It isn’t suspicious that e-governance apps have access to government databases. But how did third-party app developers get hold of vehicle registration databases? The answer: illegally.

The govt is selling our vehicle data with no framework to protect our privacy
news Privacy Friday, March 06, 2020 - 14:09

Log in to Google Play store and key in ‘vehicle info’, and at least 200 mobile apps – both free and paid – will show up in the search results. A single click and a wait of 10 seconds is all it takes to find the name of vehicle owners by entering any vehicle registration number. Type in other combinations of words such as RTO info, vehicle details and so on, and hundreds of apps are listed – and each day, the number keeps increasing. Some of these apps have been downloaded a million times — each. 

And if you look closely, this list of the apps includes only a handful run by the government — such as mParivahan, run by the National Informatics Centre (NIC). And while it isn’t suspicious that e-governance apps have access to government databases, how did third-party app developers get hold of vehicle registration databases? The answer: illegally. 

A central government-managed bulk database of registration details of 28.5 crore vehicles in India, Vahan is a saleable entity. This database can be obtained by automobile industries, banks, finance companies, research institutions etc. Ministry of Road Transport and Highways (MoRTH) earned Rs 68 crore between 2014 and 2019 by monetising this information. The question of whether the government should be doing this apart – an RTI response from 2019 shows that only 127 private and 15 government organisations have paid for and accessed this data. 

And so the only plausible explanation for how most of these third-party app developers got hold of vehicle registration database is, by crawling the web for the data. And each time a private entity does this, they commit an unchecked data privacy breach. The consent of the individuals to whom this data belongs to remains unsought for. 

The Parliament is yet to pass the Personal Data Protection Bill, and activists and research scholars have expressed several concerns with this state of affairs. “A strong data protection law should establish a baseline privacy standard where you incorporate consent,” says Sidharth Deb, Policy and Parliamentary Counsel at Internet Freedom Foundation (IFF). “That should include the provision for an individual to be able to object to their data being transferred and shared across databases, to raise money, or allow businesses to harvest that data for their own economic interests," he adds.

Consent isn’t just a reasonable framework. In its landmark judgement of 2017, the Supreme Court upheld that privacy is a fundamental right.

What’s in a name? 

Further, we also need to have conversations about consent exemption for ‘reasonable purposes.’ 

While it might seem harmless that the name of an individual owning a vehicle can be obtained worryingly easily, the recent viral, unconfirmed tweets suggesting that such data could have been potentially misused by rioters to target vehicles of Muslims in Delhi has brought to fore the need for a conversation about the potential risks and lapses.

Following the concerns on social media platforms, on Feb 26, IFF – an Indian digital liberties organisation – submitted a representation to the Union Government and the government of Delhi requesting them to ‘stop public and private access to databases like Vahan.’

“In India, an individual’s name itself carries multiple layers of connotations. It denotes your caste or can reveal if you are a member of scheduled tribe communities and also, of course, it indicates your religion. That information being in the public domain may itself be considered sensitive personal data to some extent,” explains Sidharth.

The availability of public access to names of vehicle owners creates another sort of vulnerability too – ‘triangulation’. Simply put, other datasets can be matched against the name to derive more personal and sensitive information about the individual. 

In a research paper published in December 2019 in the Observer Research Foundation (ORF) by their associate fellow KJ Shashidhar, the author provides an example of how triangulation can happen.

“If information from the mParivahan application is combined with KYC data, it is not difficult to imagine a situation in which a person is stalked or put under illegal surveillance,” writes Shashidhar in the paper. 

In its five-page ‘Bulk Data Sharing Policy & Procedure,’ the government admits to this risk of triangulation and says it is possible for “individuals to be identified and their privacy compromised,” however squarely places the responsibility of not doing so on the organisations purchasing and accessing this data.

Procedural issues

Apart from the consent and privacy of individuals being key issues, the availability of Vahan data for purchase is also reflective of procedural lapses.

While the creation of Vahan database and the subsequent provision to purchase the data predates the 2017 Supreme Court judgment, the amendment to introduce National Register of Vehicles to Central Motor Vehicles Rules (CMVR) 1989 was only passed in 2019.

The National Register was proposed to be created to “bring harmony of the registration and licensing process.” However, the mention of this register occurs multiple times in correspondence between MoRTH officials while framing the policy rules for data sharing. 

In 2014, in one such correspondence (The News Minute has accessed the RTIs), issuing a gazette notification (for collection of fee for access of vehicle data) under CMVR is debated against as National Register wasn’t then a part of CMVR and initiating a process to amend CMVR would mean the officials had to wait for months before the process could begin. Since this was bypassed by operationalising the scheme to sell data using an ‘administrative order’, the public had no way to put forth their objections/suggestions.

Later in 2019, the ministry brought in rules for bulk data sharing of vehicle data without identity detail (i.e. name). Even then, the risk of triangulation exists. 

Currently, there are two ways in which one can access Vahan data, one is through buying access of records (including name of the vehicle owner), the sale of which started in 2012. The other is sale of bulk data, for which a policy was put forth in 2019. An annual fee of Rs. 3 crore is to be paid to access this bulk data. 

Srinivas Kodali, an independent researcher on open data says, “The issue of every national register out there is a misuse of information and weaponisation of data. There is no reason for this data to be in the public domain or be sold without the consent of individuals.”

Vahan data now exists across multiple platforms, including those that got it illegally. IFF in its petition – among other privacy concerns – urges that the government needs to issue an ‘urgent advisory’ to mobile stores in order to tackle this problem. 

“This is information that an individual is providing to be able to own and drive a vehicle. That is the specific process. That is the limited extent that the state or local RTO has been given permission to access that data. A larger database if attacked leads to greater harm as opposed to it being restricted at the state level. Risk of large scale abuse is less in the latter,” adds Sidharth.

Apart from the consent and privacy of individuals being key issues, the availability of Vahan data for purchase is also reflective of procedural lapses.

Help us provide quality journalism. Become a TNM member today! Click here.