Holes in the Digital Net

In Context

• The CoWIN portal, which is used by most Indians to register for COVID-19 vaccination, has recently been in the news for a possible data breach.

About the CoWIN Portal 

• About:
  • CoWIN Portal is the digital platform to capture covid-19 vaccination program details. 
  • CoWIN connects to various stakeholders, including vaccine manufacturers, administrators, and verifiers, public and private vaccination facilities, and vaccine recipients etc.
  • The CoWIN platform was developed at a record speed with ample consideration to its scalability, modularity and interoperability.  
    • The only way to access CoWIN’s system is either through an OTP or through a vaccinator whose access is logged.
• Integration with other government mobile applications:
  • CoWIN has been integrated with other government mobile applications such as Aarogya Setu and UMANG. 
    • UMANG (Unified Mobile Application for New-age Governance) is developed by the Ministry of Electronics and Information Technology (MeitY) and National e-Governance Division (NeGD) to drive mobile governance in India. 
    • UMANG provides a single platform for all Indian citizens to access pan India e-Gov services ranging from Central to local government bodies.
• Access to third-party applications:
  • CoWIN provides access to third-party applications that have been authorised by the government to use its APIs (application programming interfaces). 
    • APIs are a set of rules that allow two applications to communicate and share data.

About the data breach on the CoWIN platform

• About:
  • There are reports that CoWIN data has been accessed by a Telegram bot.
    • Telegram supports third-party bots that offer additional functionality. 
    • These bots can be used to perform various tasks like converting files, checking emails and even letting users play games with others.
  • Sensitive personal details including date and place of vaccination, with Aadhaar, PAN, Passport, Voter ID, & Mobile numbers were circulating on the internet-based messaging platform Telegram. 
• Government’s response:
  • The government has not explicitly clarified whether or not the CoWIN database was breached recently or in the past.
  • The Indian Computer Emergency Response Team (CERT-In), the nodal cyber security agency, had reviewed the alleged breach and has found that the CoWIN portal was not “directly breached”. 

Issues with the Data Leak

• Display of weakness in digital public infrastructure:
  • A leak of personal information from the CoWin platform would mean weakness in this digital public infrastructure, which has been a pillar for both government’s delivery of public goods and for the private sector to innovate and offer services like payment facilities. 
• Misuse of data and loss of public trust:
  • The data can be used for fraud, phishing, spamming, or harassment. 
  • It can also expose users to targeted attacks based on their vaccination status or location.
  • The data breach will undermine the public trust in government portals like CoWIN and which led people to lose confidence in giving data to the government platforms.
• Setback to the digitisation:
  • The data breach claim has come as a major jolt to the government, which has been taking steps to digitize the economy and has built digital public infrastructure (DPI) based on the biometric identification number Aadhaar, individuals’ mobile numbers, and bank accounts as the backbone for the transfer of benefits and innovation in the private sector.

Challenges & criticisms

• Erosion of citizens’ trust:
  • Similar such events in the recent past include the Employees’ Provident Fund Organisation (EPFO) breach in August 2022 and the ransomware attack on the All-India Institute of Medical Sciences (AIIMS) in November 2022.
  • The Computer Emergency Response Team (CERT-In), which is tasked with such investigations, has often maintained silence and not made any of its technical findings public. This, according to critics, has eroded citizens’ trust.
• Lack of adequate legal framework and accountability:
  • There is a lack of a National Cyber Security Strategy 
    • A draft put to public consultation in December 2019 awaits finalisation. 
  • Also, India does not have any data protection law requiring breach notifications to impacted users. 
  • Even the proposed Draft Digital Personal Data Protection Bill, 2022, being mooted by MeitY would by notification exempt government entities from compliance. 
    • Without any legal accountability, repeated data breaches now occur within the same entity or platform such as the RailYatri portal that has reportedly been breached in 2020, 2022 and 2023.
• Lack of legislative mandate:
  • The weak governance processes, which put into question whether they have been created with a legislative mandate. 
  • Except for Aadhaar (prompted by litigation), none of these platforms [like Aarogya Setu, CoWIN or even Government E-Marketplace (GEM)] has a legal definition of their functions, roles and responsibilities from an Act of Parliament. 
  • Many are developed as joint ventures, or special purpose vehicles, that avoid accountability mechanisms such as audits by the Computer Auditor General (CAG) or transparency mandates under the Right to Information Act.
• Data collection & breach:
  • One of the common aspect of all such platforms is them being data guzzlers where personal information is gathered from Indians that goes beyond the technical requirements. 
  • This only results in multiple individual and social harms, including data breaches.

Way ahead

• India’s journey toward having strong data protection legislation has been chaotic with multiple rounds of deliberations.
• There is a need to invest in cutting-edge defence mechanisms, enact stringent legislation, and foster cross-sector collaboration to counter evolving threats.
  • Requirement is also to increase awareness among the software community on producing safer software and push organizations to invest in better practices.