
Accounts can be hacked, but not through Aadhaar


On the evening of August 2, French security expert and ethical hacker Elliot Alderson, a.k.a. @fs0c131y, tweeted, “Many people, with different providers, with and without an #Aadhaar card, with and without the Aadhaar app installed, noticed that your phone number is predefined in their contact list by default without their knowledge. Can you explain why?” After the tweet, Twitter was soon trending with allegations of privacy violations by UIDAI. While some compared it to NSA’s snooping, others cast wild aspersions of an imminent police state in India.

By August 3, many newspapers and product websites had circulated the IANS syndicated news feed: ‘People aghast as UIDAI helpline number mysteriously appears in phonebooks.’ However, UIDAI was quick to rebut the charge of issuing a directive to telecom companies, though the news went viral on the internet and national television channels. A political slugfest erupted between the Government and the Opposition, both in Parliament and in the media. On Saturday, August 4, most national papers front-paged the news with a clarification. They confirmed that the UIDAI helpline number that had popped up in phones turned out to be an inadvertent error by Google. So was it a secret directive, a goof-up, a hoax scare or just crying wolf?

Over 70 years ago, British novelist George Orwell published a fictional futuristic novel titled 1984 in which he predicted a police state, a perpetual state of war and public manipulation by national Governments using surveillance. Since then the bogey of the ‘Big Government’ has been raised time and again, with fear mongering about privacy violations across the world. But, nonetheless, it is important to explore the capability of UIDAI to violate citizens’ privacy with the use of Aadhaar, as well as the citizens’ vulnerability once the number is known.

Let us first understand the role and capability of the UIDAI. The UIDAI is not in any way a telecom regulatory authority and cannot issue directives to telecom companies by itself. It maintains the Aadhaar database and has two data centres — one in Bengaluru and one in Gurugram. It has 10 offices, fewer than 1,000 people, and no dedicated surveillance team. It has no capability, manpower or authorisation to collect any data other than that required for Aadhaar. But irrespective of its security measures and claims, it is not possible for it to protect any Aadhaar identification number from ethical or unethical hackers, if the data has been loaded on the internet.

The Aadhaar number is simply like a social security number issued around the world. Though it does not provide comprehensive social security, it helps the Government identify recipients for subsidies and Government services. But since the number is often uploaded on the internet every time a digital transaction is done against it, it becomes a soft target that can be tracked. Simply speaking, you don’t have to hack UIDAI to get somebody’s Aadhaar number, or hack the Government’s IT database to get the PAN number, the Election Commission to get the voter ID or a banking website to get the bank account number of an individual. There are simpler ways to do it without having to hack government databases, and it is the private sector and not the government that holds the key.

Essentially, all our information stored in our mobile phones can be accessed by the phone company, like Samsung, the software company, like Android Google, and a service provider like Airtel or any other. The current UIDAI data insertion was inadvertently done by Google. But, of the three, the mobile services companies have been traditionally suspected of accessing and even selling user data, though they deny it. The cold calls by bank executives, credit card companies, real estate agents or educational institutions that spam you relentlessly happen only because a service provider could possibly have sold the data. They reportedly provide unlisted numbers to buyers of bulk databases, so that you, or a regulatory body to whom you complain, cannot track back and identify the cold caller.

The internet is a big open pipeline and whether you are using a desktop or smartphone, you are uploading data on the internet that can be hacked or simply copied. Whether it is from social media or e-commerce, search websites or institutional ones, all data can be reproduced. Similarly, the websites you visit, your Google searches and your CV data are traceable through web scraping by Python code or any other advanced software. Millions of people upload data on thousands of websites through hundreds of devices every day, and very little of that data is encrypted. But what is encrypted or time-barred to elapse is your online payment transactions: your OTP numbers, your fingerprints, your bank signatures and passwords. And once they are secure, any Aadhaar number leakage cannot compromise your privacy. This is not to say that your bank accounts can’t be hacked, but it is not by knowing your Aadhaar number.

The writer is an author and senior journalist. Views are personal.
