Author: by Shilpa Mariam Anil, Security Television Network
India’s Face recognition technology: Ransomware attacks and privacy.
India is a developing country, with tremendous advancements and growth in the IT sector. In the path of being a superpower nation, Indian industry and the government understood the internet as a key component to the aim. Most companies keep all their data online or on loop at a company platform online. Even the government and the military have a top-secret online platform that guards national sensitive data. With the hit of the second wave of COVID 19 in India and the importance of making the vaccine available to everyone, the government moves in to adapt Face recognition technology (FRT) and keeping the sensitive data of the Indian citizens online. Sectors including the Military, health, education, and other home affairs have already adapted or have run trials of FRT. As per reports, India is ranked as one of those countries most stuck down by ransomware attacks, with an average of 213 attacks per week.
This questions the level of security and privacy the country gives to its citizens. In ransomware cyberattacks, hackers transmit software to mobile phones and other devices, which then infects personal devices and servers, locking users out and preventing them from accessing their files and data. Typically, criminals will demand a ransom in return for regaining access to the data at this stage. “With the government adopting an advanced technology it might be a good leap ahead to the future but right now our lives are at stake. In my point of view, the government is adopting this technology in competition to the Chinese government adopting face recognition for better efficiency and tracking of COVID 19 patients. The Indian government has access to its citizen’s data already with the scam of Aadhar cards, the home affairs maintain data of every citizen online, it’s only a matter of time and technology that Ransomware gangs break into the system and makes the county at stake” said Priya S an IAS aspirant in an interview for The Security Television Network.
In 2009 India came up with the idea of Aadhar cards for identification and direct benefit transfer, under the Unique Identification Authority of India (UIDAI). Aadhaar is a 12-digit unique identity number that residents and passport holders of India can get based on their biometric and demographic data. Following the provisions of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits, and Services) Act, 2016, the data is collected by the Unique Identification Authority of India(UIDAI), a statutory authority established by the government of India, under the jurisdiction of the Ministry of Electronics and Information Technology.
After the ‘WannaCry’ ransomware attack, in 2017 the authorities secured and made the database immune from any kind of malware or any cyber attacks. The data was converted into encrypted form to resolve the threats dark web and ransomware gangs posted. Securing Aadhar data was the first thing the government did as a wake-up call from the WannaCry attack. But the question now is a robust system that was made in 2017 is good enough for the world’s growing technology and the threats the dark web proposes. Samantha Susan an IT professional told The Security Television Network in an interview that, ‘We should not underestimate the ransomware gangs, they can be anyone but what makes them different is they are very smart with the internet and technology, the Indian government thinks they can outsmart them, truth is they cant as the system isn’t getting updated and if at all any changes happen the common people are not informed.’
Aadhar was adapted in India by looking at the Green Card system of the United States. Initially, it was meant for identification for the Permanent residents of India which later changed as the government found it as a method to get sensitive data about citizens without them even knowing. Aadhar card was made mandatory for any kind of property sales, opening a bank account, for admission of a sick person at a hospital, and even at Ration centers. Ration centers are government-owned and operated services where they provide grains and pulses as per need every month. People have to show the Aadhar card along with their Ration card to get their subsidy.
This changed in the past 2 years, with the information and bank details of the citizens in the government database, the subsidy wing came up with technological advancement of scanning the buyer’s fingerprint to ensure they have bought their monthly ration. The fingerprint along with a person’s health and bank account details are saved in the government home affairs and the public is even aware of this side of the story. As FRT becomes a reality the Indian government is planning to set this in action at the subsidy wing, scanning a person’s face instead of their fingerprint. The more data the government holds the more the citizens question the safety of the data they have.
Amongst the six major Ransomware attacks India faced comes the BSNL(Bharat Sanchar Nigam Limited) malware attack. BSNL is a state-owned telecom operation. Initially, it was just a provider of telephone connections, in 2000 it started internet and modem service. In 2017 BSNL was struck with malware shutting almost 60,000 broadbands resulting in the user having no access to the internet. The issue was because the wing had no proper firewall or any kind of protection against cyber attacks. This was the major incident that made the government shift from the services of its telecom system to Reliance JIO services, a privately owned telecom service provider. Soon after the shift Jio too was hit by a cyber breach. A website posted Jio user’s data including email IDs, Aadhar numbers, names, and contact information. Even though the attack was resolved later and the databases secured with strong firewalls against any kind of attacks, India’s face recognition with Jio 5G internet services still propose a threat, making the public question the level of reliability.
