Sharma, who's a defender of the security of the nation's Aadhaar digital ID system, attempted to demonstrate that security by tweeting his Aadhaar number and inviting anyone to attempt to use it to access his personal information. The result? Several ethical hackers claimed they used the number to do just that (see: Unusual Attempt to Prove Aadhaar Security Raises Questions).
In Parliament on Tuesday, Congress leader K. C. Venugopal raised questions on Aadhaar security, prompting the UIDAI to issue a statement.
"Such activities (publicly sharing Aadhaar number) are uncalled for and should be refrained as these are not in accordance with the law. Aadhaar is a unique identity which can be authenticated to prove one's identity for various services, benefits and subsidies," UIDAI said.
#PressStatement People are advised to refrain from publicly putting their Aadhaar numbers on internet and social media and posing challenges to others. 1/n — Aadhaar (@UIDAI) 31 July 2018
UIDAI reiterated that the Aadhaar number should be shared only for establishing identity and for legitimate transactions.
"Authentication through somebody else's Aadhaar number or using someone else's Aadhaar number may amount to impersonation and thereby a criminal offense under the Aadhaar Act and Indian Penal Code. Persons committing such acts or abetting or inciting others to do so makes them liable to prosecution and penal action under the law," the UIDAI added.
So will Sharma face prosecution for his Twitter stunt? We'll have to wait and see.
Don't Set a Bad Example
Meanwhile, government officials should take heed: Be careful to avoid setting a bad example when it comes to privacy.
Sharma's explanation for his Twitter stunt didn't help matters: he tried to defend his actions as a way of demonstrating that Aadhaar is trustworthy.
"Lately, I have been concerned about the sustained campaign against Aadhaar, in which the modus operandi is scaremongering. It has made people hesitant in sharing their Aadhaar details for accessing legitimate services. Slowly, deliberately, Aadhaar is being shown as a dangerous artifact because it could compromise security. The point was to prove that Aadhaar does not contribute to increasing any of your other digital vulnerabilities," Sharma said.
#ExpressOpinion | Thus far I have not lost the challenge and I'm very confident that I will not. I hope this puts an end to the scaremongering so that people can benefit from the technology, writes TRAI chairman @rssharma3 https://t.co/dNAEXCSBaZ — The Indian Express (@IndianExpress) 31 July 2018
Despite the claims of ethical hackers, Sharma said they were able to access his data from publicly available sources, not because they had his Aadhaar number. "Thus far I have not lost the challenge and I'm very confident that I will not. I hope this puts an end to the scaremongering so that people can benefit from technology."
While UIDAI and law enforcement officials decide whether to prosecute Sharma, Indian officials need to continue to work harder on building the credibility of Aadhaar, in light of so many well-publicized Aadhaar-related breaches.
Also, security practitioners in all sectors should follow security best practices, including those spelled out in the Aadhaar Act.
The committee that drafted a data protection bill pointed to the need to review the functioning of the UIDAI, which was a welcome move.
For example, the Aadhaar Act is silent on the UIDAI's powers to take action against companies that wrongly insist on obtaining Aadhaar numbers, those using Aadhaar numbers for unauthorized purposes and those leaking Aadhaar numbers.
Clearly, there's lots of work to do to assure the public that the Aadhaar system is, indeed, secure and doesn't place their privacy at risk.