Software for analysing fingerprints used by the FBI and more than 18,000 other US law enforcement agencies contains Russian code. This piece of news should worry Americans as well as Indians, who are being enrolled for Aadhaar.
In a secret deal, the subsidiary of French company Safran Group purchased a code from a Kremlin-connected firm, incorporated it into its own software to boost performance, and hid its existence from the FBI, two former employees of Safran Group told BuzzFeed News.
The revelation should raise red flag in India, as Safran (“Safran Identity & Security) is one of the companies chosen to take part in an unprecedented programme called Aadhaar to count everybody residing in India and then assign each person a unique identification number”. The details are mentioned on the Paris-based company’s website.
Outlook reached out to the UIDAI and Safran Group and Nandan Nilekani for their responseon Thursday. While the UIDAI is expected to respond by the second week of January, 2018, the French company's India office is closed till January 2. We will update the story once we receive their responses.
According to a response to an RTI query in 2015, one of the companies which has been given the contract by the UIDAI on July 30, 2010 for implementation of biometric under the Aadhaar scheme was L-1 Identity Solutions Operating Co Pvt Ltd, headquartered in the US. A month after signing the contract, L1 Identity Solutions was acquired by Safran Group. On February 2, 2011, the UIDAI signed a contract with Sagem Morpho Security Pvt Ltd, which is owned by Safran SA Group, for the purchase of biometric authentication devices.
The allegations raise concerns that Russian hackers could compromise US law enforcement computer systems. One of the whistleblowers, Philippe Desbois, told BuzzFeed News that officials in Safran subsidiary Sagem Sécurité, later renamed Morpho, were worried about the FBI learning the truth of the code's origin, affecting their deal.
The makers of the code, Papillon Systems, regularly works with law enforcement agencies in Russia, including the Federal Security Service (FSB), Russia's modern-day spy agency. US intelligence agencies say the FSB was linked to efforts to interfere in the 2016 presidential election.
In August, The Times of India reported that contracts signed with foreign companies by the Unique Identification Authority of India (UIDAI), custodian of Aadhaar data, show that they got "full access" to classified data, including fingerprints, iris scan information, and personal information like date of birth, address and mobile number of the applicants. They were also allowed to store the data for seven years.
It was revealed through an RTI application filed by Bengaluru-based Col Matthew Thomas, one of the petitioners in the right to privacy case currently being heard in Supreme Court.
The RTI reply, as mentioned by the ToI report, showed that the nature of the contracts contradicted UIDAI's statements that no private entity had access to unencrypted Aadhaar data. The contract with L-1 Identity Solutions Operating says the company was given Aadhaar data access "as part of its job". Morpho and Accenture Services Pvt Ltd are two other firms that were given identical contracts with two-year (2010 to 2012) Aadhaar data access.
“They told me, ‘we will have big problems if the FBI is aware about the origin of the algorithm,’ " Desbois, the Safran subsidiary's former CEO of Russia operations, told BuzzFeed News.
“It was always the intonation like we have done something bad that is a secret between us and that we should not repeat it to anybody,” he added.
Desbois has filed a whistleblower lawsuit against Safran in retaliation, alleging the company fraudulently took more than $1 billion from US law enforcement agencies at every level. Safran did not deny the existence of Russian code in court filings, according to the report, but instead argued that it is not responsible for the actions of a subsidiary.
The FBI declined to answer questions but issued a statement to BuzzFeed.
In August, while hearing a petition against the Aadhaar, a nine-judge bench of the Supreme Court ruled that Indians enjoy a fundamental right to privacy, that it is intrinsic to life and liberty and thus comes under Article 21 of the Indian constitution.
The petitioners had contended that the biometric data and iris scan that was being collected for issuing Aadhaar cards violated the citizen’s fundamental right to privacy as their personal data was not being protected and was vulnerable to exposure and misuse.
This month, the government extended the deadline for mandatory Aadhaar linking from December 31 to March 31, 2018.
This extension will be for 139 services for which the deadline is currently December 31, 2017. The extension, would in all likelihood, include the mandatory linkage of Aadhaar with bank accounts.
(With PTI inputs)