Digital India Initiatives

Data Breach: Unveiling the Cracks in Digital India


From a UPSC perspective, the following things are important:

Prelims level: Digital India

Mains level: Digital India mission and concerns over the data breach and cyber security laws


Central Idea

  • On June 12, a series of events unfolded, revealing a stark disparity between the promises made by Digital India and the ground reality. From a data breach on the CoWIN platform to the absence of a comprehensive National Cyber Security Strategy and inadequate legal protection for citizens’ data, these incidents raise serious concerns about the efficacy and integrity of India’s digital transformation.

CoWIN Data Breach and Government Denials

  • Data Breach: On June 12, a data breach on the CoWIN platform was reported by the Malayala Manorama and online portal “The Fourth.” Personal details, including vaccination information and identification numbers, were found circulating on the messaging platform Telegram.
  • Government Denials: Despite the mounting evidence of the data breach, the Ministry of Health and Family Welfare and Minister of State, Ministry of Electronics and IT (MEITY), responded with denials. The Ministry of Health and Family Welfare labeled the reports as “mischievous,” while the Minister of State, MEITY, claimed that the sensitive information had emerged from previously stolen data.
  • Press Information Bureau Statement: Later in the day, the PIB issued a statement asserting the complete safety of the Co-WIN portal and its adequate safeguards for data privacy. However, the credibility of this statement was questionable, given the initial denials and the substantial evidence of the breach.
  • Lack of Transparency: The government’s response to the CoWIN data breach exemplifies a recurring pattern of denial and opacity in addressing data breaches in the public sector. Previous incidents, such as the Employees’ Provident Fund Organisation breach and the ransomware attack on AIIMS, have been met with similar denials and lack of transparency.
  • Erosion of Trust: The consistent lack of transparency, coupled with the absence of a National Cyber Security Strategy and data protection laws requiring breach notifications to affected users, has eroded citizens’ trust in the government’s ability to secure their personal information.

Lack of Cybersecurity Strategy and Data Protection Laws

  • Absence of National Cybersecurity Strategy: India lacks a comprehensive National Cybersecurity Strategy, which is crucial for effectively addressing the evolving cyber threats and ensuring the security of digital infrastructure.
  • Limited Legislative Framework: India does not have robust data protection laws that adequately safeguard citizens’ personal information. While the proposed Draft Digital Personal Data Protection Bill, 2022, is under consideration, there are concerns that it may exempt government entities from compliance.
  • Inadequate Breach Notification Requirements: The absence of data protection laws also means that there are no specific requirements for organizations to notify individuals in the event of a data breach.
  • Limited Accountability and Transparency: The Computer Emergency Response Team (CERT-In), responsible for investigating and responding to cyber incidents, often maintains silence and does not make its technical findings public. This lack of transparency undermines public trust and leaves citizens unaware of the actions taken to address cybersecurity incidents and protect their data.


Digital Public Infrastructure (DPI) and Lack of Legislative Mandate

  • Lack of Legislative Mandate: The Digital Public Infrastructure (DPI) framework, encompassing various platforms like Aadhaar, Aarogya Setu, CoWIN, Government E-Marketplace (GEM), and the Open Network for Digital Commerce (ONDC), operates without a clear legislative mandate. These platforms have been created without specific functions, roles, and responsibilities defined by an Act of Parliament.
  • Joint Ventures and Special Purpose Vehicles: Many of these DPI platforms are developed as joint ventures or special purpose vehicles, which allows them to circumvent accountability mechanisms such as audits by the Comptroller and Auditor General (CAG) or transparency mandates under the Right to Information Act.
  • Inconsistencies in Expertise: The claim of expertise in creating DPI platforms to provide citizen services is inconsistent with the evidence. Glitches, failures, and exclusion errors have been observed in systems like Aadhaar, Aarogya Setu, and GEM, undermining the credibility of their expertise.
  • Data Gathering: A common aspect of DPI platforms is their tendency to collect extensive personal information from Indian citizens that goes beyond the technical requirements. This data collection can result in multiple individual and social harms, including the risk of data breaches and privacy infringements.
  • Constitutional Frameworks and Accountability: The absence of a constitutional framework for DPI platforms hampers the establishment of robust regulatory and institutional frameworks. This lack of accountability leaves individual harms unaddressed and undermines the creation of effective governance mechanisms.


