Vol. XLII No. 32 August 12, 2018

RS Sharma’s Aadhaar Challenge: Claiming Victory from Defeat

Prabir Purkayastha

BY a sleight of hand, RS Sharma, the TRAI chief, has changed his irresponsible challenge “harm me using my Aadhaar” to “hack my Aadhaar database”. The two are completely different issues. What the ethical hacker community – yes, there is one – has shown is the immense harm that they could have done to Sharma, but did not. They only showed us the danger from Aadhaar to our privacy, and they succeeded quite convincingly.

Sharma claims that whatever the hackers did, it did not involve hacking of the Aadhaar database; and that his emails were not hacked. He even crows about the Re 1 deposited to his account as a benefit, “forgetting” that for a civil servant, the answer “I don’t know where this one lakh (for a computer, Re 1 or Rs 1,00,000 is same) came from” may not be an answer that the vigilance authorities may buy. The plain fact is Sharma lost his challenge and he knows it. Therefore the obfuscation!

So what did the hacker community establish in the RS Sharma challenge? It showed that his Aadhaar number made it easy to access his private information: it did not take much skill to put in his Aadhaar number and search various databases for his personal details. With his personal details, they could access his Air India frequent flyer number, which was the security question to one of his email accounts. For anybody who operates a Gmail or Yahoo account, they would know that the hacker was quite close to hacking his emails.

The Unique Identification Authority of India (UIDAI) is obviously aware that Sharma’s vainglorious challenge has severely dented its claims of protecting our privacy. In a series of tweets – this is how the various governmental authorities now communicate to the public – UIDAI said that such a challenge was a violation of the UIDAI Act, and a criminal offence. It also advised others not to follow in Sharma’s footsteps, and warned that anybody responding to these challenges would be guilty of impersonation, therefore committing a criminal offence. After making sure that anybody using the Aadhaar number to get any personal details would be charged with criminal cases, UIDAI, like Sharma, is now claiming “victory” for the Aadhaar data not being hacked.

We have argued earlier in these columns that Aadhaar was originally envisaged as a biometric verification system. With failure rate of at least 10 percent – one in ten cases failing such biometric identification – Aadhaar switched to the Aadhaar card being the proof of identity. The problem is that this is the only ID in the country that has no security feature in it, and every copy is an original, making it a photo-shoppers delight. It is almost the same as self certification – take a copy of any of your ID’s and certify that it is yours. Why do we as a country have to spend tens of thousands of crores for a UIDAI system, if self certification is all that we need as proof of ID?

The tragedy here is, the only sections for whom biometric verification is mandatory, are the poor: those who need rations, pensions, disability benefits, etc. Instead of being a welfare measure, it is directed against the poor. Any deletion which leaves out the old, the disabled, and the weak from Aadhaar, is seen as its “success” of weeding out fraud. Fraud is not what an Ambani or an Adani commit: they only have non-performing assets; it is only the poor that commit fraud.

Let us forget Sharma and his antics, and look at the larger issue of privacy and Aadhaar. All of us have data that are in different places; or in different data silos. We have bank accounts, which record our transactions, our circle of friends who are linked by our telephone calls and our emails, our tax records that are accessed by our PAN number, and so on. Each of these silos can be hacked, and if they are, the other silos are not affected. Further, we can change our bank accounts, our ID’s, our passwords, etc. and restart our privacy, even if the earlier hack could have led to our past data in that silo being compromised.

Aadhaar has a number of threats to our privacy. One is that it provides a common link to all the separate silos, providing a common mode failure in the system. Through my Aadhaar number, all the silos are now connected. That makes the task of hacking the silos that much easier. Like the Tolkeim’s Lord of the Rings, where the One Ring commanded all the others, the Aadhaar ID rules over all our other IDs!

If the account by hackers in the Sharma episode is true, then by answering Sharma’s security question in his Gmail account, it could have been hacked. His Aadhaar number was used to identify his Air India Frequent Flyer number, and this was his Gmail security question. And Sharma, like many of us, uses personal information as a part of his passwords, or as a security question for password recovery.

There are further protections that Sharma might have taken. After all he is supposedly a techie, who had headed the UIDAI earlier, and therefore presumably knows a little about security. For most of us lesser mortals, we would not have many layers of security, e.g., two factor logging into the Gmail account – using a password and an OTP – and could have seen our email account hacked. Once it is hacked, a huge amount of personal information would also have been hacked. So also our phones, as Google backs up our android phones in our Google account as a default. And as we store various information on our phones and emails, this can also lead to our privacy being compromised in various other ways.

For this huge security hole, Sharma’s answer is simple. All of us should switch to higher levels of security – two factor log in for our emails, creating long and complicated passwords, secure storage of our many passwords – measures that most people won’t or can’t take. For them, as with the “undeserving” poor, who do not have finger prints, Sharma and UIDAI have little sympathy.

The second problem with Aadhaar is that if the Aadhaar database – and I am not talking about the biometric database, which is what UIDAI authority claims is behind seventeen feet walls – is as easily available as the Tribune report showed, the information connecting all our silos is now available for a small sum of money. And Sharma just showed us why this is so dangerous.

The third threat of Aadhaar is that if the biometric database is compromised, we will all be permanently in trouble.  We cannot withdraw our biometrics from the system. Even if there is a single hack of the biometric database, it means the Aadhaar project is over: there would be a catastrophic failure of the system. In engineering, we do not build systems in which a single failure means the end of the system. And we do not build a system which has no chance of a recovery from one such failure.

Before Sharma and Nilekani wax eloquent about UIDAI and the beauty of the engineering of the Aadhaar system, let us reflect on that other monolith, the National Security Agency of the US. They surely had as good security experts as UIDAI has. One Snowden in such a system could walk away with the entire database. And compromise all its data. This is what a single point failure of the system means.

All systems need human beings, and human beings will find ways around the security that they themselves have built. The chance of failure must take human failure into account. It is people who code security into the system and know in how many ways it can be hacked.

It is not an accident that many countries considered an Aadhaar-like national registry and gave it up.  Why Aadhaar persists in India is the combination of naive technological hubris, combining with the dream of a security state – a perfect fusion of Big Data meeting Big Brother. That is what we are fighting in India today.