Amid a raging controversy over whether Indians will have to prove their citizenship again, comes news that the public has lost access to data about millions of people registered in the state of Assam due to a bureaucratic bungle.

Critics say the error is an ominous warning for those in the government advocating a nationwide roll-out of the citizenship program. The government led by Prime minister Narendra Modi wants to expand the National Register of Citizens (NRC) beyond Assam in the country’s northeast – to help identify “illegal intruders” who have slipped in from neighboring countries.

The Modi administration even passed a controversial citizenship law that fast tracks naturalization applications but bars Muslims. This new law has stirred sustained protests across the country since December.

The loss of citizenship data can be catastrophic for individuals, as well as the state. Documents going back several generations had to be produced in Assam to prove that the people were Indian. So far, 1.9 million people were found with inadequate documents after a massive exercise at considerable cost. If this project goes nationwide it will lead to major chaos and strife, critics say.

After several years of legal wrangles, the Supreme Court ordered citizens to be registered in Assam. The order came with a specific mandate on the data security measures that had to be put in place. “We direct that an appropriate regime be enacted on lines similar to the security regime provided for Aadhaar data,” the court said.

A bureaucratic lapse

But last week the NRC data suddenly became inaccessible. The contract to manage the data processing was given to Indian information-technology giant Wipro. As news spread about the “data loss”, the Ministry of Home Affairs issued a clarification that “there is a technical issue regarding visibility on Cloud”.

The NRC website is hosted in the URL http://nrcassam.nic.in/ on a domain which is under the National Informatics Center, a Government of India entity. However, it contained a link to other domains owned and operated by Wipro, from which data is served.

For instance, on July 2, 2019, it contained a link to the Draft NRC data which was served from http://www.nrcdrafts.com. On September, 2 last year, this was reconfigured to serve the final NRC list from http://www.thefinalnrc.in and on October, 24, this was again modified to serve the final NRC list from http://www.thefinalnrc.com.

A domain name search (DNS) lookup that converts these website names into Internet Protocol addresses now displays the numbers of an IP address – “127.0.0.1”, indicating the NRC websites are offline. It turns out that the website is no longer accessible because someone failed to renew the contract with Wipro.

Government sources have now confirmed that despite several reminders from Wipro, government officials managing the project did not renew the contract. With bills pending and debts rising, Wipro shut down access to the sites.

Wipro had also used Amazon Web Services (AWS) to host the NRC data. Investigations by Asia Times reveal that the data has not been lost, but access has been switched off till dues are cleared. Interestingly, officials knew that access was likely to be turned off, but did not do anything to address the issue.

A DNS trail analysis shows that the IP Address of thefinalnrc.com was changed to the IP address 127.0.0.1 on December 20 last year. There were enough indications to the federal Ministry of Home Affairs that the data would be made offline from December.

The DNS servers that convert the names to IP addresses go to Amazon Web Services, as the trail analysis shows. It indicates that the data is indeed served from Amazon Cloud service and was taken offline deliberately by redirecting all the domains to 127.0.0.1.

A recurring cost

Government officials have also noted that the services of AWS and any other IT company that manages such data comes at considerable expense. Once the program goes nationwide, the government will have to incur recurring costs in perpetuity.

“While this was factored in and we paid close to Rupees 12.2 billion just for the state of Assam, this will be a massive cost if it is rolled out nationwide,” a senior Indian government official admitted. “This will mean paying charges for collection, processing, hosting, security and maintenance. It is not clear how that will help and we have already mapped nearly everyone using the digital identity project, Aadhaar.”

Officials also say that with the availability of documents that can be accepted as proof will need to be decided and digitized. This data will then be relied upon to establish identity. So, if it gets lost or becomes inaccessible, it could lead to major adverse consequences for citizens.

The incident, however, seems like a lesson on how not to run a technology project – with no data security safeguards, despite the fact it affects the fundamental rights of a large number of people, as the chronology indicates.

The NRC was ordered by the Supreme Court and closely monitored on a regular basis – with many orders were issued. Wipro emerged as the sole bidder and there were issues with regular payments from the government, along with the underpayment of data entry operators provided from an outsourcing agency.

The government’s federal auditor found financial irregularities to the extent of Rupees 1.08 billion on a project that cost Rupees 12.2 billion (8.85% of the project cost). The court transferred the NRC’s program head on October 24 last year, and non-payment of dues started after that, ending with Wipro taking the data offline after the services contract was not renewed.

Government officials do not have a copy of the data, so they have filed a police complaint against former officials who ran the project – for not surrendering the passwords when they were transferred out.

The outstanding dues were in the region of Rupees 100 million.

It is also likely that data security aspects of the project were in gross violation of the Supreme Court’s orders.

However, in this case, the court not only ordered the exercise, it also managed and supervised day-to-day aspects of projects.

It is possible that the Supreme Court did not have the capacity to fully fathom what such a complex technology project would entail. A rush to complete the exercise in a short timeframe, as it insisted, resulted in shortcuts in data quality, plus time and running costs being under-estimated.