 still feels almost premature. While major manufacturers like Qualcomm already have committed to its implementation as early as this summer, to take full advantage of WPA3’s many upgrades, the entire ecosystem needs to embrace it.
That’ll happen in time, just as it did with WPA2. And the Wi-Fi Alliance’s Robinson says that backward interoperability with WPA2 will ensure that some added security benefits will be available as soon as the devices themselves are. “Even at the very beginning, when a user has a mix of device capabilities, if they get a network with WPA3 in it, they can immediately turn on a transitional mode. Any of their WPA3-capable devices will get the benefits of WPA3, and the legacy WPA2 devices can continue to connect,” Robinson says.
Lurking inside that assurance, though, is the reality that WPA3 will come at a literal cost. “The gotcha is that everyone’s got to buy a new everything,” says Rudis. “But at least it’s setting the framework for a much more secure setup than what we’ve got now.”
Just as importantly, that framework mostly relies on solutions that security researchers already have had a chance to poke and prod for holes. That hasn’t always been the case.
“Five years ago the Wi-Fi Alliance was creating its own protocols in secrecy, not disclosing the details, and then it turns out some of them have problems,” says Wright. “Now, they’re more adopting known and tested and vetted protocols that we have a lot more confidence in, and they’re not trying to hide the details of the system.”
Which makes sense. When you’re securing one of the most widely used technologies on Earth, you don’t want to leave anything to chance.
It found that 47 percent of small businesses reported that they had one attack in 2017, and 44 percent said they had two to four attacks.
The invasions included ransomware, which makes a computer’s files unusable unless the device’s user or owner pays a ransom, and phishing, in which emails that look legitimate are used to steal information. The invasions also include what are called drive-by attacks, which infect websites and in turn the computers that visit them.
Despite the prevalence of the data invasions, only about half of small businesses said they had a clear cybersecurity strategy, the report found. And nearly two-thirds said they didn’t bolster their security after an attack.
Hiscox estimates that seven out of 10 businesses aren’t prepared to handle cyber attacks, although they can cost a company thousands of dollars or more and ransomware can shut down operations. Cybersecurity tends to get pushed to the back burner while owners are busy developing products and services and working with clients and employees. Or owners may see it as an expense they can’t afford right now.
Some basic cybersecurity advice:
–Back up all of a company’s data securely. This means paying for a service that keeps a duplicate of all files on an ongoing basis. The best backups keep creating versions of a company’s files that can be accessed in the event of ransomware — eliminating the need to pay data thieves. Some backups cost just a few hundred dollars a year.
–Install software that searches for and immobilizes viruses, malware and other harmful programs. Also install firewalls and data encryption programs.
–Make sure you have all the updates and patches for your operating systems for all your devices. They often include security programs.
–If you have a website, learn how to protect it from hackers, using software including firewalls. But you might be better off hiring a service that will monitor your site with sophisticated tools that detect and disable intruders.
–Tell your staffers, and keep reminding them, about the dangers of clicking on links or attachments in emails unless they’re completely sure the emails are from a legitimate source. Educate your employees about phishing attacks and the tricks they use. Phishers are becoming increasingly sophisticated and are creating emails that look like they really could have come from your bank or a company you do business with.
–Hire an information technology consultant who will regularly look at your systems to be sure you have the tools you need to keep your data safe.
–The Associated Press
Taking a look back at another week of news from Cupertino, this week’s Apple Loop includes the latest renders of the new iPhone X for 2018, the hardware that wasn’t announced at WWDC, why iOS 12 stands for stability, the renewed focus on iPhone security, the disappointment of no new MacBooks at WWDC, and all the spoof products announced on the internet.
Apple Loop is here to remind you of a few of the very many discussions that have happened around Apple over the last seven days (and you can read my weekly digest of Android news here on Forbes).
First Renders Of The New iPhone X
As part of Apple’s push to expand the iPhone line-up (and increase sales of the iPhone family after years of declining share), the geekerati are expecting a budget version of the iPhone X (not to be confused with an update of the iPhone SE). What will it look like? Forbes’ Gordon Kelly reveals new renders of the budget iPhone X:
What Hemmerstoffer’s images and video (embedded below) show, is a 6.1-inch design which blends the chassis of the iPhone 8 and a single rear camera with the fascia of the iPhone X, complete with Face ID facial recognition module and the distinctive notch. On the flipside, this means no Touch ID fingerprint sensor.
