2023 Year in Review: Digital Transparency keeps public institutions accountable

tl;dr

The Right to Information Act, 2005 In 2023, we filed 295 Right to Information (“RTI”) applications and 66 first appeals with various public authorities at the state and union levels, and preferred 2 second appeals and appeared before 12 first appellate authorities and the CIC in 2 matters. Through these efforts, we tried to bring transparency and accountability into the functioning of a number of public authorities, and empower Indian citizens with information that affects their digital rights.

Why should you care?

The Right to Information Act, 2005 (“RTI Act”) was enacted to promote transparency and accountability in the working of public authorities by ensuring that citizens are able secure access to information in control of these authorities. Facilitating such access is necessary to ensure that democratic processes are not subverted by public authorities acting in private interests. Where transparency is not upheld as a value of public decision-making, citizens are at a disadvantage when it comes to keeping a check on abuse of power by the public authorities.

The RTI Act is thus one of the most important tools at the disposal of the public to engage with, and demand transparency and accountability from, our Union and state governments. The Digital Transparency vertical at IFF strives to routinely extract information about various ongoing policies and projects introduced in the public sector through RTI Applications filed under the Act. Responses we receive often pave the way for government engagement, advocacy, and even strategic litigation. Previous reports on our transparency endeavours can be accessed here. 

It’s a two-way street: transparency on public consultations

Free and open public consultations are the bedrock of deliberative democracy, in line with the Pre-legislative Consultation Policy, 2014. In 2023, we filed RTI applications with various ministries asking for more transparency on the policies released for public consultation and the comments or feedback they received. Much of this data was either denied to us, claiming privacy concerns. On two occasions, we were invited for physical inspection of files to the Ministry premises. Our experience and responses received are tabulated below.

A few highlights:

We filed two rounds of RTIs on the three criminal law bills. In August 2023, we approached the National Law University, Delhi (“NLUD”) and the Ministry of Home Affairs (“MHA”) to obtain information on the National Level Committee for Reforms in Criminal Laws formed at the university level to help draft the bills, and the drafting and consultation process generally. A response from NLUD stated that the report of the Committee had been handed to the Ministry in a sealed envelope, but we did not receive a response from the Ministry. We preferred a first appeal on the issue, which was also transferred . Then three weeks ago, in November 2023, we filed fresh RTIs with the MHA on consultations and comments invited on the BNS, BNSS and BSB, including details on the Parliamentary Standing Committee on Home Affairs’ review of the bills. We await a response to this round of RTIs.

Additionally, we filed several RTIs with the Ministry of Electronics and Information Technology (“MeitY”) on the consultations, drafting and reviewing processes of the Digital Personal Data Protection Bill (“DPDPB”), 2022 and 2023 (see here, here, here and here). In response, we were invited to conduct a physical inspection of files at the Ministry office, the findings from which are tabulated below. Based on the inspection we filed two more RTIs – first with MeitY, seeking information on the Ministry officers who worked on the DPDPB, 2023, and second with the Cabinet Secretariat, seeking copies of cabinet notes for the 2022 and 2023 versions of the DPDPB, along with comments received on the DPDPB, 2023. We were stonewalled for all of these RTIs and preferred a first appeal against the lack of response to our first set of applications.

This year, we were invited for several physical inspections of files – on the consultation processes for DPDPB, 2023 (here) and the Draft National Robotics Strategy, 2023 (here), on policies governing the APAAR unique school ID (here), and on the use of scan-and-share token facilities at All-India Institutes of Medical Sciences, Delhi. Of these, we were able to undertake two physical inspections, findings from which are tabulated below:

What we learnt

Other than policy consultations, we tracked news headlines and emerging government schemes, and made measured RTI interventions on a number of concerning initiatives. Here are some key responses we received to our RTIs this year, along with a summary of outcomes that emerged from them:

DigiYatra is NOT mandatory!

