Somewhere in a faraway B-school, marketing students are taking furious notes and nodding appreciatively while Ram Sewak Sharma’s public Aadhaar-number-sharing drama plays out. In times when tactless rhetoric and factless perception management has become the norm, the current Chairman of Telecom Regulatory Authority of India and ex-CEO of UIDAI, seems to have managed to divert and obfusticate the Aadhaar debate successfully.

Big time.

Big props to him for that, I guess? But this is where praise for him and his actions should end.

RS Sharma shared his Aadhaar number on July 28 and asked people to prove what harm can be caused to him. After three days, he wrote a piece in The Indian Express, explaining “Why I gave out my number”.

Between these two events, Twitter folks found out details about his multiple bank accounts, managed to get hold of his AI frequent flier number using his basic Aadhaar details, used it to answer a security question on his email, tried to send him Rs 1 through Aadhaar based UPI, found out that he allegedly bought a three-year subscription to a Right-wing website, found a photo of him with his daughter (presumably) and created a fake Aadhaar with his details. Some used that fake ID to order products to be paid for via Cash On Delivery (including a One Plus 6). In another shady development, an anonymous email was sent to him, his daughter straight up threatening both of them to respond otherwise face dire consequences of their actions. The email was CCed to two journalists with The Wire.

At the end of it all, he went ahead and declared that no real harm has been caused to him, so it’s all good. The question of whether Aadhaar is safe and remains an effective tool for service delivery remains unanswered while the whole debate is reduced to a hilarious meme-worthy joke.

You’d think that someone who has headed the all-powerful UIDAI in the past would have some solid fact-based answers to questions raised by security researchers, web developers, critics, lawyers and privacy experts. But RS Sharma is having none of that. He’d rather wax eloquently about how “hackers” targeted him, for an unnecessary stunt he himself pulled, and failed miserably.

Let’s get one thing straight: RS Sharma broke the law when he shared his Aadhaar number publicly. The Aadhaar Act 2016, in Section 29 (4), clearly states that Aadhaar numbers should not be shared.

Section 34 further imposes a penalty of three years in jail and a Rs 10,000-fine for people who disclose identity information in contravention with the Act.

Will any action be taken against him for breaking the law or is this Act just in existence for us plebeians and journalists who expose the Aadhaar programme for the ugly thing that it really is?

Even if you keep the law aside, the official UIDAI twitter handle has continuously and constantly reminded people not to share their Aadhaar number publicly.

Whenever you share your Aadhaar or related information, ensure that you know the purpose for which it is being collected by the service provider. pic.twitter.com/stu9pmOq73

— Aadhaar (@UIDAI) April 21, 2018

Unless the Act makers and UIDAI were just saying all of this for some epic lulz, there has got to be a reason why they are constantly giving this advisory, right? RS Sharma’s little stunt encouraged other people to go ahead and share their numbers too. What’s worse, he started retweeting them excitedly, not caring about the law or the consequences of his actions.

And then he writes in his The Indian Express piece:

While I did reveal my own number, I am not suggesting for a moment that any of you could also publicly share your Aadhaar number. Far from it. Replicating the same challenge doesn’t prove anything more.

All of this…is just so….

via GIPHY

Questions RS Sharma should really answer

Let’s keep the tech challenges aside for a moment, shall we?

Not saying this to skirt the issues away. There are many of those. In fact, there is a whole dedicated medium page called “karana”, maintained by security researchers, which you can check out and educate yourself.

Here I wish to get down to some fundamental realities. The reality of the situation is that Aadhaar, as a basic ID dependent on the biometrics of a person, is just the base of the problematic structure, which is piling up on top. So let’s just ask five direct questions to Mr Sharma today and hope we get some answers:

1. Unscrupulous elements can get access to the Aadhaar database by using a cracked software which can be bought for Rs 500. Isn’t this a vulnerability which can cause harm, Mr Sharma? Is Aadhaar-enabled identity theft not a concern for you?
2. Bank accounts of hapless people can be opened, without their consent, using e-KYC function based on Aadhaar. Isn’t that something which can cause harm, Mr Sharma? Or should we all just overlook this while thousands of fake bank accounts are created for nefarious purposes and dismiss it saying, “oh this has always been happening”?
3. A recent report suggested that biometric mix-ups during enrollment, wrong entries done by casual agencies tasked with this job, are now surfacing and causing difficulties to close to 2 crore people. These errors are detected only when people trying to get services using Aadhaar face issues. UIDAI, on their part, seems to be holding secret camps to correct these errors once alerted, while you put up a brave face and deal with “hackers”. What gives Mr Sharma? Talk about this and ask your ex-organisation, UIDAI, how they propose to solve this gigantic problem, will you? Why not tell us openly (or give an estimate) how many of these Aadhaar numbers are just plain wrongly enrolled
4. LPG subsidies were being transferred to accounts, which have been opened without the knowledge of people who went to get new SIM cards. UIDAI temporarily cancelled the licences of telecom companies in this case. You’re the TRAI chairman, surely you were aware of this vulnerability which was causing harm to the government and people, Mr Sharma? Any response to this vulnerability?
5. In Gujarat, two people were found using fake biometrics to divert subsidised foodgrains. Doesn’t the existence of parallel biometric databases — which have leaked — a vulnerability that causes harm, Mr Sharma? Isn’t faking biometrics a thing which has been done in the past as well?

The truth in this whole fiasco is that RS Sharma has created a nice little diversion from real issues — which UIDAI seems to have no answers for and scrambles to fix by literally holding secret camps. He has created a circus on Twitter — a bucketful of popcorn munching worthy spectacle — where he is at the centre stage.

All of those who are messing around with his personal details, trying to educate people about privacy risks, have now been conveniently painted as “hackers”. Every hero needs his mangy villains, right? Just notice the number of times he uses the word “hackers” in his Indian Express piece when he knows very well that a lot of people questioning him are well-intentioned security researchers, journalists and web developers.

You have my complete sympathies, Mr Sharma, for the mental and virtual trauma you (and your family) are being subjected to. But if you’re using this stunt to normalise leaking personal data and reducing the concerns regarding privacy violations into a joke, you are doing everyone a great disservice. Right now, even your well-wishers should be telling you why you should not have given out your number.