In the second part of our series on cryptography, we dive into why we are experiencing increasing privacy violations
In early February this year, an ethical hacker called Victor Gevers revealed that he could track the movements of 2.5 million Chinese Xinjiang Muslims in real-time on a site that belonged to a Chinese surveillance company, SenseNet. There’s more: he could also see their personal records such as their names, dates of birth, passport photographs, and employment details. All Gevers had to do was to find a way into the company’s cache – which stores data for faster computation – because its website had no proper security mechanisms in place.
Even Quora, Marriott Hotels, British Airways, T-Mobile, Yahoo and the like have had their security compromised. Back home, we’ve had our very own Aadhaar privacy breach, where users’ data has been stolen multiple times, potentially compromising the personal records of almost 1 billion people, including their names, addresses, photographs, phone numbers and email addresses. The World Economic Forum’s (WEF) 2019 Global Risks Report has ranked this breach the largest data theft in the world.
“Some of these leaks are engineered by humans, who find a loophole and exploit it”
In spite of advances in cryptography – the science of protecting information – why are we seeing increasing security and privacy violations? According to K Gopinath, Professor, Department of Computer Science and Automation (CSA), the factors that make us vulnerable do not always have to do with cryptography. “Some of these leaks are socially engineered by humans, who find a minor loophole and exploit it,” he says.
In the case of Aadhaar, according to him, the Unique Identification Authority of India (UIDAI) employs third parties, some of whom may have tampered with the software that powers Aadhaar’s Enrolment Client Multi Platform (ECMP). Through ECMP, third parties enrol applicants by collecting personal data and recording fingerprint and iris scans, which have time and location coordinates imprinted on them, and feeding them into the ECMP software. This software, in turn, enrols applicants only after making sure that the timestamps and GPS coordinates on the fingerprint and iris images correspond to each other.
The software does this by merging the applicant’s information – photos, timestamps, and GPS coordinates – and binding them. The binding happens through a cryptographic function called a hash, which maps the merged information to a fixed-length string of bits that is, in practice, unique to every applicant. This means that no two different applicants can have their attributes reduced to the same bit string. He explains, “For example, if I hash a book, which maps to say, 384 bits, finding another book which hashes to the same 384 bits is extremely difficult. It is so difficult that it may take thousands of years to be able to do so.” When a third party tries to modify an applicant’s photo, time stamp or location, the cryptographically secure software will hash the modified information, but the resulting value will differ from the original, alerting the UIDAI.
However, a third party with malicious intent can alter the ECMP software to bypass the checks on timestamps and GPS coordinates and create a new fictional identity altogether. By combining the iris and fingerprint images of two different people or by even artificially generating new identities, a stream of “people” with fake identities can be brought into the system. “The system, it seems, accepts any data on the third attempt”, says Gopinath. This defeats the very purpose of Aadhaar – to provide each Indian with a unique identity. Reports claim that the compromised software was being sold for as little as Rs 2,500. However, the UIDAI has refuted them.
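As an added illustration of the enrolment check and hash binding described above (example code written for this article, not UIDAI’s ECMP software; the record layout, the tolerances and the sample values are assumptions):

```python
import hashlib
import json
from datetime import datetime, timedelta

# Constructed sample enrolment record; every value is made up for illustration.
# Each biometric capture carries the timestamp and GPS fix imprinted on it.
SAMPLE_RECORD = {
    "photo": b"constructed-photo-bytes",
    "fingerprint": {"image": b"fp-bytes", "ts": "2019-02-01T10:15:00", "gps": (12.97, 77.59)},
    "iris": {"image": b"iris-bytes", "ts": "2019-02-01T10:15:40", "gps": (12.9702, 77.5901)},
}

def captures_consistent(record, max_seconds=300, max_degrees=0.01):
    """Do the fingerprint and iris captures agree in time and place? (assumed tolerances)"""
    fp, iris = record["fingerprint"], record["iris"]
    dt = abs(datetime.fromisoformat(fp["ts"]) - datetime.fromisoformat(iris["ts"]))
    if dt > timedelta(seconds=max_seconds):
        return False
    return all(abs(a - b) <= max_degrees for a, b in zip(fp["gps"], iris["gps"]))

def bind_record(record):
    """Merge photo, biometric images, timestamps and coordinates into one canonical
    byte string and hash it with SHA-384 (the 384-bit digest quoted above)."""
    canonical = json.dumps(
        {
            "photo": record["photo"].hex(),
            "fingerprint": {**record["fingerprint"], "image": record["fingerprint"]["image"].hex()},
            "iris": {**record["iris"], "image": record["iris"]["image"].hex()},
        },
        sort_keys=True,
        separators=(",", ":"),
    ).encode()
    return hashlib.sha384(canonical).hexdigest()

def enrol(record):
    """Client-side gate: refuse inconsistent captures, otherwise return the binding digest.
    A client in a third party's hands can be altered to skip this gate, so the same
    consistency check has to be repeated wherever the bound record is received."""
    if not captures_consistent(record):
        return None
    return bind_record(record)
```

Any later change to a bound attribute yields a different digest, which is the property the text relies on; the gate itself only holds if it is re-run outside the third party’s client.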
Some critics argue that people will find a way of gaming the system. “All it takes is to know where to find a loophole,” Gopinath says, “and then somebody can install software that overlooks, for example, the mismatching time and location, providing fodder for cut-and-paste attacks.”
To install fake software, hackers meddle with a certificate that attests to the authenticity of the software. Certificates build a chain of trust and are ubiquitous: in the address bar of websites such as those of banks or e-commerce sites (“https” in the URL, as opposed to “http”, indicates that the website has a security certificate), and in system updates on mobiles and laptops. Certificates assure the user that the information exchanged with the website, including passwords, is safe, while also ensuring that software updates from WhatsApp or Gmail or on mobiles and laptops are coming from authentic sources. Similarly, the ECMP also has a UIDAI certificate that confirms its authenticity. By making changes to the chain of trust in the certificate, hackers can pass off non-authentic software as authentic.
The situation may seem grim when breaches happen despite the security that cryptography provides. Gopinath thinks that the UIDAI should have made their software more secure by designing the whole ecosystem more carefully in the first place, by closely monitoring the third parties or service providers who use their software and checking the integrity across the system. Additionally, he says, they should have rolled out a stronger software system that could have prevented service providers from meddling with it. “Take Gmail’s software, for example,” he says, “they say that Gmail cannot be tampered with; it is probably true because of the software they use.”
The reason for privacy breaches with Aadhaar, according to Gopinath, is that every user has a Unique Identity Number (UID) that is shared with all the service providers such as banks, telecom operators, hospitals, and the like.
However, this isn’t UIDAI’s only hurdle. According to several news reports, it has had several data breaches in the recent past, where users’ personal records were not just stolen but also sold for as little as Rs 500. Gopinath thinks that the UIDAI didn’t think through privacy concerns as thoroughly as it should have. The reason for privacy breaches with Aadhaar, according to him, is that a user’s Unique Identity Number (UID) is shared with all the service providers such as banks, telecom operators, hospitals, and the like. There’s another privacy concern: when all information about an individual and their transactions is linked, the government or any powerful organisation can surveil its citizens, as China has been accused of doing.
Facing heat from critics, UIDAI has recently rolled out a new safety feature – the Virtual Identity Number (VID) – through which users can generate a unique 16-digit number each time they deal with a service provider, similar to the unique OTP that is generated for each online financial transaction we make. So a user can share one VID – generated on the UIDAI website – with a bank and another with a hospital.
Though this ensures greater privacy, the onus is on the user to manage and remember each VID. It is akin to remembering passwords, says Gopinath: “If I deal with 27 service providers, I will have to identify the VID submitted to my bank from the 27 different VIDs I have created. I could write them all on a piece of paper or save them on my smartphone. But if I lose the paper or my phone, I lose everything.”
To deal with this problem, Gopinath and his team came up with a security and privacy model, published in 2017, which, while providing an equivalent to VIDs, also addresses the issue of “VID” management. Here, the numbers are automatically generated and require no management from users. There are three players involved in this algorithm: credential producers, who generate and manage “VIDs”; credential consumers or service providers, such as banks and telecom operators; and users. This method keeps service providers in the dark about users’ whereabouts. “A user has a single credential. It could be a PIN or a password. The credential producer, depending on which service provider you’re talking to, will produce a new ID for you, automatically,” he says.
Another highlight of Gopinath’s model is that it can protect users from governmental surveillance. Users are allowed to approach multiple producers to generate and manage their VIDs. If the establishment manages to control a producer, users can still rely on the others. However, the model has a threshold – it can only guarantee users’ protection until this threshold of producers is breached.
Gopinath was also keen that the model should not shield people who engage in income tax fraud or terrorism. “For example, if someone is interacting with a vendor to buy tonnes of urea, the government should be able to know whether the purchase was for industrial needs or to make bombs.” Therefore his team built in a feature, called a back door, that allows the government to access user data: if there is a legitimate security concern, the government can obtain a judicial warrant and track users who are under the scanner.
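To make the three roles and the threshold concrete, here is a simplified construction written for this article (it is not the 2017 scheme itself; the key derivation, the field size and the use of Shamir sharing are assumptions): one credential deterministically yields a different pseudonym for every service provider, so there is nothing for the user to remember, and the linking secret is split across producers so that only a threshold of them, for example under a warrant, can put the pseudonyms back together.

```python
import hashlib
import hmac
import secrets

# Illustrative construction (an assumption, not the published scheme): the user's
# single credential is stretched into a linking secret; each service provider only
# ever sees an HMAC-derived pseudonym of it, and no single producer holds the secret.
P = 2**127 - 1  # prime field for Shamir secret sharing (assumed parameter)

def linking_secret(credential: str) -> int:
    """Derive the user's linking secret from one PIN/password (toy KDF for illustration)."""
    return int.from_bytes(hashlib.sha256(credential.encode()).digest(), "big") % P

def provider_id(secret: int, provider: str) -> str:
    """The 'VID' handed to one service provider: deterministic per provider,
    different across providers, and unlinkable without the secret."""
    key = secret.to_bytes(16, "big")
    return hmac.new(key, provider.encode(), hashlib.sha256).hexdigest()[:16]

def split_secret(secret: int, n: int, t: int):
    """Shamir split across n credential producers; any t shares reconstruct the
    secret, fewer than t reveal nothing about it (the model's threshold)."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(t - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of the polynomial at x
            y = (y * x + c) % P
        shares.append((x, y))
    return shares

def recover_secret(shares):
    """Lagrange interpolation at x = 0; what t cooperating producers would run
    after a judicial warrant to re-derive and link a user's pseudonyms."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * -xj) % P
                den = (den * (xi - xj)) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total
```

A bank and a hospital holding `provider_id` values for the same user cannot match them, while a producer compromised on its own holds only one share and gains nothing.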
Two breaches that rocked Yahoo email took the world by storm, affecting 3 billion users in 2013, and 500 million users in 2014. Towards the end of 2018, Yahoo was asked to pay a compensation of $50 million for the damage the incidents caused to 200 million people. Gopinath ascribes these breaches to human factors. He explains, “When a person sends an email, it passes through several servers before reaching the recipient. So when the email jumps from one server to another, the recipient’s email address, headers and attachments are unlocked. This also means somebody who has access to servers can view your information.”
Cryptography doesn’t solve everything because it all boils down to keys and we still don’t know how to manage it
There is another area of concern for cryptographers. As the world moves towards cloud computing, a platform which stores and processes massive user data, it too has become the target of attacks by hackers. Here, users’ data are managed on a server maintained by service providers such as Google or Amazon. Cloud service providers use several advanced cryptography tools to secure users’ data and yet, the data are vulnerable to theft. As with Aadhaar, hackers meddle with security certificates and leak sensitive information. They could also look for residual information that computers leave behind every time the device is used, called side channels. “If a hacker follows the side channels of a user’s computation, they [hackers] can figure out everything about the user. It is difficult, requires technical expertise, but it can be done,” Gopinath says.
Leaks also happen when a user unwittingly shares information such as the date of birth or mother’s name on social media sites. With this information, hackers can gain access to people’s bank accounts or buy a duplicate SIM under the user’s name.
It also doesn’t help that many software companies gather large amounts of data about large numbers of people, whose behaviour they study and analyse. The data they gather is often used for targeted advertisements or even sold to a third party, who in turn use it to target the user. “Sites such as Facebook or Google have little motivation to protect users’ privacy. They make money by selling users’ data to advertisers,” explains Sanjit Chatterjee, Associate Professor at CSA, who works on developing stronger cryptosystems. For instance, Facebook has been accused of sharing data of its 87 million users with Cambridge Analytica Pvt Ltd, a political consultancy firm. The firm is said to have used the data to sway the 2016 presidential elections in the United States.
The arms race between hackers and cryptographers is illustrated by the rise and fall of DVDs, whose copy protection was buttressed by cryptography. Besides storing data, they were designed to check piracy. Because the content on DVDs is stored in bits, people could duplicate them, and yet the copies wouldn’t play. This is because DVDs had a software system that latched on to location details, preventing a disc from being used in places other than its intended location, Gopinath explains. And the device came with a key which could be unlocked only by an authorised user. But it didn’t take long for some people to create another software system that turned a blind eye to location codes. Crackers also gradually figured out a way to get hold of the key stored within the device, which eventually stripped DVDs of their security.
While things seem loaded against the user, cryptographers are constantly developing new tools to better protect the interests of the consumer. Chatterjee highlights the example of TOR, which allows the user to browse anonymously. When a user requests to open a website, say an e-commerce site, TOR locks the IP address and the location of the user. Instead of sending the request directly to the e-commerce site, the locked information passes through a series of nodes or checkpoints, before finally reaching the e-commerce website. The browser has no means of tracking user information. Though secure, one major downside to using TOR is its speed, or lack thereof.
But cryptography doesn’t solve everything because it all boils down to keys and we still don’t know how to manage it, says Gopinath. He recalls a famous quote by a computer scientist, Peter G Neumann, who said, “If you think cryptography is the answer to your problem, then you don’t know what your problem is.”