We filed RTIs on the use of DigiYatra across Indian airports and received a response from the Ministry of Aviation stating that use of DigiYatra is not mandatory. The Ministry of Civil Aviation’s Digi Yatra initiative, which is (supposedly) an expedited check-in service at airports, widely deploys facial recognition technology across Indian airports to scan passengers’ faces and their boarding passes. Digi Yatra already raises a number of concerns in relation to data collection, storage, and processing with weak or non-existent privacy safeguards. On top of this, passengers are being coerced into opting for it over a regular airport check-in, through deception and coercion by airport staff (see tweets here, here, here, here and here, to name a few). The Ministry clarified that the service is not mandatory, which is a significant statement given the thrust to manipulate passengers into taking it up on ground. 

Time to rethink Aadhaar? 

Along with Article 21, Rethink Aadhaar, and Access Now, we submitted a joint submission on the draft Aadhaar Amendment Rules, 2023 (read here). We then filed an RTI with the UIDAI seeking information on the proposals received, the proposals approved, and the proposals denied based on the provisions for Aadhaar linking under the Rules. A perusal of the documents proved true our fears regarding the expanding use of Aadhaar across sectors, services and usecases, which could severely jeopardise individuals’ privacy. Use of Aadhaar to access government services and work with government agencies sets a dangerous precedent and could result in the unwarranted exclusion of those who either do not have Aadhaar or are facing technical issues with their Aadhaar.

Flagging campaigns with privacy concerns 

Last year, Indians across the nation were encouraged to geo-tag their homes under the Har Ghar Tiranga campaign, which we probed into by filing RTIs. This year too, the Ministry of Culture launched the Har Ghar Tiranga Abhiyan 2.0, which was scheduled to run from August 13 to August 15, 2023. We filed another RTI with the Ministry on the second edition, and related privacy concerns of individuals posting their pictures on the website. The response was interesting, to say the least – the Ministry stated that the data collected will be deleted at the end of the campaign, i.e., after August 31, 2023… but personal data of participating Indians, such as their names, photographs and geo-tags, can be seen on the website to this day. Concerned with the consequent privacy implications, we also wrote to the Ministry of Culture urging them to delete the data of Indian citizens as well, but to no avail. Read more about our engagement on the issue here.

Don’t need DigiLocker to create a passport

We filed RTIs with the Ministry of External Affairs and several regional MEA offices, asking whether one needs a DigiLocker account to submit an application for a new passport or to renew old passports, and whether such account needs to be linked to an Aadhaar ID. The responses received all state that it is not mandatory. See responses Mumbai, Panaji, Chennai, Pune, Patna, and the Union ministry. We were able to successfully verify this information by assessing the online passport application process. Although, the reality at regional passport seva kendras/offices is different, where Aadhaar ID-linked DigiLocker accounts are frequently asked for and even forced on applicants. So on that count, the RTI responses are a significant statement.  

We’re in the panopticon

This year, we filed a number of RTIs on the use of facial recognition technologies (“FRT”) and CCTV cameras at the state and union levels. The responses were sparse, save for these two, which give us a glimpse into the extent of surveillance and data collection happening through FRT:

1. We filed an RTI with the Department of Pensions and Pensioners Welfare on the use of face authentication technology in the issuance of Digital Life Certificates to pensioners, who cannot physically go to banks for authentication. The RTI, which was a mix of quantitative and qualitative questions, was promptly transferred to the National Informatics Centre. The NIC responded to only the questions pertaining to statistics, revealing that the Department is actively employing Aadhaar-based FRT for user authentication, and over 21 Lakh certificates had been generated using FRT till November 9, 2023. The questions pertaining to accuracy and privacy concerns of this FRT system were evaded by both bodies, claiming that they are “not related to NIC”. 
2. In April 2023, we filed an RTI on the use of FRT by the state of Goa in user authentication for online learners’ licence applications. Goa’s response revealed that FRT is in fact being used for all online learners’ licence applications, with a 97% accuracy rate, and that all applicants’ pictures and metadata collected from this process is being stored on a government portal without a clear privacy policy safeguard on data retention.

