“Show me what harm you can do” appears to be the new version of “what do they have to hide?” The latter question was used as a standard argument against all those who criticised Aadhaar, the government’s legally dubious effort to provide a biometric 12-digit identity to every Indian resident, and attempted to frame the question with a presumption that the government should have access to everyone’s data.
It was questions like “what do they have to hide?” that empowered the Bharatiya Janata Party-run government to argue in the Supreme Court that Indians do not have a right to privacy, a line of thought that was promptly swatted down unanimously by a nine-judge bench. Now RS Sharma, the chief of India’s telecom regulator, wants to use personal bravado to change the terms of the Aadhaar debate again.
Sharma is a former director of the Unique Identification Authority of India, the body that oversees Aadhaar, and is rumoured to be the top pick for India’s very first Data Protection Authority, a body that has been proposed in the draft data protection law. On Saturday, Sharma issued a challenge: Here is my Aadhaar number, he wrote on Twitter listing out the 12-digit figure, “Now I give this challenge to you: Show me one concrete example where you can do any harm to me!”
Public disclosure
The Aadhaar Act is clear that publication or dissemination of the Unique Identity is prohibited and criminal. The UIDAI itself has called on people not to publicly share their Aadhaar numbers. Earlier this year, the authority announced that it would be building an entirely new system called Virtual ID, with the specific aim of making sure people did not have to disclose their Aadhaar numbers. The government has taken down state websites that have been leaking people’s Aadhaar numbers, in connection with their demographic details, and UIDAI has filed First Information Reports against journalists who have sought to collect people’s Aadhaar numbers to expose the system’s weaknesses.
All of this makes it clear that it is the view of the government, and not just privacy activists, that the publication of your Aadhaar number is a dangerous thing. To see a senior public official issue an open challenge, in a manner that will likely encourage others to be lax about the sharing of their own UIDs, is problematic.
In response, a number of people have unearthed information about RS Sharma, from mobile numbers to email addresses to bank account details and more. Sharma insisted on Twitter that none of this had caused him harm. But remember, this is not a white-hat hacking experiment where those who he has challenged have been offered immunity for pointing to vulnerabilities. Those who might be able to go further might not disclose that they have done so, not least because UIDAI has filed police cases against journalists revealing Aadhaar vulnerabilities in the past.
Personal privilege
Still, the entire challenge is flawed, at several levels. At the most basic level, RS Sharma is a public official with a good understanding of technological dangers. He is unlikely to fall for the most obvious of Aadhaar fraud operations, which have caused money to be taken out of people’s bank accounts. One could argue that fraud is always a possibility, but when you force an entire citizenry to give up their data and then link it across databases, the likelihood is increased enormously.
Sharma is also not vulnerable to personal information being revealed, since much of it is likely to already be in a public directory: most of the rest of us would not want to have our Aadhaar-linked phone numbers, emails, home addresses, bank account numbers and more exposed to strangers.
To have a public official like Sharma declare Aadhaar is safe because no harm has been done to him is like a man saying Delhi is safe because he was able to walk the streets at night unharmed. It is a function of personal privilege, not a cogent argument that applies to 1.2 billion people. Policies, especially one that was first made with the aim of delivering welfare, must be built with the most vulnerable in mind.
Built on lies
That is the real trouble with the “what harm can you do” question. It begins with the premise that the government has a right to collect this information, to link it across databases, and to allow companies and potentially even security agencies to use it. Then it puts the responsibility of proving that it is secure on those who are raising warning flags about this untested, legally dubious project, instead of on the government that built it.
Aadhaar was forced on Indian residents without being backed by a law, was expanded through coercion while maintaining the lie that it is voluntary, was introduced as something that makes welfare delivery more efficient without any proof to show that it has, was supposed to plug exclusion but has only exacerbated it, was supposed to be secure but has been misused to see people’s money be taken out of bank accounts and has successfully been turned into a repository of Indian citizens’ data that the government is happy to let commercial companies use for profiling.
The question then, is not “what harm can it do to me” so much as “what harm can it do and has done to the country”. Sharma’s challenge might be a good audition for the government to appoint him to yet another role – this time as the very first head of the body meant to regulate the protection of data in the country as has been rumoured. But that might drive us to the follow-up question: is this behaviour appropriate for someone who might run India’s Data Protection Authority? What harm has Sharma, as public official in encouraging the public disclosure of sensitive personal information, done to all of us?
UPDATE: The Unique Identification Authority of India, on Sunday, put out a statement claiming that none of the information that people had managed to unearth about RS Sharma was data that was not already in the public domain. “Aadhaar database is fully safe and secure and no such information about Mr Sharma has been fetched from UIDAI’s severs or Aadhaar database. This is merely cheap publicity by these unscrupulous elements who try to attract attention by creating such fake news,” the statement said.
Significantly, UIDAI’s statement did not once address the question of a public official, or indeed any one revealing their Aadhaar number on social media. The body’s twitter handle will regularly ask people not to share their Aadhaar numbers publicly, and the Aadhaar Act itself actually considers dissemination of numbers a crime, yet UIDAI’s entire press statement focused on attacking those who were responding to Sharma’s challenge.