'Why does a State that sees a national security issue at every turn not recognise the seriousness of the data from sensitive databases being breached?'
A few days ago, Indians were shocked to know that their passport information, Aadhaar and other personal details were out in the open for everyone to see.
The data breach had happened on the CoWin app where citizens had registered for COVID-19 vaccination.
Rajeev Chandrasekhar, minister of state for electronics and technology, claimed that the CoWIN app or database which was shared by a Telegram bot does not appear to have been 'directly breached', but that it has been 'populated with previously stolen data stolen in the past'.
Does that mean the data was breached earlier?
Dr Usha Ramanathan, an independent legal researcher, has been warning, since 2010, about the security threat that Aadhaar poses to individuals, and to the nation as a whole.
"It is dangerous to create links between all these databases, and this is especially so when there is proven incapacity to protect the data, and when just about anyone or any country could get their hands on it, and we wouldn't even know," Dr Ramanathan tells Rediff.com's Shobha Warrier.
In 2017 when we spoke, you had said that Aadhaar was going to be a national security threat. What you have been talking about has happened.
After the huge CoWin data breach, personal information of lakhs of people is out in the open.
Were you expecting something of this sort to happen sooner or later? Or, was it shocking?
No, we were not shocked, as we expected this all along. It is just distressing, and inexplicable, that the government continues to be in denial.
You know we have been raising concerns about these possibilities from the time we heard the contours of the project in 2009.
In 2010, it was a hypothesis. We were saying this could happen. By now, everything we said could happen, has happened. In fact, it is even worse than we had feared.
Why does a State that sees a national security issue at every turn not recognise the seriousness of the data from sensitive databases being breached?
The UID database was just the beginning of gathering data about every individual, and of creating digital databases.
Since then a spate of digital databases have erupted -- both legacy records like the PDS and NREGA, in banks and in income tax; and also more recent additions such as records concerning land, agriculture, health, disability, unorganised labour, gig workers and the list keeps growing. And, during Covid, Arogya Setu, and CoWIN.
Amazingly, it is not just databases; it is also IDs. Every time there is digital collection of data, there seems to be a temptation to create one more 'unique' ID.
Scour the news and there are unique numbers for all manner of things: A unique property ID number, the unique health ID (UHID), a unique ID to keep track of students, a farmers' ID, a unique property identification number, even unique numbers for cattle and tigers and elephants.
And in all of these, the UID number, PAN number, mobile number and, often, the bank account number are imbedded. And these databases are proving to be so porous!
You had said when we spoke earlier that the Aadhaar project was for corporate interests and not for government....
It is now being openly admitted that the project was intended to serve business interests, and so it must be opened up for use of the private sector. In November 2021, there was a conference to talk about 'Aadhaar 2.0'.
Let me quote to you what Mr A P Singh and Mr R S Sharma -- both of them belong to the founding team of the UID project -- said there. The session was titled 'Expanding use of Aadhaar to boost digital economy'.
Mr A P Singh: 'The UIDAI itself created a gated community; and unless and until it opens it up, the question of boosting the digital economy does not arise.'
Mr R S Sharma: 'Ultimately, a road is not built by the government only for government vehicles. It is built out of public money for everyone to use...We have not allowed the exploration of what can be done with Aadhaar in the private sector...'
'Let us not be cowed down by some people who keep saying "privacy, privacy, privacy".'
'Privacy is a fundamental right, and we should respect it, but in the name of privacy we should not kill the purpose of the Aadhaar.'
Also, you may remember that Mr Bill Gates had tried to push through the idea of a global vaccination database.
There was a not-so-hazy threat held out that, for people who were not on the digital database that said they had been vaccinated, where, how many doses, when, by whom and which vaccine, then they would find their freedom of movement severely restricted.
The corporate interest in having everyone on the radar, in this case globally, was much in evidence.
Fortunately, despite the coercion involved in vaccination and CoWIN, that petered out, though we have no idea what has been done with the data collected so far.
