Yesterday, the Chairman of the Telecom Regulatory Authority of India (TRAI), Mr. Ram Sevak Sharma, threw a challenge to the world. He gave out his 12-digit Aadhaar number (which I don't want to publish here) and tweeted:
"Now I give this challenge to you: Show me one concrete example where you can do any harm to me!"
The Internet world quickly found out the phone number linked to his Aadhaar, and slowly more information started coming in, his previous and current addresses, date of birth, his frequent flier number, his email addresses, PAN number, bank account details, voter-ID card number and all associated details, alternate phone numbers, the model of his phone, his pictures and that of his family, current location, secret questions to his email addresses, and so on.
Much of this information was in the public domain anyway. He kept making two claims: one, all this information could have been found (and perhaps has been found) without knowing his Aadhaar number; two, putting all this information in the public domain results in no harm to him.
I have refrained from writing on Aadhaar, since a large number of pro- and anti-Aadhaar people are divided on political lines, and hence most of the debate is ill informed. Also, the debate does not have to be "Aadhaar compulsory for everything" versus "Kill Aadhaar." But that is how it plays out in the public arena.
Coming back to his challenge, I wonder if he has an agenda. Otherwise, smart and wise man that he is (after all, he is a fellow alum of IIT Kanpur :-) and a Distinguished Alumnus Awardee), he would know that such challenges do not prove anything. If indeed someone is able to get information that can potentially harm him, he will keep arguing that this information was not found using Aadhaar (and most hackers would not reveal their methods). On the other hand, if no one is able to get any important information in a short period of time, that is not at all an argument in favor of Aadhaar's security. Maybe it just takes more time. So, either way, it proves nothing.
Also, he is a big enough man to fight legal battles, and he has a large network to undo most of the harm if something does happen. So there is very little risk to him personally. But throwing such a challenge is not in the national interest, since there is a possibility, however small, that some harm may happen, that some people may actually succeed in hacking. That a person in such a responsible position is throwing such a challenge is just so sad. The only reason I can think of is that he is playing to the gallery: his supporters and the supporters of Aadhaar will be very happy with him.
He has been arguing that just knowing his bank account number will not harm him. What he has not yet said is whether bank account numbers should be in the public domain at all. If indeed his bank account number has been found using his Aadhaar number, isn't that a failure of Aadhaar? Of course, the supporters would argue that the bank account number may have been found not from the UIDAI site but from some other source. But the issue is different. Even if we assume that a five-foot-thick, thirteen-foot-high wall is enough to secure the data on the servers inside those walls, shouldn't it be the responsibility of UIDAI to secure the entire Aadhaar ecosystem? Shouldn't every Aadhaar center be secure? Maybe not a 5' by 13' wall, but a 1' by 7' wall :-) In fact, I would go a step further. How businesses and government departments store and use Aadhaar numbers should also be controlled by UIDAI. If they have no control over such use, they shouldn't insist on compulsory sharing of Aadhaar. Of course, today's discussion is not even touching upon the issue of the government potentially having access to every interaction that happens between me and UIDAI.
I know that most of the information people have found out about Mr. Sharma can also be found about me, but unlike him, this reality gives me stress. Of course, many will argue that no honest person needs to worry, almost suggesting that if I am stressed about it, I must be dishonest. But given the way our government systems and courts work, undoing any damage is extremely slow and expensive, and I don't want to go that route.
Added on 29th July:
-------------------------
Another, much more detailed and well-articulated article on why this challenge is irresponsible:
"Issues with TRAI Chairman RS Sharma publishing his Aadhaar Number, challenging hackers to harm him" by Nikhil Pahwa
10 comments:
Read something sensible on Aadhaar after a long time, interesting piece. What are your thoughts on securing the Aadhaar number itself? If the gateway to all this personal information is the Aadhaar number, would securing the Aadhaar number be of any help? Does that close the door to our personal information?
@Prateek Dwivedi, I think there are other people who have been studying this issue deeper than I have who can answer this better. But not forcing Aadhaar linkages for everything, allowing people to change existing Aadhaar number, and in future using Virtual IDs only would be first few steps.
@Prof Sanghi, interesting perspective! I am sure now no Indian citizen would want to see anybody / @fs0c131y take up Dr. RS Sharma's next challenge: "Now I give this challenge to you: Show me one concrete example where you can do any harm to me!" What could be the reason that we in India are so casual in our approach w.r.t. security and privacy issues (ref. now Elliot Andersen has found a security issue with CID West Bengal's system)?
One thing that comes to mind is if I buy a kilo of gold with cash using your PAN you will be in a soup with the IT people.
Good one....
The entire issue seems to be driven by the idiotic and supremacist approach of a leader; the counter-tweets from such a responsible position were not relished. Sometimes we have to step back to prove ourselves right. Anyway, congratulations sir for providing us insight into Aadhaar.
I agree with your point that it's important to secure the entire ecosystem around Aadhaar. And that's not done, the reason being that the data is not in a single place. I feel they should have done the following:
* All Aadhaar data must be in one place, within multiple layers of security
* Clear access control policies should be there, which are strictly enforced
* Any data that is needed by states or any other organizations for the implementation of various programs should be given out only after anonymizing it, so that one cannot correlate it back to the original citizen
* They should have thought of better processes for capturing and populating the data. The whole process was outsourced to people with less discipline and without fool-proof processes.
If you see the way GSTN was architected, it's very well done, and they should have thought of something like that for Aadhaar also.
The problem now is that the Govt is not even accepting that there are issues (whether they are minor or major). Then fixing them is out of the question. They need a fresh assessment of this whole matter from real experts and not self-proclaimed experts.
Might be of interest:
http://www.cse.iitm.ac.in/~shwetaag/papers/aadhaar.pdf
https://www.cse.iitb.ac.in/identity/
@SpS, I think we are casual since we don't understand it, and we have sort of this belief that nothing could be worse than my current situation. Also, privacy is an alien concept. We know everything about our neighbors and colleagues. So it is difficult to imagine what could go wrong if more people know everything about us.
The Aadhaar database might be heavily secured and leakproof, but the litigation and movement against Aadhaar is not much about data breaches. It is about citizens' choice in a constitutional democracy, against making Aadhaar compulsory for everything, the right to privacy and the right not to be subjected to state surveillance. This litigation is also about reclaiming the notion of "we the people" in the preamble of our constitution.
All these recent open challenges to prove a data breach, and the abrupt, irresponsible responses to them on social platforms, are utterly misleading. They are diverting the focus from the real debate about protecting and proclaiming our constitutional rights, which are threatened by the Aadhaar project and its reckless use by the state machinery.