How Poor Data Protection Can Endanger Communities During Communal Riots

Reports allege that data provided on the 'Vahan' app was used to selectively target vehicles owned by Muslims.

On February 23, large scale violence broke out in North East Delhi that left over 50 people dead and more than 200 injured

There was also an overwhelming loss of property, mostly belonging to the Muslim community. Amidst this, the possibility of misuse of government data to selectively target communities during violence has been noted.

While there hasn’t been any concrete evidence to suggest that any government database was used during the Delhi riots, only reports of alleged usage, the Internet Freedom Foundation wrote letters to the government on February 26 asking them to revoke public access to the Vahan database as such targeting was clearly conceivable.

The possibility of the usage of government databases to target certain communities during inter-group violence is not unique to the case of the Delhi riots. During the 2002 Gujrat riots, electoral rolls were reportedly used to target Muslim households in neighbourhoods. However, the reason why the Vahan database is a cause for alarm is that, in the digital age, the process of obtaining such information has become infinitely easier, and the government, with its profit-based approach to citizen data, is complicit in facilitating this process.

While digitisation and pan-ministry databases are matters of necessity in today’s age, at a fundamental level, the government has been less than perfect in its execution of Digital India – especially while putting sensitive citizen data out on open, online platforms. The repeated Aadhaar data leaks and that while under the National Data Sharing And Accessibility Policy we have an open data source for government data from 2012 even after six attempts to pass data privacy legislation since 2011, we do not have a law protecting digital identities as interest is a clear testament to that. This is chiefly because citizens’ data is still not seen as something which needs to be protected, as much as something to be sold for profit, and that shapes our policies and legislations.

Also read: Is Delhi Police’s Use of Facial Recognition to Screen Protesters ‘Lawful’?

Coming to the database in question, Vahan and Sarathi are data repositories of vehicle registration and driver license data, set up in 2011 by the Ministry of Road Transport and Highways (MoRTH), which are considered nonsensitive personal data. Under its Bulk Data Sharing Policy, its 285,601,972 strong vehicle database is available for sale to third parties, and accessible to a certain degree on its online platforms for all citizens.

If one types in the car registration number on the online portal for Vahan, the kind of data anyone can get access to would include, registration details and attributes of the car, along with the name of the vehicle owner. In India, a name can reveal the caste and religion of a person, and that in itself is what has been misused. This information can also be accessed through mobile apps like mParivahan, which is free for usage.

The stated purpose of publishing such information is “… is to promote statutory compliances and also facilitate individual hiring/ renting or purchase/sale of vehicles and hiring of drivers.” Such policies obviously demonstrate the government’s continued stance of treating personal data as a natural resource or input for economic growth, without considering the human element of database aggregation and collation.

Biometric verification of Aadhaar. Photo: Reuters

The transport ministry announced that it would be partially redacting the names of the car owner from open access records days after the violent attacks, while insisting that the move had nothing to do with the said attacks. However, the concern of this database is wider, since, under its Bulk Data Sharing Scheme, license and registration data is shared with specified law enforcement agencies and with automobile industries, banks, finance companies etc, at specified rates for each data set. This kind of sharing comes with its own problems.

In 2017, The Electronic Frontier Foundation (EFF) chronicled abuses by law enforcement officials of the California Law Enforcement Telecommunications System (CLETS), a computer network that grants the police access to criminal histories and driver’s records. The EFF’s investigations brought to light 143 instances in which the CLETS system was abused; this included police officers accessing confidential information for domestic disputes, running background checks for dates, and handing over witness information to the family of a convicted murderer.

Also read: Has India’s Privacy Bill Considered the Dangers of Unrestricted Processing of ‘Anonymised’ Data?

In November 2019, the transport ministry issued a notification which stated that from April 1, 2020, mobile numbers must be linked with your registration database. One of the many possibilities such an act guarantees is geo-targeting of advertisement that is currently being piloted in Japan. Dentsu and Cloudian, the companies working on this product, gave an interview in 2016 which outlined the potential for such software. Ichiro Jinnai, Dentsu’s director of out-of-home media service division, in an interview, said, “Upon identifying the vehicle model, custom ads could then be displayed on a nearby billboard based on the likely profile of the vehicle’s driver.”

For those of us with minimum knowledge of data science, the primary concept which brings out value from data, is triangulation, which is basically using multiple data resources to merge and extract meaning with higher validity.

While this method might not be used directly to orchestrate violence, it essentially means the government will be selling all this data to corporations who will be undertaking said triangulations to build a profile out of your private data and then use that to target advertisements aimed at you, in the best-case scenario. In the worst-case scenario, it can be used for undue profiling by insurance companies, or even for personal harm, like in the infamous case with the police in California.

While data science technology is clearly our future, the simple idea is that while we cannot prevent our personal data being used by different parties for their gains, we must have certain levels of control and choice in the matter.

Mukesh Ambani, at the Gujarat summit 2019, said ‘data is the new oil.’ In an extensive study of the Vahan database undertaken by ORF, K.J. Shashidhar wrote:

“The notion that “data is the new oil” is problematic, to begin with: it views data from the prism of profitability—to be harvested, stored and traded. This reduces people’s data to a commodity that can be bought or sold without their consent.”

Also Read: Delhi Police Is Now Using Facial Recognition Software to Screen ‘Habitual Protestors’

At the end of the day the government, which collects our data, must be held accountable for its safety – because our identities now span the digital landscape. In Justice K.S. Puttaswamy v. Union of India, the Supreme Court stated that right to privacy was a fundamental right under Article 21 of the constitution. It is based on this ruling that the Private Data Protection Bill had been envisioned. But the amendments made to the Bill before it was tabled in 2019 has turned a necessary Bill for the right to privacy into a Bill to legislate the profitable use of citizen data. In the light of all that is happening, we must voice our concerns on it, as well.

Sreemoyee Mukherjee is a media communications scholar currently studying at Jamia Milia Islamia University.