Repeated Data Leaks Cast Doubt on India Stack

The alleged Aadhaar data breach, which is being seen as the biggest data breach in India’s history, raises serious questions about the security and reliability of India’s digital public infrastructure.

India achieved significant success with its Digital Public Goods (DPG) and is now sharing these open-source technologies with the rest of the world, particularly nations in the global south. While addressing the G20 digital economy ministers’ meeting in Bengaluru earlier this year, Indian Prime Minister Narendra Modi said that India is ready to share its experiences with the world. 

“We offered our CoWIN (Covid Vaccine Intelligence Work) platform for global good during the COVID pandemic. We have now created an online global public digital goods repository — the India Stack. This is to ensure that no one is left behind,” he said.

India Stack is a set of open APIs (Application Programming Interfaces) and DPG that includes Aadhaar, Unified Payment Interface (UPI) and DigiLocker, among others.  Several countries, including Antigua and Barbuda in the Caribbean, Trinidad and Tobago, Sierra Leone in Africa, Suriname in South America, Armenia in Eastern Europe, and Papua New Guinea in Southeast Asia, have expressed interest in India Stack.

Frequent data breaches are a great concern 

The India Stack has had a significant impact on financial inclusion, economic development, and innovation in India. Recently, however, it has been at the centre of a major controversy over data leaks.

Last month, a hacker put up for sale on the dark web a massive database of Personally Identifiable Information (PII) of 815 million Indians, which includes information like Aadhaar and passport details, as well as individuals’ names, phone numbers, and addresses.

When Resecurity, a US-based cybersecurity firm that reported the breach, reached out to this hacker, they were willing to sell the complete dataset for Aadhaar and Indian passports for USD 80,000. The alleged data breach, which is being seen as the biggest data breach in India’s history, raises serious questions about the security and reliability of India’s digital public infrastructure. 

Interestingly, in 2018, a Chandigarh-based newspaper reported that the PII of around a billion Indians was being sold online for a few dollars. It also claimed that software capable of creating counterfeit Aadhaar cards was available for purchase on the internet.

In June of this year, Malayala Manorama reported that a bot operating on the Telegram messaging platform was responsible for disclosing the personal information of Indian citizens who had registered on the CoWIN portal for vaccination purposes. 

The bot allegedly exposed sensitive details such as individuals’ names, Aadhaar numbers, and passport numbers when provided with their phone numbers. 

Similarly, in 2020, a flaw in DigiLocker allowed hackers to access over 3.8 crore accounts without passwords. The same was reported by security researcher Ashish Ghalot, who found the flaw while analysing the authentication mechanism.

The frequent data breaches and the government’s indifferent attitude toward them have raised significant concerns. From civil rights activists and technology lawyers to opposition leaders, many have expressed concerns about the recurrent data breaches and have questioned the government’s efforts to address the issue.

With alleged breaches occurring every few months, the Indian government should prioritise strengthening these technologies before promoting them to the global south, ensuring their robustness before sharing them with the world.

Apar Gupta, advocate and founding director of the Internet Freedom Foundation, in a LinkedIn post also raised similar concerns. “Seriously, what Digital Public Infrastructure is being built in India? How can we possibly offer a model for the democratic world?” he asked while sharing his thoughts on the recent data leak.

Should not lose public trust 

According to the latest findings revealed by cybersecurity firm Surfshark, India has been ranked as the 7th most breached country in the world in the second quarter of 2023. These data breaches can potentially be extremely harmful and may lead to identity theft and banking fraud.

The frequent data breaches are already creating a sense of distrust among Indian citizens. This will lead to identity theft and other costs amounting to billions, according to Mishi Choudhary, technology lawyer, online civil rights activist and the founder of SFLC.in.

“With the apparent digital divide and exclusion from certain services due to these digital public infrastructures, there is already a sense of certain public distrust. Such breaches further lead to security and privacy concerns,” Vaishnavi Sharma, research associate at the Dialogue, a public-policy think tank, told AIM.

Moreover, the current situation highlights potential vulnerabilities within various government establishments, particularly in the realm of faster cyber threat detection and response, according to Mr. Kiran Vangaveti, founder & CEO at BluSapphire.

“Relying on the speculation that the breach originated from the government entity Indian Council of Medical Research (ICMR) raises crucial questions about accountability within government institutions, an aspect that was not adequately addressed in the Digital Personal Data Protection (DPDP) Act,” Vangaveti told AIM.

Better safeguarding of citizens’ data

Hence, before promoting these technologies to the democratic world, the Ministry of Electronics & IT (MeitY), Indian Computer Emergency Response Team (CERT-In) and the other parties involved should ensure that these platforms are more secure and that the data of its citizens are better protected.

“The benefits that India’s digital public infrastructure brings can barely be matched anywhere else in the world. Deployments have been fast-moving. However, focus towards ensuring robust and secure data protection practices is the need of the hour,” Choudhary told AIM.

Furthermore, data of millions of Indian citizens have been collected by the government in the absence of a concrete data protection law in the country. Alongside the relevant data protection laws, it would be important to establish institutional policies and technological protections to make systems more secure and privacy-friendly.

“While efforts are made to curtail data breaches ex post facto, it would be necessary to establish clear and transparent ex-ante protocols for data transfers between systems and methods of transfers, and delineate clear roles and responsibilities of stakeholders engaged not only in the sense of different governments (national, state, and district) but also horizontally between different departments who have access to these data,” Sharma said.

There must be a clear and transparent identification and assessment of risks and harms that apply across the processes, systems, and stakeholders including third-party players, Sharma adds. “This further includes capacity-building, conducting security training for employees, and emphasising the potential harm that data breaches could pose.”

If they cannot guarantee data security, the government should stop collecting PII for every interaction, according to Choudhary. Vangaveti also points out that a majority of Indians are not well-versed in privacy matters. Hence it is even more imperative that the government takes significant steps towards data protection of its citizens. 

“Their interactions with government, quasi-government entities, financial institutions, and service providers often involve sharing physical copies of Aadhaar/passport without clear accountability for the storage, use, and protection of this sensitive data,” Vangaveti said.

He hopes this incident sparks a meaningful discourse on the government’s and its institutions’ responsibility in safeguarding the personal data of its citizens.


Pritam Bordoloi

I have a keen interest in creative writing and artificial intelligence. As a journalist, I deep dive into the world of technology and analyse how it’s restructuring business models and reshaping society.