Coercion and Censorship of Social Media Platforms

  • Coercion of Twitter: Jack Dorsey, the former CEO of Twitter, revealed that the Indian government coerced Twitter into complying with censorship directions regarding the farmers’ protest. The government threatened the platform’s continued operations and the safety of its staff in India to enforce compliance with their demands.
  • Secret Censorship Directions: Twitter’s resistance to complying with a secret direction to remove 250 accounts and tweets related to the farmers’ protest sparked ministerial statements and controversies. The secrecy surrounding these censorship directions raises concerns about transparency and due process in decision-making.
  • Office Raids: As a consequence of Twitter’s resistance and its placement of a “manipulated media” tag on a tweet by a BJP spokesperson, the platform’s offices were raided by the Delhi Police in May 2021. This coercive action against Twitter’s offices further emphasizes the government’s efforts to control and suppress dissenting voices on social media.
  • Legal Battles: Twitter filed a writ petition in the Karnataka High Court, challenging the secretive and disproportionate nature of the censorship demands. The platform argued that the demands violated principles of natural justice and lacked proper notice to account holders, who are ordinary individuals using the platform.
  • Denial by the Government: Despite public records and statements made by Twitter and its executives, the Ministry of Electronics and IT (MeitY) denied the allegations of coercion and censorship. This denial reflects a pattern of dismissing concerns and evading accountability for actions taken against social media platforms.

Way ahead

  • Strengthen Cybersecurity Measures: Develop and implement a comprehensive National Cybersecurity Strategy to address the evolving cyber threats and ensure the security of digital infrastructure. This should include robust encryption standards, regular security audits, and incident response plans.
  • Enact Comprehensive Data Protection Laws: Introduce and pass robust data protection legislation that provides clear guidelines for the collection, storage, and usage of personal data. The legislation should also include provisions for breach notifications to affected individuals, ensuring transparency and accountability.
  • Establish Legislative Mandates for DPI Platforms: Define the functions, roles, and responsibilities of Digital Public Infrastructure (DPI) platforms through legislative mandates. This will ensure transparency, accountability, and adherence to constitutional frameworks in the development and operation of these platforms.
  • Enhance Transparency and Accountability: Foster a culture of transparency and accountability by making the technical findings of investigations into data breaches and cyber incidents public. This will build trust among citizens and stakeholders and help identify areas for improvement in cybersecurity practices.
  • Promote Public Consultation and Stakeholder Engagement: Involve the public, industry experts, and civil society organizations in the formulation of policies related to digital infrastructure, data protection, and cybersecurity. Conduct regular public consultations to gather feedback, suggestions, and concerns, ensuring a more inclusive and holistic approach.
  • Protect Digital Freedoms and Right to Privacy: Safeguard individuals’ digital freedoms and right to privacy by ensuring that government actions and regulations do not infringe upon these fundamental rights. Uphold the principles of free expression and the right to dissent on social media platforms, avoiding undue coercion and censorship.
  • Develop Cybersecurity Capacity and Expertise: Invest in building cybersecurity capacity and expertise within the government and private sector. Promote research and development in cybersecurity technologies and encourage collaboration between industry, academia, and government agencies.
  • International Cooperation: Foster international cooperation and information sharing on cybersecurity best practices, threat intelligence, and incident response. Collaborate with other nations and international organizations to address cross-border cyber threats effectively.


  • While India’s digital transformation holds great potential, the recent events on June 12 expose the glaring gaps between rhetoric and reality. To realize the true potential of Digital India, it is imperative to prioritize transparency, accountability, and the creation of robust regulatory frameworks.
