TRAI Chief, and now #AadhaarChallenge propagator, RS Sharma has explained, in an article in The Indian Express, his reason behind giving out his Aadhaar number. In doing so, Sharma has made a number of claims about the Aadhaar. Nine of of those claims warrant further questions.
After Sharma published his Aadhaar number on Twitter on 28 July, Aadhaar and security concerns related to it have dominated discussions on news and social media platforms.
“Thus far I have not lost the challenge and I’m very confident that I will not,” claims Sharma.
Having read his words carefully and identified the claims he has made, The Quint raises 9 questions seeking clarifications from Sharma.
1. “Aadhaar doesn't contribute to increasing any of your other digital vulnerabilities.”
Sir, you will be aware of the fact that UIDAI had temporarily suspended the e-KYC licence of Airtel Payments Bank in December, 2017 and slapped a fine of Rs 2.5 crore on the company.
We bring up this example because it refutes the claim about other digital vulnerabilities not increasing.
It was alleged that Airtel had opened bank accounts and force-seeded them with Aadhaar, without having obtained the prior informed consent of the customers. As complaint letters piled up at the UIDAI and Ministry of Petroleum offices, it came to light that LPG gas subsidies of Airtel customers were routed to their Airtel payments bank instead of their bank accounts – which they had no knowledge of.
This has occurred because citizens were mandated to link their mobile numbers with Aadhaar. The Supreme Court had not made this linking mandatory and citizens have been harassed by the confusion that ensued.
2. “Another trend is to blame Aadhaar for vulnerabilities of other systems.”
Sir, in an open letter to you on Monday, we had pointed out specific vulnerabilities in government and private applications. In doing so, we explained how the Aadhaar number was instrumental in exploiting these vulnerabilities. While the flaws of the websites and portals are not disputed, their exploitation has been aided by the public availability of your Aadhaar number.
3. “It has made people hesitant in sharing their Aadhaar details for accessing legitimate services. Slowly, deliberately, Aadhaar is being shown as a dangerous artefact because it could compromise security.”
Sir, you must be aware that in January, The Tribune had reported how its reporter was granted access to the Aadhaar database for a sum of Rs 500, paid to an anonymous seller. The reporter, Rachna Khaira reports that she was provided a login ID and password which enabled her to gain access to a database of over a billion Aadhaar numbers created in India.
This contained the name, address, phone number, postal code, e-mail address and photograph. According to the reporter’s account, the UIDAI officials had admitted to the incident as a national security breach.
Sir, instances of a leaky Aadhaar ecosystem have emerged at periodic intervals. Under such circumstances, you may appreciate why citizens are “hesitant in sharing their Aadhaar details.”
4. “But if you define crediting a rupee to an account as hacking, well, more people might be happy to be hacked.”
Sir, in making this claim you run the risk of discrediting the harms that are attached to this vulnerable aspect of the BHIM app. The ability of an anonymous entity to make an Aadhaar transfer of unaccounted money into your bank account through your Aadhaar number has several serious implications.
- The ability to transfer money without your consent means a public official can be blackmailed in many ways. “A possible harm for a public servant is getting unaccounted money from unknown people in his account and bribery charges. With Aadhaar as public (same with UPI) , anyone can send you money and accuse you of bribery,” Anivar Aravind told The Quint.
- The sending of Re 1 also returned a response by the app which revealed that RS Sharma was using a Bank of India account – yet another vulnerability. A statement made in jest may encourage others to try the same and have their bank name exposed through the metadata.
- It proved that one does not have to hack into UIDAI’s database to steal protected information. There are existing vulnerabilities in several government platforms that can be manipulated if one has an Aadhaar number.
5. “My purpose in engaging in debate is to prove by my own example that Aadhaar number disclosure cannot cause any harm.”
“no harm can be caused if the Aadhaar number is leaked or shared”
Sir, it has emerged from your tweets and your piece in the newspaper that your interpretation of harm is narrow. You have predicated the occurrence of harm in the context of your Aadhaar number being publicly available on two things:
1. Financial loss
2. Breach of UIDAI databases
This constitutes a blinkered vision of the real extent of harm that can come upon an individual by virtue of having her Aadhaar number made public.
In order to explain how you have been harmed, it is necessary to describe what constitutes harm. Say, for instance you possess an ID card. You have ownership over the data in that card. That data is your property. Now, if someone were to steal that ID card, you would still have ownership of the data but not control over that data. The control of the data would now be with the individual in possession of it.
The individual controlling your data chooses to use it for, say, gaining entry into a space that requires an ID card.
In security parlance, the use or processing of data in a manner that is not intended to be used is what constitutes harm.
6. “I thought about it and decided I should have the courage to act on my belief. While I am an impulsive person at times, this tweet was not an impulsive one.”
Sir, since you have explicitly stated that your decision “was not an impulsive one”, we are surprised that you chose to share your Aadhaar number publicly, in violation of the law. This assumes greater significance given that you were the former Director-General of UIDAI.
Section 29 (4) of the Aadhaar Act, 2016, states that an Aadhaar number should not be published, displayed or posted publicly. However, in your piece you make no mention of the act being a criminal offence. It has also been observed that several others on Twitter have followed your lead in making their Aadhaar numbers public.
7. “At the UIDAI I had the opportunity to work with the finest brains in developing a system that can deliver what it was designed to, while resisting malevolent attacks.”
It needs to be mentioned that while you were CEO of UIDAI, State Resident Data Hubs (SRDH) were built using the Aadhaar data provided by UIDAI. While the justification for building SRDH was the identification of beneficiaries for providing services, it has displayed insecure infrastructure that reveals Aadhaar data. In the case of Andhra Pradesh, this data was used to build search systems which an individual can use to find sensitive personal information like medical details, family details and property ownership.
As per this report, a State Resident Data Hub is a repository of UIDAI data of residents, along with their demographic data and photograph. The biometric details like iris and fingerprints are not stored at the state level and are available with the UIDAI CIDR only. This helps the state government in maintaining a lean database, and ensures privacy of data. However, in the case of some states it has been reported that SRDH has also collected biometric information.
8. “One interesting hack was to deposit one rupee in my account through the marvel of a system called UPI.”
In your tweets as well as in your piece, you have praised the BHIM UPI for its design. However, as has been reported, the BHIM UPI suffers from a range of issues, both in its design as well as its security. The “interesting hack” of depositing Re 1 was carried out with ONLY your Aadhaar number using the “Pay by Aadhaar” feature of the app. Here’s why the UPI is faulty:
Transfer to <aadhaar no>@aadhaar.npci will work as an Immediate Payment Service (IMPS) Bank transfer to the account number in the Aadhaar account mapper in the National Payment Corporation of India (NPCI). In this case it has been revealed that the money went to RS Sharma's Bank of India account as per Anivar Aravind’s post.
But BHIM app won’t list those transactions in the receiver's BHIM app. It will only reflect in RS Sharma's bank account statement. “Since it is a successful transaction, I can see that in my account statement,” Aravind has told The Quint.
9. “While I did reveal my own number, I am not suggesting for a moment that any of you could also publicly share your Aadhaar number.”
Sir, this statement stands contrary to your activities on Twitter. You appear to have retweeted tweets of multiple individuals who, following your lead, chose to publicly share their Aadhaar numbers. As we have pointed out, the public display of Aadhaar amounts to violating the law.
You categorically mention “not suggesting for a moment that any of you could also publicly share your Aadhaar number”. Your retweet could be interpreted by some as endorsing their actions.
(At The Quint, we are answerable only to our audience. Play an active role in shaping our journalism by becoming a member. Because the truth is worth it.)