With digitisation at the forefront, government departments need to be cautious about digital security

In April this year, a government department uploaded the details of direct funds transferred to more than 100,000 beneficiaries on the internet. ET cannot name the department to protect the direct source of this information. The officials had shared the data of a welfare scheme disbursement, in compliance with transparency norms mandated by the Right to Information Act, 2005.

But the department had shared too much data about the beneficiaries, including the mobile number, address, bank account number, and the Aadhaar number of each citizen concerned. When the matter came up for discussion internally, a bureaucrat said it had been shared for transparency because it is public money.

However, in the interests of citizen confidentiality, only attributes like name, address and amount should have been shared. And all the remaining information (like 'date of transfer') of each beneficiary could have been shared with the beneficiary alone. This would have been possible through a text message to the citizen concerned. The source cites this to illustrate a predicament: "Government officials have to balance transparency and citizen confidentiality. It is a thin line. (But) the gap in understanding what is 'private information' and what is 'public information' is huge."

All the information had been published online, which has been taken down since. But not for the first time, the issue of data security has reared its head. "We need to get to a point where we respect personal information, and make sure it's not out there.
There are conflicting requirements," says a former employee of UIDAI (Unique Identification Authority of India).

Currently, most of the public discourse on 'data security' centres on Aadhaar, a unique identification number for which more than one billion Indians have shared their personal information and biometrics (fingerprints and iris scans).

Rahul Matthan, partner at Trilegal, and a lawyer who has been involved in digital policy initiatives, shed light on the risks at the 50p Digital Payments Conference in Bangalore earlier this year: "Before Aadhaar, citizen protection came from the fact that their information is in silos that don't talk to each other. But with a unifying number, those silos can talk to each other. That is why there is a significant threat from data."

A ubiquitous number, which an increasing number of services are relying on, can become a factor to unify multiple databases, especially when Aadhaar numbers are published online. But the issue of data security in India spans beyond Aadhaar, as founder of YouRTI.in Sushil Kambampati in Gurgaon, National Capital Region, found out in January this year.

Kambampati, 46, wrote to the Ministry of Corporate Affairs (MCA) on 31 January 2017, pointing out that its web page for verifying Director Identification Number (DIN) and Permanent Account Number (PAN) details contained the PAN number embedded in the HTML code (though it was not visible on the page). "Is this by design or was it an accident, and if by accident why wasn't it caught? … Is this revealing too much information and is it a data privacy concern for the MCA?" he asked. ET has screen shots of the web pages, and a copy of his email. The MCA did not respond to him, but rectified the HTML code.

So digital security is not only about Aadhaar, though many agree that using it as an authentication factor in welfare programmes lubricates the process for private agents and government departments to find out a beneficiary's Aadhaar number.
(This is a punishable offence, according to the Aadhaar Act, 2016.)

But the issue is 'data security', and it now entails increasing digital literacy in India's private sector—for example, agents who use Aadhaar for eKYC (electronic Know Your Customer)—and certainly the bureaucracy. And this needs to be done at a rapid pace because India’s digital footprint has accelerated after Prime Minister Narendra Modi's demonetisation move on 8 November 2016.

Calendar year 2016 was the second year in a row that smartphone shipments crossed 100 million units in India. But for long, private companies in banking and financial services had not been seeing customers throng websites. This impacts companies’ decision to spend on cyber-security, says Saket Modi, chief executive of Lucideus, a digital security services provider which counts the National Payments Corporation of India among its clients.

"When the number of people using technology was small, the service-spend on technology and security correspondingly was very little," he explains.

Everything changed after 8 November, which is reflected in the representative data published by the Reserve Bank of India. The number of instant electronic transactions through the Unified Payments Interface (UPI) rose to nearly 17 million transactions between November 2016 and March 2017. The average transaction size was Rs 3,855 in March 2017, up from Rs 3,000 in November 2016. With USSD (Unstructured Supplementary Service Data), a technology used to send text between a mobile phone and an application program, the average size of transactions went up from Rs 1,043 to Rs 1,600 in the same period.

Saket Modi says the customer surge has led to banking clients increasing their budgets—and cyber-security investments.
But it can't possibly lead to a sudden improvement in data security practices like segregating confidential data for public consumption.

