If you are a cyber criminal
trying to commit identity theft or digitally impersonate a citizen, you have
help from the unlikeliest of sources — the Government of India. Various
government agencies have put vast amounts of personal information online, often
with little barrier to access and with hardly any provision to prevent its
misuse.
Combine a few of these databases and you have a gold mine of information on India's citizens, including some of its wealthiest residents, whose bank accounts are of special interest to thieves. "If I want to target someone, I now have access to so much detail that shouldn't have been in public. Hackers with good social engineering skills will be able to call a call centre and impersonate a person. And from a stalking perspective, it has implications for not just celebrities, but anybody with a jilted lover, a political rival, and so on," said Binoo Thomas, a digital security expert at McAfee Labs.
For example, if somebody wants to get
personal details of some of India's richest people, he would simply need to
click on the LPG transparency links on Indane, Bharat Gas and HP portals and
narrow the search to the South Mumbai region. Many gas agencies have their area
of service in their names, such as Bandra Gas Agency or Colaba Gas Agency.
Select one of these gas agencies and you have a list of all the customers, with their consumer number, address and, in many cases, a mobile number. This database is also searchable by name. You can quickly search for any famous surname and be rewarded with a consumer number, residence address and in many cases, a mobile phone number.
A cursory search gave ET the mobile number and full residential address of the well-known matriarch of a famous business family. A search under the Bandra Gas Agency promptly showed the full residential address of a famous Bollywood actress. Your next stop could be the website of the Election Commission of India, which has asked all state Election Commissions to place the entire voter rolls online.
The voter roll also has the full residential
address, age and gender of a person. A quick search on the MTNL Mumbai
directory online will reveal the landline number for a person. With a little
bit of luck and time to troll social networks such as Facebook and LinkedIn, a
skilled cyber criminal can discern your date of birth and professional details.
Date of birth, phone number, alternate number and billing address are the details many telephone companies and banks use to determine whether a person calling their customer helpline is indeed who she says she is. This kind of information also allows a hacker to design effective phishing attacks, which lure a person into revealing information such as passwords or credit card numbers. An email that lists accurate personal information appears authoritative and has a greater likelihood of being trusted by a recipient.
THREAT OF IDENTITY THEFT
This kind of crime has been on the rise. In December, the US Department of Justice estimated that $24.7 billion was lost to identity theft in 2012, as 11.5 million Americans found themselves defrauded. Similar data is unavailable for India. "Privacy has become a matter of personal security. As the state has been pushed to function in a more transparent manner, authorities are making the details about us transparent instead! The data protection principles are well evolved all over the world.
All of these data controllers are in violation of every good
principle. We don't need to wait for a law to observe these principles,"
said Usha Ramanathan, an independent law researcher specialising in privacy,
surveillance and related issues. The ministry of rural development, which
administers the Mahatma Gandhi National Rural Employment Guarantee Scheme, goes
a step further, and places online the bank account numbers and IFSC codes for
all its beneficiaries.
RTI REQUIREMENTS
The justification for publishing this kind of data online is typically section 4 of the RTI Act, which requires all government departments to proactively publish details of subsidy programmes, including details of the subsidy availed. However, section 8(1) of the same Act says that personal information that invades the privacy of an individual need not be published unless an appellate authority decides that a larger public interest is served by it. It's unclear what public interest is served by the publication of full residential addresses, mobile numbers or bank accounts by various agencies.
In some cases, like the MNREGS and the voter rolls, sector-specific laws also apply. "Going by the provisions of the MGNREGA, which mandates proactive disclosures, we keep all processes in the public view... We have not perceived any threat in displaying bank account numbers of wage seekers, most of which have been opened for receiving wages," said R Subrahmanyam, the joint secretary at the ministry of rural development who heads the MNREGA division.
The petroleum ministry did not respond
to an email requesting comment. In an emailed response, Chief Election
Commissioner VS Sampath referred to Rule 33 of the Registration of Elector
Rules, 1960, to establish that the voter roll was a public document. "Thus
it can be seen that Electoral Roll is a public document which is available to
the public for inspection. The Commission has, therefore, given instructions to
put this public document on the website to facilitate inspection by public. When
law stipulates that it is a public document, the public has a right to access
it," he said. But no law states that anonymising techniques or relevant
barriers to accessing private information should not be deployed.
LEGAL VACUUM
India does not have an omnibus privacy law that overrides sector-specific legislation. According to Sunil Abraham of the Bangalore-based thinktank Centre for Internet and Society, there are some 50 different laws that have a privacy element in India. The Department of Personnel and Training has been working on a draft privacy law for three years now.
"We need to think of this problem in the light of
the privacy law that is being drafted. Traditionally and culturally our view of
privacy has been different. A more explicit understanding of the privacy needs
of the citizens is certainly welcome. Section 43A of the IT Act has provisions
for data protection," said J Satyanarayana, secretary at the department of
information technology.
But 43A applies only to corporations, and government
agencies are not bound by it. Apart from the central government agencies,
several state government agencies and schemes also collect and store personal
information. But no standard protocol binds them in deciding who shall have
access and who shall not.
Source: The Economic Times