Ram Sevak Sharma, the current Telecom Regulatory Authority of India chairman and ex-CEO of the Unique Identification Authority of India (UIDAI), had recently been quoted in an article questioning what harm could be done if people knew his Aadhaar number. His line of argument triggered a demand on social media, with people saying if he really believed this, he should make his Aadhaar number public. Sharma picked up the gauntlet, published his UID number on Twitter and went one step further, challenging people to use the information to ‘harm’ him.
Many individuals took up the challenge, unearthing several personal details of Sharma. They claimed that his Aadhaar aided the process due to its ubiquitous nature.
People have obtained Sharma’s personal information such as his phone number, date of birth, PAN number, bank account number, email address, postal address, voter id, telecom operator, phone model, Air India frequent flyer number and photos of immediate family (from his WhatsApp profile).
Sharma responded by saying these details were already public and he has yet to see any form of ‘harm’ caused specifically by his Aadhaar details. What Sharma means by “harm” is not entirely known, but the term is widely understood to mean some form of physical hurt or threat or financial loss.
Thanks to this, I now know that you have an Airtel phone number attached to your Aadhaar (99XX5XX977) https://t.co/jG1bqjh57k
— Karan Saini (@iasni) July 28, 2018
Sharma’s insouciance made some on social media use his information in creative ways. Some people have made a copy of his Aadhaar card (with original info) using the UID number to create online accounts on Amazon and other such e-commerce websites. People deposited money into his bank account using Aadhaar Pay in the BHIM app. However, no reports of anyone using his fingerprints or one time passwords to withdraw money have come to light yet. The kind of financial harm which is possible and which Sharma wants others to demonstrate has not surfaced.
People managed to get your personal address, dob and your alternate phone number.
— Elliot Alderson (@fs0c131y) July 28, 2018
An important question that needs answering is whether people unearthed this information using the Aadhaar number which Sharma had made public or was it already public? The simple answer is Aadhaar may have been used to find some information, while other personal information like his voter id, which is not linked to Aadhaar, was already public. The risk of personal data going public exists in today’s digital age and the risk levels multiply when there is linking of data to Aadhaar – or any other unique identifier – which can be used to combine multiple databases.
Aadhaar is being demanded for every service instead of phone numbers or email ids. The risk of information becoming public is higher with Aadhaar number than with a phone number. The unique identity project has had many mishaps in the past. Around 210 websites published personal information linked to Aadhaar, as revealed in an answer to a parliamentary question. The personal Aadhaar data of an estimated 13 crore individuals was published by four websites alone, according to research carried out by the Centre for Internet and Society (co-authored by the writer).
None of Sharma’s personal details have been accessed from the main Central Identities Repository Database (CIDR), as clarified by UIDAI. This main database of the Aadhaar project stores the biometric data and is classified as national critical infrastructure, thus protected with utmost security. The issue though, is that this same information is in the public domain, the data that state governments and public departments collect and publish. Fingerprints in CIDR being secure is of no significance. Thus, the fact that Sharma’s personal data, including Aadhaar, has become public is not UIDAI’s problem or an Aadhaar problem, but it is a problem nevertheless for individuals. This is the issue people are highlighting on social media and want to show Sharma that there is no redressal mechanism for it.
The individuals who have found information about Sharma are by no means hackers in the literal sense. The word ‘hacking’ refers to nothing but breaking things and learning, which is misinterpreted by almost everyone. Then there are the famous ethical hackers, who may just be con artists trying to make money elsewhere. The idea of ethical hacking is great, but what is ethical may not be legal and what is legal may not be ethical. None of the individuals who pointed out Sharma’s personal information have committed online fraud; not yet, at any rate.
The reasons why people are doing this could be many; they probably don’t like Aadhaar or Sharma, are eager to challenge the status quo or are just having fun. A documentary on Anonymous and Church of Scientology points to a similar set of incidents and how people on the internet can target institutions or individuals.
But it is important to recognise that we, as a society, want to debate these issues and are not being provided a safe space by the media, political parties or institutions to establish the facts. Thus, arguments over Aadhaar and data protection occur over social media and carry various risks, including that of getting trolled.
Srinivas Kodali is an independent researcher who works on data and internet. He considers himself as a civic hacker and not an ethical hacker.