Editorial: A winning proposition
The Indian Computer Emergency Team (CERT-In), a nodal cybersecurity agency that tackles breaches and vulnerabilities in cyberspace, has not issued any statement or security alert regarding the leak of personal data of citizens who received COVID-19 vaccinations and were registered on the CoWin platform. The agency has not alerted the public on whether their Aadhaar or passport numbers, along with other personal details, could have been hacked. The only update that has come is from the IT Minister Rajeev Chandrasekhar, who said the cybersecurity agency had found that data being accessed by the Telegram messaging app seems to have been populated with previously stolen data.
Experts have surmised that the information might not have been sourced from CoWin directly, but from a healthcare worker who might not have adequately safeguarded data pertaining to the vaccination beneficiaries. The particulars include precise dates of birth, which seems baffling as the CoWin platform had only collected the year of birth. Other bits of data that had been compromised include mobile numbers and the number and type of identity document (Aadhaar, PAN, passport and voter ID). While the bot is now inactive and the government has said that data within CoWin is secured, the episode has laid bare the chinks in the armour of the Digital India mission.
The CoWin portal has been utilised by a major chunk of the 110 cr beneficiaries of our national vaccination drive. The question of the safety of large volumes of public data provided to the government, either through CoWin, or through an offshoot of the health ministry, or even through a third party with access to data hosted on CoWin, looms large. CoWin did not have a functional privacy policy to fall back on until the Delhi High Court instructed it to fall in line. When the platform was launched, many digital rights activists had highlighted the perils of launching an API for CoWin that could determine the vaccination status of a citizen on the fly. Vaccine inequity was also a point of concern when several third-party developers began accessing data from the CoWin API. They had an unfair advantage of booking vaccination slots before anyone else.
Back in January 2022, data meant to be uploaded on the CoWin platform was leaked, which compromised particulars of 20,000 citizens. While the government denied this leak, there has been no update on remedial measures undertaken by authorities. This does not sync with India’s ongoing initiatives to build digital public infrastructure focussed on the healthcare space, such as the Ayushman Bharat Digital Mission or the Unified Healthcare Interface. These platforms are aimed at facilitating interoperability of health data, and interactions between healthcare service providers.
The success of any such platform depends on the trust and dependability that the public associates with government agencies. Transparency and accountability must be non-negotiable when it comes to the government collecting public data. The draft of the yet-to-be-introduced Digital Data Protection Bill includes a provision for the breached entity to notify the affected users, but without the clause for compensation. We need effective implementation of a cybersecurity strategy, aided by the National Data Governance Framework Policy and the draft Digital Data Protection Bill. Collecting, retaining and sharing of public data must happen within the realm of legislative safeguards. In the absence of this, citizens are rendered vulnerable and exposed to operators with vested interests.