Government

Govt Scrapped Vehicular Bulk Data Deal Over Privacy Issues. But a German Firm Was Already Involved.

The partnership with German firm ManServ, in Fast Lane’s own written admission, included sharing of “very sensitive information”.

Read the first part of this investigation here.

New Delhi: Months after India’s transport ministry allowed a New Delhi-based company access to data on Indian vehicle ownership and registration, the company went on to sign a separate and sensitive data sharing agreement with a German company, according to government documents obtained through RTI queries.

The Indian firm, in a letter to the ministry reviewed by The Wire, informed government officials of this agreement only when the German company refused to delete data it received from the former after the deal between the two went downhill.

Months after this revelation, the ministry snapped off data supply over security concerns, show official records.

As reported in Part 1 of this investigation, this Indian company, Fast Lane Automotive (FLA), had gained access to the database as an exclusive low-cost bounty.

The Union transport ministry let the deal with the Indian company linger on for a long stretch despite senior officials raising several red flags, show documents accessed by The Wire under RTI.

Fast Lane’s agreement with the German firm soured over what the former’s CEO described as ‘differences in vision’. The German company went on to make repeated attempts to obtain the data directly from the transport ministry.

By the time the government of India became aware that Fast Lane Automotive had quietly cut a deal on vehicular bulk data with a foreign entity, the Indian firm had already provided samples of the data to the German one.

The partnership, in Fast Lane’s own written admission, included sharing of “very sensitive information”.

The data sharing deal between the two private firms took place with the government having neither a generic privacy law nor any specific clauses in the contract with the Indian firm to protect against such transactions.

While the Ministry scrapped its Bulk Data Sharing Policy and the 2014 deal with Fast Lane over security concerns, another policy that allows access to the same data but along with personal details continues to be active without any protection against transfer of data or signing any sub-contracting agreement. This scheme, known as NR (National Register) Access Policy, allows some private buyers to purchase vehicular data on a per-record basis from MoRTH. Automobile manufacturers and insurance companies can purchase one complete vehicle registration and driving licence record – along with the name and other details – for Rs 50-100.

Also read: MobiKwik, Cybersecurity and a Tradition of Going After the Messenger

The data shipped to the overseas firm was a sample of the information shared by the Ministry of Road Transport and Highways (MoRTH) with Indian firm Fast Lane Automotive under a contract which preceded the now-defunct Bulk Data Sharing policy of 2019. The data in question is the digitised vehicle registration and driving licence details of Indians stored in the National Register.

Nirmal Singh Saranna, CEO of Fast Lane, speaking to The Wire over the phone, said the sample shared was ‘altered’ and not ‘factual’. However, in his own correspondence with the German firm, he referred to all information shared as ‘very sensitive’.

In 2020, the ministry scrapped the Bulk Data Sharing Policy over concerns of citizens’ privacy and potential for misuse of data sold to private firms, and decided to wait for “The Personal Data Protection Bill, 2019” in Parliament.”

Documents obtained by Srinivas Kodali, an independent researcher on data governance, and The Reporters’ Collective through Right to Information queries show nearly two years after the MoRTH-Fast Lane contract was signed, officials realised: “There [are] security issues and data leakage possibility”.

The realisation came after Fast Lane informed the ministry it was engaging with a German firm – Management Services Helwig Schmitt GMBH (ManServ) – and sample data had been transferred to it along with important documentation of the contract.

The Wire contacted the Chief Executive Officer of Fast Lane, Nirmal Singh Saranna, on phone and later with detailed written queries.

In his detailed response to the queries, Saranna denied any wrongdoing on part of the company. “There was no impropriety at all at any level or any stage,” he wrote. (Note: The full text of his reply to written questions is appended below)

Saranna denied any link between FLA signing an agreement with a German firm and the government deciding to nix data supply. “The government stopped supplying bulk data due to a change in policy and not due to any act or omission or breach by FLA.”

He also asked this correspondent to “desist from undue harassment to FLA and its officials”.

He added, ‘If in spite of this reply, you choose to act maliciously against FLA, FLA will take recourse to appropriate legal remedies, as and when required, including in respect of defamation and disparagement.”

The Wire also sent detailed queries to the office of the Minister for Road Transport and Highways, the secretary and other officials. None of them responded despite repeated reminders.

Fast Lane’s contract with the ministry did not prevent it from entering into an agreement — on October 16, 2014 — with an overseas firm and transferring sample data accessed through Indian government databases. Even though the agreement involved NIC, the custodian of the data, it had been bypassed during the signing of the contract, as the previous story shows.

The contract between the two firms hinged on Fast Lane’s “right to use Indian vehicle registration and changes of ownership data to provide information services”.

The sub-contract between the two firms soon fell through. Fast Lane, in an email on March 31 2015, requested ManServ to honour the contract and delete all the explicit data sets it had received. The German firm did not comply with the request. Fast Lane told the ministry in July it was pursuing legal action against ManServ in “relevant courts”.

When contacted over the phone, Fast Lane’s CEO, Nirmal Singh Saranna, first denied sharing any information with ManServ at all.

When this correspondent brought up the letter by Fast Lane to the ministry mentioning the fact that some data had indeed been shared, he said, “That was just an anonymised sample,” and then added, “It was nothing related to the data shared with us.” But followed this up with, “It was just a fraction of the data.”

Separately, over email, he said, “Only structure of the data and dummy data was shared as was permitted under the Contract. We were always fully compliant and this was ensured.”

