India Today – August 13, 2018



This past week, TRAI chairman Ram Sewak Sharma
responded to a heckler on Twitter by sharing his
Aadhaar number and daring the heckler to harm
him. He expressed confidence that no harm would befall
him, but promised no retaliation against anyone who tried
and succeeded. A number of individuals stepped up to the
challenge. Sharma’s primary and backup mobile numbers,
PAN, residential address and even bank account numbers
quickly became public. One researcher demonstrated how
he could deposit a rupee into Sharma’s account without his
consent, using his Aadhaar number alone, thereby creating
an electronic trail of financial relationships.
Sharma’s stunt became national news. Commentators
expressed shock at how easily so much private information
came out in public. Three days later, Sharma wrote his
own op-ed claiming victory because no harm
had befallen him, after all, despite severe
inconveniences. Aadhaar remained secure
because no one had managed to authenticate
himself as Sharma. The votaries of Aadhaar
pointed out that, as a public figure, much of
Sharma’s private information was already public,
so Aadhaar wasn’t a vector. And yet, at least some
of his information was discovered via Aadhaar,
and one researcher even opened accounts
at various merchants on his behalf using a
reconstructed copy of the paper Aadhaar card.
To understand this dichotomy, where both
sides believe they are right while making
opposing claims, we must examine what they
mean when they say “Aadhaar” and “harm”.
Sharma appears to have chosen a very
narrow definition: ‘harm’ via Aadhaar is if
someone manages to use the UIDAI’s services
to authenticate himself at any service provider;
nothing else is harm. So, the researcher who
successfully impersonated Sharma at various merchants had
not harmed him, because those merchants had not followed
procedure specified by the UIDAI.
Sharma’s quest to establish the UIDAI’s innocence is an
unfortunate feature of much pro-Aadhaar commentary.
The UIDAI serves a central but small role in the overall
Aadhaar ecosystem. Any beneficial use in the ecosystem
is to Aadhaar’s credit, but harmful use is not because of
Aadhaar, but because some other organisation did not
act appropriately. When a citizen receives her rations via
Aadhaar authentication, it gets credit for making her life
easier; when she is denied rations, however, it is the PDS
(public distribution system) that shoulders the blame.
The UIDAI’s tendency to appropriate credit while
distancing itself from blame reflects a deep insecurity
over its own survival. The insecurity shows up tellingly
in the deliberate obliteration of the difference between
identification, authentication and authorisation.
The researcher who cloned Sharma’s Aadhaar card made
a valid copy even though the UIDAI recognises only the
electronic record as valid; all paper cards are just copies.
The merchant that accepted this card is then expected to
validate it against the UIDAI’s electronic record, which most
never do. The UIDAI ignores this malpractice to encourage
greater use/ acceptance of Aadhaar. Even if the merchant
were to validate it using the ‘demographic authentication’
protocol, it only proves that the details on the card are valid.
The merchant cannot distinguish between
Sharma and an impersonator using his
card. This confusion between ‘identification’
and ‘authentication’ places the onus of
authenticating the individual on the merchant,
while Aadhaar just hogs the credit for it.
The UIDAI also provides an eKYC service
that performs actual authentication via
biometrics or an OTP. Thanks to pro-Aadhaar
lobbying, eKYC is mandated for phone
connections and bank accounts. However,
when an individual proves that s/he is who
s/he is, it doesn’t mean s/he is implicitly
authorising a transaction on her/ his behalf,
and yet this confusion between ‘authentication’
and ‘authorisation’ was the basis of the Airtel
Payments Bank fraud, in which Rs 190 crore
of subsidy money was diverted using the exact
procedures the UIDAI had prescribed, without
the knowledge of the affected individuals.
Sharma might as well have issued a
challenge to be infected with a disease, and then claimed
victory that no one had managed while he stood in splendid
secure isolation. Such a stunt would miss the point that
diseases are opportunistic, and no one is safe when Aadhaar’s
hygiene is so poor. Sharma would do well to advocate better
hygiene instead, starting with an honest assessment of the
status quo. We should expect no less after the stellar work he
has done during his stint as TRAI chairman.

Kiran Jonnalagadda hosts peer-reviewed discussions for
technology practitioners at HasGeek and advocates for digital
civil liberties at the Internet Freedom Foundation

AADHAAR’S FAILSAFE BRAG IS EXPOSED

UPFRONT: GUEST COLUMN

KIRAN JONNALAGADDA

Illustration by TANMOY CHAKRABORTY
