R.S. Sharma's challenge to hackers was irresponsible in more ways than one and showed how knowing an Aadhaar number can be a very useful starting point to dig up private information on anybody.
TRAI chairperson Ram Sewak Sharma. Credit: Facebook/Ram Sewak Sharma
30/JUL/2018
On Saturday night, in response to technology developer Kingsly John, the TRAI chairman R.S. Sharma published his Aadhaar number, challenging John to give one concrete example of harm that could be done to him.
Following the tweet, users on Twitter were able to dig up the TRAI chairman’s mobile number(s), Gmail and Yahoo addresses, physical address, date of birth, and even the frequent flyer number which is believed to be a response to the security question for changing Sharma’s Gmail password. Multiple bank account numbers have been made public, although one security researcher said that his Aadhaar hasn’t been linked to his bank account, although the chairman contested that. Using his mobile number, his WhatsApp photo (which also had someone who is possibly his daughter) was also made public (but with the woman’s photo cropped out by revealer). They’ve also been able to identify that he uses an iPhone, and sent him money using UPI payments.
Update: Apparently someone has ordered a OnePlus 6 for the chairman, via Amazon, cash on delivery.
Why this is an important development
To understand the importance of this public experiment, we need to understand the importance of the man himself: R.S. Sharma was previously the founding CEO of the UIDAI, which issues Aadhaar numbers. The now TRAI chairman understands technology, has weighed in repeatedly on privacy and security issues, defending Aadhaar. Under his watch, the TRAI even did a privacy consultation, which isn’t a part of the TRAI’s remit, and has sought to expand its jurisdiction beyond telecom to the Internet, even though the TRAI Act limits the regulators actions to telecom alone. The privacy recommendations suggest Privacy by Design. There are rumours that Sharma might be in line to become the first head of India’s Data Protection Authority, if and when that is set up.
This is thus, by no means, a small development. RS Sharma is an important man. Publishing Aadhaar numbers is illegal.
Some comments on this disclosure and the response to it
1. The disclosure will be used to suggest that leaking Aadhaar numbers does no harm: If no harm comes to Sharma because of this – and I hope it won’t – it will be used as an example to justify the fact that publishing of Aadhaar number in public does not do any harm.
That speaks to the privilege enjoys as a senior government functionary, a technologist, and a man.
Understanding technology means that R.S. Sharma would possibly know how to keep his accounts more secure, and might even have two-factor authentication for his email when most people may not. R.S. Sharma has easier access to law enforcement, banks and mobile operators, as well as understanding how they are supposed to work, and access to people who can make them work swiftly for him. Him being harmed would make the front pages of newspapers, and the case could possibly get greater attention and scrutiny, and hence swifter justice.
It’s not clear what R.S. Sharma deems as harm, but harm for him might be money being moved out of his bank account. Well, that and more has been done using Aadhaar: here’s a list of over 100 instances of Aadhaar related fraud.
As Karthik S. said on Twitter, “What’s ‘harm’ to a 25 yr old working woman professional, or a 70 yr old pensioner may not be ‘harm’ to you.”
Doxing is a well known attack vector. To cite Wikipedia on doxing,
“Once people have been exposed through doxing, they may be targeted for harassment through methods such as harassment in person, fake signups for mail and pizza deliveries, or through swatting (dispatching armed police to your house through spoofed tips)”…”The victim may also be shown their details as proof that they have been doxed in order to intimidate. The perpetrator may use this fear and intimidation to gain power over the victim in order to extort or coerce.”
For someone else it could mean monitoring of communications to determine when there’s no one at home, and robbing the house. For a woman, it could mean someone stalking her, and landing up at her house. Being a man means that Sharma won’t ever fully understand or appreciate the insecurity that women feel while living in and traveling in our cities. For someone else, it could mean a stranger gaining access to her email and publishing personal communication. For a business, it could mean revealing of trade secrets from an email account.
The Aadhaar number being made public can be a very useful starting point because of the information it can lead to, as has been demonstrated from the disclosures related to RS Sharma.
2. The disclosure will be used to say that Aadhaar is not necessary for profiling: Essentially, because Sharma is a public personality, it was easier to build a profile for him, pulling out information from current and old government records. Thus, there can be an assertion that Aadhaar is not necessary to build profiles. This ignores the fact that not everyone’s mobile number is publicly available, and profiling can only be done once an identifier is known and linked to multiple activities. Data science has evolved largely to solve this exact problem: People are more secure when there are silos, and companies, hackers, advertisers and many others seek means of breaking down those silos.
It’s why the more evolved and aware technology users use multiple email addresses, each for different purposes. Aadhaar (for government) and the usage of a mobile number (for businesses) as an identifier removes such silos, enables more accurate profiling. This is why this information needs to be treated as sensitive personal data, thus limiting its usage and sharing.
3. It will be used to say that there’s a lot of information about individuals available online, so privacy is a myth: Apart from the fact that usage of different identifiers enables privacy, not everything about everyone is public. We might have medical reports in our inboxes, or linked to our mobile number with some pathology lab that we don’t want published publicly.
Not everything is easily connected either. Often it is the combination of information that can be used to compromise people.
An example of this danger is that once Sharma’s mobile number, email address and date of birth were gleaned, it was used to get his frequent flyer number via an Air India chat-bot. That frequent flyer number is not public, but it is important because that’s the response to his security question for changing his gmail password. A hacker could have changed the TRAI chairman’s email password and gained access to it.
Many government officials use gmail for official work. Uncertainty about the security of our communications chills speech and greatly impacts our behavior and trust of the tools that we use.
4. Harm need not be demonstrated now: Much of the information that has been revealed about Sharma is permanent – it is not clear how soon any harm may come to him because all of these details have been made public. If that does happen – and I sincerely hope it doesn’t – it might not be easy to attribute it to this specific case. The point here is that it’s difficult to always link harm back to a loss of personal data.
Kingsly John publicly sought legal opinion, beyond R.S. Sharma’s assurance that no action will be taken against him if he can demonstrate how R.S. Sharma can be harmed. Rest assured, if it wasn’t a person with the privilege that R.S. Sharma enjoys, and if Kingsly John wasn’t a responsible person, this wouldn’t have happened. They would have just compromised him, just as easily as they could have compromised his gmail address, and never told him.
R.S. Sharma remains susceptible to attacks even now.
5. This is dangerous and not very responsible, perhaps even not legal: In response to the TRAI chairman’s tweet, I’ve seen instances of few people publishing their Aadhaar numbers online, challenging others to compromise their privacy. That is a risk that they are taking, but this is poor form from the TRAI chairman: he may be protected by his privilege, but his actions have directly emboldened other people to foolishly risk compromising their own security.
Srikrishna Committee recommendations treat the Aadhaar number as sensitive personal data, and the Aadhaar Act says that it is illegal to publish Aadhaar numbers. It’s possible that the TRAI chairman has done something illegal by publishing his own Aadhaar number publicly, and also that this act is encouraging illegal activity when others do the same, following in his footsteps.
The TRAI chairman should have been more responsible and cognisant of the possible outcome of his actions, even though he not directly accountable for others publishing their Aadhaar numbers. Even after so much personal information has been revealed about him, he is brushing that aside and asking people to prove harm. He is normalising leaking of sensitive personal data.
This was not very thoughtful of him and his bravado is misplaced and dangerous.
Note: We are not linking to any tweets which detail R.S. Sharma’s personal information even though these are public, in his interest.
