Data everywhere, little left to steal
There is probably no truth to rumours that Chinese and Pakistani cybercriminals have hacked India’s government servers. Why would they bother? All the data is available, more or less for the asking.
The Aadhaar database has been not only compromised; it has been commoditised to the point where the entire billionplus set is available for paltry sums. People mould fake rubber fingerprints when they want to impersonate somebody.
The Employees Provident Fund database of some 80 million-odd accounts, complete with PAN, date of birth and individual EPF contributions, has also been made freely available with the apparent blessings of the NITI Aayog and the PMO. This was in order to enable an “independent study” of employment patterns. The EPFO data was put out on a free URL on the Internet, where it could be accessed by anybody. In addition, there have been multiple breaches of banks and credit card providers. The individuals affected run into hundreds of millions.
This is more than enough data for an unscrupulous person to clone the digital identity of somebody else. It is enough data to open bank accounts in some random name, or to pick up new mobile connections, new credit cards, receive cooking gas subsidies, etc. New digital ID scams are surfacing on a daily basis.
There is also enough data in the wild to build up a complete profile of any individual, ranging from where they are 24x7, to employment patterns, financial dealings, connections on social media, entertainments and hobbies, etc. That data could be used for everything from recommending new restaurants, to lynching people who choose to marry out of caste, or across religions.
There are no remedies in practice for this egregious violation of privacy. There isn’t even much protection in theory either. India still doesn’t have a data privacy law and it’s evident that this government has no real intention of legislating any such law.
By the time the Supreme Court finishes the ongoing Aadhaar hearing and issues a judgment whatsoever, there will be little point to that judgment, whatever it might be. Every Indian citizen is already exposed to massive digital surveillance and most are already vulnerable to data theft and cyber-impersonation as well. What is more, if the current administrative attitude is anything to go by, privacy violations will be ignored. Quite possibly, going by the EPFO incident, the authorities will actively enable new, creative violations.
All of this was predictable and indeed, it was predicted by many people, ranging from cyber-savvy lawyers to computer scientists. Long before Aadhaar was a twinkle in Nandan Nilekani’s eye, computer scientists were debating the pros and cons of a single ID that tied together all the disparate bits and pieces of an individual’s digital presence.
Identity theory, as it’s called, sounds very elegant if you don’t think about the consequences of bad design. The concept goes like this: Any individual’s digital identity consists of multiple personal attributes like bank accounts, credit cards, email ids, and social media accounts. It is difficult to keep track of all the disparate passwords required to operate these different attributes. What’s more, this data may change multiple times for every individual.
It is much more convenient to chuck all these things into one “bucket” and create a database of personal attributes, which can be operated through one unique identifier with a single sign-in and password. Then the individual just needs to keep track of one master password. The trouble arises if that one bucket leaks, or it crashes. Then everything is exposed, or disrupted. Given time and technological advances, such leaks and crashes are bound to happen at some time or the other.
The Aadhaar concept ignored the potential consequences and played up the supposed convenience. And of course, this government added the element of coercion to force everybody to put their data into one incredibly leaky bucket. Many thinkers have conceptualised surveillance states. India breaks the mould because of the sheer scale and also because everybody will be in a position to know everything about each other.