Holes in the Digital net
Recent Context:
- Three recent digital events compromise the reality of digital sovereignty, secrecy and the free flow of information. They demonstrate a gulf between the rhetoric and reality of Digital India.
- Information surfaced about a data breach on the CoWIN platform. Sensitive personal details, including date and place of vaccination, along with Aadhaar, PAN, passport, voter ID and mobile numbers, were circulating on the internet-based messaging platform Telegram. Though details of the breach were established by many, the Union Government responded with denials.
- The central government responded that the “Co-WIN portal of the Health Ministry is completely safe with adequate safeguards for data privacy.”
Past incidents of data breach:
- The past incidents of data breach include the Employees’ Provident Fund Organisation (EPFO) breach in August 2022 and the ransomware attack on the All-India Institute of Medical Sciences (AIIMS) in November 2022.
- The Computer Emergency Response Team (CERT-In), which is tasked with such investigations, has often maintained silence and not made any of its technical findings public.
Issues with current digital policy:
- All these incidents of data breach are compounded by the lack of a National Cyber Security Strategy, as a draft put to public consultation in December 2019 awaits finalisation.
- Also, India does not have a data protection law requiring breach notifications to impacted users.
- Even the proposed Draft Digital Personal Data Protection Bill, 2022, being mooted by MeitY would by notification exempt government entities from compliance.
- Therefore, without any legal accountability, repeated data breaches now occur within the same entity or platform, such as the RailYatri portal, which has reportedly been breached in 2020, 2022 and 2023.
Initiatives of government related to digital infrastructure:
- Recently, MeitY organised a two-day “Global DPI Summit”. DPI is an acronym for Digital Public Infrastructure, which has become a tool of geo-political advocacy for the Union government to coincide with the G20 Summit.
- The Unified Payments Interface (UPI) has expanded economic and livelihood opportunities by facilitating the ease of commercial transactions for millions of Indians.
- The DPI framework is much more than UPI, as is clear from the public pronouncements by Union ministers and the composition of what is termed the “IndiaStack”.
- It includes, for identification, the coercive biometric system Aadhaar, the contact tracing application Aarogya Setu, and our vaccination process implemented through the CoWIN platform.
- It also includes an Amazon-style marketplace for government procurement through the Government E-Marketplace (GEM) and an attempt to break market concentration in digital markets by the Open Network for Digital Commerce (ONDC).
Three concerning features of these platforms that require further reform:
Lack of statutory status:
- The absence of statutory status for these platforms leads to weak governance processes. Except for Aadhaar (prompted by litigation), none of these platforms has a legal definition of its functions, roles and responsibilities from an Act of Parliament.
- Many are developed as joint ventures, or special purpose vehicles, that avoid accountability mechanisms such as audits by the Comptroller and Auditor General (CAG) or transparency mandates under the Right to Information Act.
Lack of efficiency in technical development:
- Concerns include the glitches and exclusion errors of Aadhaar, the complete failure of Aarogya Setu to prevent Covid infections, and the recent tender to overhaul the GEM platform after complaints from suppliers.
- The third common aspect of all such platforms is that they are data guzzlers: personal information is gathered from Indians beyond the technical requirements. This only results in multiple individual and social harms, including data breaches.
Way forward:
- That these three events occurred within a few hours is not a mere coincidence. All three emerge from an unfortunate pattern in which digital systems have been divorced from constitutional frameworks.
- The need of the hour is to provide statutory status to these platforms so that data can be secured with more efficiency and security, in the direction of Digital India.