…Hemmerstoffer notes this currently unnamed budget iPhone X (my naming bet is simply ‘iPhone’), will also pack wireless charging, stereo speakers and a new A12 chipset. So this is basically a single-camera iPhone X for over $200 less.
What Wasn’t Announced At WWDC
Lots of news to come out of this week’s Worldwide Developer Conference from Apple, but before we get to what did appear, it’s important to realise what was not on show. Apple refused the opportunity to show off any new hardware. No iPads, no Macs, no MacBooks, no peripherals, and perhaps most importantly, no mid-range iPhones to replace the iPhone SE. And WWDC was the best time to announce this upcoming smartphone, as I discussed earlier this week:
Assuming Taniyama-Shimura, there are enough signs in the supply chain that an update to the iPhone SE is coming. So the question becomes not of ‘will it arrive’ but ‘when will it arrive.’
…its non-appearance at WWDC tells us a lot about the handset. iPhone sales this year need a boost. The iPhone X has not delivered the super-cycle it promised and sales are flat to slightly down year-on-year. Market share is approaching single figures, and relying on high-end handsets with high margins may be delivering financial success… but it doesn’t provide for growth or entry into new markets. The iPhone SE 2 can help balance the equation of revenue and market share by offering a low-priced gateway into Apple’s world of smartphones.
Twelve Stands For Stability
Almost all of the focus at WWDC was on software, and the vast majority of that focus was on iOS. There have not been any major changes or additions; Apple has focused on the stability of the code to rebuild the bulletproof perception of the iPhone’s operating system. Zach Epstein is glad the new release is just ‘meh’:
It’s no secret that iOS 11 has been a complete mess for Apple. It’s not the travesty that whiny anti-Apple bloggers would have you believe, of course, but there’s no question that Apple made some big mistakes in iOS 11. It has had more security holes, annoying bugs, and performance issues than any version of iOS from recent history, and many of those problems still exist in iOS 11.3 and iOS 11.4 now, more than 8 months after the software’s initial release.
We learned many months ago that performance and overall user experience were going to be Apple’s main points of focus in iOS 12. In fact, insider reports stated that Apple decided to delay the addition of several big new features in iOS 12 and push them back to subsequent releases, or maybe even until next year’s iOS 13 update. This way, Apple’s various iOS engineering teams could focus on improving performance in iOS and on refining the user experience, rather than on integrating complex new features.
Frank Abagnale, the once-notorious confidence trickster portrayed by Leonardo DiCaprio in the film Catch Me If You Can, said blockchain is the future of secure information processing and data settlement.
A video has surfaced from Abagnale’s speech at a blockchain conference in April in which he shares his thoughts on the burgeoning technology.
“I think you have to be pretty ignorant not to realize that blockchain is the way of the future,” he said at the Blockchain Nation Miami conference. “It is the best way to secure information, to secure it 100%.”
For more than 40 years, Abagnale has worked with and advised hundreds of financial institutions, corporations, and government agencies. In his opinion, these institutions will begin embracing the technology. Blockchain is often defined as “an open, distributed ledger that can record transactions between two parties efficiently and in a verifiable and permanent way.” Communication occurs between peers instead of through a central authority, and every transaction is visible to anyone with access to the system.
“I think you’ll see banks—especially accounting practices and accounting firms—all move to blockchain,” he said about keeping records on the decentralized network technology. “You cannot break the blockchain. You cannot hack into the blockchain. You can’t change anything on the blockchain.”
He outlines some privacy issues that need to be worked out when using the technology, but Abagnale said it is a technology that will “eventually be adopted by all types of governments, businesses, and corporations.”
Abagnale is alluding to a trend that is already in motion.
HSBC recently said it performed the world’s first trade finance transaction using blockchain technology. Santander last month launched a foreign exchange service that uses the distributed ledger tech to make same-day international money transfers. J.P. Morgan recently applied for a patent to facilitate payments between banks using the blockchain.
WASHINGTON (Reuters) – The U.S. Department of Homeland Security on Tuesday unveiled a new national strategy for addressing the growing number of cyber security risks as it works to assess them and reduce vulnerabilities.
