CoWIN leaks: Where’s government’s due diligence?


Source- The post is based on the article “CoWIN leaks: Where’s government’s due diligence?” published in “The Indian Express” on 19th June 2023.

Syllabus: GS3- Awareness in the field of IT, computers. GS2- E-governance

Relevance- Issues related to privacy and security in digitalisation

News- The recent media reports about the CoWIN data leak are no doubt disconcerting.

What is the general response of authorities to data-related privacy and security concerns?

They dismiss it by saying that our phone or Aadhaar numbers may already be there with hundreds of entities anyway.

Keepers of these systems argue that the security and privacy safeguards deployed are foolproof because they use “state-of-the-art best practices”.

What should be standard discourse on security and privacy related concerns?

Security specifications should start with a well-articulated threat model. It should spell out the security risks and the capabilities of a hypothetical adversary.

For large public service applications, it is assumed that the adversary can corrupt all insiders including system administrators, all custody chains, and all hardware and software.

The system designers are then required to argue for security against such a threat model within some well-established, standard framework.

Trusting the integrity of software or hardware is usually avoided, because such correctness is often difficult to establish.

Why does the policy response on privacy require even more due diligence?

Leakage of sensitive personal information, such as phone and Aadhaar numbers, makes one vulnerable to direct harms like fraud, identity theft, or illegal surveillance. There can also be indirect harm resulting from unknown entities using personal data in unknown ways.

For example, such data may be used illegally for profiling voters and influencing them. This is problematic because individuals are often less careful about these indirect harms.

What is the way forward to prevent the privacy breach in digitalisation?

It requires standards to ensure that data is only collected for specific purposes. Security of that data, particularly against insider attacks, is a necessary condition.

There is a need for legal standards to ensure collection of data for specific purposes and access control regulation to prevent building parallel copies of sensitive databases.
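The two points above (an adversary who is assumed to be an insider with full read access, and access rules that stop parallel copies of a sensitive database from being built) can be made concrete in code. The following is an added example, not code from the article or from CoWIN: it assumes a hypothetical vaccination registry, a constructed phone number, a hypothetical purpose allow-list, and a pseudonymisation key that is kept outside the database. It pseudonymises identifiers with a keyed HMAC, binds every lookup to a declared purpose, logs every attempt, and refuses bulk export.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Assumed threat model (as the article describes for public-service systems): the
# adversary is an insider who can read every stored record and every log line.
# Design goal: a leaked copy of the tables must not yield raw phone numbers, and
# every disclosure must be tied to a declared, permitted purpose.

ALLOWED_PURPOSES = {"vaccination_certificate", "adverse_event_followup"}  # hypothetical


def pseudonymise(identifier: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256). The key lives outside the database, so a dump
    of the table can neither be reversed nor joined with another leaked table that
    was keyed on the same numbers. A plain SHA-256 would not do: phone numbers have
    so little entropy that an unkeyed hash is reversible by enumeration."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


@dataclass
class Registry:
    key: bytes
    records: dict = field(default_factory=dict)  # pseudonym -> non-identifying fields
    audit: list = field(default_factory=list)    # every access attempt, permitted or not

    def enrol(self, phone: str, vaccine: str, dose: int) -> None:
        self.records[pseudonymise(phone, self.key)] = {"vaccine": vaccine, "dose": dose}

    def lookup(self, phone: str, purpose: str, requester: str) -> Optional[dict]:
        pseudonym = pseudonymise(phone, self.key)
        # Log first, so refused attempts are visible to the auditor as well.
        self.audit.append({"requester": requester, "purpose": purpose,
                           "subject": pseudonym[:12]})
        if purpose not in ALLOWED_PURPOSES:
            raise PermissionError(f"purpose not permitted: {purpose}")
        return self.records.get(pseudonym)

    def export_all(self, purpose: str, requester: str) -> None:
        # Bulk reads are how parallel copies of a sensitive database get built;
        # no purpose in the allow-list needs one, so the request is always refused.
        self.audit.append({"requester": requester, "purpose": purpose, "subject": "*"})
        raise PermissionError("bulk export is not a permitted purpose")


def new_registry() -> Registry:
    """Fresh registry with a random 256-bit pseudonymisation key. Here it is held
    in memory only; in a real deployment it would sit in an HSM or KMS, never in
    the same store as the records."""
    return Registry(key=secrets.token_bytes(32))


def leaked_dump_reveals(reg: Registry, phone: str) -> bool:
    """What the insider adversary gets: the whole record store plus the audit log.
    Returns True if the raw phone number appears anywhere in that dump."""
    dump = json.dumps(reg.records) + json.dumps(reg.audit)
    return phone in dump


if __name__ == "__main__":
    reg = new_registry()
    reg.enrol("9800000001", "Covaxin", 2)  # constructed sample data
    print(reg.lookup("9800000001", "vaccination_certificate", "clinic-42"))
    print("phone visible in leaked dump:", leaked_dump_reveals(reg, "9800000001"))
```

The point of the design is that the security argument does not rest on trusting the database administrator or the storage software: a full read of the tables and logs yields only keyed pseudonyms, and the only sanctioned access path is a per-record lookup with a declared purpose, each one recorded. Anyone wanting a copy of the whole table has to go through the key holder, which is exactly the control the article asks for.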

Any digitalisation involves some privacy risks at the interface of the digital and the human. This interface needs to be precisely modelled.

The interface is a crucial component of the digitalisation use cases. It defines how various users, including administrators and operators, interact with digital systems.

What is the harm associated with failure to do the required due diligence of privacy risk assessment?

It results in violations of the principle that data is collected only for specific purposes. This is evident from the imprecise definition in the Aadhaar Act and the indiscriminate use of the “Aadhaar card” in all services, some of which are backed by laws and some of which are not.

Other harms arising from inadequate modelling appear in the digitalisation of welfare delivery, such as the sale of PDS rations or MNREGA payments.

It may result in exclusions and denial of services, hardships, and increased transactional costs for the beneficiaries.
