Dear Mr R S Sharma: Aadhaar Number has no place on the Open Web
The Center for Internet and Society recently published a report called Information Security Practices of Aadhaar (or lack thereof): A documentation of public availability of Aadhaar numbers with sensitive personal financial information. After it was published, it received wide media coverage.
R S Sharma, currently chairman of the Telecom Regulatory Authority of India, or TRAI, responded to this report with a blog post titled “There has been no Aadhaar ‘data leak’”. Sharma is the former CEO of the Unique Identification Authority of India, or UIDAI, the agency responsible for issuing Aadhaar numbers to Indian residents, and has an inside view on the identity project.
In his blog post, Sharma argues that publication of Aadhaar numbers and other personal details by authorities as part of beneficiary details doesn’t constitute a data breach or data leak. He further argues that public authorities are, in fact, forced to publish personal details for transparency under the Right To Information (RTI) Act.
We in the open data and RTI community have been answering such questions for a very long time. Hence, I thought it’s a good opportunity to settle this debate.
I am going to ignore Sharma’s questioning of the timing of the reports. He just needs to do a Google search to find previous reports on data leakage or privacy violation in India.
Let’s examine the important parts of his claim.
Sharma starts with “Aadhaar is not a secret or confidential number. It is a random number bereft of any intelligence.” His reasoning is that, as per the Aadhaar Act, “An Aadhaar number shall be a random number and bear no relation to the attributes or identity of the Aadhaar number holder.” This statement is from the enrolment section of the Aadhaar Act, which states how a number gets generated. It’s true that the generation of an Aadhaar number is random and not a function of user attributes. But once the generation is complete, it gets attached to a user and stops being random. In fact, it becomes unique.
It is true that you can’t derive an Aadhaar number given the attributes of a user, but the reverse is not completely true. Given an Aadhaar number, you can look up the user’s information, especially when complete Aadhaar numbers are littered all over the open web. One can go further and create a dossier of personal information by finding and joining datasets based on the Aadhaar number. Hence, stating “Aadhaar is not a secret or confidential number” is misleading and dangerous.
Further, Sharma quotes two specific laws to say it’s legal to share; in fact, he says, public authorities are mandated by law to share. He notes that Section 29(4) of the Aadhaar Act prohibits publishing Aadhaar details unless specified by the regulations.
This is what the relevant part of Section 29(4) says: "No Aadhaar number or core biometric information collected or created under this Act in respect of an Aadhaar number holder shall be published, displayed or posted publicly, except for the purposes as may be specified by regulations."
The referred regulation in this case is Section 4(1)(b)(xii) of the RTI Act:
“4(1) Every public authority shall—
(b) publish within one hundred and twenty days from the enactment of this Act,— (xii) the manner of execution of subsidy programmes, including the amounts allocated and the details of beneficiaries of such programmes;”
The RTI Act says “details of beneficiaries” and hence, as per Sharma, the Aadhaar number along with other personal information of the beneficiaries is required to be public.
It’s important to note that the premise of Section 4 of the RTI Act is to make public authorities transparent and accountable by publishing the data suo motu. Its requirement is not to expose information of beneficiaries.
Section 4(1)(b)(xii) doesn’t define what exactly “details of beneficiaries” means. It is left to the judgement of the information officer. In each case, he is expected to validate the data against Section 8(1)(j) and then publish it.
Section 8(1)(j) prohibits sharing personal information if it causes any “unwarranted invasion of the privacy of the individual” unless the officer thinks there is a larger public interest in disclosing the personal information of every beneficiary.
This is what the relevant part of Section 8 (1) says: Notwithstanding anything contained in this Act, there shall be no obligation to give any citizen,—
(j) information which relates to personal information the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual unless the Central Public Information Officer or the State Public Information Officer or the appellate authority, as the case may be, is satisfied that the larger public interest justifies the disclosure of such information: Provided that the information which cannot be denied to the Parliament or a State Legislature shall not be denied to any person.
Now let’s take an example from the CIS report: the NREGA dashboard. For the sake of transparency, wouldn’t it be enough to publish the job card number, name and address of the beneficiary? Is it really required to publish name, address, job card number, bank account number, Aadhaar number, caste etc.? Isn’t exposing a person’s caste, Aadhaar number, or mobile number an “unwarranted invasion of the privacy of the individual”?
Let’s be conscious that the information exposed here is not that of big contractors or businessmen. It’s that of daily labourers, who earn a couple of thousand per month. There is no larger public interest in publishing every bit of information about them, especially when India is going all digital and leaked information can also cause financial loss. It opens doors for fraudsters to perform attacks such as social engineering on unsuspecting individuals.
Sharma says, "Section 8 exemptions will not be able to hold back the Aadhaar numbers." We have to disagree. We have enough privacy reasons to completely remove the Aadhaar number using section 8(1)(j). The authorities need to be sensitised about personal data, and citizens need to pressurise them to follow the law.
This is exactly what happened with the TRAI in April 2015, when the telecom regulator made public a million email IDs of people who had written in with their views on net neutrality. Rahul Khullar was chairing the TRAI then. Making email data public meant exposing respondents to spammers and cyber criminals. The TRAI tried to defend the act in the name of public consultation, transparency etc. But it soon started cleaning up after many media reports put pressure on it to remove the personal information.
After the incident and pressure by the civil society, TRAI announced before its next consultation: “All stakeholders are hereby informed that during submission of their counter comments, if anyone desires that his/her email id should not be displayed, it may be specifically stated so in the email.”
