The Twitterati have had a long run since I responded to a challenge to reveal my Aadhaar number. It was a challenge I could not have declined without accepting that Aadhaar is vulnerable to attacks. The social media, television and print media have had time to weigh in with their perceptions. It’s time to take stock of what really happened last week.
Knowledgeable people have expressed viewpoints, on both sides of the debate. Unfortunately, finer points about technology, law or public policy were lost in the cacophony of trolls. What has emerged is a distorted, collective viewpoint aggregating the loudest voices of those who understood the least. That’s not the outcome we want from debates. Do we?
The lesson is that social media is not the place to discuss complex issues, especially when the atmosphere is vitiated and emotionally charged. As we reflect upon the wreckage of the twitterstorm, the first question is the harm which arose from the disclosure of the Aadhaar number itself and not from the drama that unfolded.
The first claim of harm was the breakthrough discovery of my mobile number. You can get the last three digits of the mobile number from UIDAI as a hint to the Aadhaar holder about their number. After that, it requires brute force to fill in the remaining digits. Instead of going through the millions of combinations, it is easier to find someone’s mobile number from other places where he may have provided it. Mine was found by searching the internet, as revealed by “the finders” on Twitter.
The second claim was the publication of a photograph of mine with my daughter, taken from my WhatsApp account. Everyone who includes a photograph in their profile on WhatsApp or in other social media runs the same risk. You don’t need Aadhaar for that (most people don’t look too good in their Aadhaar photograph anyway).
Next, some hackers claim to have deposited money in my bank accounts. That has been possible since the early days of banking, and this never requires the account holder’s consent. Making deposits has, though, now become easier thanks to an innovation called UPI. You can pay using an Aadhaar number, a bank account number or a telephone number, or by scanning a barcode. Businesses too can present an invoice using the same system, making banking frictionless. This is a great achievement of the banking sector in India. Billions of rupees have been credited to beneficiaries’ accounts as Direct Benefit Transfer (DBT) through the Aadhaar-Enabled Payment Services (AEPS) and Aadhaar Payment Bridge (APB). This has empowered the poor and the needy by eliminating middlemen and other rent-seekers. Actual harm would have been if someone had taken money out of my account. The hackers did try with “collect requests”, but in such cases, our banks appropriately require the account holder’s approval.
Next comes publication of my bank account details. I’m not sure of the methods used, but the list of accounts and even the banks is incorrect. A more reliable way to find account numbers is from the account holder’s cheques on which the bank prints it clearly.
Interestingly, a smart alec got my Air India frequent flyer number and provided the transcript of the interaction on Twitter. Air India too has independently mailed the transcript to me. People do forget their frequent flyer numbers and airlines are helpful in such cases: They ask a few basic questions to verify you are indeed who you claim to be and tell you the number. That’s what happened, only this time it was an imposter. If the airline wanted to secure that information better, they could have sent an OTP or used the Aadhaar authentication service. Indeed, when an imposter tried to book a first class ticket to New York, the airline demanded stronger proof of identity and the attempt failed.
People tried to buy or subscribe to things on my behalf. I received OTP and confirmation requests from Zestmoney, Mobikwik, Bankbazar, Snapdeal, Amazon, Flipkart, Hotelbids, Joister, Treebo, Behrouz Biryani, Freecharge, Xiaomi, Redbus, Polbuz, etc. I just ignored the OTPs and the transactions did not materialise.
Aadhaar offers both demographic and biometric authentication. The hackers have made more than 500 authentication attempts against my Aadhaar number thus far. These efforts have come to nought as the OTP comes on my mobile and it is impossible to correctly guess and plug a six-digit number, that too in 30 minutes.
Though unrelated to Aadhaar, the hackers claimed to have discovered a subscription to some “right-wing” magazine in my name. I am unable to recall subscribing to any magazine, nor is it being delivered to me. I do wish to know more details about it so that I can either get the service started or ask for a refund.
Another incident included a mail sent to my daughter on her official email ID. It has been marked to some journalists too. It has nothing to do with Aadhaar nor is it an example of hacking. It is a criminal act born of sheer desperation.
From all that is recounted and has happened, the conclusion is that nothing was hacked and no harm caused because some people got hold of my Aadhaar number. Whatever they could obtain is information available on various websites. The inconvenience caused did not arise from any vulnerability in Aadhaar. It was caused by people feeling vulnerable in their stand against Aadhaar, who resorted to absurd, unethical and downright criminal acts, proving nothing but the hollowness of their claims. There is a concerted effort to discredit Aadhaar by vested interests.
This episode highlights that basic precautions are necessary in the digital world. For instance, if you haven’t secured your email account with a strong password and by a second-factor of authentication, you could come in harm’s way.
I was trolled for a week. When the so-called hackers failed to get anything using Aadhaar, they tried other means, all foul. In their frustration they resorted to threatening my family, asking for ransom, impersonation and mud-slinging. Personally, I believe that words like “hacker” or “security researcher” would be too honorific a description for them.
Ultimately, the truth prevailed, which cannot be hacked or trolled — certainly not for long.
It stands reaffirmed that Aadhaar is a safe and secure public utility: Do not be afraid to share your Aadhaar number, whenever and wherever needed. No harm can come to you due to this. To dispel such doubts, the Press Information Bureau has released a video recently, informing people of the truth.
Finally, to those who question this challenge emanating from a public servant, I swear to acting on my conscience and conviction, consistent with my allegiance to the Constitution of this great country.