India Has a Rotten Information Security Culture – A Privacy Law Will Not Fix Everything

The sad fact is that there are severe institutional capacity challenges within government departments that handle systems with sensitive data.

The Aadhaar identification initiative has been controversial since its inception due to the secrecy surrounding the project. The details of the project were kept secret until Wikileaks leaked documents surrounding it in 2009. The recent issue of Aadhaar numbers and other personal data being publicly available through a simple Google search does not come as a surprise to Indian stakeholders who have been involved with national cyber security issues.

Aadhaar has information security problems, which are primarily due to the non-enforcement of responsible technology practices by government officials who use, build, maintain and secure systems with sensitive data. Even if India gets a strong privacy law, it will almost certainly face institutional capacity challenges within government departments in implementing the rule of law.

The issue of Aadhaar numbers and associated personal information being in the public domain is not an issue that holds true only for the biometric identification system. It is an information security flaw which can, and does, happen with all major databases and websites. Cyber security and information security have been long-pending debates which are coming to light due to the fast and forced digitisation by the government.

With Aadhaar, the issue becomes much more complex due to the sheer number of databases that will store sensitive data. Every government official will be collecting or handling Aadhaar information from now on, so it is important that they understand the consequences of data leaks and handle information in a responsible and secure fashion. A privacy law can only do so much when awareness around it is sparse in a society which doesn't recognise privacy in the first place.
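One concrete practice that follows from this, as an added example that is not part of the original article: scan a document for Aadhaar-shaped numbers before it is published on a government website, and mask the ones that pass a format check. The Python below is the editor's own code, not the author's and not UIDAI's. It relies on two publicly documented format facts that are treated here as assumptions rather than as something the article states (an Aadhaar number is 12 digits whose last digit is a Verhoeff check digit, and the first digit is 2 to 9), and every number and line of text in it is constructed, not taken from any real leak.

```python
import re
from typing import List, Tuple

# Verhoeff check-digit tables: multiplication (D), permutation (P) and inverse (INV).
D = [
    [0, 1, 2, 3, 4, 5, 6, 7, 8, 9],
    [1, 2, 3, 4, 0, 6, 7, 8, 9, 5],
    [2, 3, 4, 0, 1, 7, 8, 9, 5, 6],
    [3, 4, 0, 1, 2, 8, 9, 5, 6, 7],
    [4, 0, 1, 2, 3, 9, 5, 6, 7, 8],
    [5, 9, 8, 7, 6, 0, 4, 3, 2, 1],
    [6, 5, 9, 8, 7, 1, 0, 4, 3, 2],
    [7, 6, 5, 9, 8, 2, 1, 0, 4, 3],
    [8, 7, 6, 5, 9, 3, 2, 1, 0, 4],
    [9, 8, 7, 6, 5, 4, 3, 2, 1, 0],
]
P = [
    [0, 1, 2, 3, 4, 5, 6, 7, 8, 9],
    [1, 5, 7, 6, 2, 8, 3, 0, 9, 4],
    [5, 8, 0, 3, 7, 9, 6, 1, 4, 2],
    [8, 9, 1, 6, 0, 4, 3, 5, 2, 7],
    [9, 4, 5, 3, 1, 2, 6, 8, 7, 0],
    [4, 2, 8, 6, 5, 7, 3, 9, 0, 1],
    [2, 7, 9, 3, 8, 0, 6, 4, 1, 5],
    [7, 0, 4, 6, 9, 1, 3, 2, 5, 8],
]
INV = [0, 4, 3, 2, 1, 5, 6, 7, 8, 9]


def verhoeff_check_digit(digits: str) -> str:
    """Compute the Verhoeff check digit to append to a string of decimal digits."""
    c = 0
    for i, ch in enumerate(reversed(digits)):
        c = D[c][P[(i + 1) % 8][int(ch)]]
    return str(INV[c])


def verhoeff_valid(number: str) -> bool:
    """True if the last digit of `number` is a correct Verhoeff check digit."""
    if not number.isdigit():
        return False
    c = 0
    for i, ch in enumerate(reversed(number)):
        c = D[c][P[i % 8][int(ch)]]
    return c == 0


# 12 digits, optionally printed as 4-4-4 with spaces or hyphens. The lookarounds refuse
# a 12-digit window carved out of a longer run, such as a 16-digit card number.
AADHAAR_RE = re.compile(
    r"(?<![0-9])(?<![0-9][ -])([0-9]{4})[ -]?([0-9]{4})[ -]?([0-9]{4})(?![ -]?[0-9])"
)


def is_plausible_aadhaar(digits: str) -> bool:
    """Format check only (assumed format: first digit 2-9, Verhoeff check digit last).
    It says nothing about whether the number was ever issued or to whom."""
    return len(digits) == 12 and digits[0] in "23456789" and verhoeff_valid(digits)


def find_aadhaar_candidates(text: str) -> List[Tuple[str, bool]]:
    """Return (digits, plausible) for every 12-digit group found in `text`."""
    hits = []
    for m in AADHAAR_RE.finditer(text):
        digits = "".join(m.groups())
        hits.append((digits, is_plausible_aadhaar(digits)))
    return hits


def mask_aadhaar(text: str) -> str:
    """Replace every plausible Aadhaar number with only its last four digits visible;
    groups that fail the format check are left untouched for a human to review."""
    def repl(m):
        digits = "".join(m.groups())
        return "XXXX XXXX " + digits[-4:] if is_plausible_aadhaar(digits) else m.group(0)
    return AADHAAR_RE.sub(repl, text)


# Constructed sample: the valid number is built from its own check digit, so it is not
# anyone's real number; the other entries are deliberately malformed or not Aadhaar-shaped.
VALID_SAMPLE = "23456789012" + verhoeff_check_digit("23456789012")
SAMPLE_TEXT = (
    "Beneficiary list (constructed)\n"
    f"Name: A. Example, Aadhaar: {VALID_SAMPLE[:4]} {VALID_SAMPLE[4:8]} {VALID_SAMPLE[8:]}\n"
    "Name: B. Example, Aadhaar: 9999 9999 9998\n"            # wrong check digit
    "Name: C. Example, Aadhaar: 1234 5678 9012\n"            # leading 1: not Aadhaar-shaped
    "Card on file: 4111 1111 1111 1111, phone 9876543210\n"  # 16 and 10 digits: ignored
)

if __name__ == "__main__":
    for digits, ok in find_aadhaar_candidates(SAMPLE_TEXT):
        print(f"{digits}: {'plausible Aadhaar number' if ok else 'not Aadhaar-shaped'}")
    print(mask_aadhaar(SAMPLE_TEXT))
```

The check digit catches transcription errors and keeps the scanner from flagging every 12-digit number it meets; it cannot tell an issued number from an unissued one, so a hit means "mask this before publishing", not "this person exists". Run it over spreadsheets and PDFs converted to text before they go on a portal, and keep the unmasked hits list out of the published output.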

During the recent debate around Aadhaar in the Rajya Sabha, finance minister Arun Jaitley was right in saying that any centralised database is vulnerable. Jaitley's implication was that personal information could be leaked even without the existence of Aadhaar and that security needs to be improved in general. India cannot push forward with its current massive digitisation plans unless it improves the human resources that govern, power and secure India's digital infrastructure. Not every bureaucrat understands the need to use only government email accounts and certified, approved hardware devices to carry out sensitive official work.

The lack of capacity within the IT (information technology) wings of various government departments is appalling, as is the lack of awareness of national policies around data sharing and cyber security. It needs to be remembered that the Aadhaar project was not built by government officials but by volunteers from India's software industry, who no longer maintain it. Improving the skillsets of officials across the country is of the utmost importance to make sure the technology we built is not abused against us by hostile state actors.

Aadhaar's potential for damage in case of a cyber security disaster is huge and cannot be dismissed by saying that everything can be hacked. Aadhaar is no longer just an identity number; it is also a login and a password that cannot be changed or revoked once leaked, and it is being forced into use for identification, authentication and authorisation. The linking of Aadhaar to every information system in the country makes the threat of a breach serious enough for anyone familiar with social media to grasp.

Owning up

The point Jaitley further fails to acknowledge is who assumes responsibility when the personal data of a billion people is jeopardised? Is it the private players who amass this information, the government that allows them to, or the architects of the Aadhaar project who set all of this into motion?

Large corporates are no different. As someone who was affected by the McDonald's data leak, which in turn was caused by irresponsible security, I cannot claim compensation as I haven't incurred any financial loss yet. To the best of my knowledge, no agency in India has taken any suo motu action in investigating it further to estimate the scale of impact. Ditto with the Narendra Modi app. Security flaws with the application were only documented by researchers, who sought to understand what transpired.

As a researcher, I report cybersecurity issues to government officials but I rarely get acknowledgements or further information about when the issues will be fixed. Who should India's cyber security community go to in order to report vulnerabilities? CERT-In? The ministry in question? The National Critical Information Infrastructure Protection Centre? Why isn't there one single point of contact?

In cases where security flaws have not been disclosed in public, government agencies and private entities never publish or update technical reports of security breaches. This is one of the many reasons why mandatory security breach disclosure needs to be brought under the Information Technology Act.

Government officials rarely take on the burden of responsibility in enforcing the rule of law. In matters related to information technology and cyber security it is comically worse. With rapid digitisation and the march of the app-based economy through startups, the number of complaints related to cybersecurity and online fraud has been increasing. Human capital around cybersecurity is thin in government. Even though we produce and export software engineers in large numbers, most police departments in the country simply do not possess the capabilities to deal with cyber crime.

Denial and false reassurances will get us nowhere. Instead of assessing Aadhaar's weaknesses, our Information Technology Minister, Ravi Shankar Prasad, has declared that Aadhaar is "safe, robust and secure" in the Rajya Sabha. This tendency to not own up to a problem exists in our government from the top of the chain of command to the last person in it. If the goal of everyone in the Opposition or in government is to fix the problem, they are doing a bad job of even defining and acknowledging it.

Before India gets privacy laws protecting citizens, which may end up taking years at this point, it is important that we improve the rule of law in the sector. The government could take the Aadhaar data leaks as a wake-up call to improve and strengthen its commitment towards responsible data practices. While violation of individual privacy hurts, what is more important is the need for transparency. After all, when no one knows there has been a security breach, nobody knows their privacy has been impacted until it hurts them. If the recent leaks of Aadhaar numbers and personal data hadn't surfaced, many would not have noticed the sad state of affairs or woken up to India's rotten information security culture.

Srinivas Kodali is an interdisciplinary researcher working on issues of cities, data and internet. He volunteers with internet movements and communities.