CoWIN Data Leak Is a Sign India Needs to Rethink its Digital Public Infrastructure Strategy

As India positions itself as a staunch advocate of Digital Public Infrastructures at the international level, developments such as this data leak are a stark reminder of the gap between the rhetoric and reality associated with DPIs.

On Thursday, June 22, the Delhi police arrested multiple individuals suspected to be connected to the recent CoWIN data leak on June 12 – where sensitive personal data such as full name, Aadhar number, mobile number and vaccination status of innumerable citizens stored on the CoWIN platform was leaked through a Telegram bot. Such developments have occurred in the backdrop of  the Indian Ministry of Electronics and Information Technology’s (MeitY’s) ‘Global DPI Summit’ in Pune on June 12 and 13. The event, part of India’s ambit of initiatives as the G20 president-nation, showcased ‘Digital Public Infrastructures’ such as CoWIN, UPI and Aadhaar, underscoring ways in which they had revolutionised service delivery.

As India positions itself as a staunch advocate of DPIs at the international level, developments such as this data leak are a stark reminder of the gap between the rhetoric and reality associated with DPIs. Unfortunately, the very suitability of these technologies has gone unchallenged, with DPI being deployed indiscriminately for multiple use-cases ranging from payments to vaccination drives in India. A closer look at the country’s DPI trajectory reveals three issues that remain unaddressed – a lack of empirical evidence, an absence of suitability and opportunity cost assessments, and finally, issues of diluted accountability and transparency in instances of rights violations.

Both internationally and closer to home, conversations around DPI remain overwhelmingly techno-optimistic. Most sources of information on DPI have nothing but praise for the approach – often using words such as ‘innovation’, ‘efficiency’, ‘inclusivity’ to define it. While that itself does not make for a significant gripe, it is the lack of empirical evidence to back these claims that does. Admittedly, the lack of empirical data and independent impact assessments are commonplace features of an emerging space such as DPI, but that does not seem to have affected the rapidity with which these digital technologies are being implemented. An example of such immunity can be seen in the case of Aadhaar, wherein despite evidence of exclusion and less-than-estimated benefits of leakage prevention, the digital ID has come to dominate most channels of G2C service delivery. Similarly, while evidence of scams and privacy violations surrounding UPI and digital payments continues to emerge, they have done little to soften the government’s rhetoric around them. This signals a dangerous trend in policy making, one that treats a digital-based solution as a foregone conclusion rather than a policy option that requires deeper deliberation.

Also read: CoWin Fiasco Should Alert Us to Hidden Agendas Behind Digital Identity-Based Governance

There is a lot of enthusiasm around adopting DPIs for different sectors in India – health, education, agriculture, and judiciary. As of 2023, multiple proposals, pilots and early-phase interventions that include DPI have been introduced, such as Ayushman Bharat Digital Mission, National Digital Education Architecture, India Digital Ecosystem for Agriculture, and Digital Ecosystem for Skilling and Livelihood. All these sectoral proposals claim (without much evidence) that DPI will help address wicked policy problems of access, service quality, accountability, etc.

While such proposals may hold merit, fundamental questions around whether such an approach is suitable for a sector, given its context, have been sidestepped. Questions such as whether a digital solution is the most pressing need for a sector, and if it is, whether such a digital solution should take the form of a DPI, remain painfully absent from proposals and plans. Even discussions around whether a sector has appropriate institutional structures to support such an intervention are conspicuously omitted in the current paradigm. Factors such as digital readiness of the sector, the demographics of the proposed user base, and the existence of clear legislation and regulatory enforcement mechanisms also determine the efficacy of deploying DPI in a given sector.

For example, with the case of vaccination, the targeted user base included a significant portion of individuals for whom digital technologies remain inaccessible currently. The introduction of a digital platform such as COWIN in an emergency situation, given its unsuitability for these people and communities, created a scenario wherein vaccine availability and stocks were disproportionately distributed to those who knew how to best operate the platform – i.e., digitally literate, wealthy, upper caste individuals.

Another key concern with the current DPI approach is the potential for it to redirect funds from other competing priorities in a given sector. At present, creation of DPIs has swiftly climbed up the list of priorities for sectoral policies. Significant resources are being diverted towards building digital infrastructures even in sectors such as health and education, where physical infrastructure is far from perfect. The scale of DPI initiatives raises serious questions around public finance, especially in low-resource environments.

Finally, given the vast amounts of data collection, processing, and exchange associated with DPIs, citizens are at considerable risk of their data being leaked and their privacy rights being compromised, as seen with the recent leak. Early reports of arrests made by the Delhi police in connection with the data breach have suggested that the leakers obtained information on the CoWIN platform from healthcare workers that they were associated with, and used this information to facilitate the leak. This underscores a nuance associated with DPI use in critical sectors: the security of the system is not solely a function of technological advancement but also dependent on human capacity. . Such beaches demonstrate a lack of adequate oversight over the various actors of the ecosystem that collected/handled private information of citizens. With no institutional frameworks, and clear limitations around government’s accountability when processing data under the upcoming Digital Personal Data Protection Bill 2022, citizens are left in the dark, with no recourse to seek damages.

This recent data leak highlights the need for a serious overhaul of our current approach to DPI – governments, philanthropic organisations and other stakeholders need to acknowledge the limitations of techno-solutionist approaches in policy making. Ex-ante assessments that help understand the conduciveness of a use-case/sector to DPI application need to be conducted. It needs to be ascertained whether the possible risks of deploying a DPI-like approach outweigh its supposed benefits, especially in countries where governments have historically faced performance monitoring constraints.

Aarushi Gupta is a London-based policy researcher with expertise in social protection and digital governance and Aman Nair is a project coordinator at Digital Futures Lab with expertise on digital governance, digital capitalism and fintech.