“This is a deliberate attempt to mimic a breach, and it is being investigated”, India’s IT Minister Rajeev Chandrasekhar said at the inaugural Digital Bharat Summit organized by business publication Financial Express. Chandrasekhar was referring to the emergence of a bot on Telegram that threw up personal details of individuals upon being queried with their mobile number, including their Aadhaar number, vaccination status, gender, date of birth, as well as identification documents like Voter IDs, and passport numbers (depending on which was used during vaccination), and details of others who were vaccinated based on registration using the same mobile number. The bot was apparently reported to Telegram, and has now been deactivated.
“It is the simplest thing today to mimic the data breach and then create a corresponding narrative saying [that the data has been breached,” he said.
Anyone can fake a data leak, Chandrasekhar says
“In 24 hours, I can create a bot on Telegram. I enter your number, Rishit,” he added, pointing towards an Indian Express journalist, “because I have your number on my phone, and that throws out some publicly known data about you. Then I can say that the Indian Express payroll database has been breached, and you will be left defending yourself for the next two days, saying, no, no, no, no, no, my Indian Express payroll data was not breached.”
Chandrasekhar questioned the veracity of the data being reported by the Telegram bot, saying that the data was from a database by the person who owned the bot and that “the data is, to a large part, fake. That means there are names, there are some telephone numbers, there are some Aadhaar [India’s National ID] numbers. But CERT (India’s Computer Emergency Response Team) has verified that at least a few of those entries that they have seen, are fake. Now, assume for a minute that there is some real data in there. Today, there is nobody in the room that does not agree, or will not agree, that Aadhaar data has been breached pre-2014 repeatedly. And pre-2014, there were almost 60 crore [600 million] Aadhaar entries. And I have personally gone to Parliament and waived the Aadhaar breach data. So how old is the data? Where did that data come from? How much of it is false and fake?”
Chandrasekhar also repeated that the government has made it a point to ensure that “every application within the government follows a standard protocol in terms of data storage, data security, data access”, and “that has been now made into a policy called the National Data Governance Policy, which is being approved by the cabinet and that will be applicable across the government.” He expects a deep behavioral change in “everybody, private and public, private and government, in how they collect data, store data, manage data, and provide security for that data.”
STAY ON TOP OF TECH POLICY: Our daily newsletter with the top story of the day from MediaNama, delivered to your inbox before 9 AM. Click here to sign up today!
He expects the Data Protection Bill to be introduced in the July session of Parliament.
My Take: It’s important to note that the bot threw up data of individuals that would otherwise have been anomalies in the database: for example, while it might have been obvious to put details of individuals like Members of Parliament, it would be surprising if someone constructing a database to mimic a breach would add anomalies like Hanuman, or a Pakistani spy who had been captured.
In addition, the apparent combining and displaying data of family members together, based on the mobile number that was used to register for CoWin, also indicates that the minister is perhaps trying to manufacture doubt. It’s hard to believe the Minister when he says: “That so called breach was not a breach of CoWin. That data that the Telegram bot was throwing up was not from CoWin. I’m emphatically repeating that so that nobody should mistake this and label this as a CoWin data breach.”
To his credit, though, he didn’t go as far as saying that there’s a 13 feet high 5 feet thick wall around the CoWin datacenter. He’s much too savvy for that.
Apart from that, the Minister (and the journalist from the Indian Express group who asked about it), failed to consider that the previous few versions of the Data Protection Bill have largely exempted the government of India from the Bill, and that the National Data Governance Policy also seeks to make anonymised personal data public, which is a privacy concern for citizens. The final version of the National Data Governance Policy still isn’t public, and lets hope it fares better than the mythical National Cybersecurity Policy.
On Safe Harbor
Chandrasekhar believes that the concept of Safe Harbor, which protects digital pipes, platforms, marketplaces, and aggregators, collectively called intermediaries, from the liability of the actions of those who use it, is completely outdated. In fact, in the not-so-public consultations on the Digital India Act, Chandrasekhar had posed the question of whether we even need safe harbor protections for intermediaries.
He reiterated this position: “I think the concept of a Safe Harbor emerged at a time when the concept of the Internet was a lot more simplistic. Therefore there was an Internet and there were these dump pipes that connected the consumer to the Internet. And therefore the pipes or the platform would say that don’t involve me. I would argue today that it is time for us to revisit that assumption, and maybe we should look at safe harbor in extremely rare, exceptional cases, when it’s up to the platform to prove that they have absolutely no control on what goes through the platform or what is in the pipeline. And that Section 79 [of the IT Act, which enables Safe Harbor protections in India] should be an exception rather than a general rule”.