In April 2021, the defense ministry of India was proposing to install face recognition biometric authentication in various departments and wings to mark attendance. According to the Internet Freedom Federation(IFF), face recognition biometrics in the department of military affairs is very dangerous as there is no protection of sensitive data like people’s images as there is no strong data protection law that exists in India. The FRT accuracy in India is at the rate of 2% according to the IFF.
With many companies already adapting this biometric system for better efficiency the threat it proposes includes not just ransomware and other malware but the fact that FRT is used in India without standards in places without proper clarity and quality of software. The possibility of misidentification and false conviction is at a very high rate.
In March 2020, the Central government of Indian approved the development of its own automated facial recognition system, which was considered as the world’s largest government-operated facial recognition system with an estimate of at least 2500 users at any given time. The facial biometric was charted as an extraction from CCTV visuals and videos which matches images of individuals whose data- images and identity information are already in the State Home affairs data wing.
Cognizant, Indias largest tech and consultation company confirmed that they were hit by the Maze ransomware attack. The company had a face recognition biometric system that had all the data the company confirmed that there was a disruption in the internal system and with the data of some clients. Maze isn’t like any other ransomware encrypted data. It not only infects and locks all computers in its path, but it also exfiltrates the data to the attackers’ servers, where it is held for ransom. If the ransom is not paid, the attackers will upload the material on the internet. However, the company later announced no leak of their data after the attack.
- Shreyas Bharadwaj, IAS aspirant in an interview with The Security Television Network commented that ‘ India adapting face recognition is a big jump. Like a coin that has two sides, this jump has both advantages and cons. The advantages include the government monitoring the flow of cash inside the county in a way handling the mix of black money, secondly, as education health, and ration sectors adopt these biometrics all data is at one place for future check by the government. Illegal accusations even identity thefts might reduce tremendously if FRT works in India. But the major consequence is that privacy will vanish into thin air. As the FRT allows ones behind the monitor’s map every movement one makes. Coming to ransomware and FRT in India, many companies were hit by malware like a maze, CryptoLocker, and WannaCry which when traced, hackers were from countries like Russia and Japan. This is because of two reasons, Indian data is very easily available to people without a boundary, people in India do not see other country’s content much, like that India should set up a boundary for data accessibility. Secondly, because the safety walls are very light for them to break through. The government jumping into FRT will be a huge mess if proper safety measures aren’t taken as the country is economically down already with multiple lockdowns from the Pandemic.”
Further, he also added that “the possible way India can be free from ransomware when FRT is updated in various sectors is by giving proper education as of what Malware is and ransomware is, secondly by educating kids and adults to reduce the ‘Indian- click on anything online’ attitude.”
Sidharth Iyar an IT professional in the home affairs at the central government of India said that “India can only be 10% safe from ransomware when FRT comes to action, is by taking proper cyber protection and strengthening that data law of the country. One can start by getting the high-end anti-virus software available. We at the central government try majorly to keep these in mind- Never click on risky links, shouldn’t reveal personal information, and don’t open strange email attachments. Never use a USB stick that you aren’t familiar with. Maintain the most recent versions of the apps and operating system. Only download from well-known sources. On public Wi-Fi networks, use VPN services.”
In conclusion, the use of FRT’s in India is rapidly being used in airports, train stations, and restaurants, with plans for a nationwide system to modernize the police force’s information collecting and criminal identification processes. Analysts, on the other hand, believe the advantages are unclear, and that it may compromise people’s privacy or lead to more monitoring due to a lack of protection and transparency about how the technology works, how data is kept, and who has access to it. Indian politicians are working on a personal data protection law. Which might lead to Malware and Ransomware attacks in the future. Ransomware has struck 68 percent of Indian businesses in the last year, according to research. According to “The State of Ransomware 2021,” a global survey conducted by cybersecurity firm Malwarebytes, India is one of the most impacted countries in terms of ransomware assaults. With India moving forward without thoughts on people’s data privacy, the whole country is at risk as one more economic crisis can result in a very bad Indian structure in its journey to a superpower nation. Bharadwaj also stated that “By implementing FRTs in schools, people are jeopardizing the future. As many people are aware, there was a massive breach of altered images of females students on pornographic websites, which later linked back to original photos of them attending college or school online lessons. We should establish a countrywide border and safety net first, and then go forward to the future.”