Apart from these highlights, we also learnt some other ways in which Union and state governments collect personal data. For instance, we filed an RTI with the Central Board of Excise and Customs and GST Council in the Department of Revenue, seeking information on the use of geo-tagging for verification during the GST registration process. Response from the Goods and Services Tax Network revealed that the geo-tagging functionality is live across India, and that the data collected from this “belongs to the government and the same will be accessible to the entities to whom the government decide” (sic). Further, we sought information on various state-level Family ID schemes, and a response on the Karnataka ration card scheme revealed that a state-wide portal had been established for registration of all residents, but there was no public or inter-ministerial consultations before the scheme, and without privacy safeguards in place.

What we didn’t… 

We were also met with sealed lips (and envelopes…) at many turns this year, which may even lead one to draw some patterns. Here is a summary of RTIs and follow-ups that yielded no responses from the public bodies.

Our Fact(check unit) Finding Mission

In June, Karnataka Minister Priyank Kharge announced the setting up of a state-level FCU in Karnataka stating that the unit will not only be a fully operational department to monitor “fake news”, but will be able to pursue legal action with the support of the Home Department and Karnataka Police against those found guilty. In light of this, on July 13, 2023 we filed an RTI application with the DCP, Bengaluru Police asking several questions regarding allocation of duties, procedures and techniques that will be used by the Unit, legality of the Unit and the budget allocation. 

The RTI was rejected by the PIO, however the queries raised in the RTI highlighted crucial information about the FCU, we preferred a first appeal against the response with the First Appellate Authority.mWe received a response to our first appeal from the PIO for the Office of the Commissioner of Police, Bengaluru Police stating “it is hereby informed that there is no fact checking cell in the Bengaluru City Police Commissionerate” despite  reports announcing the framework and EOI for the FCU.

Additionally, we filed another RTI request with the Secretariat of the Karnataka Chief Minister’s Office requesting a copy of the official notification announcing the establishment of the fact checking unit by the Karnataka government. On October 16, 2023 we filed another RTI request with the Ministry of Electronics Information Technology Biotechnology and Science & Technology (Secretariat of eITBT and S&T), Government of Karnataka to share the responses received on the EOI and the criterion they will use for the empanelment of agencies. We have not received a response yet.

On content censorship, takedowns and blocking

1. Now you BB-See me, now you don’t! The Ministry of Information and Broadcasting (“MIB”) disposed of our RTI request on March 15, 2023, for the ban of the BBC documentary on the Prime Minister of India, stating that they are authorised to take down digital news and online content under Section 69A of the Information Technology Act, 2000 and Rule 16 of the Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009. Further, they have also stated that the proceedings of the Inter Departmental Committee are confidential and exempt from disclosure under S.8(1)(a) of the RTI Act.
2. Prepare for trouble, make it double: We filed RTIs with MIB and MeitY on the Muzaffarnagar slapping incident and in separate responses (here and here respectively), both Ministries conceded that they did, in fact, order content censorship. However, they refused to reveal which tweets or twitter accounts or other pieces of online information were censored by them, so it is not possible to determine whether there are any tweets or accounts in relation to which both Ministries issued concurrent orders. Both Ministries also refused to reveal why the censorship was undertaken, invoking exemptions under Section 8(1)(a) of the RTI Act.
3. Were you JK about the banned apps? On May 1, 2023, it was reported that 14 mobile applications that provided end-to-end encrypted messaging services, enabled peer-to-peer messaging, etc., were banned purportedly on the basis that they were being used by terrorists in Jammu & Kashmir.  We filed a series of RTIs with MeitY, MHA and J&K Police to gather more information about the ban, enquired about the territorial scope of the ban-whether its application and enforcement is limited to J&K or pan India, requested a list of the mobile application which were banned by MHA and MeitY as well as the list of mobile applications recommended to be banned by the J&K Police to MHA and MeitY, and also requested copies of the blocking order and recommendations leading to the ban. Additionally, we asked about the basis for identifying the applications as being used by terrorists, and if they were given any notice, opportunity for hearing, or appeal prior to the ban. We were met with radio silence at all crossroads, but more information about our endeavours is documented here.
4. Sneaky links? We requested MeitY and MIB revealed the number of URL takedown requests made under Section 69A of the IT Act, 2000, and the reasons for these requests being denied or accepted. While MeitY gave us numbers for the total requests made in individual years from 2018 to February 2023, all other requests were denied in the interest of ‘confidentiality’. 
5. Take it all down: We filed several RTIs with MeitY on its child sexual abuse content warnings to Youtube, X, Telegram, and other takedown warnings it has issued through the year, as well as other takedown or blocking orders issued by MeitY or MIB on social media platforms, apps, users or content (see here, here, here and here). All we heard was radio silence, or an occasional reference to Section 8(1) of the RTI Act (see here and here).

