It all started innocently enough. Ram Sewak Sharma, the Chairman of the Telecom Regulatory Authority of India (TRAI) in all his RSS(Ram Sewak Sharma)-ness, said in an interview to The Print that “Aadhaar does not violate privacy and the government has a right to create such a database of residents since it gives subsidies.” Sharma, slated to retire from his current role as TRAI Chairman on August 9, is widely tipped to be the head of the new data protection authority. During his chat, Sharma went a step further. “Tell me what harm can you do to me if you have my Aadhaar details? I will give you my Aadhaar number if you like.”
The internet’s ears pricked up and all its senses were heightened. Challenge accepted.
Kingsly John, a technology developer, took to Twitter for a simple follow-up: “Walk your talk, RS Sharma. Publish your Aadhaar details to the public if you have so much trust in this 13ft wall secured system.” Sharma – an IAS officer and, prior to his tenure as Chairman of TRAI, the first Director General of the Unique Identification Authority of India (UIDAI), which issues Aadhaar numbers – complied. Publishing his Aadhaar ID on Twitter, he threw down a gauntlet: “Now I give this challenge to you: Show me one concrete example where you can do any harm to me!” This is our story of the day and you are listening to Moneycontrol.
Soon after RS Sharma’s Aadhaar number was out on Twitter, the “doxing” began: essentially, the dumping of a person’s personal details in the public domain. Twitter users posted his demat account details, the IFSC and MICR codes of his six bank account numbers, voter ID, his debit card usage and use of his Aadhaar card for sale of organic goods by Lella Dhar Organics of Hari Sevak Sharma. Others were more generous. They deposited Re 1 in Sharma’s bank accounts to prove their point. His PAN details were revealed; his frequent flyer number, which is apparently a security question for his Gmail password, was out; and of course his date of birth, address, mobile number, etc. Someone even ordered him a OnePlus 6 via Amazon. Cash on delivery.
Sharma wouldn’t budge. He doubled down, saying, “Let the challenge run for some time. Data privacy is a big and very important issue in a digital world. I am one of the most vociferous supporters of that. However, the only thing I am saying is that Aadhaar does not violate privacy.” He went on to insist that many of these pieces of information could be gleaned from a simple Google search, and Aadhaar could not have provided people with these details (which... isn’t entirely true). If it’s the matter of Aadhaar, could French security researcher and hacker hero Elliot Alderson be far behind? He was among the hackers who built the Sharma dossier, if you will. He tweeted, “If your phone numbers, address, dob, bank accounts and others personal details are easily found on the Internet you have no #privacy. End of the story.” And as a bonus, he tweeted at PM Modi and wondered if Mr Modi could share his Aadhaar number too.
While Sharma fielded most of the tweet responses directed at him, continuing to ask people to cause him "real harm," on Monday, his daughter Kavita Sharma was sent an email that was marked to a few journalists as well. The email said that his bank information and all email accounts were compromised. The sender asked Kavita to pay a ransom, failing which all "sensitive files" would be released to the media if her father does not delete his accounts "immediately".
As if Sharma was Pied Piper, a procession of people following him started to reveal their own Aadhaar numbers soon after.
Aside from the harm that could be done, the disclosure of one’s Aadhaar number in a tweet could be in violation of Regulation 6 of the Aadhaar (Sharing of Information) Regulations, 2016, which states that the number of an individual shall not be published, displayed, or posted publicly by any person or entity or agency.
UIDAI has advised people to refrain from making their Aadhaar number public on the internet and on social media and posing challenges to others. In a series of tweets, UIDAI issued an advisory to people warning them that "such activities are uncalled for and should be refrained as these are not in accordance with the law."
"In our regular media campaigns, we have been consistently making people aware not to display or publish or share their Aadhaar number in public domain. We emphasise that people should not display or publish their Aadhaar number in public," the UIDAI said. Citing the Aadhaar Act, 2016, IT (Reasonable Security Practices and Procedures and sensitive Personal Data or Information) Rules, 2011 and Justice BN Srikrishna's proposed Data Protection Bill, the UIDAI said that "personally sensitive information should not be published or shared publicly." It said that unwanted publication of the sensitive information may render the concerned person vulnerable and hence, must be avoided.
Authenticating Aadhaar "through somebody else's Aadhaar number or using someone else's Aadhaar number for any purpose may amount to impersonation and thereby a criminal offence under the Aadhaar Act and the Indian Penal Code (IPC)," the UIDAI warned. It further warned that people "indulging in such acts or abetting or inciting others to do so" are liable for prosecution.
THE BIGGER PICTURE: WHAT’S THE HARM?
“Harm” is a relative experience. As Nikhil Pahwa, founder of Medianama and co-founder of Save the Internet, wrote in a piece for Medianama, “being a civil servant and technocrat, Sharma is unlikely to ever face the kind of harm a citizen might face if their Aadhaar number is made public.” In that enlightening piece, Pahwa details the many dangers of Aadhaar numbers being made public. It is recommended reading.
