India needs better defences to be a digital superpower after data breach

I suspect the government is right and CoWIN is not currently being accessed by hackers. Even so, it seems likely that outsiders have penetrated some aspect of India's digital public infrastructure

Indians, Indian citizens

Photo: Bloomberg

By Mihir Sharma
If India’s leaders are proud of one big governance idea, it’s “digital public infrastructure.” Over the past few years, as every Indian received a unique numeric ID attached to their biometric data, the government released a series of relatively simple apps to interact with the state and private companies. In theory, users can determine how much of their data held on these publicly provided platforms is made available to privately run apps, thereby putting the individual, and not the state or corporations, in control.
So, it’s little surprise Indian officials responded sharply to claims this week that one of these platforms — the vaccination database CoWIN — had been hacked. Apparently, a Telegram bot, when queried with any Indian’s phone number, would respond with various personal details including their date of birth, their unique ID number, and the location where they were vaccinated. A senior minister called these reports “mischievous” but only added to the confusion when he said that the data had been “previously stolen.”

I suspect the government is right and CoWIN is not currently being accessed by hackers. Even so, it seems likely that outsiders have penetrated some aspect of India’s digital public infrastructure.  

Most Indians got tediously familiar with CoWIN in the first months of our vaccine rollout in 2021, when we had to keep refreshing its slightly buggy interface in hopes that an appointment would open up somewhere. In the end, it became a crucial part of the nation’s vaccination effort, producing uniform, machine-readable certificates, reminding us about booster shots, and so on. The government was rightly proud of this — sufficiently so that all Indian CoWIN certificates had Prime Minister Narendra Modi’s face on them.

Indians have long bemoaned the fact that, despite having internationally known software companies and a vast stock of enthusiastic and skilled software engineers, we have always been rule-takers, rather than shaping the international regulatory environment to our advantage. CoWIN and similar digital public platforms seemed a good way to fix that. As recently as last week, Modi was tweeting that CoWIN was a “game-changer” and promoting efforts to put the global expansion of these services on the G-20’s agenda.

A real data breach would therefore be a setback to India’s efforts to create a “third way” for technology governance that would privilege neither the state, as in China, nor Big Tech, as in the US. It will be hard to convince other countries to adopt our systems if they leak user data.

India shouldn’t give up on digital public infrastructure; it’s a workable idea and one that can do a lot of good. But we need to make sure it lives up to its promise to be efficient, transparent and safe.

Currently, it’s falling short. For example, we don’t even know for certain how and by whom CoWIN was developed. In response to past freedom of information requests, the federal ministry in charge claimed it had no idea. That’s not exactly reassuring.

Most importantly, we need to privilege data security and privacy. We can’t promote a new technology governance framework without having a proper data-security architecture in place. Unfortunately, the law that was supposed to provide that architecture was poorly drafted, gave too much power to bureaucrats, and was eventually withdrawn. Another attempt last year was criticized for the “restrictiveness of [its] data transfer provisions and the potential misuse of the law” to restrict speech online.

A proper data-protection law, combined with more transparent processes for the development and maintenance of digital public infrastructure, would help India meet its potential as an IT superpower. Cross-border trade in digital services, for example, would take off if the law was citizen-centric enough to be interchangeable with regulations in the European Union and the UK.

Wise regulation would also bolster India’s quest to become a leader in digital diplomacy. And, crucially, studies suggest that it would cause digital value-added to grow 14 times to over $500 billion — 10% of Modi’s $5 trillion target for India’s GDP.

First, though, regulatory reform requires that we acknowledge where we are currently failing. In India, such an admission would be viewed as a humiliating defeat, not a natural first step to excellence.

Rather than dismissing reports of data leaks as “mischievous” or as evidence that “many interests in the world want to undermine” our digital public infrastructure, we should treat them as a spur to improvement. Only then might India begin to take its rightful place at the forefront of the world’s digital transformation.

Disclaimer: This is a Bloomberg Opinion piece, and these are the personal opinions of the writer. They do not reflect the views of or the Business Standard newspaper

First Published: Jun 15 2023 | 08:17 AM IST

Explore News