{"id":1648,"date":"2023-06-14T00:00:00","date_gmt":"2023-06-14T00:00:00","guid":{"rendered":"https:\/\/www.nextias.com\/current_affairs\/uncategorized\/14-06-2023\/holes-in-the-digital-net\/"},"modified":"2023-06-14T00:00:00","modified_gmt":"2023-06-14T00:00:00","slug":"holes-in-the-digital-net","status":"publish","type":"post","link":"https:\/\/www.nextias.com\/ca\/editorial-analysis\/14-06-2023\/holes-in-the-digital-net","title":{"rendered":"Holes in the Digital Net"},"content":{"rendered":"

\n<\/p>\n

In Context<\/u><\/strong><\/span><\/span><\/span><\/p>\n

\n
The CoWIN portal, which is used by most Indians to register for COVID-19 vaccination, has recently been in the news for a possible data breach.<\/span><\/span><\/span><\/li>\n<\/ul>\n
About the CoWIN Portal\u00a0<\/u><\/strong><\/span><\/span><\/span><\/p>\n
\n
About:<\/strong><\/span><\/span><\/span>\n
\n
CoWIN Portal is the <\/span><\/span><\/span>digital platform <\/strong><\/span><\/span><\/span>to <\/span><\/span><\/span>capture covid-19 vaccination program <\/strong><\/span><\/span><\/span>details.\u00a0<\/span><\/span><\/span><\/li>\n
CoWIN<\/span><\/span><\/span> connects to various stakeholders<\/strong><\/span><\/span><\/span>, including vaccine manufacturers, administrators, and verifiers, public and private vaccination facilities, and vaccine recipients etc.<\/span><\/span><\/span><\/li>\n
The CoWIN platform was <\/span><\/span><\/span>developed at a record speed<\/strong><\/span><\/span><\/span> with ample consideration to its scalability, modularity and interoperability.\u00a0\u00a0<\/span><\/span><\/span>\n
\n
The only way to access CoWIN\u2019s system is<\/span><\/span><\/span> either through an OTP<\/strong><\/span><\/span><\/span> or <\/span><\/span><\/span>through a vaccinator<\/strong><\/span><\/span><\/span> whose access is logged.<\/span><\/span><\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n
Integration with other government mobile applications:<\/strong><\/span><\/span><\/span>\n
\n
CoWIN has been <\/span><\/span><\/span>integrated with other government mobile applications<\/strong><\/span><\/span><\/span> such as <\/span><\/span><\/span>Aarogya Setu<\/strong><\/span><\/span><\/span> and <\/span><\/span><\/span>UMANG<\/strong><\/span><\/span><\/span>.\u00a0<\/span><\/span><\/span>\n
\n
UMANG (Unified Mobile Application for New-age Governance)<\/strong><\/span><\/span><\/span> is developed by the Ministry of Electronics and Information Technology (MeitY) and National e-Governance Division (NeGD) to drive mobile governance in India.\u00a0<\/span><\/span><\/span><\/li>\n
UMANG provides a <\/span><\/span><\/span>single platform for all Indian citizens to access pan India e-Gov services<\/strong><\/span><\/span><\/span> ranging from Central to local government bodies.<\/span><\/span><\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n
Access to third-party applications:<\/strong><\/span><\/span><\/span>\n
\n
CoWIN provides access to third-party applications that have been authorised by the government to use its APIs (application programming interfaces).\u00a0<\/span><\/span><\/span>\n
\n
APIs are a set of rules that allow two applications to communicate and share data.<\/span><\/span><\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
About the data breach on the CoWIN platform<\/u><\/strong><\/span><\/span><\/span><\/p>\n
\n
About:<\/strong><\/span><\/span><\/span>\n
\n
There are reports that CoWIN data has been <\/span><\/span><\/span>accessed by a Telegram bot<\/strong><\/span><\/span><\/span>.<\/span><\/span><\/span>\n
\n
Telegram supports<\/span><\/span><\/span> third-party bots <\/strong><\/span><\/span><\/span>that offer additional functionality.\u00a0<\/span><\/span><\/span><\/li>\n
These bots can be used to perform various tasks like<\/span><\/span><\/span> converting files, checking emails and even letting users play games<\/strong><\/span><\/span><\/span> with others.<\/span><\/span><\/span><\/li>\n<\/ul>\n<\/li>\n
Sensitive personal details<\/strong><\/span><\/span><\/span> including date and place of vaccination, with Aadhaar, PAN, Passport, Voter ID, & Mobile numbers were<\/span><\/span><\/span> circulating on the internet-based messaging platform Telegram<\/strong><\/span><\/span><\/span>.\u00a0<\/span><\/span><\/span><\/li>\n<\/ul>\n<\/li>\n
Government\u2019s response:<\/strong><\/span><\/span><\/span>\n
