Dear Mr Sharma, the Aadhaar Harm is Real, Time to Recognise It

Dear Mr Sharma,

On Saturday afternoon you decided to make your Aadhaar number public on Twitter. You challenged users to show “one concrete example where you can do any harm to me!”.

The big question is, can ‘harm’ be caused using your Aadhaar number? Short answer – YES.

The purpose of this letter is to precisely explain how the availability of your Aadhaar number has acted as a key to exploiting existing vulnerabilities in government apps and websites.

As former Director-General of UIDAI, your insistence on no harm being caused is baffling. While the #AadhaarChallenge that you have inadvertently sparked is problematic and dangerous for several reasons, we shall restrict the scope of this letter to explain the ‘harm’ bit.

First, What Really is “Harm”?

The individual controlling your data chooses to use it for, say, gaining entry into a space that requires an ID card. In security parlance, the use or processing of data in a manner that is not intended to be used is what constitutes harm.

“Harm occurs when someone else is in control of your data and uses it on your behalf without your consent. It doesn’t have to be a financial loss for it to count as harm,” said Anand V, a security researcher, who has written extensively on Aadhaar.

Your Aadhaar number, thus far, has been used to send money to you without your consent, to access your PAN number, to open accounts on Facebook and Amazon cloud services, and also to obtain your Air India frequent flier number. In all these cases, the data has been used in ways you did not intend it to be used.

You, sir, have been ‘harmed’. Let us now go through some concrete examples of this.

UIDAI Says its Database has Not Been Breached

Sir, as you may be aware, one need not break into the “Aadhaar database or UIDAI servers” in order to misuse the Aadhaar number or gain personal information. There are several vulnerabilities and leaks in other databases as well as apps and portals that can be exploited with an Aadhaar number. To assert that no harm has occurred just because UIDAI’s Central Identities Data Repositories (CIDR) has not been breached is not a meaningful justification.

Why the Re 1 Transfer is So Important

On Saturday night, a user transferred Re 1 to your Bank of India account. It was the availability of your Aadhaar number that enabled this transaction on the BHIM UPI app.

Since you have persistently denied harm, here’s why this is important:

• The ability to transfer money without your consent means a public official can be blackmailed in many ways. “A possible harm for a public servant is getting unaccounted money from unknown people in his account and bribery charges. With Aadhaar as public (same with UPI) , anyone can send you money and accuse you of bribery,” Anivar Aravind told The Quint.
• The sending of Re 1 also returned a response by the app which revealed that RS Sharma was using a Bank of India account – yet another vulnerability.
• It proved that one does not have to hack into UIDAI’s database to steal protected information. There are existing vulnerabilities in several government platforms that can be manipulated if one has an Aadhaar number.

Someone Subscribed to Facebook and Amazon Cloud with Your Aadhaar

Sir, this example is yet another damaging proof of the extent of the harm that can be caused with an Aadhaar number. A user created a fake Aadhaar ID card with your number and other details like date of birth and address. He used it as identity proof to create the account and surprisingly it was accepted.

He can potentially avail of services and also place advertisements in your name. He has said on record that he has only done so for “educational purposes” and did it to show how the public availability of an Aadhaar number can lead to this.

Your Aadhaar Can be Used to Access Your Income Tax Info

Sir, we are sure you will appreciate the magnitude of this harm. This expose is important also because it has pointed at another serious vulnerability of a government portal – www.incometaxindiaefiling.gov.in.

The user, Kanishk Sajnani, has demonstrated how one can easily obtain your PAN number by exploiting a shocking flaw in the website’s design. All he had to enter was your name, gender, date of birth. These details were obtained from your Aadhaar number. The portal, though, allowed him to enter his own mobile number as a result of which the OTP request went to his phone. Once he entered the OTP digits, the portal revealed your PAN number.

The portal allows the use of one’s PAN number to gain access by resetting the victim’s number. In your case, the question was "What was your favourite time?" Turns out, the portal lets you try for an answer indefinite number of times. There is no rate-limiting mechanism in place.

While this reveals serious flaws in the e-filing portal’s design, it also unequivocally demonstrates how an Aadhaar number can be used to cause harm.

Aadhaar Can Reveal Phone Number – Why is it Dangerous?

A security researcher, Karan Saini, in his blog has documented a vulnerability that allows phone numbers to be extracted from known Aadhaar numbers. You can read about this massive vulnerability here.

“The digilocker.gov.in website reveals the last four digits of linked phone number prior to successful authentication. This means that a user would simply have to enter an Aadhaar number when signing up for DigiLocker and the last four digits of the linked phone number would then be displayed,” mentions Saini in his blog.

Even though this has been revealed months ago, it remains unresolved.

While you claim that revealing your phone number is not a big deal, it would be wise to appreciate that for millions of Indians, especially women, the leak of one’s mobile number can lead to harassment, blackmailing, and in some circumstances, attacks.

Gentle Reminder: Revealing Your Aadhaar Number is a Criminal Offence

As you may already be aware, publicly posting an Aadhaar number is a criminal offence under the Aadhaar (Targeted Delivery of Financial and other Subsidies, benefits and services) Act, 2016.

By making your number public, you are committing an act that is against the law. By challenging others to ‘cause harm’ you are also inciting others to break the law and be guilty of criminal offences. This assumes greater significance given that you are a public servant yourself.

Sir, UIDAI CEO Ajay Bhushan Pandey had shared his Aadhaar details with the Supreme Court in March and that did not go down well either. This must not devolve into a trending challenge.

Therefore...

Sir, thank you for your patience in reading this letter. The purpose of this letter is to explain and demonstrate how you have already been harmed. In all the examples provided, individuals have not had to attack the UIDAI database. They have simply pointed towards porous applications and websites which can be exploited with your Aadhaar number and in a manner you didn’t intend for it to be used.

The harm is real and has been caused already. We are waiting for you to recognise the same.

Sincerely,
The Quint