Is there a need to link Aadhaar to everything from income tax to a vaccination certificate?
If it is just meant to be an identity to authenticate you, this should certainly not be necessary.
My belief is that a digital ID itself is hugely problematic.
UIDAI has betted on two things when creating the digital database: Biometrics, and, when that proved unreliable, the mobile phone.
Both these reveal too much about a person and, when it is an entire population on the database, if it is not truly secure, the danger should hardly need explaining.
The dramatic drop in interest in conducting a Census is directly proportionate to the numerous databases through which the State is able to see every individual.
This is a destruction of the very idea of privacy. But then, Mr R S Sharma would stomp his feet in frustration that we keep saying privacy, privacy, privacy.
Yet, it is unhealthy to have the State have such detailed information about every individual.
Then, it is dangerous to create links between all these databases, and this is especially so when there is proven incapacity to protect the data, and when just about anyone or any country could get their hands on it, and we wouldn't even know.
Even this time, it wasn't the health authority, not CERT-IN, not any agency of government; someone saw it on Telegram.
What about personal security?
Let's be clear about this. I don't think they care about our personal security at all.
You go back and see what happened in 2015. The attorney general stood up in court and told the court that the people of this country do not have a right to privacy.
In 2017, when the issue of privacy was being argued before the court, and it became clear that the court was going to put its seal on the right to privacy, they said, don't do it, we are setting up a data protection committee under Justice (B N) Srikrishna.
The report of the committee was titled 'A free and fair digital economy' and then, as an afterthought 'Protecting privacy and empowering Indians'.
There is a lot to be said about what those urging the project mean when they say 'empowering Indians', but that is for another time.
Since then, Justice Srikrishna has been screaming himself hoarse saying, the kind of laws and regulations that are being proposed are riddled with clauses that destroy privacy and promote surveillance.
Despite Mr R S Sharma and Mr A P Singh lamenting that UIDAI has not opened its doors to the business interest, in fact, in 2018 when the court said the UID cannot be used by private companies, the Aadhaar Act 2016 was amended to undermine the judgment of the court on this issue.
There is a concerted effort to sell the UID to governments around the world. That could also be a reason why any questioning of the UID system is met immediately with denial. But this denial is at the cost of the security of the people.
And of national security. I find it incomprehensible that even the national security risk does not have the government worried.
Mr R S Sharma, who held the reins of CoWIN till he moved to become CEO of the newly constituted National Health Authority, and is therefore in charge of the unique ID which will be linked to all our health data, had said, when there were reports of a leak at an earlier time, that such reports were 'baseless', and such a breach could never happen. He has been proved wrong yet again.
According to Minister Rajeev Chandrasekhar, the talk about a data breach was mischievous as it was nothing more than what had happened before...
His message admits that the data had been stolen some time earlier, and so this time it was not from the CoWIN database. This is a story that has gone stale.
Every time the UID data would be leaked, UIDAI would say, oh, it's not from us, it is from some other site that has our data.
The minister owes us an explanation. If it was stolen before, when did the government find out? What did they do about it? Why did they not tell us? Who, if anyone, have they shared the data with?
CoWIN, it is reported, is integrated with the Aarogya Setu and UMANG apps. What risks does this pose, and what has been done about it?
Interestingly, Mr Rajeev Chandrasekhar was a petitioner in the UID case in the Supreme Court, challenging aspects of the project.
We have created a CoWin database while many other countries did not. I think CoWin is a product the government has created and they want to sell it to various countries saying, see what a great thing we have done.
But we are also making it easy for people to breach.
Here, the government punishes those who point out the breach. Every time a breach has been pointed out, the government is in denial. They send show cause notices and lodge cases against those who pointed out the vulnerability.
In every other country where they have a digital database, they encourage people to tell them what the vulnerabilities are.
Here, we punish those who point out the vulnerabilities because we go by the notion that no one should know the problem.
The government is always in denial.
Feature Presentation: Ashish Narsale/Rediff.com