The official Twitter accounts of the Congress party and Rahul Gandhi were hacked recently. Obscenities were posted on the public forum from both accounts, along with boasts that the private e-mail correspondence of the Congress party would soon be dumped into the public domain. Then, the Narendra Modi voting app was hacked by an activist, who claimed (with screenshots) he could harvest the private data of some seven million registered users, including phone numbers, e-mail addresses, names, addresses, interests and locations. Another activist from Australia revealed that he had found the medical records of 43,000 persons who had undergone tests at a pathology laboratory in Maharashtra. Those details are freely available in search engine caches. In October, four million debit cards were hacked, affecting account holders at several different banks. These incidents are not aberrations. More episodes of hacking are possible as more sensitive data is placed online.
These security concerns are coming up at a time when public policy in India is relentlessly pushing for digitisation of all manner of records, linking personal details to Aadhaar as well as moving towards the goal of a cashless economy. But India has poor data security and data security infrastructure. The rewards for harvesting digital data have increased exponentially. What is more, it is not even certain that individuals whose data were exposed have much by way of legal recourse. Under the circumstances, policymakers appear to be guilty of being careless and glossing over the potential threats that lie ahead for digital India.
While many people have hailed the concept of going digital in theory and rightly pointed out the conveniences of such a system, it could be terribly vulnerable to external threats as well as fraud on a massive scale. A malware attack might paralyse normal activity. Every individual within that system is perpetually exposed to the dangers of identity theft and financial fraud. To take a simple example, it is easy to directly transfer cooking gas subsidies and MGNREGA payments into bank accounts; it is equally easy to transfer cash out of those accounts. That is because India has no clear benchmarks defining data that needs protection. There are no specific norms to be followed on securing sensitive data, let alone any demand for checks and inspections to see that such protection is implemented. There are no penalties imposed for careless guardianship of data and there are no systems for restitution.
In contrast to expectations, the government has argued in a court case pertaining to Aadhaar that the right to privacy is not a fundamental right and that such data can, therefore, be shared without the individual’s consent. Not surprising then that the sharing of data is endemic in practice. The Indian Railways, for example, intends to share personal data. There are many apps being built by stringing together bits of data and metadata. A frighteningly complete picture of any individual’s life, including one’s real-time location, phone interactions, website visits, financial transactions, reading interests, musical tastes and medical history can be built quite easily, without either the knowledge or consent of the individual and without transgressing any Indian law. The government must urgently focus on a comprehensive strategy, otherwise the entire digital India edifice will be threatened.