Tuesday, Dec 26, 2023

We want a Digital India. Just not the one we are living in

Citizens are never informed about the leak of their personally identifiable information or educated about any recourse. They are left to their own devices until the next breach happens.

In October, Resecurity, a US company, informed the world about the availability of Indians’ personal data on the dark web. It would have been easy to ignore this amid the deluge of bad news filling our news feeds but for the size and sensitivity of the data. The seller of the data set was providing verifiable, sensitive information of 55 per cent of the Indian population — roughly 815 million (81.5 crore) citizens.

This included personally identifiable information like name, phone number, Aadhaar number, passport number and address. All for a paltry sum of $80,000. On December 18, we learnt that Delhi police had arrested four individuals in this matter.

This is obviously not the first time that Indians’ sensitive information has been leaked. Earlier in the summer, multiple reports surfaced about a leak that exposed the personal information of individuals registered on the CoWin website. Last year, in November, Delhi’s prestigious AIIMS had to work with pen and paper to register a sea of patients after a ransomware attack. Why does this keep happening? Data breaches are at an all-time high in the world. Yet, some countries are more vulnerable than others.

It is easy to dismiss these leaks as they happen every day, but the leaking of sensitive information makes the breach reported in October different.

Thieves who have stolen names, Aadhaar numbers and passport information can use that information not only to sign up for new accounts in the victim’s name, but also to commit tax identity theft, online-banking theft and other financially motivated scams. We are already seeing a rise in cyber frauds, with people losing their life savings, taking on debt and suffering shame and stigma for having been scammed. As per the World Bank, “India is one of the fastest growing economies of the world and is poised to continue on this path, with aspirations to reach high middle income status by 2047”. Our mobile phone usage, enhanced banking access and the ever-growing market size that generates enormous amounts of data make us attractive not only to companies but also to bad actors.

No country is safe from data breaches. In fact, the Biden administration has issued multiple Executive Orders to modernise and implement stronger cybersecurity standards in the federal government. When such instances happen, the Computer Emergency Response teams spring into action and impacted users are informed and educated about what steps they can take to reduce the chance that their information will be misused. Basically, a near-term and a long-term plan is devised and executed. This is “Incident Response”. These strategies and tactics have been instrumental in reducing the impact of data breaches. In India, all we see are denials, semantic hand waving and some incomprehensible word salads from ministers, rinse and repeat.

Citizens are never informed about the leak of their personally identifiable information or educated about any recourse. They are left to their own devices until the next breach happens.

If the government of India were a business, it would have seen a sharp decline in its stock value, coupled with a mean market cap loss of billions of dollars resulting in a credit rating downgrade. But because market forces don’t apply to governments, the Indian government continues to operate without a long-term cyber security strategy.

Some might ask: How can Aadhaar be a problem, it’s so great? Despite a crystal-clear prohibition issued by the Supreme Court against making Aadhaar registration mandatory, the central government and enthusiastic parties in both state governments and industry proceeded to adopt Aadhaar-based technology and impose requirements for Aadhaar registration for social services and benefits — from educational scholarships to booking railway tickets to marrying voter ID databases to Aadhaar. By making Aadhaar registration mandatory, the government imposed on every Indian citizen an unmanaged risk of digital environment catastrophe.

When we went to the Supreme Court, some judges recognised that the Aadhaar number is the “bridge” linking all the silos of information and behavioural data collected through the vehicle of the “smartphone” in contemporary networked society. The Court also recognised that UIDAI’s “Verification Log” contains enough data about the activities of citizens that a “leak” would involve an unconstitutional violation of privacy. But it did not do much, saying that UIDAI’s computer security will eventually become “foolproof”. That was in 2018.

The constant flow of news about data breaches, whether at Comcast or UIDAI, is normalising massive losses of personal data. Despite all the puffery and all the claims about how Aadhaar makes India a world leader, no one has so far intimated how we are managing the obvious harms that are plaguing our society. From Brookings to Moody’s to the CAG, everyone has called out UIDAI on its failure to properly regulate its client vendors and address security, lack of transparency and accountability.

The plan cannot be for perfect security, operating flawlessly forever, for Aadhaar. No government can, at present, promise perfect security for even its most critical personnel data. No “platform” company, with all its immense profits, can claim to guarantee perfect security of customer data. No Indian citizen can, or should, trust a story in which Aadhaar data security is never breached, because breaches do occur regularly.

India’s recently introduced Data Protection Act does nothing to address sensitive health information. Under Clause 17(4), in fact, the government is exempt from provisions of data retention and erasure of personal data. Unless that data can make a difference in making a decision about a data principal, right to correction, completion and updation is also not available.

Here is some basic advice on what the Government of India should do:

Make the prevention, detection, assessment, and remediation of cyber incidents a top priority.

Recognise the importance of digital infrastructure as essential to national and economic security of the population.

Make the state digital infrastructure trustworthy by increasing transparency and accountability.

A cyber security board should be established with government and private sector participants that has the authority to convene, following a significant cyber incident, to analyse what happened and make concrete recommendations for improving cybersecurity.

Adopt a zero-trust architecture, and mandate a standardised playbook for responding to cybersecurity vulnerabilities and incidents.

Urgently execute a plan for defending and modernising state networks and updating its incident response policy.

Finally, put people at the centre of all policies. Informing them immediately, helping them protect themselves and remediate fallout from cyber incidents should be the government’s responsibility. We want a Digital India. Just not the Digital India we are living in at the moment.

The writer is the founder of Software Freedom Law Centre, India

First published on: 26-12-2023 at 05:05 IST