Data Auditor General: A regulator to protect a Digital India
A little less than a month ago, the identity of every single adult in the US was stolen. On 7 September, the credit bureau Equifax admitted to the fact that their servers were compromised. Think about that for a second. Anonymous hackers now have access to the names, addresses, birth dates, and Social Security numbers—essentially the digital identity—of every American.
Bloomberg released a feature story on the Equifax breach on 29 September that I read with an almost perverse fascination. It details how a Chinese cybersecurity researcher exposed a flaw in popular back-end software for web applications called Apache Struts. This information published on 6 March, showed how the flaw could be used to steal data from any firm using the software.
Within 24 hours, the information was posted to FreeBuf.com, a Chinese security website, and showed up the same day in Metasploit, a popular free hacking tool. From then on, over the course of several months, hackers systematically looted data from the servers undetected until 29 July, when Equifax finally detected the breach.
The breach occurred even though Equifax had invested millions of dollars in sophisticated security measures, ran a dedicated operations centre and deployed a suite of expensive anti-intrusion software. To make matters worse, the fact that users’ data hasn’t shown up on online black markets seems to indicate that it was a state-sponsored hack. In other words, the hack probably isn’t about stealing credit card information, but probably an act of cyber warfare.
While this is without a doubt the worst data breach that’s occurred so far, it’s far from the only one. From Yahoo to Zomato, and even domestic banks, multiple entities that serve Indians have also been victims of such attacks in the recent past.
And so, while this does not seem like a “Bharat” problem today, chances are it will be tomorrow.
If sophisticated players such as Equifax, which spend millions of dollars every year on data security, can fall prey to such attacks, then what are the chances that our government and companies will not suffer the same fate?
The short answer is that if we don’t take proactive, systemic, and ongoing measures to continuously protect user data stored on government and private company servers, it is as good as gone. Because given the current state of security of most of these databases, we might as well download it on a hard drive, gift-wrap it and hand it over to China and Pakistan.
As the nation plunges headlong into Digital India, information on every citizen is steadily being digitized. This information includes financial records, medical data, employment history and demographic details around name, address, religion, etc. The government’s insistence on linking each of these previously disparate databases to a unique identifier, namely one’s Aadhaar number, presents the possibility of aggregating multiple data-points about an individual by indexing across databases.
Let me be clear—I’m not among those that believe that the state is out to get us. I have worked as a volunteer on several government projects, including Aadhaar, and have tremendous respect for the work most government departments undertake, often thanklessly and in the face of severe criticism, to serve citizens.
At the same time, I’m also a firm believer in Hanlon’s Razor, which states—“Never attribute to malice that which is adequately explained by incompetence”.
Hanlon’s Razor was on proud display when details of over 100 million Indians including bank account details with Aadhaar numbers and other personal identifying information were published publicly across a number of government portals a few months ago. While this was done in the interest of transparency around government beneficiary details, these departments failed to balance it with privacy concerns.
This incident is a symptom of a systemic lack of awareness of good information security practices. In order to protect citizen data, we need a holistic systems-driven approach. The first step should be the drafting of a comprehensive law on data protection and privacy, which follows a rights-based approach fundamentally limiting data collection, storage and sharing. The law should ideally specify granular use-based regulations, definitions of offences, procedures of audit and penalties for violations, along with grievance redressal mechanisms.
But a law alone is not enough. We need an independent regulatory authority which will audit both state and private entities and enforce compliance. Data is the currency of the digital age. Therefore, just like the Comptroller and Auditor General, or CAG, audited and enforced compliance for accounts, I posit that we need a Data Auditor General, or DAG, to ensure the same is done for citizen data.
An independent regulator is only as good as the people that staff it. And the founding head of these authorities tends to set the tone for the organization and its future successes. From Homi Bhabha and India’s atomic aspirations to Vijay Bhatkar and PARAM 8000 (India’s first supercomputer) at CDAC to Nandan Nilekani and a billion Aadhaars, India’s history is replete with examples of seemingly impossible goals being achieved by government bodies when helmed by visionaries.
And so it must be with the DAG. I imagine a lean regulatory entity staffed almost entirely by an elite engineering corps. White-hat hackers tasked with the unenviable and never-ending objective of securing the digital histories of India. Imagine a regulatory regime that is almost fully automated and standards-driven. The DAG would prescribe data security standards for every type of entity and audit them through a crawler. No human intervention, no licence-raj era babu handing out certificates of compliance. Our future could be one where data governance is delivered through algorithms.
Such a system could enable the kind of accountability we all yearn for. In case of a data breach, citizens would have the ability to lodge a grievance with the DAG. And since audit trails would be automated and digital, a complete resolution along with a penalty in case of an offence, could be delivered in a specified and limited turn-around time.
As much as technology has enabled privacy breaches, it can and must be enlisted to enforce compliance. At the same time, we cannot understate the importance of building a citizen-centric, truly independent and technically savvy team at the DAG. This is and will remain the most crucial part of ensuring that our data is secured in a future where it is increasingly becoming our most valuable asset.
Sahil Kini is a principal with Aspada Investment Advisors. The Bharat Rough Book is a weekly column on building businesses for the middle of India’s income pyramid.