Dear Mr Sharma,
On Saturday afternoon you decided to make your Aadhaar number public on Twitter. You challenged users to show “one concrete example where you can do any harm to me!”.
The big question is, can ‘harm’ be caused using your Aadhaar number? Short answer – YES.
The purpose of this letter is to precisely explain how the availability of your Aadhaar number has acted as a key to exploiting existing vulnerabilities in government apps and websites.
As former Director-General of UIDAI, your insistence on no harm being caused is baffling. While the #AadhaarChallenge that you have inadvertently sparked is problematic and dangerous for several reasons, we shall restrict the scope of this letter to explain the ‘harm’ bit.
Suppose the individual controlling your data chooses to use it for, say, gaining entry into a space that requires an ID card. In security parlance, using or processing data in a manner other than the one for which it was intended is what constitutes harm.
“Harm occurs when someone else is in control of your data and uses it on your behalf without your consent. It doesn’t have to be a financial loss for it to count as harm,” said Anand V, a security researcher, who has written extensively on Aadhaar.
Your Aadhaar number, thus far, has been used to send money to you without your consent, to access your PAN number, to open accounts on Facebook and Amazon cloud services, and also to obtain your Air India frequent flier number. In all these cases, the data has been used in ways you did not intend it to be used.
You, sir, have been ‘harmed’. Let us now go through some concrete examples of this.
Sir, as you may be aware, one need not break into the “Aadhaar database or UIDAI servers” in order to misuse the Aadhaar number or gain personal information. There are several vulnerabilities and leaks in other databases as well as apps and portals that can be exploited with an Aadhaar number. To assert that no harm has occurred just because UIDAI’s Central Identities Data Repositories (CIDR) has not been breached is not a meaningful justification.
On Saturday night, a user transferred Re 1 to your Bank of India account. It was the availability of your Aadhaar number that enabled this transaction on the BHIM UPI app.
Since you have persistently denied harm, here’s why this is important:
Sir, this example is yet another damaging proof of the extent of the harm that can be caused with an Aadhaar number. A user created a fake Aadhaar ID card with your number and other details like date of birth and address. He used it as identity proof to create the account and surprisingly it was accepted.
He can potentially avail of services and also place advertisements in your name. He has said on record that he has only done so for “educational purposes” and did it to show how the public availability of an Aadhaar number can lead to this.
Sir, we are sure you will appreciate the magnitude of this harm. This exposé is important also because it has pointed to another serious vulnerability in a government portal – www.incometaxindiaefiling.gov.in.
The user, Kanishk Sajnani, has demonstrated how one can easily obtain your PAN number by exploiting a shocking flaw in the website’s design. All he had to enter was your name, gender and date of birth. These details were obtained from your Aadhaar number. The portal, though, allowed him to enter his own mobile number, as a result of which the OTP request went to his phone. Once he entered the OTP digits, the portal revealed your PAN number.
The portal also allows the use of one’s PAN number to gain access by resetting the victim’s number. In your case, the security question was “What was your favourite time?” It turns out that the portal lets you attempt an answer an indefinite number of times. There is no rate-limiting mechanism in place.
While this reveals serious flaws in the e-filing portal’s design, it also unequivocally demonstrates how an Aadhaar number can be used to cause harm.
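To make the two design flaws concrete, here is an added example (written for this letter, not code from the e-filing portal) that models the recovery flow as described, beside a hardened variant that delivers the OTP only to the number on record and locks the account after three wrong security answers. The account record, PAN and phone numbers are constructed sample values.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

def hash_answer(answer: str) -> bytes:
    # Normalise case/whitespace, then hash (toy: unsalted, for brevity).
    return hashlib.sha256(answer.strip().lower().encode()).digest()

@dataclass
class Account:
    name: str
    gender: str
    dob: str
    registered_mobile: str
    pan: str                  # the secret the recovery flow guards
    answer_hash: bytes        # hashed security-question answer
    failed_attempts: int = 0
    locked: bool = False

# Constructed sample record; every value is fictitious.
def sample_account() -> Account:
    return Account("A Person", "M", "1960-01-01", "+919900000001",
                   "ABCDE1234F", hash_answer("dawn"))

class WeakPortal:
    """Models the described flaws: the OTP goes to whatever number the
    requester types in, and security-question guesses are never limited."""
    def __init__(self, acct: Account):
        self.acct, self.pending = acct, {}
    def request_otp(self, name, gender, dob, mobile):
        if (name, gender, dob) != (self.acct.name, self.acct.gender, self.acct.dob):
            return None
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending[mobile] = otp
        return mobile, otp            # simulated SMS: (recipient, code)
    def reveal_pan(self, mobile, otp):
        return self.acct.pan if self.pending.get(mobile) == otp else None
    def check_answer(self, answer):   # no counter, no lockout
        return hmac.compare_digest(hash_answer(answer), self.acct.answer_hash)

class HardenedPortal(WeakPortal):
    MAX_ATTEMPTS = 3
    def request_otp(self, name, gender, dob, mobile):
        # The caller-supplied mobile is ignored for delivery: the code only
        # ever goes to the number already on record.
        return super().request_otp(name, gender, dob, self.acct.registered_mobile)
    def check_answer(self, answer):
        if self.acct.locked:
            return False              # locked accounts need out-of-band recovery
        ok = super().check_answer(answer)
        self.acct.failed_attempts = 0 if ok else self.acct.failed_attempts + 1
        if self.acct.failed_attempts >= self.MAX_ATTEMPTS:
            self.acct.locked = True
        return ok
```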
A security researcher, Karan Saini, in his blog has documented a vulnerability that allows phone numbers to be extracted from known Aadhaar numbers. You can read about this massive vulnerability here.
“The digilocker.gov.in website reveals the last four digits of linked phone number prior to successful authentication. This means that a user would simply have to enter an Aadhaar number when signing up for DigiLocker and the last four digits of the linked phone number would then be displayed,” mentions Saini in his blog.
Even though this was revealed months ago, it remains unresolved.
While you claim that revealing your phone number is not a big deal, it would be wise to appreciate that for millions of Indians, especially women, the leak of one’s mobile number can lead to harassment, blackmailing, and in some circumstances, attacks.
As you may already be aware, publicly posting an Aadhaar number is a criminal offence under the Aadhaar (Targeted Delivery of Financial and other Subsidies, benefits and services) Act, 2016.
By making your number public, you are committing an act that is against the law. By challenging others to ‘cause harm’ you are also inciting others to break the law and be guilty of criminal offences. This assumes greater significance given that you are a public servant yourself.
Sir, UIDAI CEO Ajay Bhushan Pandey had shared his Aadhaar details with the Supreme Court in March and that did not go down well either. This must not devolve into a trending challenge.
Sir, thank you for your patience in reading this letter. The purpose of this letter is to explain and demonstrate how you have already been harmed. In all the examples provided, individuals have not had to attack the UIDAI database. They have simply pointed towards porous applications and websites which can be exploited with your Aadhaar number and in a manner you didn’t intend for it to be used.
The harm is real and has been caused already. We are waiting for you to recognise the same.
Sincerely,
The Quint