Yesterday, Chairman of Telecom Regulatory Authority of India (TRAI), Mr. Ram Sevak Sharma, threw a challenge to the world. He gave out his 12 digit Aadhaar number (which I don't want to publish here) and tweeted:
"Now I give this challenge to you: Show me one concrete example where you can do any harm to me!"
The Internet world quickly found out the phone number linked to his Aadhaar, and slowly more information started coming in, his previous and current addresses, date of birth, his frequent flier number, his email addresses, PAN number, bank account details, voter-ID card number and all associated details, alternate phone numbers, the model of his phone, his pictures and that of his family, current location, secret questions to his email addresses, and so on.
Much of this information was in public domain anyway. He kept making two claims: One, all this information could have been found (and perhaps has been found) without knowing Aadhaar. Two, putting all this information in public domain results in no harm to him.
I have refrained from writing on Aadhaar, since a large number of pro and anti-Aadhaar people are divided on political lines, and hence most of the debate is ill informed. Also, the debate does not have to be "Aadhaar compulsory for everything" versus "Kill Aadhaar." But that is how it plays out in public arena.
Coming back to his challenge, I wonder if he has an agenda. Otherwise, a smart and wise man that he is (after all, he is a fellow alum of IIT Kanpur :-) and a Distinguished Alumnus Awardee), he would know that such challenges do not prove anything. If indeed someone is able to get information that can potentially harm him, he will keep arguing that this information was not found using Aadhaar (and most hackers would not reveal their methods). But on the other hand, if no one is able to get any important information in a short period of time, that is not at all an argument in favor of Aadhaar's security. May be it takes more time. So, either way, it proves nothing.
Also, he is big enough man to fight legal battles and has a large network to undo most of the harm, if something does happen. So it is very little risk to him personally. But throwing such a challenge is not in national interest. Since there is a possibility, however small, that some harm may happen, that some people may actually succeed in hacking. That a person at such a responsible position is throwing such a challenge is just so sad. The only reason I can think of is that he is playing to the gallery and his supporters and supporters of Aadhaar will be very happy with him.
He has been arguing that just knowing bank account number will not harm him. What he has not yet said is whether the bank account numbers should be in public domain. If indeed his bank account number has been found using Aadhaar number, isn't that a failure of Aadhaar. Of course, the supporters would argue that the bank account number may have been found not from UIDAI site but from some other source. But the issue is different. Even if we assume that five feet thick and thirteen feet high wall is enough to secure data on the servers inside those walls, shouldn't this be the responsibility of UIDAI to secure the entire Aadhaar eco-system. Shouldn't every Aadhaar center be secure. May be not 5' by 13' wall, but 1' by 7' wall :-) In fact, I would go a step further. How businesses and government departments keep Aadhaar and use them should also be controlled by UIDAI. If they have no control over such use, they shouldn't insist on compulsory sharing of Aadhaar. Of course, today's discussion is not even touching upon the issue of government potentially having access to every interaction that happens between me and UIDAI.
I know most of the information that people have found out about Mr. Sharma can also be found about me, but unlike him, this reality gives me stress. Of course, many will argue that no honest person needs to worry, almost suggesting that if I am stressed about it, I must be dishonest. But the way our government systems and courts work, undoing any damage is extremely slow and expensive, and I don't want to go that route.
Added on 29th July:
Another much more detailed and well articulated article on why this challenge is irresponsible.
Issues with TRAI Chairman RS Sharma publishing his Aadhaar Number, challenging hackers to harm him by Nikhil Pahwa
A 3-Tier Higher Education System for India
10 hours ago