On AI valuations and regulation of AI
On valuations of AI startups: “So anybody who has an AI startup, you can command his value or her value. Semiconductors startups are now seeing AI compute startups that are seeing value…look at Nvidia’s valuation. Just a few years ago, it was just another semiconductor company struggling to make gaming boards, high performance gaming boards. And here they are now, obviously, a [multi] billion dollar company. So I think that is part of the technology ecosystem. People see a certain trend, a certain new disruption. Capital will fly towards there. Valuation, then, bubbles will be formed. Then it will correct. It’s a part of the DNA of a technology ecosystem”, Chandrasekhar said. On the current situation in startup funding he added that many startups are going to go bust and people will run out of capital to grow. “That is again, in my opinion, the very nature of being in the startup ecosystem.”
“I don’t see anything dramatically different, excepting that post the Ukraine-Russia war, there is a certain risk aversion that has emerged for the equity class as a whole. And so therefore there is less capital that is running after private equity deals.”
On India’s approach to AI Regulation: “We were in a meeting recently with another country, and we were talking about use-case regulation, and user harm regulation. And they, at the end of the discussion, agreed that our approach to user harm regulation is probably a better way to harmonize different countries’ approach toward AI regulation.”
On AI replacing jobs: There is a more conservative estimate that AI is currently at an early stage, he said. “It is only going to enable tasks, efficiency, is getting things done faster, getting things done with more intelligence, rather than replace mimicking human behavior, reasoning and human behavior, current AI models are far from it. [At] what stage does AI suddenly start replacing full jobs? I don’t think today anybody who has a reasonable view of AI can say it will happen five years from now, four years from now. Because the current AI is very, very far from the AGI, and the human reasoning, and the type of functionality that you need to replace human behavior or humans. But certainly today, in many job roles, AI, knowledge, using large language models, using the ChatGPT type models, will become part of the skill requirement. So even if I’m just doing basic data mining in an organization, or I’m doing data entries, or I’m doing something, certainly it becomes now clearer that even in that role of function, you will need some AI skills. So what AI is doing in the current context is putting the spotlight on reskilling the workforce, rather than this narrative, which I don’t subscribe to, that is going to certainly take away a whole set of jobs.”
On compute requirement in AI: “You have to build [high compute] and CDAC, one of the entities in the Government of India are building is now focusing on, in a sense, pivoting to high performance computing, super computing mission, to now focus on AI compute as their core application. So they are building that capacity and they’re working with some of the world’s leaders on that.” Chandrasekhar said that “we need to have that AI compute capacity as part of India AI”, and that “AI compute capacity should be available to all the research institutions and research industries.”
On Digital Public Infrastructure and India’s partnerships
On partnerships with the global north: “I think every reasonable country today understands that the future of tech cannot be led by one hand, except for China, who believes that they can do everything on their own”, Chandrasekhar said. “All of the open societies and open democracies of the countries in the world realise that the future is about technology. So India and the US have signed this really futuristic MOU on critically important technologies, which is ICET. India and EU have entered into a technology relationship. And we have a relationship with Japan as well. So I think the future of AI, the future of electronics, future of these supply chains are all going to be driven by these type of partnerships.”
My take: It’s worth noting that “Digital Public Infrastructure” isn’t a part of the Critical and Emerging Technology initiative (iCET) partnership between India and the US.
On offering Digital Public Infrastructure to the Global South: “We just had a DPI summit in Pune where three countries have signed MoUs”, Chandrasekhar said, “where they want to implement India stack in their countries. The premise here or the offer that the Prime Minister has made to the world, is that the narrative around tech used to be about haves and have-nots. So the Western world would have always these fancy technolgies, and the global south will basically continue their old style governance.”
“We are offering all of this to the global south: here’s an open source platform. You can use the entire stack, you can use pieces of the stack, you can customize the stack. And the most compelling proposition to use for countries that have zero or little of a digital economy, this can be the catalyst to creating an innovation ecosystem and innovators in your own country. So I think it’s been perceived very, very excitedly by many, many countries. And we will see, I think at least 10 to 12 countries implementing it very quickly.”
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.