Don’t blame the machine! 

This year, we tried to keep up with Union and state governments’ rapid deployment of emerging technologies across sectors in India, and filed several RTIs on government interventions on AI, automation, and ‘smart’ cities. These included the use of artificial intelligence in traffic management systems, chatbots, surveillance, authentication, healthcare, urban administration, policing, education, agriculture, and various other use cases, which are tracked on our internal resource – a working Transparency Tracker on the use of AI/ML by Governments. Some of our filings included seeking information on:

1. Use of 726 AI-cameras under the Safe Kerala project (see RTI), which did not receive a response.
2. Usage of robust data analytics and artificial intelligence (AI) by the Government of India to identify and track risky taxpayers, as reported in an article dated May 17, 2023, in the Economic Times (see RTI), which was denied invoking Section 8(1)(h) of the RTI Act (see response).
3. Vetting of the AI and facial recognition powered Solution for Telecom SIM Subscriber Verification by constitutional lawyers, as reported by an article titled, Telecom Bill should be finalised by July: Vaishnaw, dated May 16, 2023, in The Hindu (see RTI), which was denied in part (see response).
4. Usage of robust data analytics and artificial intelligence (Al) by the Government of India to identify and track risky taxpayers (see RTI), which did not receive a response. 
5. Karnataka using AI to curb fake news (see RTI), which was transferred, but received no response.
6. Use of AI to store data of criminals by the UP Special Task Force (see RTI), which received no response.
7. AI Direction to detect pesky messages by the Telecom Regulatory Authority of India (see RTI), which received no response.
8. Fatigue Detection AI for Bus Drivers in Telangana (see RTI), which received no response.
9. Use of FRT and AI during Independence Day by Delhi police (see RTI), which the police force denied doing.
10. Development of AI based devices to detect driver fatigue in Northern Frontier Railways (see RTI), which received no response.
11. Use of AI-Chatbot for PM-Kisan Scheme (see RTI), which received a response on the use cases of the chatbot, but not the technologies used or questions relating to privacy and accuracy concerns (see response).
12. Punjab Police using AI (see RTI), which was transferred, but received no response.
13. Use of AI for traffic management in Lucknow (see RTI), which received no response.
14. Aadhaar Face Authentication enhancements with AI and ML (see RTI), which received no response.
15. Use of FRT and AI for crowd management in Shree Mahakaleshwar Temple Management Committee, Ujjain (see RTI), which received no response.

All eyes on me! 

We filed several RTIs with UIDAI on the use of Aadhaar-based face, iris, or biometric authentication across schemes and sectors. These included pointed RTIs on the use of CCTVs and FRT in schools, roads, events, temples, and various other use cases (see RTIs here, here, here, here, here and here; see responses  here, here, here); as well as two rounds of RTIs on the use of ASTR and user verification in telecom under the Sanchar Sathi Portal (here, here and here; see responses here and here).

Stealth in health?

We filed several RTIs to the National Health Authority on their POSHAN tracker, U-WIN initiative, and other tech-based health databases (see here, here, and here). We also filed RTIs on NHA’s digital health digest on Scan and Share and issuance of ABHA, Healthcare Workforce Mobility Portal, WhatsApp Bot and asking for MoUs of interfacing agencies (see here, here and here; see responses here, here, here). Further, we filed RTIs on data use and sharing policies and privacy policies of NHA (see here and here; see responses here and here). 

