Why govt needs to act now on GST data theft challenge

After Cambridge Analytica, the government needs to speed up plans to take over GSTN, the company handling data storage for the GST regime. GSTN’s majority stake is currently in private hands.

After the recent Aadhaar and Facebook leaks, are we in for more data theft shocks? No one can say with any certainty, although many have red-flagged the network on which the Goods and Services Tax (GST) functions as being particularly vulnerable and possibly compromised already. In fact, even before it was launched, the Goods and Services Tax Network (GSTN) – a non-profit company with majority private shareholding providing the cyber infrastructure for administering the new unified tax regime introduced on July 1 last year – has been the subject of much controversy. Its critics have argued from the outset that the organisation, meant to be the repository of exhaustive tax data covering practically every business in the country, would be unsafe in the hands of private stakeholders.

As of March 2, over one crore taxpayers – which include big and small businesses – have already registered under GST. According to official figures, 72 lakh plus returns have been filed so far under the “one nation one tax” regime. So, the volume of data being processed and stored by GSTN is humungous, since it records all transactions and indirect taxation liabilities of corporate bodies, traders, professionals and even those companies dealing with the government, including defence establishments. The information that can be mined from data of this volume by analytics firms is mind-boggling.

This is perhaps why the government was informally advised by some of its own MPs as well as the Indian Revenue Service Officers’ Association that it would do well to take over GSTN and weed out the private participation to minimise breaches in the computerised tax linkage and settlement system. While such suggestions were earlier brushed aside as an overreaction by those who read too much into data theft, the government earlier this month indicated that it is considering taking over GSTN and upping its stake in the company to 100%. But the proposal has to be finalised, presented before the GST Council and cleared by the Cabinet before it is finally implemented. Many would argue that the government’s belated reaction, which has come in the light of the Cambridge Analytica controversy, may be too late, and by the time the proposed takeover happens it could well be over a year after the GST rollout. Would it then be a case of bolting the stables after the horses have fled?

As recently as April 13, former Union Expenditure Secretary EAS Sarma, who has been alerting the government about GSTN for the past year, wrote to Finance Secretary Hasmukh Adhia. In his note, he pointed out that the “NDA government has not displayed adequate sensitivity to the need to protect the sanctity of GST information” and underlined the urgent need to introduce stringent laws to ensure cyber security. Importantly, he also raised questions about the possibility of data having already been breached from the GSTN system and asked who, in that case, would be held responsible for it.

To quote from Sarma’s email to the Finance Secretary: “After the revelations about unauthorised information mining by foreign agencies like Cambridge Analytica, your Ministry seems to have belatedly decided to restructure GSTN into a 100% government owned SPV (Special Purpose Vehicle). While it is a welcome move, how does Finance Ministry ensure data protection? Has Finance Ministry interacted with the IT Ministry to make sure that the latter has woken up to the reality of data hacking going on extensively without its knowledge… I find that 7.28 million returns have been filed by GST dealers till date. How is Finance Ministry certain that the information relating to the same has not been stolen or hacked? If such information leakage has occurred, who should own the responsibility?” (Letter appended below)

Although a government-run organisation does not guarantee insulation from hackers, it has been pointed out that there is a conflict of interest involving some of the directors in GSTN who are also linked to foreign companies. Moreover, the involvement of multiple entities in the management of GSTN only increases the risk of information leaks from several points. Some of the issues relating to conflict of interest were raised in Sarma’s letter to Finance Minister Arun Jaitley on July 1, 2017. (Letter below)

As things stand, the Central and State governments hold a 24.5% stake each in GSTN, adding up to 49%. The majority shareholding (51%) is with HDFC, HDFC Bank, ICICI Bank and National Stock Exchange Strategic Investment Company, which own 10% each, while LIC Housing Finance Ltd has another 11%. Many of these private players have a significant percentage of foreign investment in their companies. They are also taxpayers themselves under GST.

Objections to private participation found mention in the report of the Select Committee of Parliament headed by BJP MP Bhupender Yadav which looked at the amendment of the Bill that provided for GST and GSTN. The Committee tabled its report in the Rajya Sabha on July 22, 2015. But the government seems to have not given sufficient credence to the concerns raised as it pushed ahead with its plan to implement GST.

Here is what the Select Committee had to say about GSTN: “The Committee feels GSTN shall play a crucial role in implementation of GST as it shall provide the IT infrastructure for implementation of GST. It noted that Non-Government shareholding of GSTN is dominated by private banks. This is not desirable because of two reasons. Firstly, public sector banks have more than 70% share in total credit lending in the country. Secondly, GSTN’s work is of strategic importance to the country and the firm would be a repository of a lot of sensitive data on business entities across the country. In light of above, the Committee strongly recommends that Government may take immediate steps to ensure Non-Government financial institution shareholding be limited to public sector banks or public sector financial institutions.”

One curious aspect of the private shareholding in GSTN is whether there was any need to invite private participation in a company with an authorised capital of only Rs 10 crore. As one IRS official told Southword: “Normally in public-private partnerships it is for financial inputs that the government looks towards the private sector. In this case the requirement was only ten crore which did not require five entities to pool in their resources. It also remains to be seen as to why such big players showed interest in a not-for-profit company unless there were some hidden benefits accruing to them.”

As for professional expertise, IRS officials point out that GSTN, according to the company’s own profile, was set up “primarily to provide IT infrastructure and services to the Central and State Governments and tax payers” for implementation of GST. However, the Rs 1,380 crore contract to build, operate and maintain the technology network was awarded by the government to Infosys in 2015 for a period of five years. The first tranche of Rs 400 crore was released to the IT company in 2016.

So, the argument put forward by those opposed to the private participation is this: if the critical technological inputs came from a third party, what were the five entities roped in for? If the government was looking for administrative and management expertise, it could very well have sourced it from within the finance ministry and the tax department. There was no need to outsource the task to private players.

According to Sarma, the top priority for the government should now be to ensure that data with GSTN is sufficiently protected and to see if there have already been any data breaches and minimize any damage done. “Instead of demanding apologies from everyone else ever since the Cambridge Analytica controversy came to light, the IT Minister (Ravi Shankar Prasad) should look at his own ministry which was a passive witness to data theft going on for months since the first revelations about Cambridge Analytica surfaced more than a year ago. He should now frame a stringent law to protect data and to see that there are effective firewalls to ward off hackers,” Sarma told Southword.

Cambridge Analytica was perhaps only the tip of the iceberg. As India embraces information technology and races towards a digitalised world, it must also tread with caution. If it does not, then data breaches could spin out of control.

Letters from EAS Sarma to NDA government officials

EAS Sarma’s letter to Hasmukh Adhia dated April 13 2018
EAS Sarma’s letter to Arun Jaitley dated July 1 2017