Protect Trans Rights Now! Portal Leakages Must Be Addressed.

Last year, we had received a complaint that the National Portal for Transgender Persons contained several vulnerabilities that could be exploited to access the sensitive personal data contained within. While some of these issues were addressed, certain concerns about the portal's security remain.

25 January, 2021
4 min read

Tl;dr

Last year, we had received a complaint that the National Portal for Transgender Persons contained several vulnerabilities that could be exploited to access the sensitive personal data contained within the portal. While some of these issues were addressed, certain concerns about the security of the portal still remain.

The purpose of the portal

On the 25th of November 2020, The Social Justice and Empowerment Ministry launched a national portal for transgender persons to apply for certificates and identity cards. Through the portal – transgender.dosje.gov.in – transgender persons could apply for certificates and identity cards digitally without having to visit any government office and could also monitor the status of their application through the portal itself.

Security issues emerge

Last year, we were CC'd on an email to the NIC, informing them about certain vulnerabilities in the portal’s architecture. The table below contains a list of the issues and their status.

Description of Issue Status
Sensitive data can be accessed by changing URL Addressed, but could still potentially be accessed
All hitherto submitted forms can be accessed by changing URL Addressed, reverse engineering the hash function to gain access once again
Unsecure website, does not have HTTPS or SSL certificate Still present
Lack of security controls for registration Still present

Thus, while some of these issues have been addressed, certain vulnerabilities persist:

  • SSL vulnerabilities: The portal is not SSL secured which means that all data in the website is not secured and the data can be accessed by hackers. SSL certificate helps to encrypt the data while passing it between web servers and websites. In general sense, the data is locked and can only be unlocked by the intended recipient so that all the sensitive information may be protected. Hence, this is absolutely necessary for a portal that handles information that can be categorised as extremely sensitive in nature. As the portal does not use SSL, there is high possibilities of leakage of personal data of the users of the portal. This makes the portal not secure for handling any information that is of a sensitive nature. This information can be misused and be used for identity theft or even for targeting the already vulnerable transgender individuals.
  • Lack of security controls: It is very easy to register onto the site by using a fake email id and phone number, and there isn’t any verification done (such as an email verification) to check whether candidates registered are actually legitimate or not. And so, any individual with the help of fake email IDs and phone numbers can create an account in the portal. By creating an account, one can learn the database architecture of the portal and analyse the weaknesses and vulnerabilities, and attack them, thereby enabling them to access data that is available on the portal. If registration continues to happen so easily without strict verification, the personal and sensitive data of all the users registered to the portal are at all times vulnerable to attacks from hackers. Rather than forcing any linking of government IDs in the sign-up process we recommend an inclusionary registration process that is designed in consultation with cyber security professionals.

Urgent need for privacy

The judgement of the Supreme Court in National Legal Services Authority v. Union of India granted transgender persons legal recognition as the ‘third gender’, and thus affirmed their fundamental rights as guaranteed under the constitution of India. Additionally, the Supreme Court’s judgement in Justice K. S. Puttaswamy (Retd.) vs Union Of India And Ors. affirmed the Right to Privacy as fundamental. Given the constitutional recognition of transgender persons, the Puttaswamy Judgement, when read along with Articles 14 (Equality before law), 19 (Protection of certain rights regarding freedom of speech), and 21 (Protection of life and personal liberty), thus implies a strong privacy doctrine for the information of transgender individuals as a constitutional obligation, and so the deprivation of the same due to leakages effectvively amounts to a deprivation of fundamental rights.

Furthermore, given prevalent societal mores and norms, the safety of the data of transgender persons is paramount. Much has already been written about gender and surveillance, with transgender people facing extremely high levels of both digital and physical threats. These threats, together with deeply ingrained biases and misbeliefs, have already lead to both focused surveillance and physical injury (or even death).

Recommendations

  1. If the issues listed above are not immediately dealt with and resolved, it could lead to data theft which could further lead to financial fraud and identity theft for the users of the portal. Furthermore, applying for certificates through the portal may be a less taxing experience than doing so by physically going to a government office, and so the importance of this portal is clear. Thus, we request swift redressal of the above enlisted issues.
  2. Cyber security is a complex process that requires dynamic activities to neutralise emerging threats. To ensure that such issues do not reoccur with the portal, a technical audit of the portal must be conducted. The National Informatics Centre has 33 Empanelled Information Security Auditing Organisations, many of which have conducted significant audits for government agencies such as the NIC, NPCI, and the SBI. Such organisations are technically capable of being tasked with auditing the portal.

If you are unable to discern any other fragilities in the portal's security architecture, please do let us know.

This representation was drafted with the help of Rohan Mathew, a legal and policy intern at IFF.

Important Documents

  1. IFF's Representation to the NIC regarding vulnerabilities in the National Portal for Transgender Persons (link)

Subscribe to our newsletter, and don't miss out on our latest updates.

Similar Posts

1
Your personal data, their political campaign? Beneficiary politics and the lack of law

As the 2024 elections inch closer, we look into how political parties can access personal data of welfare scheme beneficiaries and other potential voters through indirect and often illicit means, to create voter profiles for targeted campaigning, and what the law has to say about it.

6 min read

2
Press Release: Civil society organisations express urgent concerns over the integrity of the 2024 general elections to the Lok Sabha

11 civil society organisations wrote to the ECI, highlighting the role of technology in affecting electoral outcomes. The letter includes an urgent appeal to the ECI to uphold the integrity of the upcoming elections and hold political actors and digital platforms accountable to the voters. 

2 min read

3
IFF Explains: How a vulnerability in a government cloud service could have exposed the sensitive personal data of 2,50,000 Indian citizens

In January 2022, we informed CERT-In about a vulnerability in S3WaaS, a platform developed for hosting government websites, which could expose sensitive personal data of 2,50,000 Indians. The security researcher who identified the vulnerability confirmed its resolution in March 2024.

5 min read

Donate to IFF

Help IFF scale up by making a donation for digital rights. Really, when it comes to free speech online, digital privacy, net neutrality and innovation — we got your back!