200 px

by Robin Chatterjee 22nd July, 2013 in Security

       

In April 2013 when Maharashtra government admitted to the loss of personal data of around 3 lakh applicants for Aadhaar card, it served to highlight just the tip of the potentially disastrous, catastrophic iceberg we are sitting on. The possible misuse of citizen data, containing Permanent Account Number (PAN) and biometric information, has raised question marks around trusting UIDAI’S IT infrastructure with the data of a billion. And more importantly, around the government’s empathy and understanding on the issue of data privacy. Three months down the line, we take a peek into the measures undertaken by the government machinery to avoid such incidents in the future, and bring to the table some suggestions from an expert.

The Facts

As per media reports, the data was lost while being uploaded from Mumbai to UIDAI server in Bengaluru. “While the transmission was in progress, the hard disk containing data crashed. When the data was downloaded in Bangalore, it could not be decrypted,” the newspaper report said quoting an official from Maharashtra Information Technology (IT) department, which is overseeing the enrolment of citizens. According to Rajesh Aggarwal, Secretary, Information Technology, Government of Maharashtra, the number of individuals affected is expected to be less than 1 percent of total enrolment done.

Measures Undertaken

Many analysts term this incident a case of extreme irresponsibility. From the very first phase of enrolments, several flaws were detected. But, the question is has the government learnt from its past mistakes and what is it doing to ensure that history doesn’t repeat itself? According to Aggarwal, in Phase II some fundamental changes have been made to eliminate most of the irregular practices. For instance, now the operator has to authenticate himself/herself before starting the enrolment; hence, no unauthorised person can do the enrolment.

On the question of delayed sync with the national server, Aggarwal explains that the enrolment agency is supposed to sync the machine within 10 days of enrolment; else no further enrolment is possible on the machine. The packets need to be uploaded within 20 days; else there is a huge penalty. The agency is now pro-actively uploading the data packets quickly and within time, which significantly reduces the chances of hard disk failure, data loss, etc.

What More Can Be Done

With applicants getting added to the system by the thousands and lakhs on a continuous basis, scale is going to be critical. “Irrespective of what the agency believes, it seems that most of the IT infrastructure that UIDAI has was not meant for this scale. The agency should think of scaling up the existing infrastructure so that trivial things like a hard disk crash can be averted,” says HP Kincha, Former Secretary IT, Government of Karnataka and Chairman, Karnataka Innovation Council.

He further adds that dependency on IT is critical to effectively manage a process of such scale as the Aadhar project. Hence, IT awareness among operators needs to be given due importance. The government also needs to figure out how to backup the data and re-use the same in cases of urgency.

There isn’t an iota of doubt about the criticality of the data that is at potential risk in the entire Aadhar operation. But data loss due to trivial failures such as a hard disk crash only raises serious questions about the effectiveness of the government machinery. In the end, we expect our government to be pro-active in matters of data security and privacy.  But, we also recognise the fact that continuing to criticise the government alone is not the answer. Let the government take up this particular incident as a wake-up call to rectify existing flaws within the system and avoid such mishaps in the time to come.

Enhanced by Zemanta