A case of misplaced enthusiasm
New Delhi: Telecom Regulatory Authority of India (TRAI) Chairman R S Sharma’s open Aadhaar challenge to critics and hackers is nothing but a case of "misplaced enthusiasm" which dilutes the debate on securing the Aadhaar eco-system, emphasise cyber law experts.
Sharma, who made his 12-digit Aadhaar number open on July 28 and created a tweetstorm – not as a government servant but as a normal citizen of India – can set a dangerous precedent for millions of Indians who are still not aware what privacy is all about.
"Throwing such a challenge only shows misplaced enthusiasm. He is treading a dangerous path which can be detrimental in days to come as his personal and bank details are now out in the open," Pavan Duggal, one of the leading cyber law experts in the country, told IANS.
What the TRAI Chairman has perhaps forgotten is that the central data repository at the Unique Identification Authority of India (UIDAI) may be secure, but several third-party vendors are now increasingly accepting Aadhaar as a key document – and that opens it up for misuse, especially given the weak cyber security laws in the country.
"Several FIRs have been lodged against Aadhaar misuse across the country. People's confidence in Aadhaar is slowly being eroded and, at this juncture, rather than working extensively on securing Aadhaar, we see a top government official posting his Aadhaar number on Twitter," Duggal lamented. Ethical hackers have exposed at least 14 personal details of the TRAI chairman since he revealed his Aadhaar number – including mobile numbers, home address, date of birth (DoB), PAN number and voter ID, among others. They can't go beyond this as creating financial break-ins will land them in legal trouble.
"By the way, were you able to cause any harm to me, because now you know my Aadhaar number?" Sharma tweeted to a French security expert, who goes by the nickname Elliot Alderson and uses the twitter handle @fs0c131y, as his personal details began flying all over Twitter. Alderson replied: "If your phone numbers, address, DoB, bank accounts and others personal details are easily found on the Internet you have no #privacy. End of the story."
According to Duggal, personal privacy breach begins with the phone number and it is a tragedy that most Indians – unlike Europeans or Americans – are still not aware what exactly constitutes privacy. "Your phone number (becoming public knowledge) is the first hint that your private space has been breached. Would you wait for hackers to clean up your bank accounts?" asked Duggal.
As part of the European Union's General Data Protection Regulation (GDPR) that came into force from May 25, EU citizens may, at any point, object to an organisation's handling of their personal data. The regulation specifically names "direct marketing and profiling" as personal data uses to which individuals may object to.
The Justice BN Srikrishna Committee on data protection in India has also suggested amendments to the Aadhaar Act to provide for imposition of penalties on data fiduciaries and compensations to data principals for violations of the data protection law. The 213-page report suggests amendments to the Aadhaar Act from a data protection perspective. Jared Cohen, a former US State Department official and an expert on social media and cyber-crime issues, has also stressed there are serious concerns about the collection of biometric data for Aadhaar cards in India and these must be allayed.
"I don't want to meddle in India's politics. But there are concerns (about collection of personal details for Aadhaar card)," Cohen told an IANS correspondent on the sidelines of the third annual BCTECH Summit at Vancouver, Canada, in May. Cohen, currently the CEO and Founder of Jigsaw, a Google arm started to tackle threats to online security, conceded there are arguments on the merits of the Aadhaar system but there are also concerns that must be addressed.
According to Duggal, "Not just cosmetic changes, there is an urgent need for addressing newly-emerging legal and cyber-security challenges concerning the Aadhaar ecosystem on an urgent basis." "There is a need for a more comprehensive legal framework to protect and preserve data and the privacy of individual Aadhaar account holders in particular, and the Aadhaar ecosystem stakeholders in general," he noted.