Nitin Pai, director at think-tank Takshashila Institution, should know as he has worked in government too—albeit the Singapore government in the '90s when the island-city was going digital. Pai's two stints for the Singapore government in telecom sandwiched a stint at SingTel (Singapore Telecommunications)—all between 1997 and 2010. "When you substitute an existing public-service process with a technological system run by a different set of people, the capacity of government officials cannot increase," Pai says.

"The crucial issue is to increase the capacity of people in government to do their job, whether it is an inspector or lower-level bureaucrats," he says. "If technology is deployed in a way that doesn't increase the capacity of government, you’re making government outcomes much worse."

This is the public predicament as India goes digital every day in every realm. According to a government official, who spoke on the condition of anonymity, "Data in government departments is available from manual registers all the way to digitised data." The attention to security has been perpetually low. It hasn't been a priority.

One part of the solution is legislation—the data privacy, protection and security legislation, which UIDAI's former chairman Nandan Nilekani told ET last week is the need of the hour. The Bill is expected to be ready before October. But as it takes shape, the private sector and government have to start imbibing security practices on a war footing.

For example, copies of the Aadhaar card have to be discontinued. The 12-digit number is an authentication factor, like the PIN of a debit card. This is a source of data leakage from online databases like the instance of the uploaded data cited at the beginning of this article.
Last week, a report by the Centre for Internet & Society estimated the number of leaked Aadhaar numbers to be between 130 million and 135 million.

According to a security consultant who has worked with both sides, heads of government departments have far higher authority than in the private sector, where CEOs can influence decisions. "In contrast, the department heads have full authority. A secretary is the most powerful person; the levels of responsibility are pre-defined for officers below him."

This is of concern to tax consultants and advisors in particular, as the Goods and Sales Tax regime begins from 1 July 2017 on a platform called the GST Network. One such consultant spoke to ET off record: "Information related to a citizen's economic activity is of interest to government because of black money generated, and the inability to collect adequate taxes in relation to real GDP. Yes, people hide information or understate it. But with the pressure (on tax authorities) to comply with GST to make everything transparent, can the power be misused?"

The administrative concerns included search and seizure cases, which don’t require approval of the commissioner. "A larger government presence in everyday life through digitisation makes it easier to initiate a search and survey. It's also more powers to lower-level authorities. … If an officer misuses that, there should be strict punishment. Right now, power has been given without accountability," he says.

Be it GSTN or UPI, the data deluge is picking up pace, calling for awareness and judgement in bureaucracy on how to use, secure and protect data. "The level of technology advancement varies from state to state," says Srivatsa Krishna, secretary of Coffee Board of India under the Department of Commerce, who was previously secretary, Department of Information Technology and e-Governance, Karnataka. "So there is no cookie-cutter answer because some states or departments will need more training and skilling."

Organisations like the NPCI in banking, GSTN in tax, and UIDAI in the identification and authentication numbers have built a strong breed of technology and security talent. GSTN, for example, is headed by Prakash Kumar, who was a bureaucrat until 2008 before working with Microsoft and Cisco. Since 2012, another Microsoft veteran Sanjay Bahl joined CERT-In (Indian Computer Emergency Response Team), under the Ministry of Electronics and IT, to secure Indian cyberspace. He is its director-general with an administrative coordinator above him of bureaucratic pedigree.

Apart from infusing more leadership talent from the private sector, there is also a case for building a government service that specialises in information and data security, "which you get into like you enter the civil services via the IAS exam — through an independent authority with officers and a law," according to a source in the private sector who is working on government projects. "That is a systems solution."

Currently, civil servants are laterally hired after the IAS cadre and allied services. "The unwritten rule is first preference for IAS, then allied services, then only private sector," another consultant says. "There are rare instances of people hired from the private sector."

It is not a bad idea when the global IT services industry is laying off employees in India by the thousands. But experienced techies—especially with a data security background—are unlikely to consider government service in its current form, the consultant adds.

"In the private sector, when wrong decisions happen, there is closure on lapses. But in the government sector, the issue can linger on. They are biased to inaction," he says. "Lateral hiring will be effective when the government system has the ability to take faster decisions.
Currently, decisions are perpetually left open or even retired bureaucrats can get questioned for decisions taken in a different context. In the current services rule, an official is perpetually liable."

But Krishna is optimistic: "It is about leadership at a departmental level." Across age and professions, there are obstacles of learning. "With the right vision, once officials see tangible benefits in any matter—including security—they come on board. Electronic trust is important for any kind of transaction—be it government to government (G2G) or government to citizen (G2C)."