An ordinary person who wants to invest in the stock market or a mutual fund, or simply open a savings bank account, is bombarded by ever-increasing compliance regulations under the pretext of automation, efficiency, better governance or prevention of money laundering. Anil Bakle, a tax consultant, says, “I currently have a Unique Identification Number (which was introduced, suspended and due to be revived by SEBI), a PAN (Permanent Account Number of the Tax Department), a MIN (Mutual Fund Identification Number), a DIN (Directors Identification Number), a Passport Number and an Election Card”.
While Bakle is among the many who are harassed by the increasing paperwork, the bigger worry, to my mind, is data security and the absence of a redressal mechanism for victims of data theft or misuse. The data collection process in all cases is outsourced to Point of Service (POS) agents appointed by different government departments. How secure are their systems? Does the government guarantee the safety of this information? Does it have backups?
A security expert says, “Biometric data is being gathered by government agencies with increasing regularity since it is viewed as a panacea to crumbling records and identity systems. There is no consensus among government agencies on the technology or vendor to be used to capture this data, nor is the data treated with the reverence it deserves. The captured biometric data is in the hands of the data collection agencies hired by the government with little or no access restriction in place to prevent the thousands of temp workers and government agents who use the systems from making a copy.”
This becomes especially worrisome because contracts are usually handed to the lowest bidder, rather than one with the best data infrastructure and security systems. In fact, the managements of a few companies that have already bagged central and state government contracts to issue identity cards or manage sensitive databases were infamous for their liaison with Ketan Parekh and the late Harshad Mehta to ramp up their share prices.
Security concerns are especially high with regard to the e-filing of Income Tax returns, which is rapidly being extended from commercial entities to individuals. Leading IT security experts and tax consultants are unhappy at the lack of security in the e-filing of Income Tax returns. They point out that although they are completely dependent on their chartered accountants and tax practitioners to prepare their accounts and file returns, the physical filing of documents and manual security imparted a measure of protection. In the e-filing system, the accountant has the user identity and password of each company. This would potentially allow a rogue accountant to play serious mischief with the accounts of an entity.
The tax chief of a top accounting firm says, “A person can access the assessee’s information on the tax website, even without a user ID and password, if he has details such as PAN, or name / date of birth / incorporation. These basic details provide access to the user ID and this in turn can be used to reset the password without reference to the original password.” A technology expert says, “Let alone e-filing, even the basic Saral Form is badly designed (privacy-wise) so that anyone who has a copy of a Saral IT return form has 80% of the information required to clone your identity (the balance 20% can be winkled out very easily) for on-line transactions and other scams.”
The same privacy and security concerns apply to bank credit information bureaus, voter cards, car registration databases, passports, driving licenses and information collected by telecom companies.
In the case of credit information bureaus, a customer protection mechanism was installed only after complaints piled up for several years. In the absence of robust security systems and proper policies, tech-savvy persons are paranoid about parting with any personal information even to their banks. Some argue that even physical databases were open to abuse and that fake passports or driving licenses were fairly common. But technology, coupled with poor security systems, can ruin innocent victims’ lives by wiping out their bank balances or investments, or by misusing their identity for dubious deals. Given the potential of technology to ruin lives, it is imperative that security concerns are addressed and a proper mechanism installed even while mandating multiple identification requirements.