Many users complain of bugs and other issues while using the DigiLocker application that could potentially lead to hacking.
Accessing and uploading documents on the DigiLocker application is a challenge for users as they encounter multiple issues.
Rishit, a DigiLocker user, explained that whenever he tried accessing his driving license, the application did not work. “It shows some unknown error,” he explained. Many users face difficulties in accessing DigiLocker. With 3,51,787 ratings and four-star reviews, the app has over 1,00,00,000 downloads and users. Some of the users have expressed their views on DigiLocker’s space on the Google Play store.
Ajay Bhut, a DigiLocker user, reviewed, “Digitalization is a good idea but making a crashing app and wasting people’s time is not a good idea.” He said the app tries to download documents again and again when it is actually unable to download them. The download remains pending when it comes to showing the documents to the officers. “Please solve this issue,” he said.
DigiLocker was launched by the Ministry of Electronics and Information Technology as a key initiative under the Digital India Programme, the Indian government’s flagship programme. It was aimed at transforming India into a digitally empowered society and a knowledge economy by creating a platform that stored issued and verified documents and certificates digitally.
Another user, Sanjay Singh, reviewed that he was unable to view his issued documents or the uploaded ones. “Very poor upgradation is happening. I have all the proper documents. It is unable to access those. In such a case, when traffic police will be asking for documents and this DigiLocker won’t be showing our documents. Useless in time when needed,” he reviewed.
Ashish Gehlot, a security researcher who discovered a vulnerability in the DigiLocker application system, explained the problem. “I logged in the application by using one-time password (OTP) and putting my Aadhaar card details. It was an insecure sign-in process,” he said.
“With DigiLocker, the thing is that the small errors that people are experiencing could be because of potential bugs that could lead to a massive data breach,” he explained. Gehlot said that if any similar bug comes out today, it would lead to a massive data leak. “The number of people using DigiLocker has increased massively. When their dependency on the application has increased, security has become a major concern,” he explained.
In 2021, some OnePlus mobile phone users complained that they could not access DigiLocker after updating their operating system. “Ever since the update, I can’t seem to view my DigiLocker documents. I’ve tried restarting, reinstalling, clearing cache and storage, and even force stopping, but to no success,” said rishankp619, a OnePlus user.
Sheth mentions that he faces issues not only with the application’s working but also with its interface. “Whenever I try to click on Hindi, the application either closes or it displays the information in English,” he added.
In 2020, over 100 gigabytes (GB) worth of data of Indians, which included PAN cards, Aadhaar cards, voter IDs, and driver’s licenses, was put up for sale on the dark web. The global intelligence agency, Cyble, which found this trade, claimed that they had access to over one lakh IDs from different places in India, with the total size being over 100 GB.
About the security and authenticity of DigiLocker, its website mentions that it is completely safe and secure to use. “We do care about your privacy and take all precautionary measures to ensure your data is protected and uncompromised,” the website mentioned.
It further mentions that DigiLocker uses 256-bit secure socket layer (SSL) encryption for information transmitted during any activity.
An official from the Controller of Certifying Authorities (CCA), speaking on condition of anonymity, said that the security of DigiLocker could be enhanced if it came under their department. “Annual audits and compliance to rules and regulations by the CCA are the two things that DigiLocker must comply with if they come under us,” they said.
For DigiLocker to come under the CCA, it has to apply for certification. “Till now, they have not applied for certification. They are working independently under the Ministry of Electronics, Information and Technology (MeitY),” the official said.
Gehlot said, “Cloud services and advanced ones like DigiLocker must not only have encryption on their stored data but it should also have data loss prevention (DLP). DLP protects data from unauthorized access and automatically disables access and transport data when suspicious activity is detected.”
Under DigiLocker’s security factors, the website mentions that the application uses mobile authentication-based signup via OTP for authenticating users and allowing access to the platform. The application is hosted in an ISO 27001 security-certified data center. “Data is backed up in a secure environment with proper redundancy with security audits by recognized audit agencies,” the website mentioned.