Thumbprint image via Pixabay. CC0 public domain.

India's biometric state ID system has been leaking citizens’ data for months. When this information surfaced in April 2017, it stoked fears that the system could be used as an instrument of surveillance against Indian residents.

The Unique Identity Authority of India (UIDAI), which administrates the system known as Aadhaar (meaning foundation in Hindi) maintains that it only collects minimal personal data and stores it securely. But critics have firmly expressed doubts about these claims.

Repeat after me: Aadhaar is surveillance technology masquerading as secure authentication technology.

— Sunil Abraham (@sunil_abraham) February 24, 2017

The implications of these leaks, and of any system flaw in Aadhaar technology, are substantial, especially for Indians who depend on the Aadhaar system in order to authenticate their identities when they use any number of government services. The Aadhaar system has become the gatekeeper of state systems and services ranging from voting to financial savings to food subsidies.

The digital sphere is now starting to see a pushback against Aadhaar critics through articles and blogposts that describe concerned citizens and privacy experts as the ‘anti-Aadhaar brigade‘ and accuse them of publishing “half-truths” and “spread[ing] confusion to advance their own interests.” One such article was even featured on the UIDAI website.

Some of the most well-researched critiques of the system have come from the Centre for Internet and Society (CIS), an inter-disciplinary research organisation in Bangalore that has now become a target of the pro-Aadhaar lobby. Shortly after CIS released a report that pointed out security flaws in the Aadhaar ecosystem, the UIDAI accused the organization of hacking into the Aadhaar system themselves.

In fact, CIS had investigated databases of four specific government websites. Three were available publicly, the fourth one was accessible by simply changing one of the URL parameters. Following the accusation from UIDAI, CIS clarified that the Aadhaar numbers along with other sensitive personal financial information like bank account details were made available by government websites themselves, putting a sizeable portion of Indian citizens at risk of financial fraud.

The Press Trust of India (India's largest news agency) referred to it as a “flip-flop”, which was contested by researchers at CIS.

Points to note: 1) As per OED, this was a “leak”. So PTI report this morning on our clarification is 100% wrong on that. 1/ https://t.co/ywhCzVZFn3

— Pranesh Prakash (@pranesh) May 19, 2017

Independent technology news platform Medianama reported that the accusation by the UIDAI is regrettably consistent with previous actions in which they filed a case against a journalist for exposing flaws in Aadhaar's enrollment mechanism.

A website called ‘Support Aadhaar‘ and its Twitter handle sought to collate opinions supporting Aadhaar and quell those speaking against it. However, most of their messages appear to evade or deflect the concerns that critics have raised by touting the benefits of the system and portraying critics as having a poor understanding of the benefits of technology.

Many Twitter users have also begun noticing patterns in the pro-Aadhaar posts:

Delicious irony, when those fighting for privacy list themselves on their site, but pro-surveillance (ahem, @UIDAI) stay anonymous. pic.twitter.com/dQchSby6zQ

— Aravind R S (@aravindet) May 5, 2017

@jackerhack @DiptiDaveNair @YourStoryCo @SharmaShradha @thej @iotakodali Did @YourStoryCo verified authorship? many parts of the text is a copy paste from an Aadhaar support website with extra care on anonymity.

— Anivar Aravind (@anivar) May 8, 2017

“About” page is still devoid of info. Domain reg. info is anonymized. Now safe to conclude that this is just astroturfing. https://t.co/gmzUieFFnH

— Nilesh Trivedi (@nileshtrivedi) May 17, 2017

Meanwhile, several critics of Aadhaar have repeatedly been trolled by anonymous handles on Twitter:

1 / @TheKenWeb throw your ethics/ code of conducts books, suggest you burn them, look at your house first – full of horse shit you talk

— Indiaforward (@Indiaforward2) May 3, 2017

.@hasgeek Three guiding principles of Hasgeek and @jackerhack

Greed, Profit & Deceit

Got to know from people who have worked with them in the past!

— Rahul (@criticrahul) May 8, 2017

These ‘sock puppet’ accounts seemed to be targeting those who criticise Aadhaar on social media.

So many sock puppet accounts have popped up to defend Aadhaar, almost all of them have fewer followers than tweets.

— @kingslyj (@kingslyj) May 7, 2017

One of the most active trolls issued an open challenge to reveal their identity with just their Aadhaar number.

