Aadhaar & GST glitches should trigger IT Infrastructure Protection Review
JANUARY 20, 2018
By TIOL Edit Team
INFORMATION Technology (IT) backbone runs the risk of transforming into Achille's heel of governance. It is already a major constraint in efficient management of financial flows and delivery of services across the socio-economic spectrum.
A state-of-the-art, secure backbone, with no slow-down or 99.99% uptime, can serve magic wand. It can help the Government collect revenue efficiently, detect revenue leakages including tax avoidance, deploy funds efficiently and improve the implementation of projects and schemes.
We are, however, a long way off from ideal situation. Periodic news about glitches of varied types, system outages, data leaks and slow pace of servers are normally taken in stride by the authorities.
Be it Aadhaar, be it Goods and Service s Tax (GST), be it digital payments, be it direct transfer of benefits (DTB), the common link in all such networks is the word 'glitch' in IT infrastructure. Recurrence of different flaws is giving bad name to well-intended schemes and projects.
The information about flaws is spread over different reports, many of which have never been made public. For the sake of simplicity, we would here focus on Aadhaar network, which should be operated and protected as one of the top critical IT infrastructures in the country.
In May 2017, Bengaluru-based Centre for Internet and Society reported that that data of over 130 million Aadhaar card holders has been leaked from four government websites.
A right to information (RTI) query in November 2017 showed that 210 government websites publicly displayed details of Aadhaar users. This mistake was corrected later by Aadhaar provider,Unique Identification Authority of India (UIDAI).
A study on 'Privacy and Security of Aadhaar' conducted last year by three experts from IIT Delhi concluded: "In an Aadhaar like setup, the biggest threat to privacy comes from potential insider leaks".
The Study noted: "The Aadhaar technology architecture does not seem to have been explicitly designed to have strong protections against such insider leaks. We believe that effective protection against insider leaks necessarily requires a third party auditor under independent administrative control".
All such red alerts didn't jolt Modi Government to improve security of UIDAI network. It required another report that Aadhaar data was available for sale that led the Government into introducing the concept of Virtual ID, a mask of sorts for Aadhaar.
The Government did not even detect the case of Bharti Airtel and its subsidiary Airtel Payments Bank (APB) misusing Aadhaar-based SIM verification of mobile customers to open APB accounts for its subscribers. The scam surfaced only after a few LPG customers complained that LPG subsidy has not been deposited in their accounts but in their APB accounts that they did not apply for.
No one knows the magnitude of data breach that has already occurred and how it would be misused. What we know is that cyber criminals are always two steps ahead of authorities.
Aaadhar number is emerging as nucleus of surveillance to which are hooked PAN, bank accounts number s , mobile number and other personal information of Aadhaar holder. Would loss of mobile phone make one vulnerable to loss of sensitive data via phone-Aadhaar link, which has been mandated by the Supreme Court? What is the risk of a Chinese phone vendor remote-installing a software in the handset used by a Government official to regularly access data including e-mails?
What if the entire data including biometric thumb impression is stolen and used by criminals to sell assets, say, a plot of land owned by an Aadhaar holder. Imagine the plight of a citizen learning one fine morning that the residence in which he lives has been sold to someone! What about the risk of identity theft due to Aadhaar-woven access to all private data that would be accessed by criminals as one data package?
We hope such risks would be debated at different forums including in the Supreme Court, which is hearing a clutch of public interest litigations against Aadhaar-based surveillance infrastructure.
Meanwhile, the Government must guarantee citizens that it would compensate fully victims of all Aadhaar-based frauds. Aadhaar can prove to both the foundation for good governance and the foundation for digital robberies. The ultimate test of good governance would be stonewalling all attempts of digital goons.
In fact, all authorities and all service providers should unveil policies to compensate victims of frauds happening under their nose. They should also set timelines for provision of services. Any delay beyond defined timeline should trigger automatic compensation to the victims of delay.
Time has come for all authorities and service providers to value time of citizens, apart from ensuring their privacy.
The Government also ought to review its undefined IT infrastructure policy, which puts all eggs in one basket - the private sector. Right from planning and design of IT infrastructure to its operation and maintenance (O&M), the authorities are picking vendors through tendering process.
UIDAI, for instance, last month invited tenders for providing Data Centre Space & specified critical services to co-host UIDAI Services at two sites for 7 years.
Counter-terror organization, National Intelligence Grid (NATGRID) is in the process of hiring 13 top-notch IT experts including Head, Enterprise Architect, and Head, 'Enterprise Architect-Security as consultants for 2 years. It had earlier invited tenders for system integration of its Entity Extraction, Visualization & Analytics (EVA) System.
Finance Ministry recently invited tenders for supply of 120 IT professionals for its upcoming Public Finance Management System (PFMS). Its central processing cell for income tax returns is already operated by a private company.
It has also promoted GST Network as a joint venture for provision of GST services.
This outsourcing approach towards IT infrastructure requires an independent audit. The Government should ponder whether outsourcing of IT infrastructure and IT experts would land it in big trouble in future.
The Government should first disclose to public which IT infrastructure it treats as critical/strategic ones. According to Guidelines for the Protection of National Critical Information Infrastructure (NCII) notified by National Critical Information Infrastructure Protection Centre in 2015, every organization must plan and have a strong and independent Information Security Department.
Each organization should have an Information Security policy to protect its IT infrastructure from unauthorized access, use, disclosure,disruption, modification, recording or destruction, including incident management.
How many Government-promoted IT networks are complying with NCII protection guidelines?