\n
The government has not explicitly clarified whether or not the CoWIN database was breached recently or in the past.<\/span><\/span><\/span><\/li>\n
The <\/span><\/span><\/span>Indian Computer Emergency Response Team (CERT-In)<\/strong><\/span><\/span><\/span>, the nodal cyber security agency, had reviewed the alleged breach and has <\/span><\/span><\/span>found that<\/strong><\/span><\/span><\/span> the <\/span><\/span><\/span>CoWIN portal was not \u201cdirectly breached\u201d<\/strong><\/span><\/span><\/span>.\u00a0<\/span><\/span><\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
Issues with the Data Leak<\/u><\/strong><\/span><\/span><\/span><\/p>\n
\n
Display of weakness in digital public infrastructure:<\/strong><\/span><\/span><\/span>\n
\n
A leak of personal information from the CoWin platform would mean <\/span><\/span><\/span>weakness in this digital public infrastructure<\/strong><\/span><\/span><\/span>, which has been a pillar for both government\u2019s delivery of public goods and for the private sector to innovate and offer services like payment facilities.\u00a0<\/span><\/span><\/span><\/li>\n<\/ul>\n<\/li>\n
Misuse of data and loss of public trust:<\/strong><\/span><\/span><\/span>\n
\n
The data can be used for fraud, phishing, spamming, or harassment.\u00a0<\/span><\/span><\/span><\/li>\n
It can also expose users to targeted attacks based on their vaccination status or location.<\/span><\/span><\/span><\/li>\n
The data breach will undermine the public trust in government portals like CoWIN and which led people to lose confidence in giving data to the government platforms.<\/span><\/span><\/span><\/li>\n<\/ul>\n<\/li>\n
Setback to the digitisation:<\/strong><\/span><\/span><\/span>\n
\n
The data breach claim has come as a<\/span><\/span><\/span> major jolt to the government<\/strong><\/span><\/span><\/span>, which has been taking<\/span><\/span><\/span> steps to digitize the economy <\/strong><\/span><\/span><\/span>and has built d<\/span><\/span><\/span>igital public infrastructure (DPI)<\/strong><\/span><\/span><\/span> based on the biometric identification number Aadhaar, individuals\u2019 mobile numbers, and bank accounts as the backbone for the transfer of benefits and innovation in the private sector.<\/span><\/span><\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
Challenges & criticisms<\/u><\/strong><\/span><\/span><\/span><\/p>\n
\n
Erosion of citizens\u2019 trust:<\/strong><\/span><\/span><\/span>\n
\n
Similar such events in the recent past include the <\/span><\/span><\/span>Employees\u2019 Provident Fund Organisation (EPFO) breach in August 2022 <\/strong><\/span><\/span><\/span>and the <\/span><\/span><\/span>ransomware attack on the All-India Institute of Medical Sciences (AIIMS)<\/strong><\/span><\/span><\/span> in November <\/span><\/span><\/span>2022<\/strong><\/span><\/span><\/span>.<\/span><\/span><\/span><\/li>\n
The <\/span><\/span><\/span>Computer Emergency Response Team (CERT-In)<\/strong><\/span><\/span><\/span>, which is tasked with such investigations, has often maintained silence and not made any of its technical findings public. This, according to critics, has eroded citizens\u2019 trust.<\/span><\/span><\/span><\/li>\n<\/ul>\n<\/li>\n
Lack of adequate legal framework and accountability:<\/strong><\/span><\/span><\/span>\n
\n
There is a lack of a<\/span><\/span><\/span> National Cyber Security Strategy<\/strong><\/span><\/span><\/span>\u00a0<\/span><\/span><\/span>\n
\n
A draft put to public consultation in December 2019 awaits finalisation.\u00a0<\/span><\/span><\/span><\/li>\n<\/ul>\n<\/li>\n
Also, India <\/span><\/span><\/span>does not have any data protection law <\/strong><\/span><\/span><\/span>requiring breach notifications to impacted users.\u00a0<\/span><\/span><\/span><\/li>\n
Even the proposed <\/span><\/span><\/span>Draft Digital Personal Data Protection Bill, 2022<\/strong><\/span><\/span><\/span>, being mooted by MeitY would by notification<\/span><\/span><\/span> exempt government entities<\/strong><\/span><\/span><\/span> from compliance.\u00a0<\/span><\/span><\/span>\n
\n
Without any legal accountability, repeated data breaches now occur within the same entity or platform such as the RailYatri portal that has reportedly been breached in 2020, 2022 and 2023.<\/span><\/span><\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n
