Data Leaks: Grave Security Threat

1301
Data Leaks: Grave Security Threat

Above: Prime Minister Narendra Modi addressing a special session of parliament during the launch of GST. Photo: UNI

Launched with much fanfare, the new tax regime is operated by an entity in which private players own majority stake. This, say critics, could compromise data security and disrupt the economy

~By Usha Rani Das

On July 1, India became a “one nation, one tax” republic with the rollout of the Goods and Services Tax (GST) regime. While citizens and businesses are still coming to terms with this “revolutionary” change, dissenting voices are already raising questions about the Goods and Services Tax Network (GSTN)—the cyber hub firm that runs the GST. And the concern stems from the security aspect of the enormous volume of tax data that is processed on a daily basis by a public-private-partnership company in which the majority stake is not with the government.

It has been alleged that the information technology system which allows taxpayers to register and file tax returns online, has links with foreign companies that puts crucial data of all taxpayers of the country at risk. It has been further alleged that foreign stakeholders are in a position to control GST funds through private banks which hold majority shares in GSTN, the multi-ownership entity that operates the new tax collection system.

SHAREHOLDING PATTERN

To understand what is at stake, one needs to understand the shareholding pattern of GSTN.  It was set up as a public-private partnership in 2013 to primarily provide IT infrastructure and services to central and state governments, tax payers and other stakeholders for implementation of GST. In other words, it handles the database of almost every significant transaction being carried out in the economy. The stakeholders in GSTN are central and state governments who hold 49 percent shares and the following private entities—HDFC, HDFC Bank, ICICI, NSE Strategic Investments Co and LIC Housing Finance Limited—who together hold 51 percent of the shareholding. (see infographic).Data Leaks: Grave Security Threat

A closer look into the shareholding patterns of these private players in GSTN reveals how foreign stakeholders are indirectly linked to GST funds. Some of these entities are controlled to the extent of 75 percent by foreign institutional investors (FIIs). For example, in HDFC foreign holding or investment is 77.27 percent as per the company’s balance sheet last fiscal. Those critical of the very concept of starting a PPP tax collection network will argue that these FIIs and other foreign players can manage access to data within the network.

EAS Sarma, former expenditure secretary, has been pointing out the dangers of the foreign hand in GSTN to the government. In fact, he wrote two letters articulating these concerns to Union finance minister Arun Jaitley—one on June 30 and the other on July 1, the day GST was rolled out. In his June 30 letter, made available to India Legal, he noted:

“Since GSTN is going to be the IT backbone of GST and will be privy to almost all vital information revolving around GST, it would have been prudent for the government to have structured it as an entity owned 100% by the government. The fact that 51% of its equity is held by non-government entities raises concerns of security of information and conflict of interest. Many Directors on the Board of GSTN simultaneously function as Directors of other companies (subsidiaries of foreign companies) as evident from the attached documents. The government seems to have allowed the nomination of such persons as Directors of GSTN without any application of mind.”

Data Leaks: Grave Security ThreatSarma elaborated further to India Legal about the inherent dangers: “Such high foreign stakes are alarming as it is possible that some of the non-government companies having a significant shareholding in GSTN will soon become subject to control by foreign companies because of the liberal policy being followed in allowing foreign investment to flow into different sectors.”

Also, those critical of GSTN point out that there is a potential conflict of interest here as well—all these banks and financial institutions which are stakeholders in GSTN are themselves taxpayers under the GST regime. Since, GSTN would be a repository of sensitive data on business entities across the country, the FII stakes in the banks might even give them access to vital tax and trade information from the GSTN system.

RISK OF DATA MISUSE

Sarma explains: “If foreign companies take a substantial share of equity in GSTN through the domestic private companies, there can be issues of national interest. They can use the tax data to assess the activities of their rival companies and thwart competition. Foreign companies may misuse the data on identity of the dealers and even their Aadhaar card numbers and the data linked to it. They cannot be bound by any code of conduct. Also, in case a private company leaks the data, even if deterrent penalty were to be imposed, would it ever compensate the loss of privacy? If there are foreign companies also involved, can the government do anything once data is stolen and misused?”Data Leaks: Grave Security Threat

Last fortnight an expert team from the Centre for Cyber Security, IIT Kanpur, reportedly briefed the Parliamentary Committee on Finance on the threat that the nation faces from cybercrime. Data theft was a prime area of concern that the panel felt needs to be addressed with urgency.  The view of the team was that currently, security systems in the country are ineffective. The chairman of the Committee, Veerappa Moily, confirmed to India Legal that the briefing had taken place. “Cyber security was discussed in detail but it was all confidential and I cannot share it with you,”he said.

