Context:
Recently, Resecurity, an American cybersecurity company, reported the sale of Personally Identifiable Information (PII) of 815 million Indian citizens, including sensitive details like Aadhaar numbers and passport information, on the Dark Web. The threat actors behind the sale attributed the data to the Indian Council of Medical Research (ICMR), an organization that faced numerous cyber-attack attempts, with 6,000 incidents reported in 2022.
Relevance:
GS III: Science and Technology
Dimensions of the Article:
- Dark Web
- Data Governance Provisions in India
Dark Web:
- The dark web comprises unindexed sites accessible only through specialized web browsers, forming a smaller but concealed part of the internet.
- It requires special software, configurations, or authorization for access, making it intentionally hidden and challenging for average users to reach.
Personally Identifiable Information (PII) and Data Breach:
- PII includes information that can identify an individual, ranging from direct identifiers like passport details to quasi-identifiers.
- Threat actors on the dark web claimed to possess PII of 815 million Indians, including Aadhaar and passport details, sourced from the Indian Council of Medical Research (ICMR).
Data Source and Authentication Challenges:
- The threat actors did not disclose how they obtained the data, posing challenges in identifying the data leak’s source.
- Claims of a 1.8 terabyte data leak from an unnamed “India internal law enforcement agency” by a threat actor named Lucius are yet to be authenticated.
India’s Cybersecurity Landscape:
- India, a rapidly growing economy, ranked 4th globally in malware detection in H1 2023, exposing the vulnerability of its digital infrastructure.
- Unrest in West Asia contributed to an increase in cyber attacks, elevating the risk of digital identity theft as threat actors exploit stolen identity information for various cyber-enabled financial crimes.
Data Governance Provisions in India:
IT Amendment Act, 2008:
- Encompasses privacy provisions, but largely specific to situations like restricting the publication of names of juveniles and rape victims.
Justice K. S. Puttaswamy (Retd) vs Union of India 2017:
- Supreme Court declared Indians have a constitutionally protected fundamental right to privacy under Article 21.
B.N. Srikrishna Committee 2017:
- Expert committee appointed for data protection submitted recommendations in July 2018, proposing measures like restrictions on data processing, a Data Protection Authority, and the right to be forgotten.
IT (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021:
- Mandates social media platforms to exercise greater diligence in managing content on their platforms.
Proposal of ‘Digital India Act’, 2023:
- Aims to replace the IT Act, 2000, addressing gaps in the cybersecurity landscape and data privacy rights, promoting innovation, startups, and citizen protection.
Way Forward:
- Recommendation for using “masked Aadhaar” to enhance privacy and security, displaying only the last four digits.
- Suggestion to amend the Aadhaar Act for independent oversight through an “Identity Review Committee.”
- Limiting mandatory Aadhaar usage to permissible purposes and providing alternative authentication methods when Aadhaar fails.
- Users advised to lock their Aadhaar data through the UIDAI website or app for added protection, rendering compromised biometric information useless.
-Source: The Hindu