By K. Raveendran
The Unique Identity Authority of India (UIDAI) never had a smart face. The babujis in charge of managing its affairs applied 18th-century logic to the age of artificial intelligence, so the match between what they did and what they intended to do was as grotesque as their organisation’s acronym. An addition of ‘P’ for project would make it sound similar to the Hindi word Udaip, which is how detractors would like to describe it. UIDAI lost even its ugly face when it filed an FIR against The Tribune and its reporter Rachna Khaira, who exposed the security vulnerability of the Aadhaar ecosystem. The reporter revealed how it took her just Rs 500, paid through Paytm, and 10 minutes in which an “agent” of the group running the racket created a “gateway” for her and gave a login ID and password. On entering any Aadhaar number, the gateway printed out all particulars related to the owner of the number, including the name, address, postal code, photo, phone number and email.
But despite its ostrich-style response, the Authority shamelessly announced in the same week that it was introducing a new layer of security to address privacy concerns. Under the new system, starting from March-end, people can share a randomly generated 16-digit temporary number, instead of their Aadhaar number, to authenticate their identity for various services. UIDAI said the initiative, aimed at minimising instances of leaks and misuse of Aadhaar numbers, would enhance the privacy of the 119 crore people who have been issued the identification number. Although it was claimed that the Authority had been working on the Virtual ID for months, the announcement’s timing was so close to the reporter’s breach story that it is impossible for anyone not to link the two as a sequence. It is a different matter whether the new measure will address the vulnerabilities properly. Critics have already questioned the effectiveness of the virtual ID in preventing abuse as long as the authenticating agencies are allowed to store these.
The hurry with which the Authority announced the new measures is a clear vindication of the Tribune expose, UIDAI’s response to which was most reprehensible. The knee-jerk reaction invited condemnation from all around, nationally and internationally. It sullied India’s image as home to the world’s largest tech army. Various press organisations, including the Press Club of India, the Editors Guild, Indian Women’s Press Corps, Press Association and the Mumbai Press Club, created a storm over UIDAI’s action, calling it “a direct attack on the freedom of the press”, and demanded immediate withdrawal of the case.
American privacy whistleblower Edward Snowden said the Indian journalist merited an award, rather than the FIR. A former CIA employee, who blew the lid off US surveillance on phone and internet communications, Snowden said the Indian government should reform its policy to safeguard privacy of its citizens. “The journalists exposing the #Aadhaar breach deserve an award, not an investigation. If the government were truly concerned for justice, they would be reforming the policies that destroyed the privacy of a billion Indians. Want to arrest those responsible? They are called @UIDAI,” Snowden posted on Twitter.
What the reporter did was equivalent to ethical hacking, where professionally managed companies spend millions of dollars to engage hackers, who are challenged to exploit vulnerabilities in the system. Ethical hackers conduct penetration tests on organisations to find vulnerabilities and provide the insight needed to fix flaws before they can be exploited. Businesses that hire ethical hackers get unique insights from an intruder’s perspective. These penetration testers are highly sought after by businesses and the role is increasingly attractive to IT professionals. According to reports, ethical hacking was categorised as the top job of 2017. It is in this context that UIDAI’s action amounts to putting the cart ahead of the horses.
In fact, this is typical of the Indian approach to problem solving. In the 1980s, when an enterprising reporter of a leading national newspaper bought a young woman named Kamla from the Dholpur flesh market at the tri-junction of Rajasthan, Uttar Pradesh, and Madhya Pradesh, and brought her to Delhi and splashed the story in the newspaper the next morning, the government booked him under the law against trafficking in women!
In 2013, when the Manmohan Singh government was seeking a trust vote in the wake of a crisis relating to India’s support to the US on the nuclear issue, three opposition MPs rushed to Parliament with bundles of notes purportedly paid to them to seek their abstention from voting so that the government could survive the ballot. The government won the vote, while the MPs were put in the dock for breaching the sanctity of parliament by exhibiting unauthorised material! There are numerous such examples of the authorities shooting the messenger, instead of acting on the message.
The least that UIDAI can now do is to reward Rachna Khaira for her efforts and apologise to her, the Tribune management, the journalistic fraternity and the whole country for how it responded to the Aadhaar security breach. That they have acted on the vulnerability is welcome, but not good enough. (IPA Service)