The arrest of Mohammed Zubair, the co-founder of Alt News, and the subsequent investigation into alleged violations of the Foreign Contribution (Regulation) Act (FCRA) by the fact-checking website has sparked intense debate about the data sharing practices of payment gateways and the sanctity of donor privacy.

While the initial arrest of Zubair was over a 2018 tweet, and under Section 153A and Section 295A of the IPC, matters quickly spiralled.

The Enforcement Directorate reportedly sought details from the Delhi Police on July 1. The next day, while opposing his bail plea, additional public prosecutor Atul Shrivastava appearing for the state submitted to the court that Zubair “accepted payments through RazorPay from Pakistan, Syria, Australia, Singapore, UAE, which all require further investigation”.

Subsequently, on July 4, Alt News issued a statement saying their Razorpay account was blocked, citing a law enforcement request. Soon after, the payments gateway company responded saying they received “clarity” on the matter and unblocked the account. On July 5, Alt News released a second statement alleging that Razorpay had shared all of their donor data with police. This sparked outrage, leaving many Indians, whose donations would not come under the FCRA scanner, upset that their privacy had been violated and perhaps viewed as mere collateral damage in the probe into Alt News. Razorpay said it responded to a ‘written order from legal authorities’ under Section 91 of the Code of Criminal Procedure (CrPC) and was mandated to do so.

Should Razorpay have pushed back?

In the US, there are a few examples of tech companies holding their ground when they believe the American government is guilty of overreach. The most famous example is that of Apple vs FBI over the issue of unlocking iPhones. In India, if companies have contested the validity of a user data request, the tussle hasn’t come out into the public domain.
Indeed, the general practice in the Indian tech industry has been to comply with requests in order to gain intermediary liability protection under the IT Act. There is one school of thought that companies are not required to mindlessly comply with CrPC 91 requests, but it is unclear how this would play out in a court of law.

Should we have expected Razorpay to do more?

The company’s own privacy policy baldly states it is not required to question or contest the validity of any search warrant or user data request it receives from the government. The privacy policy notes:

“We may disclose your Personal Information to third parties in a good faith belief that such disclosure is reasonably necessary to (a) take action regarding suspected illegal activities; (b) enforce or apply our terms and conditions and Privacy Policy; (c) comply with legal process, such as a search warrant, subpoena, statute, or court order; or (d) protect our rights, reputation, and property, or that of our Users, Affiliates, or the public. Please note that we are not required to question or contest the validity of any search warrant, subpoena or other similar governmental request that we receive. [Emphasis added]”

This implies that even if there was wiggle room, a Razorpay user shouldn’t expect the company to stand up for her rights. This explains Razorpay’s prioritisation of the government over its users, and while that might be a legitimate business stance, it certainly doesn’t give customers confidence that the company is doing everything it can to keep their data safe.

Mohammed Zubair. Photo: Twitter/@zoo_bear

Why is pushback important?

India doesn’t have a data protection law, but the real problem with law enforcement getting access to big databases for specific cases is that the general culture of handling data is not trustworthy.

Leaks of private WhatsApp chats to the media in a startling number of recent cases have shown that there is a real concern when agencies hoover up unrelated data for a specific case.

Even now, there is confusion. While initial reports indicated that full Alt News donor data had been handed over by Razorpay, a report in Moneycontrol quoted anonymous sources to note that only data related to ‘source and destination’ were shared with law enforcement. The fact of the matter is that individual users – whose transaction data have been handed over to the police – do have a right to know and Razorpay can’t brush aside that moral responsibility under the compliance mandate of Section 91 CrPC. The question of whether users have a right to be notified when it comes to government requests is precisely what Twitter is battling in the Karnataka high court.

Razorpay also autonomously blocked Alt News’ account briefly – even when the police themselves have claimed they did not request it – and restored it a few hours later. This again is similar to social media companies blocking individuals under ‘community guidelines’ with little or no actual recourse.

Foreign donor debate

A recent Indian Express report quoted a Delhi Police official who said: “We approached Razorpay about the donations and asked them for account details. They asked us if we wanted to freeze their account. We said there was no need since our investigation pertains to donations made from foreign accounts. They themselves took action against Alt News.
We have received account and transaction details from the company.”

