If you are a cyber criminal
trying to commit identity theft or digitally impersonate a citizen, you have
help from the unlikeliest of sources — the Government of India. Various
government agencies have put vast amounts of personal information online, often
with little barrier to access and with hardly any provision to prevent its
misuse.
Combine a few of these databases and you have a
gold mine of information on India's citizens, including some of its wealthiest
residents, whose bank accounts are of special interest to thieves.
"If I want to target someone, I now have access to so much detail that
shouldn't have been in public. Hackers with good social engineering skills will
be able to call a call centre and impersonate a person. And from a stalking
perspective, it has implications for not just celebrities, but anybody with a
jilted lover, a political rival, and so on," said Binoo Thomas, a digital
security expert at McAfee Labs.
For example, if somebody wants to get
personal details of some of India's richest people, he would simply need to
click on the LPG transparency links on Indane, Bharat Gas and HP portals and
narrow the search to the South Mumbai region. Many gas agencies have their area
of service in their names, such as Bandra Gas Agency or Colaba Gas Agency.
Select one of these gas agencies and you have a
list of all the customers, with their consumer number, address and, in many
cases, a mobile number. This database is also searchable by name. You can
quickly search for any famous surname and be rewarded with a consumer number,
residence address and, in many cases, a mobile phone number.
A cursory search gave ET the mobile number and
full residential address of the well-known matriarch of a famous business
family. A search under the Bandra Gas Agency promptly showed the full
residential address of a famous Bollywood actress. Your next stop could be the
website of the Election Commission of India, which has asked all state Election
Commissions to place the entire voter rolls online.
The voter roll also has the full residential
address, age and gender of a person. A quick search on the MTNL Mumbai
directory online will reveal the landline number for a person. With a little
bit of luck and time to troll social networks such as Facebook and LinkedIn, a
skilled cyber criminal can discern your date of birth and professional details.
Date of birth, phone number, alternate number
and billing address are the details many telephone companies and banks use to
determine whether a person calling their customer helpline is indeed who she says
she is. This kind of information also allows a hacker to design effective
phishing attacks, which lure a person into revealing information such as
passwords or credit card numbers. An email that lists accurate personal
information appears authoritative and has a greater likelihood of being trusted
by a recipient.
THREAT OF IDENTITY THEFT
This kind of crime has been on the rise. In
December, the US Department of Justice estimated that $24.7 billion was lost to
identity theft in 2012, as 11.5 million Americans found themselves defrauded.
Similar data is unavailable for India. "Privacy has become a matter of
personal security. As the state has been pushed to function in a more
transparent manner, authorities are making the details about us transparent
instead! The data protection principles are well evolved all over the world.
All of these data controllers are in violation of every good
principle. We don't need to wait for a law to observe these principles,"
said Usha Ramanathan, an independent law researcher specialising in privacy,
surveillance and related issues. The ministry of rural development, which
administers the Mahatma Gandhi National Rural Employment Guarantee Scheme, goes
a step further, and places online the bank account numbers and IFSC codes for
all its beneficiaries.
RTI REQUIREMENTS
The justification for publishing this kind of
data online is typically section 4 of the RTI Act, which requires all
government departments to proactively publish details of subsidy programmes,
including details of the subsidy availed. However, section 8(1) of the same Act
says that personal information that invades the privacy of an individual need not
be published unless an appellate authority decides that a larger public
interest is served by it. It's unclear what public interest is served by the
publication of full residential address, mobile number or bank accounts by
various agencies.
In some cases, like the MGNREGS and the voter
rolls, sector-specific laws also apply. "Going by the provisions of the
MGNREGA, which mandates proactive disclosures, we keep all processes in the
public view... We have not perceived any threat in displaying bank account
numbers of wage seekers, most of which have been opened for receiving
wages," said R Subrahmanyam, the joint secretary at the ministry of rural
development who heads the MGNREGA division.
The petroleum ministry did not respond
to an email requesting comment. In an emailed response, Chief Election
Commissioner VS Sampath referred to Rule 33 of the Registration of Electors
Rules, 1960, to establish that the voter roll was a public document. "Thus
it can be seen that Electoral Roll is a public document which is available to
the public for inspection. The Commission has, therefore, given instructions to
put this public document on the website to facilitate inspection by public. When
law stipulates that it is a public document, the public has a right to access
it," he said. But no law states that anonymising techniques or relevant
barriers to accessing private information should not be deployed.
LEGAL VACUUM
India does not have an omnibus privacy law that
overrides sector-specific legislation. According to Sunil Abraham of the
Bangalore-based think tank Centre for Internet and Society, there are some 50 different
laws that have a privacy element in India. The Department of Personnel and
Training has been working on a draft privacy law for three years now.
"We need to think of this problem in the light of
the privacy law that is being drafted. Traditionally and culturally our view of
privacy has been different. A more explicit understanding of the privacy needs
of the citizens is certainly welcome. Section 43A of the IT Act has provisions
for data protection," said J Satyanarayana, secretary at the department of
information technology.
But 43A applies only to corporations, and government
agencies are not bound by it. Apart from the central government agencies,
several state government agencies and schemes also collect and store personal
information. But no standard protocol binds them in deciding who shall have
access and who shall not.
Source: The Economic Times