Lately I have been concerned about the sustained campaign against Aadhaar, in which the modus operandi is scaremongering. It has made people hesitant in sharing their Aadhaar details for accessing legitimate services. Slowly, deliberately, Aadhaar is being shown as a dangerous artefact because it could compromise security. Hashtags like #destroyAadhaar have been created. Another trend is to blame Aadhaar for vulnerabilities of other systems. A recent example was the data leak in EPFO, which was presented as an Aadhaar data leak because the records of EPFO beneficiaries have their Aadhaar numbers in the data. Reacting to such distorted presentation of facts, somebody asked an interesting question: If cash gets stolen, can it be termed as an RBI data leak because the currency notes carry RBI serial numbers?
In my view, what needs to be understood is that Aadhaar demographic data itself is nothing secret. The linking too is one-way and no harm can be caused if the Aadhaar number is leaked or shared. I had said so in an interview recently. In reaction to the article, one Twitter user challenged me to publish my Aadhaar details if I had so much trust in the system. I thought about it and decided I should have the courage to act on my belief. While I am an impulsive person at times, this tweet was not an impulsive one.
I hadn’t expected it, but the tweet became viral. It also alarmed some of my well-wishers about the risk I had taken. To them, to the general public and to the hackers who dared me to reveal the number, I have the following thoughts to share.
First, to my well-wishers: Having devoted an important part of my life to contributing to the design and implementation of Aadhaar, I do understand how it works and what can and cannot be done with it. At the UIDAI I had the opportunity to work with the finest brains in developing a system that can deliver what it was designed to, while resisting malevolent attacks. I wanted to prove the larger point that Aadhaar is designed in such a way that it cannot cause harm to the holder, but only empowers him or her. You would agree, my dear friends, that at the end of the day if one lacks courage of conviction then one’s life has been a waste.
Second, to the general public, which includes many talented and thoughtful people: The truth is that people are proving their identity today through the Aadhaar online platform. This is empowering millions of people who get subsidies into their account or obtain other benefits. (People are also providing a copy of their Aadhaar cards to various service providers, though this is neither required nor desirable.)
Widespread adoption of Aadhaar has started affecting those who want to game the system for tax evasion, benami properties and other such activities. By creating a scare, their objective is to discourage people from sharing the Aadhaar number, thus allowing the vested interests to continue to play as before. To reassure everyone that Aadhaar was indeed safe to share in actual use, I disclosed my Aadhaar details. My purpose in engaging in debate is to prove by my own example that Aadhaar number disclosure cannot cause any harm. Aadhaar provides only authentication services and in doing so, the UIDAI does not know where it is linked to, in a federated data model. Unfortunately, the critics of Aadhaar attribute the vulnerabilities of those domains to which Aadhaar provides service as vulnerabilities of the Aadhaar system itself, as in the EPFO case.
We live in a digital world and interact with multiple systems. These systems many times are not built robustly, making their users vulnerable. Similarly, users are also not careful to use strong passwords and keep their systems clean. This compromises their security. All of us need to work to harden the systems. But all such weakness in the ecosystem cannot be laid at the door of the UIDAI. My point is simple: Aadhaar does not contribute to increasing any of your other digital vulnerabilities.
While I did reveal my own number, I am not suggesting for a moment that any of you could also publicly share your Aadhaar number. Far from it. Replicating the same challenge doesn’t prove anything more. Finally, to the so-called hackers who actually challenged me, rather than the other way around: You have found information about me that other users could have obtained by a determined Google search without the benefit of knowing the Aadhaar number. Having failed to penetrate the UIDAI’s system, you have tried to hack my email accounts (unsuccessfully) and to subscribe me to a large number of services. Many of these services take reasonable precautions and have sent me innumerable OTPs in their attempt to authenticate my ID. That’s been a waste on their part and a waste of my time. Your time is wasted too, but apparently you don’t care.
One interesting hack was to deposit one rupee in my account through the marvel of a system called UPI, which has been built by our country to enable financial inclusion on the scale we need. The world is in awe of this technology. But if you define crediting a rupee to an account as hacking, well more people might be happy to be hacked. In the last two days, there have been hundreds of attempts at false authentication from UIDAI servers and not even a single one of them has succeeded. Thus far I have not lost the challenge and I’m very confident that I will not. Yes, some distress may be caused to me by the concerted effort of so many people. However, for that Aadhaar is not to blame.
Would it be too much to expect an honest admission of these facts from the so-called hackers or critics of Aadhaar? I hope this challenge would put an end to the scaremongering so that the people of India, for whom this infrastructure was built, can benefit from the technology and go about their lives in peace.