Who wins the 'Aadhaar Challenge'?

The storm that brewed over the tweet of former UIDAI chairman and outgoing TRAI head, RS Sharma, asking security researchers to 'harm' him with his 12-digit-Aadhaar number may have settled down. However, the debate over the breach of privacy of the 'largest biometric identification scheme in the world' is heating up.

On July 28, Sharma had asked the Twitter ID @kingslyj to show him "one concrete example" where s/he can do any harm to Sharma, after publishing his Aadhaar number.

Many privacy crusaders, ethical hackers and security researchers cried foul and revealed details of Sharma like the mobile number linked to his Aadhaar, alternate mobile number, service provider, his mobile brand, PAN details, WhatsApp display picture and the Frequent Flyer Number. Not all of these are related to Aadhaar, evidently. "But one information can lead to the leak of the other," says software engineer Anand Venkatanarayanan. "Sharma's mobile number may be available on government sites but his bank account details were obtained only because his Aadhaar number was public."

Sharma maintained that no harm is done to him and defended his position in a blog post in 'Indian Express'.

"Having devoted an important part of my life to contributing to the design and implementation of Aadhaar, I do understand how it works and what can and cannot be done with it," he wrote.

The present CEO of UIDAI, Ajay Bhushan Pandey, in an interview with Scroll.in had said that Aadhaar is not a 'secret number'.

"What I would like people to understand is that Aadhaar is not a secret number like your password or PIN (personal identification number), which can materially affect your life tomorrow if it is leaked without your knowledge. It is not like your Aadhaar number is leaked and your bank account gets emptied out."

But on Tuesday, UIDAI in a press statement said: "Aadhaar number is personally sensitive information like bank account number, passport number, PAN number, etc, which should be strictly shared only on a need basis for a legitimate use for establishing identity and for legitimate transactions."

Why Aadhaar is unique

The pro-Aadhaar campaigners compared the issues with Aadhaar to other ID cards like voters’ ID or driving licence and argued they are no different.

Sharma claimed that Aadhaar is not making any “new vulnerability” in the internet society. These claims intend to say that Aadhaar poses no new challenge to privacy. This argument was debated for weeks in Supreme Court in the Aadhaar case. The verdict is expected in a couple of months.

“There are three types of information -- secret, private and public. Aadhaar, like bank account number or PAN, is a private information. You will not publish the credit card details. But credit card or sim card can be revoked. Aadhaar cannot be. Moreover, it is linked to everything,” said Anivar Aravind, a software engineer.

“Aadhaar, like PAN or Date of Birth is an irrevocable identifier that we are being forced to share with all sorts of entities. This is different from a phone number or an email address -- which we can acquire and discard as many as we like,” says Nilesh Trivedi, a software engineer based in Bengaluru.

"The Aadhaar number by itself does not give away any information. It has to be used with biometrics," says Pandey. "But in reality, at many places, you don't have an option for online verification. The hard copy is enough to harm you," says Anand.

Data everywhere

Aadhaar-related information is available on many government websites including the digilocker.gov.in, which is a "platform for issuance and verification of documents & certificates in a digital way." With the Aadhaar number, researcher Karan Saini shows that you need nothing but some basic computer coding to scrape the mobile number linked to that.

This bug was reported to Unique Identification Authority of India, months back, says Anivar, who sent one rupee to Sharma using the BHIM app. "They did not take action hence the report was published online. They will not take action unless it really affects them."

Sending money to Sharma was a sign to show that how Aadhaar-based transactions are harmful. "One guy sent money and he said that this would not harm him. What if someone sends few lakhs and complains that he accepted it as a bribe," asks Anand. BHIM app, the much-celebrated child of Digital India, allows anyone to deposit money without the receiver's approval. All you need is an Aadhaar number. "I have been campaigning on this issue for the last one year," said Anivar.

"Even if you change the bank account number, you will still have to link it to the Aadhaar and hence the issue will remain," said Anand.

“One guy made accounts on Facebook ad and Amazon with his fake Aadhaar card. So what will happen if he publishes an adult ad with it? Is he saying that all these are not going to harm him?” asks Anand. “He is in a privileged position. What about others?”

“Sharma is the best technology regulator we have in India. He gave us net neutrality. But that doesn’t mean that he is right in this point,” he added.

Many pro-Aadhaar campaigners came forward to publish their Aadhaar number in support of Sharma. The Aadhaar Act, 2016, clearly states that "No Aadhaar number or core biometric information collected or created under this Act in respect of an Aadhaar number holder shall be published, displayed or posted publicly, except for the purposes as may be specified by regulations."

The UIDAI Twitter account in many instances asked the users not to publish the 12 digit number.

Is this real hacking?

Like every time, UIDAI's initial response was that Aadhaar is safe.

"Aadhaar database is totally safe and has proven its security robustness over the last eight years. UIDAI emphatically stated that any information published on Twitter about the said individual Shri RS Sharma was not fetched from Aadhaar database or UIDAI’s servers," UIDAI said in a statement.

"Who said that UIDAI's Central Identities Data Repository was hacked?" asks Anand.

Hacking doesn’t mean that they hacked the central depository of Aadhaar. “You get the information from many other websites,” says Anivar. These are mostly government websites. The Aadhaar system is loosely built, and hurriedly implemented to make it ‘too big to fail’ says Anivar.

In 2013, the founder of Uidai, Nandan Nilekani published his Aadhaar card photo after blackening the first eight digits of the number. Security researchers sent him all the details including the hidden characters with the help of the QR code printed on the card. “The QR code is not encrypted. Anyone can make it. You will get the details if you scan it and you can easily generate the same one,” says Anand. A few months back, UIDAI decided to bring in 'digitally-signed QR Code' on e-Aadhaar to overcome this.

"Thankfully, UIDAI did implement biometric locking after criticism, which allows you to force OTP for e-KYC (Know your customer). Not doing it from day one was a problem because biometrics are irrevocable. So people were asked to share biometrics with all sorts of entities, even with unverified devices. Once I have your fingerprints, I can impersonate you, no matter how the system is improved. Secrets are no longer secrets, once they're leaked," said Nilesh.

Ridiculing the reactions of UIDAI and Aadhaar supporters on the controversy, Nilesh said "When the pro-Aadhaar team talks about "safety", they are (cleverly) talking about the safety of the database. When critics talk about safety, they are talking about the safety of the citizen. A clear difference in perspectives and priorities."