Lack of legislative mandate:<\/strong><\/span><\/span><\/span>\n
\n
The weak governance processes, which put into question whether they have been created with a legislative mandate.\u00a0<\/span><\/span><\/span><\/li>\n
Except for Aadhaar (prompted by litigation), <\/span><\/span><\/span>none of these platforms <\/strong><\/span><\/span><\/span>[like Aarogya Setu, CoWIN or even Government E-Marketplace (GEM)] <\/span><\/span><\/span>has a legal definition of their functions<\/strong><\/span><\/span><\/span>, <\/span><\/span><\/span>roles and responsibilities<\/strong><\/span><\/span><\/span> from an Act of Parliament.\u00a0<\/span><\/span><\/span><\/li>\n
Many are developed as joint ventures, or special purpose vehicles, that <\/span><\/span><\/span>avoid accountability mechanisms<\/strong><\/span><\/span><\/span> such as audits by the Computer Auditor General (CAG) or transparency mandates under the Right to Information Act.<\/span><\/span><\/span><\/li>\n<\/ul>\n<\/li>\n
Data collection & breach:<\/strong><\/span><\/span><\/span>\n
\n
One of the common aspect of all such platforms is them being data guzzlers where personal information is gathered from Indians that goes beyond the technical requirements.\u00a0<\/span><\/span><\/span><\/li>\n
This only results in multiple individual and social harms, including data breaches.<\/span><\/span><\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
Way ahead<\/u><\/strong><\/span><\/span><\/span><\/p>\n
\n
India\u2019s journey toward having strong data protection legislation has been chaotic with multiple rounds of deliberations.<\/span><\/span><\/span><\/li>\n
There is a need to invest in cutting-edge defence mechanisms, enact stringent legislation, and foster cross-sector collaboration to counter evolving threats.<\/span><\/span><\/span>\n
\n
Requirement is also to increase awareness among the software community on producing safer software and push organizations to invest in better practices.<\/span><\/span><\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
\n\u00a0<\/p>\n
\n\n\n\n
\n
Daily Mains Question<\/u><\/strong><\/span><\/span><\/span><\/p>\n
\t\t\t\u00a0<\/p>\n
[Q] <\/strong><\/span><\/span><\/span>Analyse the issues regarding frequent data breach of government\u2019s digital platforms. What are the issues & challenges? What are the possible ways for better data protection legislation in the country?<\/span><\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
<\/body><\/html><\/p>\n","protected":false},"excerpt":{"rendered":"
In Context The CoWIN portal, which is used by most Indians to register for COVID-19 vaccination, has recently been in the news for a possible data breach. About the CoWIN Portal\u00a0 About: CoWIN Portal is the digital platform to capture covid-19 vaccination program details.\u00a0 CoWIN connects to various stakeholders, including vaccine manufacturers, administrators, and verifiers, […]<\/p>\n","protected":false},"author":1,"featured_media":1649,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[22],"tags":[31,30],"class_list":["post-1648","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-editorial-analysis","tag-government-policies-interventions","tag-gs-2"],"acf":[],"jetpack_featured_media_url":"https:\/\/wp-images.nextias.com\/cdn-cgi\/image\/format=auto\/ca\/uploads\/2023\/07\/5843609Screenshot_2.png","_links":{"self":[{"href":"https:\/\/www.nextias.com\/ca\/wp-json\/wp\/v2\/posts\/1648","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.nextias.com\/ca\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.nextias.com\/ca\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.nextias.com\/ca\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.nextias.com\/ca\/wp-json\/wp\/v2\/comments?post=1648"}],"version-history":[{"count":0,"href":"https:\/\/www.nextias.com\/ca\/wp-json\/wp\/v2\/posts\/1648\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.nextias.com\/ca\/wp-json\/wp\/v2\/media\/1649"}],"wp:attachment":[{"href":"https:\/\/www.nextias.com\/ca\/wp-json\/wp\/v2\/media?parent=1648"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.nextias.com\/ca\/wp-json\/wp\/v2\/categories?post=1648"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.nextias.com\/ca\/wp-json\/wp\/v2\/tags?post=1648"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}