India Loves Data but Fails to Protect It

A woman had her irises scanned for inclusion in India's national biometric database, at a village in Rajasthan, in 2013. Credit Mansi Thapliyal/Reuters
A woman had her irises scanned for inclusion in India's national biometric database, at a village in Rajasthan, in 2013. Credit Mansi Thapliyal/Reuters

The Indian government is in thrall of the dazzle and promise of technology, seeing in it a vehicle to overcome the inefficiencies of its humongous bureaucratic apparatus. Shortly before coming to power in 2014, Prime Minister Narendra Modi positioned himself as a digital governance evangelist.

A few months into his tenure, the Indian government began using biometric devices to tell on government employees who didn’t turn up for work. The state of Gujarat, which Mr. Modi had ruled for more than a decade, took to using biometrics to red-pen students who skipped school. Mr. Modi has argued that digital payments will check “black money” — the Indian term for unaccounted, often illegally acquired wealth — and other forms of corruption.

Under Mr. Modi’s government, Aadhaar, India’s enormous biometric identification system, which was initially promoted as a voluntary program to refine the delivery of public services and curb corruption, is increasingly seen as necessary for public and private services — giving birth in a hospital, enrolling a child in preschool, collecting your college degree, maintaining a telephone connection or a bank account, and collecting a death certificate. The government seems to be in a war of attrition with itscitizens, breaking down their resistance to the biometric identification program.

Mr. Modi, who has spoken relentlessly of his dream of a digital India and flaunted the miracle of technology by appearing in public as a three-dimensional hologram in numerous places at the same time, has described data as “real wealth” that would confer “hegemony” on “whoever acquires and controls” it.

But alarming gaps in India’s information security infrastructure, government departments and the Unique Identification Authority of India — the federal agency running the Aadhaar project — have exposed the private data of several million Indians on numerous occasions over the last two years.

The chasm between India’s digital governance aspirations and its ability to protect that data is visible at the very top of the governance pyramid. In 2015, Mr. Modi offered his millions of followers the “unique opportunity to receive messages and emails directly from the prime minister” by downloading the Narendra Modi mobile app. “No intermediaries, no media, no officials, no red tape,” it promised. The Android app alone was downloaded over five million times.

The trust those millions of citizens invested in Mr. Modi’s personal app seems to have been violated. In late March, a French security researcher discovered that the Narendra Modi app shared user data with an American company without the consent of its users. An investigation by The Indian Express newspaper revealed the invasiveness of the Modi app: it asked permission from its users to access their photographs, contacts, location data, cameras and microphones. A day after the revelation, the app’s privacy policy was changed.

Around the same time, ZDNet, a technology website, reported that a webpage hosted by Indane, a liquefied petroleum gas company owned by the Indian government, inadvertently exposed the names, bank details and Aadhaar numbers of over half a billion Indians to anyone with the right technical skills.

Karan Saini, a New Delhi-based security researcher who found the vulnerability on a late-night bug hunt, realized that he could make thousands of requests with random Aadhaar numbers every minute through the program and extract information each time the database responded with a match.

The Unique Identification Authority of India, which runs the Aadhaar project, insisted that its own database had not been breached and said that it was “contemplating legal action” against the publication. The response was in keeping with the agency’s practice of filing court cases and sending legal notices to reporters and security researchers who shine a torch on the ease with which unauthorized people can access the data it collects.

Nandan Nilekani, the technology entrepreneur who oversaw the creation of Aadhaar in 2009 under the Congress Party-led government, recently raised the possibility of Indians selling their data for easier credit and better health care. Such idealism lives beside the reality of a society that’s largely digitally illiterate, where consent is not fully understood.

Every week brings new revelations about the considerable gaps in India’s digital infrastructure. Compounding the anxieties is the failure of the Indian government agencies to act on these findings when alerted by researchers.

ZDNet informed the National Informatics Center, which builds information technology infrastructure for the government. The agency didn’t reply. The publication informed Indane executives as well as the officials overseeing Aadhaar, but they did nothing. According to Mr. Saini, ZDNet also informed the Indian Consulate in New York, but the data remained exposed.

Aadhaar officials insist that their primary database is safe and that it hasn’t been breached. They are willfully missing the point. India’s federal Ministry of Rural Development exposed details of nearly 16 million Aadhaar numbers. A database of unorganized workers in the southern state of Andhra Pradesh exposed the details of over 20 million workers.

Aadhaar’s database might be secure, but everything else it touches leaks like a sieve. Technology has ended up strengthening a dysfunctional bureaucracy that desires efficiency through data it cannot seem to protect. Worries about data being misused have been met with official denial and fury, but no investigations have been ordered.

Technologists describe these issues as teething troubles, bugs that will disappear as systems improve and uncertainty is gradually removed. But these instances raise concerns that the initiatives on technology and governance by the Indian government are removed from the concerns of the citizens and implemented with almost no explanation.

Last year, a journalist trying to demonstrate weaknesses within the biometric identification program enrolled once with his real name and then with a fictitious one. His real name was rejected. Ajay Bhushan Pandey, the chief executive officer of the agency overseeing the program, told a gathering that the journalist would have to live “with the fake name forever. You go to your child’s school and say your papa’s name has changed.”

India’s government is pushing hard to digitalize the lives of Indian citizens, but it also needs to bear the responsibility for the violations of citizens’ data and trust. Indians are hostage to a government behaving like a tech company, and there is no customer service in sight.

Rahul Bhatia is writing a book about technology in the developing world.

Deja una respuesta

Tu dirección de correo electrónico no será publicada. Los campos obligatorios están marcados con *