The same report also crucially notes that the cybercrime deputy commissioner of police K.P.S. Malhotra had said earlier that the Delhi police wrote to Razorpay “and, based on the company’s reply, found that Zubair and his organisation were allegedly receiving money from foreign countries.” [emphasis added]

This sets up an interesting clash of narratives. Alt News says it never enabled international payments on its Razorpay account. The police, however, say that the website did. More importantly, Malhotra’s earlier statement as laid out in the Indian Express report specifically states that the data handed over by Razorpay confirms Alt News’s alleged foreign donations. Both claims cannot be true at the same time.

What is even more puzzling is that if, in fact, Razorpay’s response to the police confirmed donations from abroad, why did the law enforcement agency allow Razorpay to unblock the account?

India’s digital payments system is complex and involves multiple intermediaries and service providers. Much of this complexity is unknown to the public, which is why statements from investigative agencies and companies like Razorpay are difficult to unpack. Razorpay stores name, email, contact number, GSTIN (optional), notes by merchant and the time of creation of that customer entity. They also store order id, amount, description, payment mode (card, UPI, wallet), payment instrument reference (card reference or UPI ID) and bank transaction reference number for each payment transaction.

Each payment is also auto-classified as international or domestic by default using the originating payment instrument. Cards usually have a bank-based card range (known as BIN or Bank Identification Number, that is the first 6 digits of a card’s number) which is used to identify the country of origin. In addition to this, Razorpay offers all its merchants the option to enable or disable payments via international cards.
If the investigation was related to foreign sources of funding, there was ostensibly no reason for Razorpay to provide the police with donor data since Alt News has claimed they never enabled international payments.

[Image: How international donations are disabled through Razorpay.]

This whole affair could be quickly clarified if Razorpay were more transparent about what the CrPC 91 order requested and if it disclosed whether it shared the data of donors who had Indian bank accounts as well. Alt News has repeatedly claimed that it never enabled international payments and that the FCRA charges are frivolous. In a statement put out on Friday night, Razorpay’s CEO confirmed that Alt News’s account had been configured to receive only domestic payments, in line with their policy for those accounts that did not have FCRA clearance.

“My perspective on the recent incident concerning @Razorpay pic.twitter.com/3B4mK73vJf” — Harshil Mathur (@harshilmathur) July 8, 2022

If Alt News was unable to receive payments from foreign bank accounts through Razorpay, what exactly was shared by the company and how does the Delhi police believe the data shows the fact-checking website engaged in FCRA violations?

Beyond Razorpay

Over the past decade, there have been glimpses of even more sordid stories. For instance, a 2018 sting operation by Cobrapost caught a senior vice president at the company claiming that they informally shared user data with the Prime Minister’s Office.

India’s tech companies as a whole have certainly shot themselves in the foot for parting with user data, but only focusing on Razorpay would be to miss the forest for the trees. For a determined law enforcement agency, even if Razorpay had denied a user-data request, the same would have been obtained from other intermediaries such as banks and payment system operators.
The heightened centralisation in payments with the National Payments Corporation of India (NPCI) processing over half of all digital payments (of all kinds) and the availability of mobile, Aadhaar number or card number-based mappers make it trivial to trace back individuals who donate to causes. The transaction data of every digital payment is stored for not less than a period of 5-7 years. And it’s not just payment apps: overall Prevention of Money Laundering Act (PMLA) compliance results in a whole lot of data being shared with the Financial Intelligence Unit (FIU).

[Chart: Data compiled from FIU IND Annual reports]

The data published by FIU in its annual report shows a significant surge in ‘suspect transaction reports’ and a rise in intelligence and law enforcement requests for this data.

The increased use of FIU data by intelligence agencies, higher than law enforcement, is also a cause for worry as these departments are the ones that have the least amount of accountability.

Given the range of intermediaries and volume of transactions generating transaction data, the digital payments ecosystem needs to urgently embed privacy and user rights into their systems to avoid erosion of consumer trust and build confidence that their data will not be shared as collateral damage.

Srikanth Lakshmanan is part of CashlessConsumer, a consumer collective working on digital payments.

Note: A reference to The Wire’s Tek Fog findings has been edited out as the stories have now been removed from public view pending the outcome of an internal review, as one of its authors was part of the technical team involved in our now retracted Meta coverage. More details about the Meta stories may be seen here.