Centre for Internet & Society

Some depts have posted bank account & income details on net for transparency; experts cry privacy breach.

The article by Somesh Jha and Surabhi Agarwal was published in the Business Standard on October 29, 2013. Sunil Abraham is quoted.

To push the government's agenda of greater transparency and accountability, several states and central departments might be, unwittingly, following a bare-it-all approach in posting citizen data online. And, even sensitive and personal information, such as bank account numbers and income status, is not being spared. A Business Standard investigation reveals, with so much citizen data already in the public domain and more getting added every day, the government could be jeopardising the privacy of its 1.2 billion citizens, who stand exposed to a variety of risks, including those of 360-degree profiling and financial frauds.

For instance, the Centre's National Rural Employment Guarantee Scheme puts out full bank account numbers of its beneficiaries, along with details like the amount they received. So, one can easily know the bank in which most residents of, say, Punjab's Machhiwara district have their accounts. Also, their account numbers are complete, with photographs. In the case of Haryana's 25-year-old Ram (surname withheld), the photograph is not available but one can get his financial details on the portal, along with the first eight digits of his number (the last four have been muted).

Sample this: The occupation and yearly income of one Amrita of Uttar Pradesh are just a matter of a few clicks and so are her ration card number, full address, age, father's/husband's name, category and poverty status. A farmer from Amethi district, she doesn't have a gas or an electricity connection, but Lucknow-based Manu, who earns Rs 4 lakh a year, does have. Amrita's yearly income is Rs 1.2 lakh a year. These details are all there on their respective ration cards, out in the open on the government website of Uttar Pradesh, a state that might have gone overboard in revealing citizen data under the ongoing computerisation of the public distribution system.

"If people start publishing information like these and the government doesn't regulate it through a data protection law, criminal minds can harvest and combine all databases accurately," says Sunil Abraham, executive director of Centre for Internet and Society, a Bangalore based think-tank. People often create passwords and pins based on dates and numbers very important to them. "A little bit of intelligence and some amount of social engineering could lead to guesses... and financial fraud." Even by sifting through just three databases, it is quite easy to get a random person's details like voter identity card number, address, name, age, date of birth, ration card number, information on family members, along with income status and photograph.

One can argue the electoral roll is a public document and there is nothing wrong with a person's voter identity card number, full address, name, age, father's name and even date of birth being easily searcheable online. But a few states like Uttarakhand have even published photographs, an element barred from online posting under the law. Experts argue a massive digitisation exercise is underway in the country and, with the lack of standards and clear advisories from the Centre, the situation could worsen in the future.

A Cabinet minister, who did not wish to be named, said there was a continuous tug-of-war between the imperative of privacy, which doesn't allow you to share information; and transparency, which says you should share it. "Also, the Right to Information Act says if somebody is receiving government subsidy, it is public information." However, the Indian laws might not be consistent on this issue as "under Section 43a of the Information Technology Act, any kind of financial information is classified as 'sensitive personal information' and can't be put online," says an official of the communications and information technology ministry who has closely worked on drafting of the IT Act.

But, the IT Act provides an exception for matters covered under the RTI Act. This could infer that when the recently-approved Food Security Act comes into being, the income status of two-thirds of the population (that the Act covers) could be posted online. Also, the law would permit bank account numbers of beneficiaries of various welfare schemes like cooking gas subsidy under the ongoing direct benefit transfer scheme to be made public, as subsidies are transferred directly to accounts under the project.

A statement from the office of Rural Development Minister explained the National Rural Employment Guarantee Act provided for "making available for public scrutiny" all accounts and records related to the scheme. It added "there appears to be no evident risk of misappropriation or financial fraud". Sudhir Kumar, secretary in the Department of Food and Public Distribution, says the whole system needs to be transparent, especially when huge government subsidy is going out in the case of PDS. However, "if states are putting unnecessary details online, it can be looked into". Deputy Election Commissioner Alok Shukla says, according to an EC order, states are not allowed to put photographs of voters online to ensure their privacy is safeguarded. These will be removed if such cases are found. He adds a standard protocol is also being worked out for states.