“The cyber threat landscape is shifting in real-time, and we have reached a historic turning point,” DHS chief Kirstjen Nielsen said in a statement. “It is clear that our cyber adversaries can now threaten the very fabric of our republic itself.”
The announcement comes amid concerns about the security of the 2018 U.S. midterm congressional elections and numerous high-profile hackings of U.S. companies.
“The United States faces threats from a growing set of sophisticated malicious actors who seek to exploit cyberspace. Motivations include espionage, political and ideological interests, and financial gain,” according to the 35-page report reviewed by Reuters before its public release. “Nation-states continue to present a considerable cyber threat. But non-state actors are emerging with capabilities that match those of sophisticated nation-states.”
The report noted that by 2020 more than 20 billion devices are expected to be connected to the internet. “The risks introduced by the growing number and variety of such devices are substantial,” it said.
Nielsen said the government “must think beyond the defense of specific assets — and confront systemic risks that affect everyone from tech giants to homeowners.”
The report also noted the 2015 intrusion into a federal agency resulted in the compromise of personnel records of over 4 million federal employees and in total impacted nearly 22 million people.
The DHS report said the agency “must better align our existing law enforcement efforts and resources to address new and emerging challenges in cyberspace, to include the growing use of end-to-end encryption, anonymous networks, online marketplaces, and cryptocurrencies.”
Nielsen will testify Tuesday at a Senate hearing.
In March, Nielsen said the department was prioritizing election cyber security above all other critical infrastructure it protects, such as the financial, energy and communications systems.
U.S. intelligence officials have repeatedly warned that Russia will attempt to meddle in the 2018 contests after doing so during the 2016 presidential campaign.
Nielsen said that more than half of U.S. states have signed up for the agency’s cyber scanning services, designed to detect potential weaknesses that could be targeted by hackers.
DHS said in 2016 that 21 states had experienced initial probing of their systems from Russian hackers in 2016 and that a small number of networks were compromised, but that there was no evidence any votes were actually altered.
Reporting by David Shepardson; Editing by Dan Grebler
NEW DELHI (Reuters) – Tech news site ZDNet said on Sunday it stood by its report that identified a security vulnerability in data linked to Aadhaar, India’s national identity card project, after a semi-government agency that manages the database sought to discredit the report.
ZDNet reported that a data leak on a system run by a state-owned utility company could allow access to private information of holders of the biometric “Aadhaar” ID cards, exposing their names, their unique 12-digit identity numbers, and their bank details.
The Unique Identification Authority of India (UIDAI), which manages the Aadhaar program, said “there is no truth in this story,” in a statement late on Saturday.
ZDNet’s global editor-in-chief Larry Dignan said in an email to Reuters on Sunday the publication stood by its report. Dignan said they spent weeks compiling evidence and verifying facts.
“We spent weeks reaching out to the Indian authorities, specifically UIDAI, to responsibly disclose the security issue, and we heard nothing back — and no action was taken until after we published our story,” said Dignan.
UIDAI sought to downplay the report stating that even if the claims in the story were true, it would raise security concerns with the database of the utility company and not with the security of UIDAI’s Aadhaar database. UIDAI said it is “contemplating legal action against ZDNet”.
Multiple researchers and journalists, who have identified loopholes in India’s massive national identity card project, say they have been harassed by some government agencies and slapped with criminal cases because of their work.
Aadhaar is a biometric identification card that is becoming integral to the digitisation of India’s economy; with over 1.1 billion users, it is the world’s largest such database.
Indians have been asked to furnish their Aadhaar numbers for a host of transactions including accessing bank accounts, paying taxes, receiving subsidies, acquiring a mobile number, settling a property deal and registering a marriage.
The government’s demands for Aadhaar linkage for multiple services are currently being challenged in India’s Supreme Court.
At the same time, security researchers and journalists have highlighted multiple vulnerabilities and data leaks tied to the program. UIDAI has sought to downplay the reports and last week it said the biometric data was safe from hacking as the storage facility was not connected to the internet.
Reporting by Malini Menon; Writing by Malini Menon and Krishna N. Das; Editing by Andrew Bolton, Euan Rocha and David Evans