DIGILOCKER: LAWS & FLAWS- Is the Government of India initiative safe & verifiable?

August 15, 2022 Anshika Dhawan cyber 1

We all know how important it is to have identity proofs handy, especially while travelling. However, carrying them physically creates a fuss and potential risk of losing such crucial original documents. Even if we tend to keep a scanned version of the document, they are not verifiable and do not replace the original ones.

To solve this problem, in 2015, Government of India launched a platform that allows citizens to fetch and store all important documents upon registration & verification to the software. The platform provides dedicated cloud-based storage that is linked to a user’s Aadhar number.

What is DigiLocker?

DigiLocker or Digital Document Wallet is a Government of India initiative under Ministry of Electronic & IT (MeitY). It allows citizens to store government-approved electronic copy of their documents. DigiLocker can be accessed via web through its official website, or via Mobile Application available for both android & iOS users.

It aims at ‘Digital Empowerment’ of the citizen by providing access to authentic digital documents to the citizen’s digital document wallet.
[1]

The user can store their documents using three simple steps: Register, Verify, and Fetch.[2]

[3]

Are the DigiLocker documents Verifiable?

The only reason people are willing to download or visit the app is to have all their important documents in one place. Having all the documents does however is not sufficient, their acceptability and verifiability are far more important. So, the first question that clicks in our head is, are the DigiLocker documents verifiable? or do we need anything else to get them approved?

According to recent reports, the Delhi University employed DigiLocker to digitally check 1.1 lakh documents during the 2020-21 admissions. In addition, the “Passport Seva Programme” was also introduced by the Ministry of External Affairs, allowing Indian nationals seeking passports to submit their passport verification documents digitally through the DigiLocker app.

All things considered, yes, the documents on DigiLocker are verifiable and nothing else is required to get them approved. However, there is a small catch, only Issued documents come under the verifiable category and not the ones uploaded by the user.

What are Uploaded & Issued Documents?

The Digital Documents Wallet holds two types of documents: Issued & Uploaded. For instance, if a user uploads a scanned document to the wallet, it will be classified as an uploaded document and if it was fetched from the DigiLocker app itself, it will be classified as Issued Document.

Subsequently, the uploaded documents are not verified and acceptable as they are simply scanned copies of original documents, but issued documents are verified and need no further approval. This is because, the issued documents have a Digital Signature by the issuing authorities like this:

[4]

or are digitally verified by the DigiLocker and the issuing authority like this:

[5]

Laws & Security Clause

  1. Legally Valid as per IT Act 2000

The DigiLocker issued documents are deemed to be at par with physical documents as per the Information Technology Act 2000.

[6]

Rule 9A of the Information Technology (Preservation and Retention of Information by Intermediaries Providing Digital Locker Facilities) Amendment Rules, 2017 also states that “Issuing certificates or documents in Digital Locker System and accepting certificates or documents shared from Digital Locker Account at par with Physical Documents.”[7]

  • Privacy

DigiLocker data is only shared with the citizen’s explicit authorization.  Organizations which require access to a citizen’s certificate must sign up with DigiLocker and have the citizen’s express consent.

  • ISO 27001 Compliance

An ISO 27001 security-certified data centre serves as the application’s host.

  • Standard Software Development Policies

DigiLocker adheres to industry-standard software development techniques such as standardized coding standards, rules, and reviews. Before being deployed on servers, each version is internally evaluated and tested for security and penetration issues.

  • Encrypted Documents

For information transmitted during any activity, DigiLocker employs 256-bit secure socket layer (SSL) encryption.

  • Mobile Authentication

In order to authenticate users and grant access to the platform, DigiLocker provides mobile authentication-based signup with an OTP (one time password).[8]

Flaws

DigiLocker contains data & crucial documents of millions of Indian users. Considering this, if the digital wallet holds vulnerabilities that might be used as an opportunity by the hacker, sensitive data of millions of Indian citizens will be rolling out for sale in the dark market.

Recently, independent Bug Bounty researchers notified CERT & DigiLocker Authorities regarding vulnerabilities present in the system. The vulnerabilities included:

  1. OTP bypass due to insufficient authorisation (Critical Vulnerability)
  2. PIN Bypass (Critical Vulnerability)
  3. Poor API session mechanism (High Vulnerability)
  4. Weak SSL pinning method in the mobile app (Medium Vulnerability)

This concern was soon addressed and clarified by the authorities stating that the vulnerability was successfully patched by the technical team on priority. They shared an official clarification through a tweet:

What can you do as a DigiLocker User?

Following are the points that you must remember:

  1. Ignore Spam messages on your device.
  2. Do not click on unwanted or suspicious links.
  3. Be aware and do not fall for phishing traps.
  4. Update your devices to the latest versions.
  5. Regardless of how legitimate the request may seem, never share your authentication credentials with someone. (OTP, Passwords, PINs, etc.)
  6. Most importantly, trust your instincts and be aware.            

Although this vulnerability is patched, no technology is completely safe. Despite the fact that, given the sensitive nature of data, the government must have placed adequate security measures, as users, we must constantly be conscious and cautious.

[1] https://www.digilocker.gov.in/

[2] For Detailed Steps & features, Visit:
https://www.livemint.com/money/personal-finance/all-you-need-to-know-about-digilocker-and-how-to-use-it-11612943898102.html

[3] Image Source: https://www.digilocker.gov.in/

[4] Images source: https://www.paisabazaar.com/aadhar-card/7-things-you-should-know-about-digilocker/

[5] Images source: https://www.paisabazaar.com/aadhar-card/7-things-you-should-know-about-digilocker/

[6] DigiLocker Website: https://www.digilocker.gov.in/

[7] Rule 9A Information Technology (Preservation and Retention of Information by Intermediaries Providing Digital Locker Facilities) Amendment Rules, 2017.

[8] https://www.digilocker.gov.in/about/faq

About Anshika Dhawan 7 Articles
I am a student pursuing B.Tech (CSE) LLB with specialization in Cyberlaw from UPES, Dehradun. I believe "Each person must live their life as a model for themselves." I am known to be a self-starter. I am committed, sincere, and a keen learner. Apart from this, I am passionate about creative art, craft, and photography.

1 Comment

  1. Hi, one of my friend lost her all documents (educational).
    She don’t have any copies of original documents and she never used digi locker.
    Please guide me for further steps.
    Thank you.

    Reply

Leave a Reply to Ankit Cancel reply

Your email address will not be published.


*