CoWIN Breach Shows Us the Structural Problem With Digital India’s Infrastructure

Even if there is a giant hole in the 13ft wall guarding our personal data, we will be pointed to a gate with a lock.

5 min read

On the day news broke that vaccination portal CoWIN suffered a data breach, Indian policymakers were meeting to promote India’s digital solutions at G20 meetings.

India has been promoting its digital systems like Aadhaar, UPI, DigiLocker, and CoWIN to other countries, marketing it as digital public infrastructures. The building of these infrastructures have been highly political in India because of the constant disregard for citizens' privacy while promoting them as new-age economic investments.

The CoWIN incident shows yet again, how the software development models that are used in building these systems are failing us. As much as both the Health and IT ministries deny that CoWIN data was breached, there is evidence to prove a breach of personal data has indeed taken place.

The main question is the scale of it. The disagreements primarily stem from whether the entire data of every Indian who got vaccinated was breached or only an unsecure API end point was compromised, allowing hackers to search for some personal records.

Only a forensic analysis of the breach will give us the proof to conclude anything with certainty.

A Network of Applications by Govt & Private Sector

The Indian Computer Emergency Response Team (CERT-In) has a poor track record of actually carrying out forensic analysis of breaches and even if this analysis does take place, the records will likely never be shared with the public. The incident response efforts from this Indian nodal agency has primarily been non-existent because of the lack of budget and capacity within the organisation.

The regulatory capacity for Digital India is so weak that even if there is a giant hole in the "13-foot walls" guarding our personal data, we will be pointed to a gate with a lock. In an ideal world, regulations for privacy protecting this sensitive medical health information would have been thought out within several democratic bodies.

The CoWIN (COVID Vaccine Intelligence Network) system is not a single platform or a database, but a network of applications built by both private sector and government.

As India wants a health data economy, the COVID-19 crisis proved to be an opportunity to build this economy. The challenge with allowing the private sector and many other actors like healthcare providers, insurance agencies, and even apps like WhatsApp is that the attack surface area of the CoWIN network is increasing.

The Cost of Economic Development Without Addressing Privacy

A centralised database with a series of application ecosystem partners eventually allows proliferation of information or leads to data breaches. It is impossible to protect a centralised set-up with so many actors accessing this information.

From an information security standpoint, CoWIN was a disaster waiting to happen given its rushed, unilateral roll-out. But to the government, proliferation of this information is necessary for building a digital health economy as part of the National Digital Health Mission (now known as Ayushman Bharat Health Mission).

Both are contrary goals, thus making the government ignore privacy and focus on the economic goals. The bureaucrats in-charge of these systems like RS Sharma, deeply understand the stakes at hand.

Privacy issues similarly existed with Aadhaar and were always ignored while he was CEO of UIDAI and then later, as the head of National Health Authority in-charge of CoWIN.

Bureaucracy consistently refuses to acknowledge these challenges and problems, as they want to maximise data collection from citizens. This model of data-based economic development without addressing challenges of privacy is harming the liberties of citizens.


Policies Remain Mere Statements

The demands for ensuring CoWIN security and privacy have been very clearly communicated to the people responsible with constant push back from citizenry too. The lack of a data protection law and mandatory demand to share personal information through a centralised database was always criticised.

Most important of all, CoWIN was being experimented for the first time during the COVID-19 crisis with not enough regulation and safeguards being built for protecting citizens.

The Internet Freedom Foundation (IFF) which led the legal battles around this issue, filed several Right to Information requests in 2021 asking both the Ministry of Health and Ministry of Electronics and Information Technology on accountability mechanisms around CoWIN.

The responses forced them to take these issues to court. The privacy policy for CoWIN did not even exist when the vaccination drive was initiated and only happened after the Delhi High Court directed the Ministry of Health to have a privacy policy.


After this breach, the Minister of State for Electronics and Information Technology, Rajeev Chandrashekar informed that the ministry is working on a National Data Governance Policy to address these issues.

There have been multiple CoWIN-related privacy policies, National Digital Health Mission data management policy and Aarogya Setu Data Access and Knowledge Sharing Protocol, which were introduced temporarily to convince people there are safeguards in place.

But these policies are often ignored and never implemented, as is the case with CoWIN.

Policies are mere statements, while laws can force them to act. There is a structural problem with this model of digital infrastructure development where the government ignores safety procedures and regulations.

It is often argued that these regulations become a hindrance for the private sector to emerge and even when laws are required, the safety aspects are always watered down to help the economy. As long as this is the government policy, there will be similar issues with data breaches across the Digital India ecosystem.


Even the upcoming data protection law is too late and will not help us when all these problems are to be addressed at the design stage, instead of after building the solutions. If there had been a data protection law already in place when CoWIN was being built with an independent data protection authority, they would have demanded these protections at the start of the project instead of its end.

The purpose of Aarogya Setu and CoWIN is over as the COVID-19 crisis has been addressed. These tools are now being upgraded to help with other vaccination drives and general healthcare management, which means that these breaches and its security needs to be addressed for future uses.

The architecture of these systems is primarily designed to promote a data economy, instead of addressing healthcare problems. The focus has moved from healthcare to investments in technology.

As long as healthcare practitioners and various other public interest technology actors are not allowed to participate in this development model, these challenges will remain. A top-down forceful push of software is bad for the citizenry, and this needs to be understood.

(Srinivas Kodali is an independent researcher working on data, governance and the internet. He tweets @digitaldutta. This is an opinion piece, and the views expressed are the author’s own. The Quint neither endorses nor is responsible for them.)

(At The Quint, we are answerable only to our audience. Play an active role in shaping our journalism by becoming a member. Because the truth is worth it.)

Speaking truth to power requires allies like you.
Become a Member
Read More