Issues raised by hackers remain unaddressed
Researchers who point out flaws are threatened, so they rely on hackers from abroad.
Hyderabad: Indian ethical hackers and cyber security researchers find it difficult to report leaks or loopholes in government websites or apps. The redressal mechanism for issues raised by researchers in government websites is not streamlined and even the data protection law does not seem to address it. Indian cyber security experts, who are superior at spotting bugs and issues in the infrastructure, are cagey about the repercussions.
Some issues which were raised almost two years ago remain unaddressed to date. A hacker, who goes by the id “Anonymous India” on Twitter, dumped the Aadhaar data of Andhra Pradesh school students and teachers in 2016. The data allegedly covered 1.69 lakh people. Since 2016, the issue has not been addressed. Neither the state government nor the Centre has taken any cognisance of the issue.
Neither the state government nor the Centre has a redressal mechanism for such leaks. The National Critical Information Infrastructure Protection Centre has a method to raise issues, but the action taken or follow-up is not available either to the complainant or to the public.
Internet researcher Kingsly John said, “NCIIPC Responsible Vulnerability Disclosure Program is a good start and they even promise to allow contributors to stay anonymous. But, they are humans who are looking at the reports which can be automated, especially the timelines and tracking is not reasonable. The person reporting the issue should be able to see what the progress is and where it is stuck. Consequently, there is no track if the issue is resolved or not and the onus is on the person who pointed it out.”
Moreover, researchers who point out flaws are often threatened, because of which they tend to rely on anonymity or on hackers from other countries. Several issues, be it the BSNL website defacement or the Isro website, were disclosed by Indian online security researchers who even alerted these organisations. But nothing materialised, and only when the French security hacker Robert Baptiste, who goes by the name Elliot Alderson, posted it online, did the authorities seem to act. The researcher later said that in our country the issues were not fixed, nor did the country have a law to protect researchers.
However, the Data Protection Bill does not address the issue either. Srinivas Kodali, an independent security researcher who was allegedly threatened for exposing loopholes, said, “I experienced it and if you point it out anything can happen to you. The data protection law does not guarantee or talk about the safeguards for individuals. It does not propose any such mechanism either. Until the law is proposed and data protection authority comes, it may choose to do that, but nothing is concrete.”