This kind of doxing might not really touch Sharma because of the privilege he already possesses. Sharma is an IIT graduate, an IAS officer, a technocrat. If Sharma did come in harm’s way, he has easier access to law enforcement; due to his privilege and resources, recourse and recompense may be swifter. The kind of technical know-how he possesses, including what you and I might think basic, like two-factor authentication for email passwords etc, might not be possessed by the vast swathes of the general public who may now be misled into thinking that revealing their Aadhaar numbers does not do them harm. “After all, he did it! And he was the Director General of Aadhaar yaar!” But harm it can. And Aadhaar details so obtained by criminal elements (or corporations) can still be used to build a profile of you. We are all only too aware of over a hundred cases – as reported by major national publications – of fake or forged Aadhaar cards which have been used in activities ranging from illegal migration to sex rackets to phishing scams. Aadhaar-enabled banking frauds have been widely reported, as in one case in Andhra Pradesh (as reported by The New Indian Express), where Aadhaar cards of 300 people were stolen and 40 lakh rupees of pension money was swindled.
Personal information being made available in the public domain need not result in just financial frauds. People exposed through doxing may also become victims of harassment, blackmail, pranks like fake signups for delivery services, and most dangerous of all, especially for the women of the country, stalking. One’s movements may be tracked, house robbed, personal communications exposed, confidential medical information revealed, and the list goes on, one terrifying incident separated by a comma after another. Pahwa goes on to note, “The Aadhaar number being made public can be a very useful starting point because of the information it can lead to, as has been demonstrated from the disclosures related to RS Sharma.”
What Sharma did was not merely reckless and harmless to himself but perhaps also illegal. And most importantly, in having many unsuspecting Twitter followers emulate him, egregiously irresponsible.
Writing for The Indian Express yesterday, Sharma said that the sustained campaign against Aadhaar amounted to nothing but scaremongering. Reiterating that sharing Aadhaar numbers could cause no harm, he said his decision to tweet his own Aadhaar number was a demonstration of the courage to act on his belief. In his bid to clear the notions about Aadhaar, he made a series of claims about it.
He wrote, “The truth is that people are proving their identity today through the Aadhaar online platform. This is empowering millions of people who get subsidies into their account or obtain other benefits. (People are also providing a copy of their Aadhaar cards to various service providers, though this is neither required nor desirable.)”
Furthermore, and apparently without proof: “Widespread adoption of Aadhaar has started affecting those who want to game the system for tax evasion, benami properties and other such activities.”
Arvind Datar, a senior advocate at the Supreme Court who appeared for some of the petitioners in the recent litigation on Aadhaar, wrote a rebuttal in The Indian Express, suggesting that Sharma had made a defence of Aadhaar without aadhaar (basis). Commenting that Sharma’s piece sidestepped the manner in which Aadhaar has been steamrolled and made applicable to every walk of life, Datar said this was in violation of the Supreme Court’s orders.
He asked, “If Aadhaar is indeed voluntary, and is made mandatory only for those residents who wish to avail of subsidies, benefits and services paid from the Consolidated Fund of India, then why is it being made mandatory for 48 per cent of Indians who do not avail of any subsidy or service? Is there a hidden agenda to collect and process huge amounts of data?”
Replying to Sharma’s claim that providing Aadhaar details to various service providers was neither required nor desirable, Datar recounted all our lived experiences – “No Indian can get a telephone connection, an admission for his/her child even in a private school, or cremate his deceased relative without the Aadhaar card.” If you thought Aadhaar had not entered sacred spaces, well, you are wrong. Apparently you need an Aadhaar card to enter the Dakshineshwar temple in Vadodara. To queue up in the privileged darshan set in Tirupati, a. you need privilege, and b. you need Aadhaar.
On Sharma’s claims that the “finest minds” had built the Aadhaar system to deliver, Datar wondered if these brilliant minds could explain why every bank account, provident fund account, insurance policy and mutual fund must be linked to the Aadhaar number. He added, “Sharma talks of digital vulnerabilities but is unconcerned about the enormous vulnerabilities many Indians have faced in the recent past. In fact, a large number of Aadhaar holders are unable to get their subsidies simply because their thumb impressions do not match.”
Calling Sharma’s assertion that the adoption of Aadhaar was denting the activities of those involved in tax evasion, black money, and benami properties a “ridiculous claim,” Datar reminded him of the deep-rootedness of these evils and just how ill-equipped Aadhaar is to weed them out. “Black money is the oxygen of Indian politicians and it is significant to note that the only financial instrument given without an Aadhaar number is the electoral bond,” he wrote.
So far, no major “harm” has come Ram Sewak Sharma’s way. And we hope it won’t. But pointing out that it might happen to him, and to scores of others whose Aadhaar details might be out there, is essential. The harm, if any, need not come today or tomorrow. Like an insidious cancer, it knows how to wait.