Should the government, or bureaucrats, challenge citizens to an online duel over privacy or any other such sensitive issues? Or should they rather spend that valuable time addressing such sensitive issues in the appropriate fora?

When Trai Chairman R S Sharma tweeted over the weekend: “@rssharma3 My Aadhaar number is 7621 7768 2740 Now I give this challenge to you: Show me one concrete example where you can do any harm to me!", he clarified that he was doing this as an individual.

It’s very hard, though, to ignore Sharma’s official position even if he tweets in his individual capacity and that was not lost on the twitterati.

Aadhaar is indeed a very sensitive issue in India with both its proponents and opponents breathing down each other’s necks--both online and offline. And rightly so! The reason: The scope of Aadhar was very different from what was earlier spelt out by the UIDAI—the 12-digit number (or 16-digit virtual identification, or VID) is now being solicited (and in many cases, being demanded) for everything from getting a mobile connection, banking account, filing tax returns, getting hotel accomodation, and applying for passports. This enlarged scope, of course, has been challenged and the matter is sub judice.

Moreover, the country is on the verge of getting a comprehensive data protection law. Sharma’s tweet, hence, comes at a time when the draft Srikrishna Committee report is out and has recommended that the Aadhaar Act “needs to be amended significantly to bolster privacy protections and ensure autonomy of the UIDAI."

The report also points out that the recent announcements of the UIDAI relating to the Virtual ID--creating an alias for authentication keeping the Aadhaar number out of the knowledge of the entity requesting authentication--"...have significant potential to ensure both collection limitation and data minimisation..."but have “no statutory backing...and it is unclear as to how they are to be effectively implemented."

The committee submitted its report and the draft Personal Data Protection Bill, 2018 to the government on Friday. The bill deals with collection, storage and processing of personal data, consent of individuals, penalties and compensation, code of conduct and an enforcement model.

In this context, the question is not whether Sharma, who still codes and has a computer science background, has succeeded in proving his point that the Aadhar number is unhackable, or whether hackers have got the better of the Trai Chairman and proved him wrong. The point is that the country’s debate over the privacy of Aadhar data should not be degraded into a petty online duel that is unlikely to have any positive outcome -- both the proponents and opponents of Aadhar will continue to claim victory and much time will be spent over this unproductive activity.

The government and bureaucrats will do well to take a leaf out of the book of the world’s top companies that employ ethical hackers to proactively identify vulnerabilities in the system. For instance, Google Inc. launched Project Zero in July 2014 to “significantly reduce the number of people harmed by targeted attacks", for which they hired “the best practically-minded security researchers". Companies like International Business Machines Corp. (IBM) also have their own ethical hacking teams.

Sharma, for instance, could bank on the expertise of the Indian Computer Emergency Response Team, or CERT, to hire ethical hackers to check how vulnerable the UIDAI is. It could alternatively, advertise for ethical hackers or organise a public contest for the same. Such moves would increase the credibility of the government.

While Sharma is undoubtedly concerned over the attacks on the integrity of the Aadhar database, opening oneself to ridicule on the internet by challenging the world’s hackers is certainly not the best way of going about the task. It will further alienate his opponents and do disservice to the larger debate on privacy.

Close