Thursday 10 May 2007

Identity Leakage: Trust VFS to reveal all

The Visa Facilitation Services (VFS) in India have over the years greatly simplified any need to escape the motherland. If you're privileged enough to possess appropriately valid and verified documents, be it travel for holiday, human trafficking, business, family reunion or work, the VFS in India will see to it that you needn't do the worrying nor have to stand in long queues overnight wondering whether you've filled in that visa form correctly. According to recent reports I've been hearing, those days are almost gone.

On the VFS UK India website, you can nowadays apply online for most United Kingdom (UK) visa categories, as part of their Business Express Program and track your application too. VFS India are the British High Commission's commercial partner, and they operate application centres on behalf of the 4 visa departments in India.They have about 11 offices across Indian cities.

Last year, while I was directed to this VFS website due to an UK assignment, I stumbled upon a technical problem. After entering all my details on the online visa application form, I couldn't proceed further. All I had was this blank browser page on my computer monitor, and a 'Back' button that refused to do what it was designed to do.

Having spent a good hour typing in my details, I decided to twiddle around with the URL in my browser to see if something could be salvaged. About two minutes of twiddling with the VFS Uniform Resource Locator (URL) resulted in the following revelation: Anyone who has ever applied for a UK visa online, have their personal details exposed to everyone on the Internet. Personal details such as passport number, address, phone numbers, email, family details, work details, salary, clients, real-estate owned, countries you've visited, where you're going and when you're travelling...the list goes on. Essentially, the entire form, i.e. everything the British High Commission needs to know about you to grant you a visa is available for anyone to misuse. Security is thrown out the window.

This was naturally quite shocking. I quickly verified that what I was seeing was true: that VFS India could be responsible for large scale identity theft, for every online visa application that it receives. I sent an email to both VFS India and the British High Commission explaining this serious security issue. After about two months, I heard back from the British High Commission thanking me for the email bringing this to their notice, and promising to look into this matter. A year later nothing has happened. And this is in spite of the fact that identity theft in the UK is treated quite seriously and there is a parliamentary act that protects such information.

Identity theft occurs when a criminal uses another person's personal information to take on that person's identity. Identity theft in any form has serious consequences, and our law-makers in India should take a tougher stance. From a Wikipedia entry on Identity Theft, "The crimes include illegal immigration, terrorism and espionage, to mention a few. It may also be a means of blackmail if activities undertaken by the thief in the name of the victim would have serious consequences for the victim".

Terms & Conditions on the VFS UK India website state that "Under the Data Protection Act, we have a legal duty to protect any information we collect from you". And they go on to say "VFS shall not disclose or allow access to any personal data provided by the Foreign & Commonwealth Office or acquired by VFS during the execution of the contract, other than to VFS personnel or those otherwise lawfully concerned with the execution of the contract".

Doesn't look like that to me. Whoever VFS India uses to design their website has some serious answering to do, and heads will surely roll. I'm not sure whether this security hole is visible in the United States VFS site or any other country's visa processing that VFS India handle.

In any case, I don't think I want to pay VFS for their services and then be exposed to this gaping security hole.

Excuse me while I try to find the end of this queue.

Update: Problem "sol-ved", as they say here in Bangalore! Check this post. This posting was also the basis of a Channel 4 television news report in the UK on the 17th of May, just a week after publishing on this blog.


Tapanjit said...

I would like give you a big thank for brining this in notice of appropriate authority. It's a good work and hope VFS India will be penalised for playing with our personal data.

Danish Khan said...

Hi Sanjib. My name is Danish Khan and I am a journalist working for Mumbai Mirror. I want to speak to you regarding a report I am working on. Pls email me on Pls treat this as urgent.

Anonymous said...

Its a conterversial company below is the link

Anonymous said...

Its a conterversial company. Even canada embassy says the same thing

Click here

Anonymous said...

I am getting afraid of sharing information on VFS site....Shit can not beleive how ignoart outsourcing companies are....They do not care as its not their personal data.

Pheroze said...

If you look at the way their IT leaders are, you will fall to cold ground. Many of them do not even know what IT is all about.

Its big unorganized filthy puss which will smell in the coming times.