Digital Native: Double Speak
Aadhaar’s danger has always been that it opens up individuals to high levels of vulnerability without providing safeguards.
The article was published in Indian Express on August 12, 2018.
This has been a month of Twitter drama. In the latest episode, Twitter exploded once again with RS Sharma, the chief of the Telecom Regulatory Authority of India (TRAI). Sharma revealed his Aadhaar number on Twitter and challenged the world (#facepalm) to do their worst. The Twitterati moved quickly and decided to go 50 Shades of Grey on Sharma.
In less than 24 hours, French security researcher Elliot Alderson, who has been systematically showing vulnerabilities in Aadhaar’s technical infrastructure, fished out Sharma’s personal address, birth date, email, alternate phone number, and PAN number. A few other ethical hackers got hold of his bank account details and used Paytm apps to transfer money to one of his bank accounts. Sharma made a grandstand of how this information is not “state secret” and that this was already peppered across the internet for anybody to find. The UIDAI, while calling his tactics a cheap hack, announced that the Aadhaar database was not “hacked” to retrieve this information and that our precious private data is safe in those hands.
What remains really bizarre, in both the responses from Sharma and the UIDAI, however, is their willing blindness to what networked information systems do and look like. There are three main points to consider here. Sharma, marked by privilege, protected by power, and confident in his ability to protect himself in case of threat, might dismiss this private information as non-critical. However, what he fails to realise is that the same data, for somebody in a precarious condition might be sensitive enough to have their life collapse on them. On the nefarious digital worlds of the Indian web, where women are regularly threatened with rape and death as a form of silencing them, where queer people are stalked and followed in real life for blackmail and abuse, where resistant actors find their families threatened, this information in the public domain could literally be a matter of life and death. In the past, with much less information available, we have seen how specific communities could be targeted in times of communal tension and violence. The fact that the head of TRAI cannot look beyond his gilded privilege to the conditions of precariousness that data leaks like these could lead to is shameful.
Perhaps, even more alarming is the UIDAI’s consistent myopic focus on what constitutes safe data. While I have no doubt that the incredible engineers and security experts are working hard to keep the Aadhaar data secure, the Twitter ethical hackers were not making claims of hacking a database at all. They were merely demonstrating why centralised unique ids, which perform acts of causative correlation, have the capacity to build surveillance states without even meaning to. Their data exposure is indicative of the fact that while Aadhaar itself does not carry much information, the linkages it makes with multiple other databases — tax offices, bank accounts, public services, emails, phone numbers, etc. — can expose information profiles without our consent. In fact, the danger of Aadhaar has never been that as a technical system it doesn’t work. The threat that it posits is that as a social and a cultural transaction system it opens up individuals to high levels of precariousness without building privacy safeguards for those who might fall through the cracks.
What remains the most disappointing in this entire piece of melodrama is that the conversations keep on unfolding at two different registers. The Aadhaar activists have been asking not for a dismantling of the system but to build ethical, compassionate, flexible and constitutional checks and balances at the core of the system. Ever since its inception, the demand has been clear: build privacy, security, safety, and human care into the DNA of the system, and not in its afterthought. The UIDAI has persistently neglected and willfully dismissed these demands, thus privileging the security of their infrastructure and data over the safety of their citizens.