Review of Mobile One Service by GoK – 2 – Security and Privacy
Mobile One is a useful utility. To get the most out of it, the user has to provide personal information such as full name, date of birth and address. To use some of the features you also need to give your PAN number, car registration number and so on. With so much personal data and transaction history stored at MobileOne, it is important to look at the security and privacy features provided by the app. Hence I made some effort to do minimal testing. The tests I have done here are minimal and any smart citizen can do them; they need no special skill or ability in programming. But these common-sense tests say a lot about a system. I generally follow them whenever I want to use an online system where I need to enter my personal details.
When you register, the system takes your mobile phone number and sends you a passcode by SMS. It is a simple way to register and confirm the number in a single step. But the system doesn't force you to change the passcode once you log in. Forget forcing: you cannot change the passcode at all. I checked multiple times in all possible places, and no, you cannot change it. It also doesn't help that the passcode is just four digits.
- The passcode is chosen and sent by the system
- No way to update or change the passcode
- A 4-digit passcode is not enough
- The account doesn't get locked after three wrong passcode entries; instead you get a CAPTCHA. But you can clear the cookies to clear the CAPTCHA.
- I have a strong doubt whether the passcode is encrypted or hashed in the backend database
- If your passcode gets leaked, the only option is to use "forgot user" and make the system send a new passcode
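The CAPTCHA described above is tied to browser cookies, so clearing them resets it. As an added example (not MobileOne's code), here is how a backend can count failures per account on the server side, where the client cannot reset them, and store passcodes as salted hashes rather than in the clear. The account number, passcode and lockout values are constructed for illustration.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

MAX_FAILURES = 3            # lock the account after this many consecutive failures
LOCKOUT_SECONDS = 15 * 60   # how long the account stays locked (constructed value)
PBKDF2_ROUNDS = 100_000

def hash_passcode(passcode, salt=None):
    """Return (salt, digest); the database keeps these, never the passcode itself."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, PBKDF2_ROUNDS)

def verify_passcode(stored, passcode):
    salt, digest = stored
    candidate = hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison

class AccountLockout:
    """Failure counter keyed by account and held on the server: clearing cookies
    or switching browsers does not reset it, unlike a cookie-backed CAPTCHA."""
    def __init__(self, clock=time.time):
        self.clock = clock                   # injectable so the logic can be tested
        self._failures = defaultdict(int)    # account -> consecutive failures
        self._locked_until = {}              # account -> unix time the lock expires

    def is_locked(self, account):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:            # lock expired: start counting afresh
            del self._locked_until[account]
            self._failures[account] = 0
            return False
        return True

    def record_failure(self, account):
        self._failures[account] += 1
        if self._failures[account] >= MAX_FAILURES:
            self._locked_until[account] = self.clock() + LOCKOUT_SECONDS

    def record_success(self, account):
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)

def attempt_login(lockout, store, account, passcode):
    """Return 'locked', 'ok' or 'bad'. `store` maps account -> hash_passcode() output."""
    if lockout.is_locked(account):
        return "locked"                      # refuse before even checking the passcode
    if account in store and verify_passcode(store[account], passcode):
        lockout.record_success(account)
        return "ok"
    lockout.record_failure(account)
    return "bad"
```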
Type of certificate
SSL certificates are important for two reasons.
- To keep the communication between you and the server encrypted, so no one else can overhear it
- To assert the identity of the server/service provider, so you are sure you are talking to the right person or organization
To get the first one right you just need a modern, valid SSL certificate. This only makes sure that the conversation between your browser and the server is encrypted, which is good enough for most websites. But when you are doing a financial transaction or sending extremely sensitive data, it is important to be assured of the identity of the server/provider. For that you need a special kind of SSL certificate, called an Extended Validation (EV) certificate. In this case the certificate authority does background checks to assert the identity. You can easily observe this in the URL bar of the browser: for example, when you go to OnlineSBI the URL bar turns green and shows the name of the organization. When you click on the padlock it again shows the name of the organization and other details.
In the pictures below you can see the difference between the OnlineSBI and MobileOne SSL certificates. The MobileOne certificate doesn't have any organization details. MobileOne should use an EV certificate, as it is important for the citizen to know whom they are talking to.
- Certificate uses a weak signature. When renewing, ensure you upgrade to SHA2.
- The server supports only older protocols, but not the current best TLS 1.2. Grade capped to B.
- The server does not support Forward Secrecy with the reference browsers.
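As an added example (not from the original post), the following script turns three of the checks above into code using only Python's standard `ssl` module: whether the certificate carries an organization name, whether TLS 1.2 or newer was negotiated, and whether the cipher gives forward secrecy. The signature algorithm (SHA-1 vs SHA-2) is not exposed by that module, so it is not checked here. `HOST` is a placeholder; the check functions take plain values so they can be exercised offline.

```python
import socket
import ssl

HOST = "example.invalid"   # placeholder, replace with the site being reviewed

def organization_name(cert):
    """Subject organizationName from ssl.getpeercert() output, or None.
    An EV (or OV) certificate carries one; a domain-validated one does not."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None

def supports_modern_protocol(version):
    """True when the negotiated protocol is TLS 1.2 or newer."""
    return version in ("TLSv1.2", "TLSv1.3")

def has_forward_secrecy(version, cipher_name):
    """TLS 1.3 always uses ephemeral key exchange; for older versions the cipher
    name must show (EC)DHE. Plain RSA key exchange has no forward secrecy."""
    if version == "TLSv1.3":
        return True
    return "ECDHE" in cipher_name or "DHE" in cipher_name

def assess(cert, version, cipher_name):
    """Collect findings in the same terms the review above uses."""
    findings = []
    if organization_name(cert) is None:
        findings.append("certificate has no organization details (not EV)")
    if not supports_modern_protocol(version):
        findings.append(f"negotiated {version}, not TLS 1.2 or better")
    if not has_forward_secrecy(version, cipher_name):
        findings.append(f"cipher {cipher_name} offers no forward secrecy")
    return findings

def probe(host, port=443):
    """Connect with the default (validating) context and assess what was negotiated."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return assess(tls.getpeercert(), tls.version(), tls.cipher()[0])

if __name__ == "__main__":
    for line in probe(HOST) or ["no findings"]:
        print(line)
```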
Privacy: Private info leaked by services
There are too many third-party services to check the security of each one. I checked two services where I had to use a PAN number or a motor vehicle registration number. In both places I could register without any difficulty. But that also means there is no validation of any kind before sensitive data is exposed.
- I can register any vehicle to pay its fines. All I need is the motor vehicle registration number, which is very public. The service doesn't validate in any way that I am the owner of the vehicle. So if I were malicious and wanted to keep an eye on the traffic violations committed by someone else, I could do that too. It leaks private information indirectly. It's a huge threat.
- To get the income tax details you just need to know a person's PAN number. Nothing else, and no other validation.
I am hoping they have some kind of audit trail to trace back any mischief. But I am not sure.
Please note: I used my family's details, with their permission, to do this testing. No privacy violation happened.
(a) We collect the following categories of Personal Information from You when You visit the Portal:
(b) You shall at any time be entitled to withdraw Your consent to the collection, storage, use, disclosure, and transfer, of the Personal Information by Us, by notifying Your intention in writing to the Grievance Officer on the address provided in paragraph 14 below. However, in the event that You so choose to withdraw Your consent to the aforesaid, We shall be entitled to discontinue providing any or all of the services to You.
The app and the site have no way to delete the account, which would be an automatic way to withdraw consent. Having to write to an officer to do this makes it extremely difficult, if not impossible.
The Personal Information collected by Us is used by Us, our affiliates, subsidiaries and joint ventures, inter alia, for -
(xi) Any other purposes required for offering the services on the Portal;
You agree that We may use personal information about You to improve CeG’s services, marketing and promotional efforts, to analyze Portal usage, improve the Portal's content and service offerings, and customize the Portal's content, layout, and services. These uses improve the Portal to, inter alia, meet Your needs, so as to provide You with a smooth, efficient, safe and customized experience while using the Portal.
What are these other purposes? And what are these marketing and promotional efforts?
(b) The Personal Information provided by You can be shared by Us at any time without obtaining explicit consent from You, with any government agencies mandated under the law to obtain Personal Information including sensitive Personal Information for the purpose of verification of identity, or for prevention, detection, investigation including cyber incidents, prosecution, and punishment of offences;
(c) Personal Information provided by You may also be disclosed by Us at any time without obtaining explicit consent from You, to any third party by an order under the applicable law for the time being in force;
(d) We will make endeavours to ensure that third parties who are the recipients of the Personal Information maintain the confidentiality of such information, with the same level of data security practices as are employed by Us in relation to the Personal Information, and use the Personal Information only in relation to the Portal and the services offered by Us to You;
Not very clear. Does this mean it will be shared only by order of a court, or just by any government agency?
(a) Personal Information may be disclosed/ transferred to the following recipients:
(i) Third party service providers who assist Us in rendering services to You and/ or enhance the efficiency of the services to You;
(ii) Third party service providers who require Your information only in connection with the services offered on the Portal, for monitoring Your preferences, for displaying personalized advertisements to You, for displaying important communications regarding the services to You;
(iii) Our affiliates, other users of the Portal and service partners strictly for the purposes specified in paragraph 4 above.
There is no list of all third-party service providers, their contract details, how they will manage data or how they will keep our privacy. Even though point (d) in Disclosures says they will make all endeavours to maintain the same privacy terms, it doesn't talk about the standards used, rules followed, access or authorization levels, or the implications in case of a privacy breach by a third party.
8. Other Information
Point 8(b) in Other Information contradicts point 5(d) in Disclosures, where they say they will make all the efforts.
We employ commercially reasonably data security practices and procedures commensurate with the specifications under the applicable laws, including encryption, passwords, physical security and other technical, physical and administrative, mechanisms and measures, to protect/ safeguard the security and integrity of Your Personal Information.
In view of the functionality of the internet and provision of services over the internet, We cannot guarantee the complete security of Your Personal Information at any time. Given that the internet is a medium which is prone to several security hazards and other events/ incidents which are beyond Our control, while we will strive to ensure full protection to Your Personal Information, We cannot guarantee the same at any given time. Any Personal Information provided by You, must therefore be provided with full cognizance of this risk.
It doesn't say what those commercially reasonable data security practices and procedures are. Without knowing the details, it is like selling snake oil. The second paragraph contradicts the first point by saying "We cannot guarantee".
Does that mean they don't notify me when it changes, even though notification is the industry standard? Does that mean users have to keep checking?
14. Grievance Officer
Centre for e-Governance,
146, Gate 2, 1st Floor,
M.S. Building, Dr. Ambedkar Veedhi,
Bangalore – 560 001
(i) Requests for review/ modification/ deletion of any Personal Information provided by You;
(iii) Complaints/ grievances regarding posts/ information shared by other users;
(iv) Intimation of withdrawal of consent to use Personal Information by Us;
No email address, no phone or fax, no online form or complaint management system? Very strange for an e-Gov system that is trying to bring the rest of the government system online. Please note 14(iv): you need to write to this postal address to remove your personal information.
THIS DOCUMENT IS AN ELECTRONIC RECORD IN TERMS OF THE INFORMATION TECHNOLOGY ACT, 2000, AND THE RULES THEREUNDER AS APPLICABLE AND THE AMENDED PROVISIONS PERTAINING TO ELECTRONIC RECORDS IN VARIOUS STATUTES AS AMENDED BY THE INFORMATION TECHNOLOGY ACT, 2000. THIS ELECTRONIC RECORD IS GENERATED BY A COMPUTER SYSTEM AND DOES NOT REQUIRE ANY PHYSICAL OR DIGITAL SIGNATURES.
It is not citizen friendly at all. It scares people and shouts at them.
By agreeing to use/ avail the services, You represent, warrant, undertake and confirm that -
i. The Registration Data provided by You is true, current, complete and accurate in all respects. You agree to promptly update Your Registration Data, in case of any change, so that Your information remains true, current, complete, and accurate at all times.
v. CeG shall be entitled to suspend, without any prior notice to You, Your access to the whole or any part of the services and/ or the Portal if in the opinion of CeG you have acted in contravention of these Terms and Conditions. CeG further has the right to temporarily suspend access to the whole or any part of the services and/ or the Portal for any technical/ operational reason. CeG may, but shall not be obliged to, give You as much notice of any interruption of access to the services as is reasonably practicable. CeG will restore access to the services as soon as it is reasonably practicable after temporary suspension. You agree that such decision shall be based on the sole discretion of CeG and any decision taken in this regard shall be final and binding on You.
Point 3(i) is something impossible to achieve all the time.
Point 3(4) raises an important question. The services provided by MobileOne are government services. MobileOne itself is a government service provided by the Centre for e-Governance, Government of Karnataka, and meant for citizens. Every citizen is entitled to the services provided by the Government, including MobileOne. So how can it be suspended without any prior notice? And how is it that "restore access" is at the sole discretion of CeG and its decision is final? Aren't we by default entitled to all the services provided by the Government? Isn't it our right?
This makes me feel like I am dealing with a private company and not the Government of Karnataka.
5. PLATFORM FOR COMMUNICATION
i. Any and all commercial/ contractual terms are offered by and agreed to between Registered Users and third party service providers alone and the service provider and service receiver are solely responsible for fulfilling the commercial/ contractual terms. The commercial/ contractual terms may include without limitation price, shipping costs, payment methods, payment terms, date, period and mode of delivery, warranties related to products and services and after sales services related to products and services. CeG does not have any control or does not determine or advise or in any way involve itself in the offering or acceptance of such commercial/ contractual terms between the service providers and service receivers;
ii. CeG/ GoK and/ or any of its authorized representatives do not make any representation or give a warranty as to specifics (such as quality, value, scalability, merchantability etc.) of the products or services proposed to be sold or offered to be sold or purchased on the Portal. CeG does not implicitly or explicitly support or endorse the sale or purchase of any products or services on the Portal. CeG/ GoK and/ or any of its authorized representatives accepts no liability for any errors or omissions, whether on behalf of itself, its affiliates or third parties;
This is especially important because there are many private third parties.
x. You release and indemnify CeG, the Government of Karnataka and/ or any of its officers, authorized representatives including IMI Mobile and its affiliates from any cost, damage, liability or other consequences of any of the actions of the users of the Portal and specifically waive any claims that You may have in this behalf under any applicable law. Notwithstanding its reasonable efforts in that behalf, CeG cannot take responsibility or control the information provided by other users of the Portal and/ or third party service providers which is made available on the Portal. You may find other user's and/ or third party service providers information to be offensive, harmful, inconsistent, inaccurate, or deceptive. Please use caution and practice safe trading when using the Portal.
This also means CeG is not responsible for anything that happens on the app or portal.
Again, they expect you to visit this page often. They also make sure to say they won't intimate you of changes, even though notification is the standard across the IT industry.
This concludes the second part. It's not really positive.