Cross Match Technologies, a US-based company that offers biometric products and services to a range of customers including India’s Aadhaar authority (UIDAI), told Gadgets 360 that it has not captured, or stored, or processed any personal private information of its customers. The clarification comes days after WikiLeaks reported that US federal agency CIA had the capability to disguise Cross Match’s software and then spy on Cross Match clients, theoretically giving it access to biometric data of over 1 billion Indians, if UIDAI were to be one of the organisations targeted. But Cross Match has clarified that its software does not have such capabilities.
John Hinmon, vice president of global marketing at Cross Match Technologies, told Gadgets 360 that the US-based company takes personal privacy very seriously. He added that Cross Match “does not capture, store or process in any manner personal private information, such as fingerprint images, collected by any of its customers,” adding that the company doesn’t have the “technical ability” to “covertly ‘remote into’ databases and systems that do store such personal data, nor have we ever been involved in developing or supporting such capability for any government or private entity.”
“Crossmatch’s fingerprint scanners and software allow end users to capture, store and process those images in their own systems, under security protocols defined by that end user. Typically, these systems are accessible only by trusted ‘administrative users.’ To be clear, this is the case with India UID. All software utilised with our scanners was developed, tested and certified under the direction of India UID,” Hinmon told Gadgets 360. “We value our partnership with India to support the historic and progressive Aadhaar program that widens social and economic inclusion and channels welfare payments more effectively.”
Earlier this week, WikiLeaks published secret CIA documents detailing a biometric collection system that the US agency ran, for which it worked with its intel partners including the National Security Agency (NSA), the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). The intel partners were “expected” to “voluntarily” share the biometric information they collected, WikiLeaks reported.
The CIA, however, didn’t find the arrangement for the biometric collection system sufficient, so it reportedly created a secret program called ExpressLane, through which it installed a trojan, disguised as a software update, that would covertly collect the biometric information, according to WikiLeaks. Citing the CIA’s internal documents, WikiLeaks alleged that the agency was also using Cross Match’s technologies for its biometric collection system, and that the ExpressLane program could compromise Cross Match’s services.
In the aftermath of WikiLeaks’ revelation, reports claimed that the CIA could have managed to access and collect the biometric information — Aadhaar data — of Indians, since the UIDAI has also worked with Cross Match Technologies. It needs to be stressed that there is no evidence in WikiLeaks’ report that explicitly states that the Aadhaar infrastructure is impacted, too. It is also not known whether Cross Match still provides its services to UIDAI. Update: Cross Match told Gadgets 360 that its software — Crossmatch MOBS — which has been referenced in the confidential CIA documents — “has never been used in any UIDAI application.”
More than 1.17 billion people have enrolled in the Aadhaar system, for which prints of all of a person’s fingers, iris data, and other private information such as name, date of birth, address, and phone number are collected. Aadhaar was originally conceptualised to help a portion of Indians avail social welfare programs, but the central government has made Aadhaar identity mandatory for availing several other services including filing income tax returns and getting a new phone number.
According to a press release issued by Cross Match in 2011, it had received a three-year certification to supply biometric authentication solutions to UIDAI. “Today’s milestone demonstrates that Cross Match, as a global leader in image quality and performance, and its Indian partner for the UID program, Smart Identity Devices Pvt. Ltd. (Smart ID), are ideally suited to help make this historic project a reality,” Cross Match CEO David Buckley had said then.
The issue, as reported by WikiLeaks, however, is that the CIA’s ExpressLane program could gather biometric information from systems without the knowledge — and presumably consent — of its intel partners. In a brief conversation with Gadgets 360, Julian Assange, the founder and publisher of non-profit organisation WikiLeaks, said the CIA, through its ExpressLane program, installs “trojaned versions of the Cross Match under the cover of a [software] update.”
A CIA-assigned officer would visit offices and install the ExpressLane program, disguised as a software update, which would set the wheels in motion to covertly collect the biometric information, according to the CIA’s confidential documents published by WikiLeaks. Several documents detail how the authorised officer would install the program, and the technical details of how the program had been created.
Over the years WikiLeaks, founded in 2006, has published several confidential documents detailing various controversial programs run by governments. “Wikileaks has a solid history of producing legitimate material, but they’ve also been known to over-inflate the significance of it,” top security analyst Troy Hunt told Gadgets 360. “Especially in more recent times, there’s growing concern that the material they’re publishing is less in the best interests of the people, and more to further their own agendas. In reality, it’s probably a bit of both.”
Update: In a follow-up conversation with Gadgets 360, Cross Match said, “The leaked documents specifically indicate that although malware was installed using a file name that was similar to the name of our software, the malware was designed to not affect, change or interact with our software. Rather, it was designed to act independently of our software.” The company added that it had no knowledge about the creation or use of ExpressLane.