What TRAI Chairman should learn from dangerous results of his stunt of publishing Aadhaar details
A cockamamie open challenge on the internet is not a good idea. RS Sharma, the chairman of Telecom Regulatory Authority of India (TRAI), learnt that the hard way.
On July 28, a day after Sharma was quoted by news reports as saying that Aadhaar, India’s unique identity project, does not violate privacy and that the government has a right to create such a database of residents “since it gives subsidies”, technology developer Kingsly John goaded him to “walk the talk” and make his Aadhaar details public.
Sharma, perhaps, in a fit of hubris, followed though and responded with: “My Aadhaar number is **** **** **** [DailyO does not wish to publish his Aadhaar details, in light of what happened next]. Now I give this challenge to you: Show me one concrete example where you can do any harm to me!”
Robert Baptiste, a French security researcher who goes by the moniker “Elliot Alderson” and uses the handle @fs0c131y on Twitter — both references to Rami Malek’s character from Mr Robot, a television series about hacking — and a man whose actions on the internet have been momentous in systematically pointing out vulnerabilities in Aadhaar and other flaws in the establishment’s data security, using Sharma’s Aadhaar number tracked down his phone number, his email address, his PAN number, and his WhatsApp details, that included his photo with his daughter (it's speculative, because the ethical hacker was ethical enough to black out her face before tweeting it).
He also managed to infer that no bank accounts were connected to the Aadhaar number that was provided — which would be hypocritical on multiple levels, given how Sharma has been a proponent of Aadhaar, and the Centre and banks have been subtly coercing citizens to link their Aadhaar details with bank accounts. Sharma has denied this allegation, of course.
And while Baptiste stopped there, others most certainly did not.
One Twitter user claimed that he had made a “fake” Aadhaar card with Sharma’s details and had proceeded to upload the same on Facebook and Amazon Cloud Services. He further claimed that his proof identity was accepted by both services.
Another user discovered his Air India Frequent Flyer number. Another user discovered his voter ID. Other users posted screenshots of sending Re 1 to Sharma via Aadhaar-Enabled Payment Service using apps like BHIM and Paytm, or even Immediate Payment Service (IMPS) — they also posted transaction IDs for the same.
It was all fun and games.
Till it wasn’t.
According to a report published by The Wire, early on July 30, Sharma’s daughter, Kavita Sharma, was threatened via email. The blackmailer, who had also marked two journalists from The Wire in it, warned her that her father’s email accounts had been compromised and that his Punjab National bank account “is under imminent threat of being hacked”. The sender also demanded a ransom, the failure to pay which would end up with all of his details on public domain. “Kavita: If you do not respond to this email in the next 24 hrs [sic]. The consequences would be regretful. Any tip off to law enforcement agencies, would be detrimental. You are advised to act wisely,” the blackmailer wrote.
Threatening the family members of Sharma is an act no one can and should condone. After all, this is a very good example of the kind of vulnerabilities Aadhaar exposes citizens to (and there are many), even if it did happen to a person who denies the existence of such issues.
What should be acknowledged, however, is that Sharma’s conceited open challenge needs to be called out for what it is: ill-conceived privileged nonsense.
Nikhil Pahwa, founder and editor of MediaNama, and the co-founder of SaveTheInternet.in and Internet Freedom Foundation, in an editorial, wrote (before threats to his daughter became public) that if no harm befell Sharma despite such a stunt, it would be used as an example to justify the fact that publishing of Aadhaar number in public does not cause any harm. He argued that this could only be attributed to RS Sharma’s privilege as “a senior government functionary, a technologist, and a man”.
And that is where the problem lies. RS Sharma, by no means, is an ignorant man. A career bureaucrat, Sharma has previously been the Secretary, Department of Electronics and Information Technology, and the Director General of the Unique Identification Authority of India (UIDAI). It is not a stretch to assume that he understands technology, and has access to safeguards and help from the authorities should his security be compromised. This would make his position antithetical to that of a majority of Indians.
Women get doxxed online every day. They receive rape and death threats. Their phone numbers are published and they are also physically stalked. Sharma’s bravado, thus, from a position of power (lots of it) is not ignorant. It is pernicious.
In any case, this whole fiasco should be a humbling experience for Sharma. One would hope that such violent threats to his privacy would finally open his eyes to the pitfalls of Aadhaar.