India’s defense data leaked as it debated data protection law
In the days following India’s currency demonetization, the Central Board of Excise and Customs (CBEC) stopped publishing raw transactional trade data of every product being imported and exported by India. The trade database was public and provided market intelligence for traders and businesses.
As India debates data protection and information security, this database shutdown provides insights on issues of transparency, privacy, national security, ownership and security of data controlled by various government departments.
The daily list page of the customs portal provided a week’s span of transactional trade data every week for years. The fields of these data included product harmonized code, description of goods, port of origin, quantity, and value of goods. The description of goods also had sensitive information of its purpose. In the case of defense imports, a simple bolt imported had descriptions like “for defense use,” “aircraft engine parts for defense use,” or “for Indian Navy use.”
Private companies collected this information for years and provide search functions on these data, enabling clients to search for defense products being imported by India.
With India importing significant amounts of its defense equipment, the database was very detailed, with a wide range of granular details. There were details of nuclear-reactor parts, research equipment for the Defense Research and Development Organization (DRDO), naval anti-air guided-missile defense systems imported from Russia, and MICA missiles imported from France, with details of quantity, price and date of import.
The description of products sometimes even disclosed sensitive defense locations. A researcher could easily find details of exports being made to the Indian mission in Antarctica and look at what recycled waste was imported back from Antarctica in adherence to international conventions on not polluting the frozen continent.
India is not the only country that has published this kind of transactional trade information, and was one of several countries that continued to publish such information as a part of their transparency measures. Several private companies in the United States publish bills of lading, which also have information on the buyer and seller, including address details. Similarly, it is easy to identify defense exports by the United States to other countries, including India, while the scale of information might not be as detailed as what the Indian customs board has published.
Japan’s Ministry of Finance publishes individual trade transactions without description of goods, thus not allowing anyone to identify the product entirely or the buyer.
From both a national-security and an information-security angle, these data should not have been made public at this scale and the threats cannot be anticipated. It is also interesting that the Department of Defense may not have noticed this cache of sensitive information for years. Or perhaps it may not have been aware that the customs board had made this information available online. As a custodian of critical information, the CBEC may have caused some harm to India’s national security. This kind of information could be used to identify defense capabilities and could pose a threat to India’s strategic capabilities.
The publication of trade data by CBEC, which handles the country’s seaports, airports and land entry points for trade, was a legacy issue dating back to 1951 under the Sea Customs Act of 1878. CBEC issued new rules in 2004 to publish daily lists of imports and exports data through electronic data interchange, which were subsequently amended in 2012 to remove information on steamers carrying the goods. On November 25, 2016, under the advice of the federal commerce secretary, CBEC issued a notification to shut down public access to this information.
Access to the trade database was stopped primarily on complaints made by export and import businesses to the Prime Minister’s Office, CBEC and the Commerce Ministry over privacy of sensitive business information as documented by the customs board. The primary dispute was that private parties could use this publicly available trade data to inform competitors about the quantity, price and destination of goods using the wide description of goods. Shutting down the trade database also caused issues for businesses that were using these publicly available data to provide analytical services.
The Defense Department in the future will also start increasingly using data as it plans to adopt artificial intelligence (AI) in the defense sector. The AI task force constituted under the leadership of Natarajan Chandrasekaran, chairman of one of India’s largest corporations, Tata Sons, has submitted its report on “Artificial Intelligence for National Security and Defense” to Defense Minister Nirmala Sitharaman. The Defense Department needs to be more cautious on security of data as it plans to venture into domains that are just emerging and where the risk mapping does not exist yet.
The government wants to promote such data-based innovation to build a trillion-dollar data economy for India. With these security challenges, the committee formed to frame India’s data-protection law has put in a framework of purpose limitation, where data collected for one purpose cannot be used for any other purpose. The committee was expected to recommend mild regulations to push business interests on privacy and national security. Such a case may still pose a national-security threat with current data leakages and vulnerabilities as business interests are prioritized.
The government has been citing national-security issues on publishing details of the defense-procurement process with the recent uproar over the Rafale fighters deal with France. While there are legitimate concerns on not publishing details of the procurement process, transparency in government spending requires the details of the deal to be made public in the larger public interest. The government’s doublespeak on transparency, national security and citizens’ rights to privacy is conditional as it helps people in power.
Neither privacy, transparency nor national security is absolute. The right balance among these terms ensures accountability in a democratic society. The often-cited national-security clause of Section 8 under the Right to Information Act to deny information can been overruled when there is a larger interest to society. The RTI Act was brought about to let citizens know how the government is spending public money.
Larger societal needs are always above national security or privacy. There is a need to make this distinction as these issues are debated for the proposed data-protection law.