Bulk data sharing policy scrapped is an incremental victory that requires follow up action #SaveOurPrivacy

IFF Policy Team

Tl;dr

The Apex Committee of the MoRTH met on 4 June 2020 via a videoconference and decided to scrap its Bulk Data Policy (2019) that had earlier allowed private and government entities to buy bulk data from the ministry. This data was part of the MoRTH’s Vahan and Sarathi databases that contain sensitive details related to the citizens’ Vehicle Registration Certificates (RC) and Driving Licences (DL). While we acknowledge that this is a forward-thinking step aimed in the right direction, we also made a case that more loopholes need to be plugged, and more changes need to be incorporated to secure the citizens’ privacy and security in a more foolproof manner. So, we wrote to the Ministry highlighting critical steps as we move forward towards more complete privacy and security.

The Background

The Ministry of Road, Transport and Highways (MoRTH) holds citizen records as part of their issuance of Vehicle Registration Certificates and Driving Licences under their Vahan and Sarathi databases, or together referred to as Parivahan. In March 2019, the ministry decided to monetise this data by selling it to research and commercial institutions as part of their Bulk Data Sharing Policy (2019). While this mostly held non-personal details like chassis number, model type, year of manufacture among others, the MoRTH itself admitted that this data could be subject to Triangulation. Triangulation refers to the combination of different data-sets, which individually do not reveal much but viewing them together could lead to individual identification, and dilution of privacy. However, the policy did not provide any measures against triangulation, and simply placed the burden on the business/entity buying the data.

Making this worse is the fact that personal data like owner’s name and recent traffic violations can be accessed freely by anyone via the MoRTH’s Parivahan website, and mParivahan mobile app. Hence, it was not surprising that in February during the unrest in New Delhi, reports started coming in, which claimed that miscreants were using these easily accessible databases to target vehicles owned by the people of religious minorities.

IFF had reacted immediately and written to the ministry highlighting all the problems plaguing this practice of selling citizens’ data, and its lack of foresight in making personal information like name and traffic violation records freely available for malicious agents to exploit. We had summarised our stance and efforts in this blog post dated 26 February, 2020. Soon after, a few ministry officials had informed the media that the MoRTH was working to partially conceal the names of the owners on these databases.

Bulk Data Sharing Policy SCRAPPED! But the victory is still incomplete!

The Apex Committee of the MoRTH met on 4 June, 2020 to deliberate mainly on the privacy and security issues arising from the Bulk Data Sharing Policy. It was unanimously decided that selling of Vahan and Sarathi data to businesses can be prone to misuse. The basis of this reasoning resulted in scrapping the policy and we were pleased to know . We were also happy to note that the committee realises that such personal and sensitive data is not fit for sharing even through reports, and it is committed to complying with the Data Protection when it is legislated.

However, there are few issues that arise as a consequence of the topics discussed, and the proposals made during the meeting. Here are the major loopholes that we have identified, which need to be plugged to ensure that this step towards honouring the privacy of the citizens is fully realised. Hence, we called upon the MoRTH to take note of these issues and made a case as to why each of them is critical:

