Insufficient Data Security Infrastructure: The Gap in Digital India Mission

Introduction: India’s Data Security Crisis

In a significant breach of data security, the private information of lakhs of Indians who registered on the CoWIN app for Covid-19 vaccination has allegedly been leaked. According to reports, a Telegram bot was responsible for divulging the details provided during registration on the CoWIN app. Journalists and opposition politicians shared screenshots on social media that seemingly displayed unauthorised access to a government database. The leaked information includes personal details such as phone numbers, gender, ID card information, date of birth, the last four digits of the Aadhaar, and even the name of the vaccination centre where the individual received their vaccine.

The Ministry of Health, in response to the aforementioned reports, issued a statement dismissing the data breach claims related to COVID vaccination beneficiaries as unfounded and mischievous. They emphasised that the Indian Computer Emergency Response Team (CERT-In) has been tasked with investigating the alleged data leak and providing a detailed report. The Ministry reiterated that the CoWIN portal maintains a high level of safety and security, with robust defence mechanisms in place to safeguard data privacy. Rajeev Chandrasekhar, the Union Minister of State for Electronics and Information Technology, took to Twitter and stated that there is no direct evidence of the CoWIN app or database being breached. He further suggested that the data seems to have been accessed from previously breached databases. However, no further details were provided on these past data breaches.

The recent incident is not the first reported data leak concerning the CoWIN platform. In June 2021, there were allegations of the CoWIN portal being hacked, resulting in the sale of data belonging to around 15 crore Indians. The news surfaced when a hacker group known as ‘Dark Leak Market’ claimed that a database containing information on individuals vaccinated against COVID-19 in India was available for purchase at a price of $800. The alleged leaked data included the names, Aadhaar numbers, locations, and phone numbers of individuals who had registered for the vaccine. However, the Indian government denied these claims, stating that no such breach had occurred.

Apart from the data breaches associated with the CoWIN platform, there have been numerous reports of other data security incidents in India in recent years. For instance, in 2019, the State Bank of India, the country’s largest bank, left one of its servers unprotected, exposing sensitive data belonging to its 422 million customers. During the same year, Air India notified its passengers of a data breach that leaked information belonging to 45 lakh passengers. These instances, amongst others, raise serious concerns regarding India’s data security infrastructure. 

Privacy and Security Concerns in India’s Rapid Digitisation Drive

India is experiencing a rapid digitisation process as both the Central and State governments actively pursue the goal of achieving a ‘Digital India’. Various schemes and policies have been announced and implemented in recent years to digitise sectors such as health, education, banking, etc. By doing so, the government aims to provide on-demand services and promote digital empowerment for the citizens. These schemes require the collection of personal information from individuals, and several concerns have been raised due to the lack of adequate security infrastructure. There is a noticeable lack of privacy policies and security measures in most schemes, indicating poor standards in handling large volumes of personal data. Additionally, the absence of legislation creates a gap in terms of redressal mechanisms for privacy breaches.

Data protection regulations play a vital role in ensuring the security and confidentiality of individuals’ personal data. These regulations also grant individuals access to their own data and establish mechanisms of accountability for organisations involved in processing personal data. By maintaining control over their personal data, individuals can effectively mitigate the risks associated with identity theft, fraud, and other malicious activities. Data privacy empowers individuals by providing them with the authority to determine how their data is collected, used, and shared. Moreover, data protection measures aim to protect individuals from unfair discrimination and profiling based on personal characteristics, preferences, or behaviour. 

India’s digital infrastructure development model suffers from a fundamental flaw, as the government tends to disregard safety protocols and regulations. This issue becomes evident in instances such as the CoWIN website, which was initially launched without an independent privacy policy. Concerns regarding the protection of citizens’ personal data submitted to CoWIN prompted the Internet Freedom Foundation (IFF) to file an RTI in March 2021. In response, the Ministry of Health and Family Welfare stated that it cannot provide the app’s privacy policy because “the CoWIN app is accessible only by national, state and district-level administrators. The general public can only register themselves for vaccination.” It was only after IFF raised concerns, and several months after the portal’s launch, that the Delhi High Court finally directed the government to upload a privacy policy to the platform’s official website within a four-week timeframe.

In 2013, the government introduced a National Cyber Security Policy, acknowledging the intricate and evolving landscape of cyberspace. However, despite this recognition, the finalisation of the draft strategy document is still pending, leaving the implementation of comprehensive cyber security measures in a state of uncertainty.

Moreover, the country continues to lack a comprehensive data protection law, leaving the privacy and digital rights of its citizens vulnerable. Since its initial proposal in 2017, the data protection bill has undergone numerous revisions. Although it was scheduled to be introduced during the last monsoon session of Parliament, it was ultimately discarded, and a new draft was presented in December 2022. The revised draft eliminates the special category of sensitive personal data, including crucial health information, which would have been subject to increased protection. Furthermore, the concept of “deemed consent” has been introduced, allowing data processing without explicit consent in specific circumstances. Another concerning aspect is the provision that grants the central government the power to issue notifications exempting its agencies from adhering to certain provisions of the draft law under certain circumstances.

Conclusion

While the Central government denies the media reports of data breaches from the CoWIN portal, it is evident that regulations to safeguard digital data are crucial. The absence of robust privacy policies, security measures, and legislation creates a void in protecting citizens’ personal information and providing effective mechanisms for addressing privacy breaches. It is imperative for the government to take proactive steps in developing a strong data protection framework that ensures responsible and secure handling of citizens’ data. By striking a careful balance between technological advancement and safeguarding individual rights, India can fully harness the potential of digitisation for the benefit of all its citizens. 


Neha Chauhan
