This article exists as part of the online archive for HuffPost India, which closed in 2020. Some features are no longer enabled. If you have questions or concerns about this article, please contact indiasupport@huffpost.com.

Andhra Pradesh Tracked You As You Bought Viagra, Then Put Your Name and Phone Number on the Internet for the World to See

Just another day in the data disaster that is our country.
Anna Sanjivini

Bengaluru — If you are the gentleman who bought Suhagra 50, a generic version of Viagra, and some Vomiford anti-nausea drops, on June 13 from a government-run Anna Sanjivini store in Anantpur in Rayalseema, your name, phone number and purchases, were listed on an Andhra Pradesh government website — until HuffPost alerted the authorities.

The link has since been taken down (you're welcome).

An unsecured dashboard on the Anna Sanjivini website allowed anyone with an internet connection to access the names and phone numbers of everyone who has bought medicines from every single such store, HuffPost has learnt.

This interface, discovered by security researcher Srinivas Kodali, contains thousands of pages of daily data and each order shows the Order ID, the Store Operator ID, Customer name, Customer phone number, details of the medicines, and the money paid.

This latest privacy breach, experts say, vividly illustrates how the head-long push to digitise everyday government processes has been accompanied by a blatant disregard for the privacy of citizens.

Andhra Pradesh's careless indifference to the confidentiality of medical data acquires significance in the context of the draft Digital Information Security in Healthcare Act (DISHA).

This act will enable the sharing of personal health records between patients, hospitals, and clinics. This means an exponential increase in the quantum of confidential data flowing between government departments, and private parties — raising the repercussions of future privacy breaches in every Indian state.

"Medications indicate the possible conditions a person or someone in their family may have," said Pam Dixon, founder and executive director of the World Privacy Forum. "This information can be especially sensitive when employers gain access, or even just neighbours who learn of a sensitive condition."

Medical conditions like AIDS and depression continue to carry a stigma in India; publishing such data, Dixon noted, could cause real harm.

"People who are discovered by employers to have serious medical conditions can be fired, children can be treated unfairly in school due to a past or current medical condition," Dixon said. "People have quite literally been stalked and harmed as a direct result of inappropriate personal information disclosure."

HuffPost Staff

Leaky Pradesh

This is not the first time the Andhra Pradesh government has unwittingly exposed its residents by publishing their intimate details online.

In April this year, Huffington Post revealed that it's possible to geolocate people in Andhra Pradesh by caste or religion down to their doorstep, allowing for the targeting of every minority family, in a state that has witnessed outbreaks of communal violence.

"This is an important issue because it is not the first time that something like this is happening in Andhra Pradesh," said Kodali, the researcher who first spotted both leaks. "But no one is held accountable for the loss of privacy for citizens."

Kodali said he wrote to the authorities when he discovered the vulnerabilities, but did not hear back from them.

HuffPost reached out to the Society for Elimination of Rural Poverty, the agency responsible for the Anna Sanjivini programme, but they did not respond.

HuffPost also reached out to the Chief Minister's Office Realtime Executive (CORE), whose dashboard leads to Anna Sanjivini. They locked down access to the site, but did not respond to HuffPost's questions.

"Governments do collect a lot of data. But it is rare for a government to also expose the data about its citizens in such an open fashion, as there are substantial risks of multiple types of harms associated with this kind of broad, identifiable data release," said Dixon, from the World Privacy Forum. "There are many risks with collecting the data. But there are far more risks with exposing the data to anyone with an Internet connection."

Private Interests

While the Indian government drags its feet over drafting a robust data privacy law, private companies are already hoovering up personal information wherever they find it, even if they don't quite know what to use it for.

For instance, a database of phone numbers, linked to the medicines purchased by the holder of that number — of the sort published by AP — can easily be leveraged by medical insurance companies looking to snoop on their clients before they sell them insurance.

"A couple of years ago, the election commission website had leaked people's voter ID data," said a Bengaluru-based start-up entrepreneur speaking on the condition of anonymity. "It was all just there district-wise as open PDF files.

"I wasn't sure if it would be useful, but I wrote a scraper to download all the voter IDs anyway, in case we could find a use later. I also did a few e-commerce campaigns where we bought people's data from brokers who had 'acquired' the data from IRCTC. I don't know how they got that, but I'm guessing someone junior somewhere probably put in a USB drive and just copied everything."

HuffPost Staff

The Human Factor

"Whether it's a massive cybersecurity incident or small-scale one, about 80 percent of them point to having been caused by human error," said a representative from Kaspersky Lab, a multinational cybersecurity firm. "Even with the most secure systems, the human element can lead to leaks. So we go back to the people, the employees."

"Educating the governmental staff on the motivations of security policies, the importance of working safely and how to contribute to the security of their organizations can help mitigate the risk of security incidents and safeguard what is truly important - their data," the Kaspersky representative said.

KK Mookhey, the founder and CEO of Network Intelligence, a global cybersecurity company, agreed with this perspective.

"No system is fully secured and government systems don't necessarily have the highest security levels in place always," Mookhey said. "There's always a chance that a highly motivated set of attackers can find their way around the best defences in the world."

Close
This article exists as part of the online archive for HuffPost India, which closed in 2020. Some features are no longer enabled. If you have questions or concerns about this article, please contact indiasupport@huffpost.com.