The Wire reached out to the ministry with a specific query about safeguards in the deal with regards to transfer of data but did not receive any response.

While Saranna may emphasise that only an ‘anonymised sample’ was shared, his own email correspondence with the German firm underlines the importance of the information.

On March 31, 2015, Saranna wrote to ManServ officials asking them to delete the data they received from Fast Lane, noting, “We would like to stress again the very sensitive nature of the data and information being exchanged and the damage that any abuse of such data and information may cause for the FLA business.”

On August 13, 2015, MoRTH asked Fast Lane to give details on the legal action it took against ManServ ‘on priority basis’. However, the ministry continued the bulk data supply for months before it finally  turned off the tap over security concerns on February 17 2016.

When asked about the legal action Fast Lane pursued against ManServ, Saranna told The Wire, “It was settled amicably given no actual data, and only dummy data, was shared. We, as a responsible organisation, kept the ministry informed of the situation and to intimate them the sub-contracting arrangement no longer subsists.”

Saranna informed the ministry that it was pursuing legal action against the German firm only 4 months after Fast Lane first asked ManServ to delete data and the latter did not comply.

Timeline

Date Event
16-09-2014 Transport Ministry signs data sharing agreement with Fast Lane
16-10-2014 ManServ, German company, signs contract with Fast Lane for access to bulk data.
16-02-2015 ManServ makes official request to Transport Ministry to enter bulk data contract with them. It has particular interest in location details.
31-03-2015 Fast Lane sends email to ManServ, asking them to delete the data they have received till then since they’re ending the partnership.
15-04-2015 ManServ then asks Transport Ministry if it can partner with an Indian company for access to bulk data since the govt won’t give it on its own.
16-07-2015 Fast Lane writes to Transport Ministry, says ManServ won’t delete the data despite being asked to. This, it says, is in violation of the contract between the two firms. It says it’s pursuing legal options.
17-02-2016 Ministry decides to not share data anymore. Further notes that NIC should classify data as sensitive and non-sensitive data and that sensitive data should not be shared any more.

 

19-02-2016 NIC suggests that data sharing has ‘security issues’ and ‘data leakage possibilities’. Transport Ministry asks it to cut off data flow.
30-05-2018 Transport Ministry decides to terminate contract with Fast Lane
March 2019 Govt launches Bulk Data Sharing Policy.
04 – 06 – 2020 Govt rescinds Bulk Data Sharing Policy over ‘privacy issues’
11 – 02 – 2021 Nitin Gadkari, in Parliament, says private firms who have accessed Vahan and Sarathi data will not be asked to delete it

Armed with documentation of the deal and sample data, ManServ got in touch with the ministry. In 2015 beginning, it officially requested access to bulk data. The company was interested in a range of data sets but had particular interest in the district and postcode location of car owners.

The ministry responded that “MoRTH can enter into a bulk data sharing contract only with a company incorporated under the Indian Companies Act or a partnership firm registered under the Partnership Act or a Trust registered under relevant law”.

ManServ, in an email on April 15, 2015, stressed on why it’s important for the firm to have access to the data. It added: “So far the only firm that receives data from you is Fast Lane and they are very new in the market.”

This email was sent a month after the Fast Lane CEO had requested them to delete data they had received and three months before the Indian firm wrote to the ministry about the legal actions it is pursuing against ManServ.

Saranna, over email, informed The Wire the sub-contract between the two firms fell apart ‘due to commercial reasons and differences in our visions, we mutually decided to not pursue our intended partnership’. If it had carried through, the German firm would have become party to the processing and analysis of Indian data stored in government databases. This would not be in violation of the contract that the Indian government signed with Fast Lane.

Also read: Feminist Perspectives on Space, Safety and Surveillance: Improving a Woman’s Right to the City

Ministry officials held a series of meetings to discuss the rough patches in the deal, and on February 19, 2016 snapped data supply to Fast Lane after NIC pointed out that the business deal presented “security issues and possibilities of data leakage”. Further, the ministry asked NIC to segregate data and not share sensitive information any further.

The contract sparked major debate within the ministry: whether data should be used as a tool for revenue generation at all. Instead, officials batted for making information in Vahan and Sarathi databases public on Open Government Data platforms. However, records of October 21, 2019 show the ministry noted that privacy would still be a concern.

The Bulk Data Policy rolled out in 2019 had its share of privacy worries. The policy admitted there’s possibility of ‘triangulation’ but shifted the policing responsibility to data buyers. Triangulation helps data holder to paint a complete picture of each vehicle owner by reading the data together with easily available Know Your Customer (KYC) details.

The company, however, had already combined the data with information collected from many additional data sets to become its exclusive seller in the global market. This was allowed under the contract it had signed with the ministry.

Internet Freedom Foundation, an Indian digital liberties watchdog, wrote to the government during the 2020 riots in Delhi detailing why it should withdraw the policy. In June 2020, Ministry officials decided to scrap the policy. They even ruled out the possibility of sharing reports based on data stored in the National Registry of transport with private entities.

Kodali said, “MoRTH has claimed that the policy has been scrapped but the private firms still have access to the data. They have not been asked to delete the datasets shared and the government has not refunded the money earned.”

Read FLA CEO Nirmal Singh Saranna’s full response to The Wire’s queries below.

Nirmal Singh Saranna response letter by The Wire on Scribd

Shreegireesh Jalihal is the Assistant Editor of Reporters Collective.