'Maybe the State wants to be watching people all the time. But when they are watching, others too may be watching!'
'The State is becoming more and more secretive while throwing people to the wolves.'
A few days ago, Indians were shocked to know that their passport information, Aadhaar and other personal details were out in the open for everyone to see.
The data breach had happened on the CoWin app where citizens had registered for COVID-19 vaccination.
Rajeev Chandrasekhar, minister of state for electronics and technology, claimed that the CoWIN app or database which was shared by a Telegram bot does not appear to have been 'directly breached', but that it has been 'populated with previously stolen data stolen in the past'.
Does that mean data was breached before earlier?
Dr Usha Ramanathan, an independent legal researcher has been warning, since 2010, about the security threat that Aadhaar poses to individuals, and to the nation as a whole.
"By forcing people on to so many databases, and linking them up, and creating more and more IDs (including family IDs) from pre-birth to beyond death, the State has made every person, and the State itself, vulnerable," Dr Ramanathan tells Rediff.com's Shobha Warrier in the concluding segment of a two-part interview.
- PART 1 of the Interview: Data Breach: 'Government is always in denial'
Personal information of lakhs of people are out in the open. What kind of implications will this have?
The past few years have witnessed scam upon scam since the IDs have become common knowledge.
The CAG, in 2021, had raised concerns about the scant respect UID has shown for the security of data. The UIDAI had mandated that all UID data held by any entity must be secured in an 'Aadhaar Vault'. Then they had all but forgotten about it.
No verifying if this was being done by the multitudinous entities that have collected and kept the UID number, no check if it has been misused, no feedback system, nothing.
'Unauthorised access to aadhaar number can be misused in many ways', the CAG politely pointed out.
It is not only the UID data that causes insecurity. It is the multiple databases, and the convergence of data across these data bases that it facilitates.
It is no longer just the UID number, but the many unique numbers that this imagination has spawned. That the end goal is a digital economy is no consolation.
Commodore Lokesh Batra has been raising the question of enhanced risk when the health, injury and pension records of members of the armed forces is linked to such numbers that makes them visible and vulnerable.
Imagine hostile forces getting their hands on such data. Why would we gather and keep ready such databases to be hacked?
Cambridge Analytica gave us a clue to what manipulation can be attempted, and achieved, when data about individuals, and peoples, is at hand.
It is not only voting behaviour, but the treatment of prejudice, belief, loyalty, vulnerability, for instance.
A whole ecosystem is being nurtured where data flows freely, and policies are made to share and transfer this data in which the government claims complete control.
It is as though once the data goes to the government, it belongs to them and not to the person.
Can any government say that? What about the rights of an individual?
It has demonstrated again and again that there is no patience with the right to privacy, the judgment be damned.
There is no interest in making a law on privacy, or even on data protection. Every time it comes up, it is diluted more and more.
There is simply no acknowledgment about surveillance, and none about a theme that has been repeated in other circumstances where, for instance, dissent is criminalised -- viz. national security.
As the citizen is forced to become more and more transparent, the government becomes more and more opaque, and agencies within the State find crevices in which to hide. The RTI has become one such.
Now, there is an application pending to exempt CERT-in, the agency that is supposed to monitor such breaches and intrusionS, from RTI. This is not new.
In 2011, the Natgrid too was exempted from the RTI, even as information was sought, not about what Natgrid had done, but about what Natgrid was.
So, the State is becoming more and more secretive while throwing people to the wolves.
The government compares Aadhar to the identity cards of other countries. Do they also have such encompassing ID cards?
One country that has gone completely digital is Estonia. It is a small country, and yet it records a regularity of data breaches.
Sometimes it is data about children including behavioural data, sometimes photographs of hundreds of thousands of people, and sometimes it is cyber-aggression.
In 2017, the ID system got compromised, but it is a small country and the numbers if IDs they had secure again were small.
The EU works on ID cards, but it has tight rules about who accesses the system, what the data can be used for, and the GDPR to demand respect for privacy.
In 2017, Equifax lost millions of credit card records to a hacker which exposed information about 40% of the US population. The data did not surface on the dark net, possibly because it was an act of espionage, believed widely to be Chinese-sponsored, and not profit.
And on it goes. So it is not as if technology for putting people on databases has been secure anywhere.
What makes it worse here is the denial, and the refusal to learn from experience.
Every time a vulnerability is pointed out, the persons who found the vulnerability are subjected to the threat of criminal action. This fear of being shown up seems to be greater than the threat of data exposure and theft!
If cases against those who found the weakness in the system are not withdrawn, it is bound to have chilling effect.
You feel they have created a Frankenstein's monster?
Without doubt. By forcing people on to so many databases, and linking them up, and creating more and more IDs (including family IDs) from pre-birth to beyond death, the State has made every person, and the State itself, vulnerable.
In addition, these databases are also full of errors -- which may, in a perverse way, provide a screen from surveillance and profiling. But, in the immediate moment, data errors excludes.
The problem is also that the various uses of technology are marketed by the State.
DigitYatra is promoted with nary a word about its downsides of privacy invasion, and no information on who will handle the data, how long it will be retained, when it will be destroyed, what uses is it limited to, nothing.
Maybe the State wants to be watching people all the time. But when they are watching, others too may be watching!
All this database creation is about datafication of people. Personal information becomes the new resource on which the economy is going to be built. And the government doesn't seem to see the problem with this.
IMAGE: Dr Usha Ramanathan. Photograph: Kind courtesy Dr Usha RamanathanWhere will this lead to?
It is hard to tell. So long as the government is advised by industry, the interest will be to experiment freely, without law posing a hurdle, and with profit and power as ambition.
So long as there is no recognition of what these webs of data is doing to personal safety, as also to national security, mistake is bound to compounded by mistake.
Every breach is an opportunity to see the perils, and not only the possibilities.
Denial, punishing the messenger, discouraging feedback, turning a blind eye to exclusion and wrongful loss, these have to go before we can have a rational conversation.
I think they have set up all these systems without knowing how they will pan out.
Feature Presentation: Ashish Narsale/Rediff.com