@KunalWalia @SupportAadhaar @sharads @UIDAI You challenged me to give you my Aadhaar # and I did that. Now pls unmask me. Pls compromise my privacy! If you can't pls stop bullshitting.

— Confident India (@Confident_India) May 5, 2017

Technology entrepreneur Kiran Jonnalagadda accepted the challenge and found that ‘@Confident_India’, one of the many anonymous troll Twitter handles, is Sharad Sharma, the co-founder and director of iSPIRT Foundation (Indian Software Product Industry Roundtable), the software lobby that built the backbone of the Aadhaar ecosystem.

Screenshot from iSPIRT website.

Sharma accidentally tweeted a denial from the troll account which has since been deleted. He then tweeted again from his personal handle which was captured.

@Product_Nation You can't make this up.@sharads accidentally tweeted his denial from *another* anon troll account (then deleted it)

Boss, stop digging. pic.twitter.com/URzZzKkU4p

— Karthik Balakrishnan (@karthikb351) May 18, 2017

iSPIRT officially denied allegations by Jonnalgadda that the “evidence presented is a deliberate misreading of our intent to engage with those speaking against India Stack.” India Stack is the digital infrastructure that has been built over Aadhaar.

But several other Twitter users have confirmed that Sharma's phone number is linked to ‘@Confident_India’.

@nixxin @Confident_India I looked up the number @jackerhack has shared in his tweet on FB, and … pic.twitter.com/ZDldC28yAG

— Manish Singh (@refsrc) May 17, 2017

By their own admission, iSPIRT seemed to have an officially sanctioned project intended to systematically challenge anti-Aadhaar campaigners in online platforms. But they refuse to term these actions as “trolling”.

However, Sharma later made an apology for trolling and called it a “lapse of judgement”:

On my flight back from the US, I reflected on my recent behaviour on Twitter…. I unreservedly apologize to all who were hurt… more below pic.twitter.com/IinZIg2yi2

— Sharad Sharma (@sharads) May 23, 2017

CIS Executive Director Sunil Abraham seemed to appreciate the message. He tweeted:

Bravo to @sharads for this! All of us at @cis_india look fwd to collaborating with @Product_Nation & @sharads to serve Indian s/w sector. https://t.co/TEz0fxnloo

— Sunil Abraham (@sunil_abraham) May 23, 2017

Others were less forgiving:

This all was public. Even today people by congratulating an apology are enabling future abuse & intimidation. This will happen again.

— Apar (@aparatbar) May 23, 2017

That this has gone on so long points to a serious lapse in governance at iSpirt. An apology is not enough. Actual change is needed. 6/6

— Kiran Jonnalagadda (@jackerhack) May 23, 2017

iSPIRT is an initiative which finds far-reaching support from several IT industry leaders in India. What is worrying is that there is still no clarification from iSPIRT on the identities of the other anonymous trolls and their position on trolling against genuine concerns raised by citizens.

Query for those who support #Aadhaar:
2. Is using trolls and anonymous accounts the best way to make a case for #Aadhaar?

— Saikat Datta (@saikatd) May 19, 2017

More than a week after the trolling revelations, iSPIRT announced on its website, the results of an investigation carried out by an Internal Guidelines and Compliance Committee over the allegations against Sharma of operating the anonymous handles, ‘@Confident_India’ and ‘@Indiaforward2′. Jonnalgadda was one of the trolling victims who testified in the internal meeting. A summary of the investigation was posted bafflingly by the accused himself in which he says that project Sudham has been dissolved and that he has been told to not make public appearances on behalf of iSPIRT for four months while he remains Director and the face of the organisation. FactorDaily reported that iSPIRT members on the condition of anonymity said that Pallav Nadhani (Founder, Chief Executive, FusionCharts) and Naveen Tewari (Co-founder, InMobi) who quit iSPIRT were upset with their excessive focus on India Stack.

One wonders whether this kind of behaviour would be treated differently if it took place offline. Is intimidating those who appear to be ‘detractors’ the most effective way of dealing with criticism? Why is a software lobby taking it upon themselves to defend the idea of Aadhaar and India Stack through such means?

Many are hoping that experts on both sides of the issue can find a way to debate questions around the privacy and security of Aadhaar's technology — that affect some 1.3 billion people — in a more democratic way.