Data Leaks: Grave Security ThreatOther than data theft, there are other concerns as well, say experts. Now that the tax system nationwide is run by GSTN, any disruption can upset the revenue data systems and indirectly, the larger economy. It is pointed out that considering India’s weak defence mechanism against cyber-crimes, the company is vulnerable to hacking and disruption.  Even though the chairman of GSTN, Navin Kumar, claims that data is completely secured and GSTN is a tough nut to crack, private entities who are part of GSTN are not so resilient to such attacks, say critics. They cite a recent incident when the NSE collapsed due to a cyber-attack, causing major data breach.

Ministry’s Defence

Santosh Kumar Gangwar, minister of state for finance, responded to issues raised by BJP MP Subramanian Swamy relating to GSTN in the Rajya Sabha during zero hour on April 5, 2017.

To quote from the written reply: “…To enable efficient and reliable provision of services in a demanding environment, the Empowered Group (of the cabinet) recommended a non-government structure for the GSTN SPV after considering key parameters such as independence of management, strategic control of government, flexibility in organisational structure, agility in decision making and ability to hire and retain competent human resources. The Empowered Group (EG) and the Union Finance minister endorsed the recommendation of EG… It may be seen that it was the conscious decision of the competent authority to go for a private limited company to achieve the identified objectives.

Also, CAG has audited GSTN for FY 2013-14, 2014-15 and 2015-16. This is the period for which Cabinet approved provision of the grant-in-aid of Rs 315 crores towards expenditure for initial setting up and finance of the SPV. Further, the Guarantee Agreement between Department of Revenue and GSTN for extending government of India’s guarantee, for borrowing loans up to the limit of Rs 800 crore (the term loan of Rs 550 crore and the working capital credit of Rs 250 crore) by GSTN, explicitly states that GSTN shall allow Office of CAG to audit its accounts.

As regards the issue of security clearance, it is stated that ministry of home affairs has conveyed security clearance to GSTN with respect to core national security parameters i.e. unity, integrity and sovereignty of the country. Necessary steps are also being taken to ensure robust cyber security of GSTN in consultation/cooperation with National Cyber Security Coordinator, Intelligence Bureau and CERT-In. GSTN has also partnered with Standardisation Tasting and Quality Certification (STQC), Department of electronics and Information Technology for providing security audit and compliance. For the issue regarding questioning under RTI, it is stated that as GSTN falls within the purview of ‘Public Authority’ under section 2(h)(d)(ii) of the RTI Act, 2005 with Mohammad Shadaab, AVP (Legal) as designated CPIO and Dr Abhishek Gupta, executive vice president (Support) as designated First Appellate Authority.”

NO PRIVATE PLAYERS

The shareholding pattern of GSTN has engaged both houses of parliament. One of those opposed to GSTN is BJP MP Subramanian Swamy. His view is that the government and not private entities should hold majority shares so that decision-making is in the hands of the government. A majority private shareholding of such a company means the critical information of about 6 million taxpayers is in the hands of private players. He has even called it a “shady operation”.

It has been alleged that the system, which allows taxpayers to register and file tax returns online, has links with foreign companies.

In a letter to Prime Minister Narendra Modi, he stated it was not advisable to bring private firms at all in the administration of tax-related matters. During a discussion on the GST Bill in the Rajya Sabha on April 5, 2017, Swamy explained: “Public sector banks have more than 70 percent of the total credit lending in the country. Secondly, GSTN work is of strategic importance to the country and the firm would be a repository of a lot of sensitive data on business entities across the country. Hence, the government may take immediate steps to ensure non-governmental financial institutions shareholding be limited to public sector banks or public sector financial institutions.”

Source: GSTN.org
Source: GSTN.org

Curiously, before the formation of GSTN, a select committee of parliament, headed by BJP MP Bhupender Yadav, was formed to look into its structure and give its recommendations which will have to be implemented mandatorily.

In its report, the select committee noted that the non-government shareholding in GSTN is dominated by private banks, which is not desirable. It also recommended that the non-government institutional shareholding be limited to public sector banks and financial institutions.

Unfortunately, GST Bill was passed without taking its recommendations into consideration. Swamy claims that the recommendation (of the select committee) has been completely ignored and has not been part of any debate either in the Lok Sabha or Rajya Sabha.

The Central Board of Excise and Customs had also raised concerns regarding the ownership and security of crucial taxpayers’ database in 2015. But it later decided not to question the decision of the cabinet. According to a Business Standard report, the Department of Expenditure under the ministry of finance, had red-flagged the large expenditure by the private company (besides a proposed loan of Rs 515 crore). The administrative cost in running the GSTN with around 45 employees, all of whom have been hired at market rates and given additional perks like house rent, car and other allowances besides productivity linked incentives, is substantial. The expenditure department has expressed its concerns over the financial outgo.