Millions of Indians woke up on Saturday, 27 October, to a lengthy apology published in national newspapers and addressed to “the People of India” by Gemalto, a global digital security company.
In an unprecedented move, Gemalto CEO Philippe Vallée tendered an unqualified apology on Saturday for publishing a global Breach Level Index (BLI) report on 15 October that had claimed 1.2 billion Aadhaar records were compromised in a breach in the first half of 2018.
However, in hastily retracting its report and offering a profuse apology, Gemalto appears to have withheld one key fact: UIDAI, the Aadhaar issuing body, is a client of Gemalto.
Biometric data of citizens, which lie at the heart of the ambitious Aadhaar project, were captured, gathered and later authenticated using machines manufactured by Gemalto.
Many have pointed out that, in the interest of full disclosure, this relationship should have been mentioned, and that its omission is conspicuous.
Moreover, two days after the Dutch security company had published its report, UIDAI issued a circular on 17 October stating that ‘Security issues have been discovered in existing Gemalto products’ and that ecosystem partners are ‘advised to suspend future procurement of Gemalto products’. A day later, Gemalto withdrew its report, and a few days after that it republished a fresh one. The new report makes no mention of the Aadhaar data breach.
How Does Gemalto Fit Into The Aadhaar Story?
This is the same question Gemalto asks rhetorically on its official website. In a post last updated on 1 July 2018, a sub-header asks ‘So where does Gemalto fit into this story?’
It proceeds to answer this question, stating that “in the search for biometric solutions capable of capturing fingerprints and iris scans from over a billion people, the Indian authorities turned in particular to 3M Cogent – now a Gemalto Company”.
In other words, the machine that recorded our fingerprints and the one that scanned our irises at the time of enrolling for our Aadhaar numbers were manufactured by Gemalto.
Later, when we authenticated ourselves using our fingerprints to get a SIM card, we did so using a Gemalto machine.
A Curious Timeline of Events
- 15 October: Gemalto publishes its Breach Level Index report; categorises the Aadhaar data breach as ‘catastrophic’.
- 17 October: UIDAI issues a circular stating that ‘Security issues in Gemalto products’ had been identified; ecosystem partners are ‘advised to suspend future procurement of Gemalto products’.
- 18 October: Gemalto withdraws its report.
- 23 October: Gemalto issues a new BLI report and press release, which reports 944 breach incidents in the first half of 2018 as opposed to 945 in the original report.
- 27 October: Gemalto CEO Philippe Vallée publishes an apology to “the people of India” in national dailies.
A Tale of Two Gemalto Reports
The global Breach Level Index report originally published on 15 October and the one re-published on 23 October differ in a number of crucial respects, on account of the removal of the 1.2 billion-record Aadhaar data breach. The statistics pertain to the first half of 2018.
The original report had categorised the Aadhaar data breach as ‘Catastrophic’ on a scale where 1 to 2.9 is ‘minimal risk’ and 9 to 10 is ‘catastrophic’. The Aadhaar breach had received a perfect score of 10.
In its report, Gemalto had attributed its numbers to a report by The Tribune in January 2018, which had exposed an anonymous service that allowed anyone with Rs 500 to access the personal information of all 1.2 billion Indian citizens.
What The Apology Says Without Saying
Anyone who read the apology on Saturday would have been struck by the profuseness of its language. Philippe Vallée, Gemalto CEO, addressed his apology not to the Government of India or to the UIDAI, but to “the people of India”.
He opens his apology by terming the BLI report “inaccurate” and the news article about the Aadhaar data breach “unverified”. The apology goes on to state that the company is ‘deeply regretful’ and that by publishing its report “Gemalto has caused prejudices in the minds of the general public at large against Aadhaar which we deeply regret.”
The apology further states that the Dutch company is launching an internal investigation and that it has found no evidence of any Aadhaar data being breached.
However, in its 289-word apology, it withheld the fact that UIDAI is a client of Gemalto, which has led several people to point out this glaring omission on social media.
“Hiding the UIDAI Gemalto relationship while issuing the apology clearly shows Gemalto was under pressure to do this,” said Srinivas Kodali, an independent security researcher. Anivar Aravind, a security researcher, added that “there is nothing to apologize if they are doing their research properly. The apology is to save their business.”
Apology Profuse, Aadhaar Praise More So
A quick glance at how Gemalto’s website describes Aadhaar provides a glimpse into a supplier-client relationship.
A post titled ‘Aadhaar Project in India: 2018 facts and trends’ uses hyperbole to describe the project. The post is replete with phrases such as ‘Aadhaar – the word on everyone’s lips in India’ and describes ‘Aadhaar’ as the ‘word of the year’. It also goes on to explain why ‘Aadhaar has no parallel’.
The same post also specifies the equipment Gemalto sells to UIDAI.
A Deeper Rabbit Hole?
Twitter users also pointed out that Gemalto is in the process of a merger with Thales, a French aerospace and defence technology company, expected to close within the first quarter of 2019.
Why is this relevant?
Because the Rafale fighter jets’ “on-board electronics systems, equipment and sensors are supplied by Thales and account for about 25 per cent of the plane’s value,” says Thales’ official website.
The Quint has reached out to Gemalto and UIDAI for comment, and this story will be updated with their responses if and when they arrive.