  • Preventing accumulation of personal data through government proxies: The Committee decided that ‘the non-personal anonymized vehicle data available in the National Register be provided free of cost as a bulk data on considering such requests from reputed public research institutions / educational institutions, which are controlled by the Central Government or the State Governments. Further, such institutions shall share the study / research findings to the Ministry and that the institutions shall not further share the data to other organizations’ Here adequate measures should be taken to prevent private use through such bodies which may be used as proxies. It should be considered that a lot of research projects at both dedicated research institutions as well as educational institutions are funded by private funders and organisations. In this case, the sanctity of the data can not be ensured since the institute would invariably be sharing this bulk data with these private funders, directly or indirectly through reports. Therefore, we feel that simply giving data access to publicly funded institutions will not solve the problem as the data will still remain prone to misuse. We recommend proper transparency and accountability mechanisms even when data is shared with Central Government or State Government entities.
  • Definition and risks of sharing, ‘non personalised anonymised vehicle data’: We made a case that while removing personal identifiers like name and address does make the data anonymised, this can easily countered by a process called Triangulation as acknowledged itself in the Bulk Data Sharing Policy. Triangulation means the combination of different datasets which individually do not reveal much but viewing them together could lead to individual identification, and dilution of privacy. Given that personal details like owner’s name and traffic violation data are so readily available for public access on the Parivahan database, simply anonymising this data at one place will not solve any purpose until measures are put in place that prevent the possibility of triangulation. Here, we recommended instituting specific studies and risk assessments prior to the sharing of any such data with a focus on definition of what specifically constitutes, “non personal anonymised vehicle data”.
  • Follow up steps for ensuring deletion of data shared: The Committee remarked that, ‘it was further clarified that since the existence of the Bulk Data Sharing Policy at a cost, only a single request for the requirement of Bulk Data is being processed in the Ministry, but the application has not been accepted till date by the Ministry and is pending’. However, an answer to the Unstarred Question No. 1698 in the Rajya Sabha dated 8 July, 2019 reveals that the ministry sold bulk data stored in its Vahan and Sarathi databases to 32 government entities and 87 private entities since the inception of the policy in March 2019. Furthermore, this RTI reply [link] suggests that as of 1 August, 2019, at least 142 entities bought vehicle and licence data from the ministry. Therefore, we urged the ministry to verify this and duly state what is the current situation as this discontinuity in information is giving rise to a lot of confusion. And, in case the data is still held by other entities, we recommended that the government needs to ensure that this data is duly deleted. Our recommendation is that these entities should be made to sign an undertaking on an affidavit claiming the deletion of the datasets countersigned by their statutory auditors. This will ensure that misuse and mishandling of the data is prevented.
  • Parivahan Website and Mobile Apps: While scraping the Bulk Data Sharing Policy is a a very positive step, any positive outcomes would be nullified as long as personal and sensitive data like vehicle owner’s name and traffic rule violations can be freely, and quickly accessed via the Parivahan websites and mobile apps. We strongly believe that the names and traffic violations data can be removed from these platforms without affecting the functionality of the app and the website. Making sensitive data like this so easily accessible has very dangerous implications for security and privacy. This was evidenced during the state-wide unrest in Delhi in the month of February when unverified reports came out on social media that malicious agents identified individuals from religious minorities and damaged their vehicles, using the data from the Parivahan database. We, therefore, urged the ministry to remove the names of the owners and traffic violation data from the Parivahan database.

Additionally, the Apex Committee decided that a special committee comprising JS (MVL, MoRTH), Director (MVL,MoRTH), Shri Joydeep Shome, DDG (NIC) and Smt. Yagnapriya Bharath, CGM (IRDAI) shall be constituted to finalise structure, standardisation and mechanism for sharing of reports in public domain, through the portal. Here, we urged the Honourable Minister to make this process deliberative and participatory. We believe that the decision on the process of sharing these reports should involve all possible stakeholders like citizens, civil society members, digital rights organisations, traffic, security and technology experts among others so that both the process and decision are inclusive and well-informed. Today, fellow Indians and civil society organisations are eager to assist the Government in participatory rule-making to ensure individual liberty, social justice and the imperatives of good governance.


Important Links

  1. Our letter to the MoRTH dated 29 June, 2020. It thanks them for scrapping the Bulk Data Sharing Policy and further asks them to resolve the pending privacy and security issues that remain after scrapping the policy. [link]
  2. Minutes of the meeting of the MoRTH’s Apex Committee, which unanimously decided to scrap the Bulk Data Sharing Policy. Dated 19 June 2020 (meeting held on 4 June, 2020). [link]
  3. Our letter to the MoRTH highlighting the malicious usage of Parivahan database during the unrest in delhi in February, which also contains our suggestions, and arguments against the database. Dated 26 February, 2020. ]
  4. Our blog post dated 26 February 2020 summarising our position on the misuse of Parivahan database during the unrest in Delhi. [link]
  5. Shashidhar KJ’s Policy Brief assessing the impact of MoRTH’s Bulk Data Sharing Policy. [link]
  6. The MoRTH’s RTI response naming the 142 organisations in possession of vehicle registration and driver’s licence data. Dated 1 August 2019 [link]


#SaveOurPrivacy

#BanTheScan

Share Your Support