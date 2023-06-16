On June 14, Derek O’Brien, a Member of Parliament in the Rajya Sabha, filed an FIR on the CoWIN data leak mentioning that his personal information (date of birth, passport details, and mobile number) and that of lakhs of other Indian citizens were made publicly available through a Telegram bot.

“Individuals reposed their trust, faith and belief in the said government scheme [the COVID-19 vaccination drive] and divulged their personal information in a desperate hope to swiftly receive their vaccination and receive life-saving medication. However, now it seems there is a notorious conspiracy at play to make available sensitive information to private players through government resources,” O’Brien said in the FIR reviewed by MediaNama.

The background of this FIR:

On June 12, the Fourth reported that a Telegram bot was leaking the personal information of those who were registered to get vaccinated against COVID-19 on the CoWIN portal. The bot allowed one to simply enter someone’s phone number and receive details like the person’s Aadhaar number, vaccination status, gender, and date of birth.

Why it matters:

The CoWIN data leak has made visible the fault lines in India’s digital health infrastructure and put the privacy of millions of Indian people at risk. Despite the seriousness of the alleged leak, the government responded by saying that the data came from a database (other than CoWIN) that had been breached in the past. It further used the fact that the bot was revealing people’s date of birth, even though the CoWIN database only captures the year of birth, as a means to suggest that the CoWIN database had not been hacked.

Whether or not the database was hacked, a lot of private information was leaked and the government is yet to take any action on the matter. O’Brien’s FIR might help citizens at large hold the entity behind the data leak accountable.

Key points mentioned in the FIR:

O’Brien says that to avail of COVID-19 vaccination, people had to register on the platform with identity proofs such as an Aadhaar card, Driving license, PAN card, Passport, and Pension book to name a few. “It is pertinent to indicate that all such ID proofs contain, inter alia, an individual’s address, date of birth, name of family members amongst other sensitive information.” This again makes one question the government statement saying that the CoWIN database could not have contained the date of birth, given that each of the ID proofs used to register on the portal did have the said information.

He also mentioned how the Aadhaar card, one of the identity proofs that could be used to register on CoWIN, enables financial transactions and is used in the issuance of ration cards, passports, and PAN cards. “As such, Aadhaar and its connected ecosystem is a repository of critical information, breach of which is detrimental for the entire nation.” He added that Aadhaar also contains biometric information, which is considered sensitive personal information as per Section 30 of The Aadhaar (Targeted Delivery of Financial and Other Subsidies) Act.

“In such circumstances, I request you to treat this letter of complaint as an FIR and take urgent steps to investigate and book the antisocial elements under Sections 120B/379/406/409/411/414/426 of the Indian Penal Code, 1860 read with Sections 66/66B/66C/70 of the Information Technology Act, 2002 read with Sections 37 of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016,” O’Brien wrote.

