India is rapidly digitising. There are good things and bad, speed-bumps on the way and caveats to be mindful of. The weekly column Terminal focuses on all that is connected and is not – on digital issues, policy, ideas and themes dominating the conversation in India and the world.
Amit Shah recently said that the Ministry of Home Affairs (MHA) has set up a modern cybersecurity system to protect the fast-growing economy of ‘Digital India’. His claim comes even as the Delhi police wrote to the Unique Identification Authority of India (UIDAI) about serious security issues in the Aadhaar project that are being exploited by ‘crooks’. As cybercrime increases in India’s highly digitised society, the police are catching up to the criminals and are busting gangs across the country.
The vulnerabilities and attacks that the Delhi police have flagged are pretty basic and have been exploited by criminals for over a decade. It was long known that UIDAI’s systems are prone to attacks and that their cybersecurity is not great. Data leaks, breaches, fingerprint cloning, lost hard drives, direct benefit transfer fraud and Aadhaar Enabled Payment System (AePS) fraud are just some of the issues that have been found in the Aadhaar ecosystem. But the UIDAI has always ignored the severity of the issue and has underplayed it.
Over the years, the MHA and UIDAI were on opposing sides when it came to security threats to the Aadhaar project. The MHA wanted control of the project because it was concerned with issues of citizenship and verification, while the UIDAI wanted it to be an economic project. For the home ministry, the concern was regarding fraudsters and non-citizens getting an Aadhaar and subsequently, a passport. It was also interested in getting access to all the fingerprint data from UIDAI, which was prevented by the Supreme Court’s judgment on Aadhaar.
But the MHA-UIDAI rivalry on the issue of the National Population Register and the use of biometrics on a host of issues have been bridged over time and they are now cooperating. This is clearly visible from the home minister talking about the $5 trillion economy and digital infrastructures. The MHA has been building its own digital infrastructure similar to UIDAI like the Crime and Criminal Tracking Network and Systems, Integrated Criminal Justice System, National Automated Fingerprint Identification System (NAFIS) and Investigation Tracking System For Sexual Offenders for the purpose of addressing crime.
Yet, none of these systems have a strong cybersecurity design nor will they offer cybersecurity to an end user. The design of these digital infrastructures is leaky. At least one of the MHA’s digital infrastructures has been breached and a hacker is trying to sell 900 million records and documents of Indian police totalling over 600 GB over the dark web. The MHA is experiencing the same kind of cybersecurity issues that the UIDAI went through earlier and ignored.
Also Read: India Saw Over 1,700 Cyber Attacks a Week in Last 6 Months, Double the Global Average
The minister’s opinion that these systems will usher in “Amrit Kaal” for everyone and exaggerated claims that India is a “cyber-safe society” are misplaced. These infrastructures create new kinds of threats that the MHA has not entirely understood. Their experimentation with some of these systems has also created new challenges for society. Creating 360-degree criminal profiles, which every constable in the country can access, is causing privacy-related harms which the MHA doesn’t intend to address.
The so-called modernisation of policing with the creation of these digital infrastructures is now sending the police on a witch hunt to find criminals in an effort to establish a “zero-crime society”. Surely, the MHA knows that crime cannot be completely eradicated in any society with high inequalities. These digital systems have not eradicated crime in Hyderabad, where they have been implemented since 2014. For years, the constabulary in Telangana harassed the public, treating everyone like a criminal unless they are certified by their newly acquired fingerprint recognition gadgets as a “safe citizen”. Just a few weeks ago, a labourer in Medak district of the state died because of alleged custodial torture – which was meted out to him after the police claimed to have CCTV footage of him committing a crime, but it was a case of mistaken identity.
Vijayawada police collecting IRIS and Identification Details of slum residents. Photo: By arrangement
I do not know what kind of “Amrit Kaal” these new systems will bring, but the MHA does have the intention of addressing digital fraud. The minister’s concern emerges from multiple loan app frauds that have affected the normal public, leading to harassment by new-age loan sharks and resulting in some dying by suicide. The social harms that are witnessed due to the rise of digitisation are real and there is some interest to address them when there is financial and social harm. But that is where that interest stops – the MHA does not want to look at the structural inequalities of Digital India.
If the government truly had the intention of protecting citizens from cyberattacks and security lapses in digital infrastructure, then their designs and architecture would have been fixed. Take instances of fraud in the Aadhaar Enabled Payment System (AePS), where criminals are using silicone clones of stolen fingerprints to withdraw money from peoples’ accounts. The UIDAI knows that your Aadhaar and biometric data can be used by someone else to withdraw money from your bank account. This is a design flaw of the setup, which can only be addressed if the entire micro-ATM and AePS undergo a design change.
The UIDAI instead offers us a mechanism to lock our biometrics and the police issue warnings to follow those instructions, while the RBI remains silent and forces us to link Aadhaar to bank accounts – a violation of the Supreme Court’s judgment on Aadhaar. This is not cybersecurity, this is a case of regulators who don’t want to do their job by addressing social harms that the MHA is now forced to address.
While the home minister promises Amrit Kaal for everyone, I am led to the conclusion that it is a mere illusion of safety that is being offered. If any arm of the executive wants to provide safety, then it should stop imposing broken software on the population. The concerns of surveillance and power that the MHA acquires by building these systems is a separate issue that I hope to address some other day.
Srinivas Kodali is a researcher on digitisation and hacktivist.