On the day news broke that vaccination portal CoWIN suffered a data breach, Indian policymakers were meeting to promote India’s digital solutions at G20 meetings.
India has been promoting its digital systems like Aadhaar, UPI, DigiLocker, and CoWIN to other countries, marketing them as digital public infrastructure. The building of these infrastructures has been highly political in India because of the constant disregard for citizens' privacy while promoting them as new-age economic investments.
The main open question is the scale of the breach. The disagreement is primarily over whether the entire data of every vaccinated Indian was breached, or only an unsecured API endpoint was compromised, allowing hackers to search for some personal records.
The Indian Computer Emergency Response Team (CERT-In) has a poor track record of actually carrying out forensic analysis of breaches, and even if such an analysis does take place, the records will likely never be shared with the public. The incident response efforts of this Indian nodal agency have been practically non-existent because of the lack of budget and capacity within the organisation.
The regulatory capacity for Digital India is so weak that even if there is a giant hole in the "13-foot walls" guarding our personal data, we will be pointed to a gate with a lock. In an ideal world, regulations for privacy protecting this sensitive medical health information would have been thought out within several democratic bodies.
As India wants a health data economy, the COVID-19 crisis proved to be an opportunity to build it. The challenge with allowing the private sector and many other actors like healthcare providers, insurance agencies, and even apps like WhatsApp to connect is that the attack surface of the CoWIN network keeps growing.
A centralised database with a series of application ecosystem partners eventually allows information to proliferate or leads to data breaches. It is impossible to protect a centralised set-up with so many actors accessing this information.
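To make the two failure modes above concrete, here is an added illustration in Python. It is not code from CoWIN or from the author; the record store, the partner registry, the tokens and the phone numbers are all constructed placeholders. It places an endpoint that answers any caller with a full record next to one that authenticates the calling partner, returns only the fields that partner's scope needs, rate-limits per partner and writes an audit trail, which is what a centralised store shared with many ecosystem partners needs at minimum.

```python
"""Hypothetical lookup API for a centralised health-record store (added example).

Contrasts an unrestricted lookup with one that authenticates the partner,
minimises returned fields by scope, rate-limits and audit-logs each query.
"""
import hashlib
import time
from dataclasses import dataclass
from typing import Optional

# Constructed sample records: names, id numbers and phone numbers are made up.
RECORDS = {
    "9999000011": {"name": "A. Example", "id_number": "XXXX-1234", "dob": "1980-01-01",
                   "dose_count": 2, "status": "fully vaccinated"},
    "9999000022": {"name": "B. Example", "id_number": "XXXX-5678", "dob": "1992-06-30",
                   "dose_count": 1, "status": "partially vaccinated"},
}

# Fields each scope may see: the minimum a partner needs, never the whole row.
SCOPE_FIELDS = {
    "status_check": {"status", "dose_count"},
    "clinical": {"status", "dose_count", "dob", "name"},
}


def _hash(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


@dataclass
class Partner:
    partner_id: str
    scopes: set
    max_queries_per_min: int
    window_start: float = 0.0
    queries_in_window: int = 0


# Constructed partner registry keyed by the SHA-256 of the bearer token,
# so plaintext tokens are never stored server-side. Tokens are placeholders.
PARTNERS = {
    _hash("clinic-token-placeholder"): Partner("clinic-01", {"clinical"}, 5),
    _hash("kiosk-token-placeholder"): Partner("kiosk-07", {"status_check"}, 2),
}

# Audit trail: (timestamp, partner id, hashed query key, scope, outcome).
# The query key is hashed so the log is not a second copy of the phone numbers.
AUDIT_LOG = []


def lookup_unrestricted(phone: str) -> Optional[dict]:
    """The weak design: anyone who guesses a phone number gets the full row."""
    return RECORDS.get(phone)


def lookup(phone: str, token: Optional[str], scope: str,
           now: Optional[float] = None) -> dict:
    """Hardened design. Returns {"ok": bool, "error": str} or {"ok": True, "data": ...}."""
    now = time.time() if now is None else now
    key = _hash(phone)[:12]
    partner = PARTNERS.get(_hash(token)) if token else None
    if partner is None:
        AUDIT_LOG.append((now, None, key, scope, "rejected:unauthenticated"))
        return {"ok": False, "error": "unauthenticated"}
    if scope not in partner.scopes:
        AUDIT_LOG.append((now, partner.partner_id, key, scope, "rejected:scope"))
        return {"ok": False, "error": "forbidden"}
    # Fixed 60-second window per partner; a leaked token cannot be used to
    # enumerate the whole database at full speed.
    if now - partner.window_start >= 60:
        partner.window_start, partner.queries_in_window = now, 0
    if partner.queries_in_window >= partner.max_queries_per_min:
        AUDIT_LOG.append((now, partner.partner_id, key, scope, "rejected:rate_limit"))
        return {"ok": False, "error": "rate_limited"}
    partner.queries_in_window += 1
    record = RECORDS.get(phone)
    AUDIT_LOG.append((now, partner.partner_id, key, scope, "hit" if record else "miss"))
    if record is None:
        return {"ok": True, "data": None}
    # Data minimisation: project the row down to the scope's allowed fields.
    return {"ok": True, "data": {k: v for k, v in record.items() if k in SCOPE_FIELDS[scope]}}


if __name__ == "__main__":
    print("unrestricted:", lookup_unrestricted("9999000011"))
    print("kiosk, status scope:", lookup("9999000011", "kiosk-token-placeholder", "status_check"))
    print("kiosk, clinical scope:", lookup("9999000011", "kiosk-token-placeholder", "clinical"))
    print("no token:", lookup("9999000011", None, "status_check"))
    print("audit:", AUDIT_LOG)
```

The point of the contrast is that "a partner can query the database" and "a partner can see everything about everyone" are different grants: scoped tokens and per-scope field lists keep a status-check kiosk from ever receiving identity documents, and the per-partner rate limit plus audit log are what let an operator notice and attribute an enumeration attempt through a compromised partner credential.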
Privacy protection and the data economy are contrary goals, which leads the government to ignore privacy and focus on the economic goals. The bureaucrats in charge of these systems, like RS Sharma, deeply understand the stakes at hand.
Privacy issues similarly existed with Aadhaar and were always ignored while he was CEO of UIDAI and, later, as the head of the National Health Authority in charge of CoWIN.
Bureaucracy consistently refuses to acknowledge these challenges and problems, as they want to maximise data collection from citizens. This model of data-based economic development without addressing challenges of privacy is harming the liberties of citizens.
The demands for ensuring CoWIN security and privacy have been very clearly communicated to the people responsible, with constant push back from the citizenry too. The lack of a data protection law and the mandatory demand to share personal information through a centralised database were always criticised.
Most important of all, CoWIN was being tried for the first time during the COVID-19 crisis, without enough regulation and safeguards being built to protect citizens.
These responses forced citizens to take the issues to court. The privacy policy for CoWIN did not even exist when the vaccination drive was initiated, and only appeared after the Delhi High Court directed the Ministry of Health to have one.
After this breach, the Minister of State for Electronics and Information Technology, Rajeev Chandrashekar, stated that the ministry is working on a National Data Governance Policy to address these issues.
But these policies are often ignored and never implemented, as is the case with CoWIN.
Policies are mere statements, while laws can force them to act. There is a structural problem with this model of digital infrastructure development where the government ignores safety procedures and regulations.
It is often argued that these regulations become a hindrance for the private sector to emerge and even when laws are required, the safety aspects are always watered down to help the economy. As long as this is the government policy, there will be similar issues with data breaches across the Digital India ecosystem.
Even the upcoming data protection law is too late and will not help us, because all these problems have to be addressed at the design stage, not after the solutions are built. If a data protection law with an independent data protection authority had already been in place when CoWIN was being built, that authority would have demanded these protections at the start of the project instead of at its end.
The architecture of these systems is primarily designed to promote a data economy, instead of addressing healthcare problems. The focus has moved from healthcare to investments in technology.
As long as healthcare practitioners and various other public interest technology actors are not allowed to participate in this development model, these challenges will remain. A top-down forceful push of software is bad for the citizenry, and this needs to be understood.
(Srinivas Kodali is an independent researcher working on data, governance and the internet. He tweets @digitaldutta. This is an opinion piece, and the views expressed are the author’s own. The Quint neither endorses nor is responsible for them.)