This instance was just about email addresses. Imagine if you had your Aadhaar number, mobile number and much more online. We need to be much more serious because the stakes are higher.
Further, under section 28(4)(c) of the Aadhaar Act, it’s the responsibility of UIDAI to ensure third parties keep information secure and confidential. UIDAI is expected to make proper agreements and arrangements to ensure this happens:
"28. (1) The Authority shall ensure the security of identity information and authentication records of individuals.
(2) Subject to the provisions of this Act, the Authority shall ensure confidentiality of identity information and authentication records of individuals.
(3) The Authority shall take all necessary measures to ensure that the information in the possession or control of the Authority, including information stored in the Central Identities Data Repository, is secured and protected against access, use or disclosure not permitted under this Act or regulations made thereunder, and against accidental or intentional destruction, loss or damage.
(4) Without prejudice to sub-sections (1) and (2), the Authority shall—
(a) adopt and implement appropriate technical and organisational security measures;
(b) ensure that the agencies, consultants, advisors or other persons appointed or engaged for performing any function of the Authority under this Act, have in place appropriate technical and organisational security measures for the information; and
(c) ensure that the agreements or arrangements entered into with such agencies, consultants, advisors or other persons, impose obligations equivalent to those imposed on the Authority under this Act, and require such agencies, consultants, advisors and other persons to act only on instructions from the Authority…"
It’s a legal requirement, in short. UIDAI simply can’t pass the buck and act innocent about such data leaks. It needs to get across to users of Aadhaar data to follow the law or be held responsible.
Sharma disagrees with the term “data leaks”, stating, “However, to say that publication of Aadhaar numbers by authorities constitutes a data breach, or data leak, is far from the truth.” That can be debated, but to his credit he agrees that publishing the full Aadhaar number may not be the right thing to do. He suggests: “My personal view is that the last four digits of Aadhaar number can be published and the first eight digits be masked. This will satisfy the provisions of both RTI and the Aadhaar Acts.”
We completely disagree. As we have seen before, there is no need to publish the Aadhaar number, in full or in part, to satisfy section 4(1)(b)(xii) of the RTI Act. In fact, UIDAI should enforce non-publication of Aadhaar numbers using section 28(4)(c) of the Aadhaar Act with the support of section 8(1)(j). An Aadhaar number, full or partial, doesn’t have a place on the open web. Publishing it on the open web will put too many unsuspecting people at risk.
We need to stop blaming the transparency requirements of the RTI. We need to sensitise the public authorities about privacy and responsible data sharing. We need to pressurise the UIDAI to enforce its agreements with its partners. Whether you call it a data leak or not doesn’t reduce the harm done if the authorities continue to publish Aadhaar details on the open web.
Firstly, I should clarify, I am not for displaying Aadhaar number publicly. With that said the intention of the following points is only to seek clarification and if possible strengthen your argument, for I am sure this post will be circulated more.
A) Twisted inference: you have put caste, mobile number and Aadhaar number in the same bucket to show how it is a privacy issue without showing how Aadhaar number is in the same bucket as mobile number and caste. Caste has layers. Higher and lower. A person’s caste is used to judge him (not right, but it happens) hence a privacy issue. Mobile number lets others harass the person by calling them and smsing them. The business model of Telecom lets the caller decide the value of the receiver’s time, which is why people don’t share their phone numbers. We have to justify why Aadhaar number is in the same bucket as these before using the bucket to prove it is a privacy issue.
B) Social engineering. There is no clear use case here for social engineering. Aadhaar number like email id, littered around can give some information about the person. But all that information shouldn’t be used as authentication. There is a new service on Product Hunt, which when given a name and organization finds that person’s email id and then you can do a deep search on that person. All his online profiles etc. If some business, like a bank, lets you reset the account or withdraw from it based on such information (like Aadhaar number) then those businesses must be educated. Not the other way around. Arguing for Aadhaar number to be private because businesses use them to authenticate transactions is a nightmare. It is similar to saying email id should be private, for someone might use it to claim someone’s bank account.
C) Real life use case of a social engineering hack with just aadhaar number needs to be proved. Singapore has NRIC number. From registering for an event (even private event like a race) to opening a bank account requires it. 100s of people have seen my NRIC number. They aren’t able to invade into my privacy. Knowing my number doesn’t let them judge me, deny me something or get me into trouble.
D) Reference to law sections to show it is illegal is circular logic. Law is formulated based on certain arguments. We have seen many laws in India which have failed arguments. We use reason to prove those laws are meaningless.
Following up on the comment. A good way to prove a privacy issue is by asking a question: “I know your Aadhaar number, what can I do?”
Eg: I know your caste. What can I do?
Judge you, deny you an opportunity, abuse you for no fault of yours, generalize you, in some cases rape and burn you.
Eg: I know your mobile number, what can I do?
Call you at random times, publish the number on Indian train toilet and get others to call you. SMS you. Register for services and give your number and they will probably send you my shopping confirmation, bank deposit and withdrawal info etc. That is more SMS and phone calls. The industry came with a solution – verify phone number ownership. They SMS or call you with a code. It takes care of the privacy issue aka unwanted SMS and calls.
Eg: I know your email ID. What can I do?
Register it for random newsletters. Register it for my bank account where I put my own money and you get my monthly statements, register for random events, pass it to my friends as my email and you get their mails to me. In short I can spam you. I can’t take your money. I can’t read your emails. I can do a thousand things, but all that will end up just spamming you. So the industry responded with a mechanism – verify email. That stops the spam.