Holes in the Digital Net

On June 12, three events occurred that demonstrate a gulf between the rhetoric and reality of Digital India. In the morning, readers of the Malayala Manorama were greeted with front-page news of a data breach on the CoWIN platform (first reported on the online portal “The Fourth”). Sensitive personal details, including date and place of vaccination, along with Aadhaar, PAN, passport, voter ID and mobile numbers, were circulating on the internet-based messaging platform Telegram. Though details of the breach were established by many, the Union Government responded with denials. The first came from the Ministry of Health and Family Welfare, which termed the reports “mischievous”, while Rajeev Chandrasekhar, Minister of State, Ministry of Electronics and IT (MeitY), tweeted that sensitive information had emerged from “previously stolen data”. Towards the evening, an extensive statement was made through the Press Information Bureau (PIB), which claimed that the “Co-WIN portal of the Health Ministry is completely safe with adequate safeguards for data privacy.”

Such self-serving statements are by now a template for public officials that rely on bluster to overcome a media maelstrom. After all, there have been denials and opacity in the investigations of previous data breaches in the public sector – these include the Employees’ Provident Fund Organisation (EPFO) breach in August 2022 and the ransomware attack on the All-India Institute of Medical Sciences (AIIMS) in November 2022. The Computer Emergency Response Team (CERT-In), which is tasked with such investigations, has often maintained silence and not made any of its technical findings public. This has eroded citizens’ trust. All this is compounded by the lack of a National Cyber Security Strategy — a draft put to public consultation in December 2019 awaits finalisation. Also, India does not have any data protection law requiring breach notifications to impacted users. Even the proposed Draft Digital Personal Data Protection Bill, 2022, being mooted by MeitY would by notification exempt government entities from compliance. Without any legal accountability, repeated data breaches now occur within the same entity or platform such as the RailYatri portal that has reportedly been breached in 2020, 2022 and 2023.

The day had just started. As news media and Twitter trended the CoWIN data breach, MeitY was organising a two-day “Global DPI Summit”. DPI is an acronym for Digital Public Infrastructure, which has become a tool of geo-political advocacy for the Union government to coincide with the G20 Summit. There is little doubt that the Unified Payments Interface (UPI) has expanded economic and livelihood opportunities by facilitating the ease of commercial transactions for millions of Indians. However, the DPI framework is much more than UPI as is clear from the public pronouncements by Union ministers and the composition of what is termed as the “IndiaStack”. It includes, for identification, the coercive biometric system Aadhaar, the contact tracing application Aarogya Setu, our vaccination process implemented through the CoWIN platform, an Amazon-style marketplace for government procurement through Government E-Marketplace (GEM) and an attempt to break market concentration in digital markets by the Open Network for Digital Commerce (ONDC).

Three common features of these platforms merit deeper examination – they emerge from their claim of being “public”. The first is the weak governance processes, which put into question whether they have been created with a legislative mandate. Except for Aadhaar (prompted by litigation), none of these platforms has a legal definition of their functions, roles and responsibilities from an Act of Parliament. Many are developed as joint ventures, or special purpose vehicles, that avoid accountability mechanisms such as audits by the Computer Auditor General (CAG) or transparency mandates under the Right to Information Act. Quite often, it has been reasoned that this is intended to ensure efficiency in technical development. But what has been our experience? We all know about the glitches and exclusion errors of Aadhaar, the complete failure of Aarogya Setu to prevent Covid infections, and the recent tender to overhaul the GEM platform after complaints from suppliers. Hence, the claim of expertise in the creation of DPI to provide citizen services is not consistent with the evidence. The third common aspect of all such platforms is that they are data guzzlers: personal information is gathered from Indians beyond what is technically required. This only results in multiple individual and social harms, including data breaches.

The day was not yet over. As the DPI conference ended, an interview with Jack Dorsey, the former CEO of Twitter, trended online. He stated that the Indian government coerced Twitter with censorship directions regarding the farmers’ protest with threats to the platform’s continued operations and staff safety in India. Some of this is already in the public domain. In February 2021, Twitter resisted compliance with a secret direction to scrub 250 accounts and tweets which led to several ministerial statements. Subsequently, its offices were raided by the Delhi Police in May 2021 after it placed a “manipulated media” tag on a tweet by a BJP spokesperson. Finally, Twitter filed a writ petition in the Karnataka High Court arguing that the censorship demands were secretive, disproportionate and in violation of natural justice vis-a-vis Twitter users. The Additional Solicitor General in this case has argued that a failure to give notice to account holders (who are people like you or me) won’t vitiate blocking orders. Even here, contrary to the public record, the response by MeitY has been denial.

That these three events occurred within a few hours is not a mere coincidence. All three emerge from an unfortunate pattern in which digital systems have been divorced from constitutional frameworks. Hence, individual harms are left unaddressed and the creation of regulatory and institutional frameworks is rejected in favour of the mirage of innovation.

Here, it merits mention that every Indian aspires for the country to succeed in our digital transformation, for it to serve as a model for the world. However, if IndiaStack is not built on the Constitution of India, then just like on June 12, our expectations will continue to be breached.

This article was originally published in The Indian Express on June 14, 2023.