And some more

Well, we filed close to 300 RTIs this year, and above were some thematic highlights. Some notable RTIs that we also filed only to be met with silence are here:

1. We filed three rounds of RTIs with the Ministry of education on the status, data collection, consent framework, and implementation of the APAAR student ID and UDISE+ management systems at the school level (see RTIs here, here, here and here).
2. We filed an RTI to MeitY pertaining to the Apple threat notification for state-sponsored attacks, to which we were informed that CERT-In is now exempt from the RTI Act (see response).
3. We filed RTIs to access MOUs entered by the Ministry of Agriculture and Farmer Welfare with private entities for the development of farmer databases and the AgriStack (see here, here, here, here, here, here, here, here, here, here, here and here).
4. We filed an RTI on the tender process and proposal for empanelment of influencer marketing agencies with Union ministries.

What’s the Appeal(s)?

In 2023, we filed a total of 66 first appeals, and appeared before the Central Information Commission in 2 second appeals. Some notable ones are summarised below:

1. In her order in the MIB second appeal, IC Saroj Punhani found MIB's reliance on the fiduciary relationship exemption to be incorrect and directed the CPIO, MIB to provide the list of publishers.In response to CIC’s order, the MIB has furnished a list of 3,101 digital news media publishers and 57 OTT platforms. The disclosure of this information plays a crucial role in fostering and promoting greater transparency and accountability.
2. In a second appeal relating to the existence of Facial Recognition Biometric Attendance System existing at  Tirunelveli Bottling Plant of Indian Oil Corporation, IC Saroj Punhani found that the reply provided by CPIO adequately suffices the information sought by the Appellant as per the provisions of RTI Act.
3. IFF filed a first appeal seeking the blocking order, details of the review committee, specific reasons & evidence, and the recommendations which the Authorised Officer submitted to the Secretary, MIB pertaining to the ban on the BBC documentary, India: The Modi Question from CPIO, MIB. The First Appellate Authority in its order concluded that the reply given by the CPIO, is in line with the availability of records and applicable provisions of RTI Act, 2005.
4. In his order in the Ministry of Home Affairs First Appeal, seeking information about the plan of the Union government to make technology backed forensic audits of crime scenes mandatory where the punishable offence is for six or more than six years, the First Appellate Authority, remitted the appeal to PIO/Crime to re-examine the information sought by us as the   reply provided was not convincing. 
5. Unsatisfied by the responses provided by the Department of Electronics and Information Technology, we filed  first appeals pertaining to the notices that are being sent out by CERT-In to service providers seeking compliance with directions (iii) and (v) of Direction No. 20(3)/2022-CERT-In dated 28.04.2022. The First Appellate Authority disposed off the appeals under section 8(g) of the RTI act, stating that an appropriate reply to the RTI has been given by  the CPIO. 
6. In a first appeal relating to internet shutdowns in Puducherry, the First Appellate Authority directed the PIO to make a thorough search again in the relevant files/records to find whether any such orders have been issued. In response to this, the PIO provided Orders that have been issued for constituting/ re-constituting the Review Committee for obtaining interception of messages under the provisions of Rule 419-A of Indian Telegraph Rules 1951 and u/s 5(2) of Indian Telegraph Act 1885.
7. In a first appeal relating to internet shutdowns in the state of Jammu Kashmir, the First Appellate Authority directed the PIO to revisit the instant RTI application and provide information. It was further directed that in case of denial, the apposite reasons be explicitly indicated for withholding the information.
8. In a RTI, we sought information regarding the blocking of various Twitter accounts like BBC Punjabi since 17.03.2023 in the aftermath of the internet shutdowns in Punjab. The CPIO, in his reply, relied on Rule 16 of the 2009 Blocking Rules and refused to grant the applicant the information sought. Unsatisfied by the reply, we filed a first appeal. The First Appellate Authority reexamined the information supplied in respect of RTI Application and found it in order. 

So, what’s next?

We keep fighting the good fight – for transparent, accountable, and citizen-led democratic institutions. Next year, we aim to expand our inquiries into the use of emerging technologies.

This post was drafted with assistance from Medha Garg, Policy Intern and Yash Tiwari, Litigation Intern, Internet Freedom Foundation