Amid CoWin tangle, expedite data protection policy
Amid shocking allegations of piracy from the CoWin database that captured Covid vaccination information of an estimated 110 crore Indians, the government put out a vigorous defence of the platform’s integrity. However, it claimed the leaked content appeared pre-populated on a rogue Telegram bot. In other words, it sought to change the timeline of data piracy to a different point in time while claiming CoWin was not directly breached. The platform’s data-sharing protocol is OTP-protected, so bots cannot have direct access. But individuals and trusted third-party applications can gain access through the OTP gateway. However, one of its application programming interfaces shared restricted data using just a mobile number but interacted only with trusted partners, the Union government claimed.
The bottom line remained that data was on the loose on the darknet, and it happened within the present government’s tenure at the Centre. No amount of spinning can take away that impression. CoWin captured individual information of beneficiaries like name, mobile number, Aadhaar, vaccination dates and centres. Only a transparent investigation can unravel the leak’s modus, volume, source and time span. The government has since tasked its emergency response unit, CERT-In, to study and file a report. This is not the first data haemorrhage CERT-In is probing, nor will it be the last. Multiple claims of CoWin data breaches were made in the past, but there is no clarity yet on the outcome of the probes. Last year, the personal data of an estimated 40 million patients were stolen from the prestigious AIIMS, Delhi, in a ransomware attack. The hacked dataset included information from some of the toniest addresses in the land. The problem with CERT-In’s reports is they are rarely released in full to the public.
Sharing valuable data to frame policies that take welfare initiatives to people’s doorsteps without fund leakage is admirable, but it needs an impregnable security network. Had the draft data protection bill been enacted, it would have made it mandatory for the entity that slipped up to inform those whose data stood compromised individually. We are still far away from it. Sadly, a proposal to compensate the victims was pencilled out of the revised draft. The need of the hour is a functional data protection policy that provides legislative safeguards for personal information besides an updated cyber security policy. Repositories of public data should be tasked with raising their levels of accountability as the country enhances its digital footprint.