By K Raveendran
The heavy impact of the disclosures made by former Twitter CEO Jack Dorsey about alleged arm-twisting by the Modi government to force the microblogging giant to block criticism of the government in connection with the farmers' agitation has overshadowed the disastrous data leak relating to Covid vaccination. The latest controversy has taken the spotlight away from the CoWin breach, which nevertheless would have continued implications for the people of India.
The stolen data includes name, gender and birth details, as well as Aadhaar numbers, PAN cards, passport numbers, voter IDs, and details of the vaccination centre in which a person was immunised. The information was made available through a Telegram channel, which only highlights the extent of the danger.
The information technology ministry and the agencies of the government are desperate to minimise the threat, but every attempt to defend only further exposes the vulnerability. They have even tried to take cover behind chronology, saying the breaches relate to the past, little realising that once stolen, the credentials are lost forever for fraudsters to act upon and there is no remediation left for those whose identities have been stolen. The breach of data from sources such as Aadhaar is not like the compromise of a password or similar credentials, which the victims have the power to change. But data from Aadhaar or the CoWin portal, once stolen, remain so permanently.
Of course, the government likes to believe that privacy is a matter of concern only to the activists or those who are more aware of the potential for misuse and that for the vast majority of the population it makes no difference. But the fact is that the silent majority may not be aware of this sacred right of theirs, but they remain potential victims of fraud like anybody else. The manner in which minister of state for electronics and information technology Rajeev Chandrasekhar has sought to defend the government, saying the Telegram bot seemed to have been populated with previously stolen data, betrays a certain disdain for the rights of the victims. It does not matter when the breach took place; the breach itself is the worry.
Given how the various portals have performed in the past, including the so-called fortified Aadhaar data, the CoWin portal breach is hardly surprising. When the platform itself was launched in 2021, Bengaluru-based technology activist Anivar Aravind had cautioned against the dangers. He had in fact approached the Karnataka High Court against the Modi government’s decision to make the Aarogya Setu app mandatory for vaccination and other services by pointing out the risks of collecting such personal information. Aarogya Setu itself fizzled out, but his prophecy has come true.
Every data breach is followed by a spike in fraud, with scammers using the data to send out phishing messages on all kinds of devices and across channels, with unsuspecting victims playing into the hands of fraudsters who use the information for all kinds of nefarious activities including financial fraud. As far as the victims are concerned, it matters little how their information was compromised; nor are they impressed with the kind of technicalities cited by Rajeev Chandrasekhar and other functionaries.
For instance, the leak of the PM-Kisan Aadhaar database, which exposed personal information of over 8.5 crore farmers, including their names, addresses, bank account numbers, and Aadhaar numbers, was on account of the fact that the data was stored on an unsecured server, which was accessible to anyone with an internet connection. This means that anyone with malicious intent could have accessed the data and used it to commit identity theft. The scheme required farmers to provide their Aadhaar numbers and other personal information in order to receive the benefits. This data was stored in a government database, which was breached, resulting in the leak of the personal information of these farmers.
The breach had raised serious questions about the security of government databases and highlighted the need for stronger security measures to protect the personal data of citizens. The government has to ensure that its databases are secure and that the data is not vulnerable to unauthorized access. Furthermore, the government must also ensure that the data is not shared with third parties without the consent of the individuals. But such guarantees have not worked. (IPA Service)