India is rapidly digitising. There are good things and bad, speed-bumps on the way and caveats to be mindful of. The weekly column Terminal focuses on all that is connected and is not – on digital issues, policy, ideas and themes dominating the conversation in India and the world.

On Monday morning, we woke up to the news of the CoWin portal’s data breach, leaving us to wonder what its implications can be. People have so many questions, and there is no one from the government who will provide us with the answers. If you ask any bureaucrat whether there has been a data breach with the CoWin portal, they will deny it. But is there a breach? Yes, there is, and one can say with full confidence that the data from the CoWin portal has been breached. The only question that needs to be asked is: what now? And how do we mitigate this and reduce its impact?

The scale of this data breach is much higher than any other data breach so far, given that almost every adult Indian citizen who took the COVID vaccine was forced to do it through CoWin. It was mandatory to share phone numbers and an identity card for vaccination. Often this ID card was an Aadhaar number, which ideally should not be stored under the Aadhaar Act. Yet we see all of this data has been stored in unencrypted databases and has clearly been breached. The screenshots of the data breach show us that the extent of this breach is so wide that mitigating it can be very challenging.

As repeatedly mentioned in these columns, whenever there is a breach the basic requirement is to do a forensic analysis and address the security issue at hand. This is the job of India’s Computer Emergency Response Team, which has been failing at this so much that failure is no longer an exception but the norm. Cybersecurity audits, forensic analysis, and basic security measures have been missing from Digital India’s master plans. The Indian government wants to maximise data collection but does not have any interest in protecting this data.
Worse, it considers incidents such as the latest one mere accidents.

At the time of the COVID vaccination, many had questioned the government’s insistence on citizens submitting Aadhaar cards and other health IDs. Many had raised questions as to whether the government could assure them of privacy after they submitted their data on the CoWin portal. When it was flagged by some that CoWin, AarogyaSetu, and the health data ecosystem lack the basic security architecture to protect data, the government called them mere ‘scaremongers’. In fact, the CoWin website had no privacy policy to begin with, and it was the general public and the Internet Freedom Foundation that forced the National Health Authority to get one two years ago.

The data security section of the CoWIN privacy policy pretty much puts the responsibility of protecting data on citizens themselves, who were forced to submit their data in the first place. This is what the policy says:

“Co-WIN Platform has reasonable security measures and safeguards in place to protect Your privacy and Personal Information from loss, misuse, unauthorized access, disclosure, destruction, and alteration of the information in compliance with applicable laws. Further, whenever You change or access your account on the Platform or any information relating to it, We offer the use of a secure server. It is further clarified that You have and so long as You access and/or use the Platform (directly or indirectly) the obligation to ensure that You shall at all times, take adequate physical, managerial, and technical safeguards, at your end, to preserve the integrity and security of your data which shall include and not be limited to your Personal Information.”

The purpose for which CoWIN was created is over, and there is no need for the government to maintain this health data anymore. Ideally, under the Right to Privacy judgement, we should be allowed to demand data deletions.
But secondary interests in creating a data economy force the government to store this data and potentially even sell it to anyone who is willing to pay for it. A future data protection law may allow data deletions, but again only with the private sector and not from government databases. The rights section of the privacy policy says one can delete a CoWIN account, but only when one did not take a vaccine.

“You cannot manage the communications that you receive from us or how you receive them. If you no longer wish to use CoWIN you are free to delete your registration details till such time as you have not taken any vaccine doses.”

When it comes to cybersecurity and privacy, no one in the government is serious about it. Mere statements are issued to say that security is all in place and everything is fine. No clear procedures have been put in place to safeguard Indians in Digital India. The Minister of State for Information Technology, Rajeev Chandrasekhar, has put out information acknowledging there was some form of a data breach, but there is no information on where the breach was or how a past breach took place.

With ref to some Alleged Cowin data breaches reported on social media, @IndianCERT has immdtly responded n reviewed this
✅A Telegram Bot was throwing up Cowin app details upon entry of phone numbers
✅The data being accessed by bot from a threat actor database, which seems to…
— Rajeev Chandrasekhar 🇮🇳 (@Rajeev_GoI) June 12, 2023

It is clear that the government can’t protect our data, and expecting it to protect us is probably a futile demand. Even though the executive is required to protect our fundamental rights, it is very clear that its interest is more in commodifying our data than in protecting us. The only option we, as citizens, have in this scenario is to not share our data and to demand data deletions.
But even this is not being allowed, with the demands to share our Aadhaar, phone numbers, and all of our personal data to help build a data economy.

Srinivas Kodali is a researcher on digitisation and a hacktivist.