New Delhi: The Congress on Monday demanded a high-level judicial probe into the entire data management apparatus of the government to identify the extent of the danger posed to the privacy of all Indians, following claims of a data breach on the CoWIN platform.
The government has asserted that the CoWIN portal is completely safe with adequate safeguards for data privacy, dismissing as "mischievous" the claims of a data breach on the platform, and said the matter has been reviewed by the country's nodal cyber security agency CERT-In.
Congress general secretary (Organisation) KC Venugopal said the duty of any entity, especially the government, is to protect individual privacy above everything else. This responsibility also extends to destroying data which is no longer required so that it is not vulnerable to such breaches, he said.
"If not, the entity must have watertight mechanisms to protect data in its custody. No step taken by the government, be it in managing health data through COWIN or Aarogya Setu, or in implementing any data protection framework, inspires confidence," he said.
"It is clear that no citizen can trust this government with its private information. Only an impartial, high-level judicial probe into the government’s entire data management apparatus can identify the extent of danger that is posed to our privacy as a result of this government’s carelessness," Venugopal said on Twitter.
He also hit out at Union Minister of State for Electronics and Technology Rajeev Chandrasekhar, saying, "I am appalled at your casual response to the breach of privacy of 1.4 billion Indians." The Congress leader claimed if a Telegram bot can throw up COWIN details simply by inputting mobile numbers, it will not take too long for automated software to harvest all COWIN data within a matter of hours.
"This breach clearly shows that COWIN data was not encrypted. If it were, only those with the necessary authorisation will be able to access such data, and random Telegram bots will not be able to decrypt such personal data.
"Since you mention ‘previously breached/stolen data,’ you’re clearly admitting that COWIN data has already been breached. It is then baseless for you to say that it ‘does not appear’ that the COWIN app has been breached," he said.
Venugopal said until June 2021, nearly six months after the vaccination process began, the COWIN app had no privacy policy and the government even refused to put one in place.
In 2017, the Supreme Court declared the Right to Privacy as a fundamental right, he said, noting that the government also gave an assurance that a data protection law was in the making.
From the time of the constitution of the Srikrishna Committee on Data Protection in 2017 until today, "we have seen multiple versions of the Data Protection Bill, countless rounds of consultation, and a Joint Parliamentary Committee", he said.
"Except, in its last move, the government decided to completely start afresh, instead of rectifying the lacunae in the draft legislations," the Congress leader said.
Earlier, Union Minister Chandrasekhar said, "With reference to some alleged Cowin data breaches reported on social media, @IndianCERT has immediately responded and reviewed this." "A Telegram Bot was throwing up Cowin app details upon entry of phone numbers. The data being accessed by bot from a threat actor database, which seems to have been populated with previously stolen data stolen in the past.
"It does not appear that the CoWIN app or database has been directly breached. National Data Governance policy has been finalized that will create a common framework of Data storage, Access and Security standards across all of government," the minister said.
Congress spokesperson Shama Mohamed alleged, "The personal information of all Indian citizens, who registered themselves on the CoWIN portal, has been leaked on Telegram. This includes their phone numbers, Aadhar & PAN card details".
"The Modi government has compromised the security and privacy of Indians! This is criminal negligence!," she said in a tweet.
Congress MP Karti Chidambaram also tweeted, "In its Digital India frenzy, GoI has woefully ignored citizen privacy. Personal data of every single Indian who got COVID-19 vaccination is publicly available. Including my own data. Who let this happen? Why is GoI sitting on a data protection law? Ashwini Vaishnaw must answer." In its statement, the health ministry said there was no basis for the reports alleging the breach of data from the CoWIN portal, which is the repository of all data of beneficiaries who have been vaccinated against COVID-19.
"It is clarified that all such reports are without any basis and mischievous. The Co-WIN portal of the Health Ministry is completely safe with adequate safeguards for data privacy," it said.
Furthermore, security measures are in place on the CoWIN portal with a web application firewall, regular vulnerability assessment, and Identity and Access Management, it said.