Har Ghar Privacy Violation? #SaveOurPrivacy

tl;dr

As India celebrates Azadi ka Amrit Mahotsav, Indians across the nation were encouraged to geo-tag their own homes under the Har Ghar Tiranga campaign. Back in August, we wrote to the Ministry of Culture, highlighting the specific deficiencies in the harghartiranga[dot]com website and its privacy policy. Even though the website states that the data collected will be deleted at the end of the campaign, i.e., after August 15, the data is still up on the website. Concerned with the consequent privacy implications, we once again wrote to the Ministry today, urging them to delete the data at the earliest.

Why should you care?

The harghartiranga[dot]com website maintained by the Ministry of Culture collected citizens' personal data, including their names, contact numbers, email addresses, and the geolocation of their houses. The website also collected and displayed names of individuals who had uploaded their images with the national flag, including images of minors. According to a report by UNICEF, “Children, however, are more vulnerable than adults and are less able to understand the longterm implications of consenting to their data collection” and thus need a higher degree of protection for their data. As reflected on the website, by August 15, nearly 60 million Indians had uploaded their photos with the national flag on the Har Ghar Tiranga website. About 50 million had geotagged their homes and shared phone numbers to register on the portal. However, the website's privacy policy has several deficiencies which pose a grave risk to the privacy of citizens, especially in the absence of a data protection law.

Background

The Ministry of Culture launched a flagship website, harghartiranga[dot]com, allowing citizens to register using their mobile numbers or a single social sign-on such as through Google or Facebook. After logging in and permitting the website to access their location, the website allowed the users to ‘pin’ a digital flag on their location. Subsequently, a certificate of appreciation is generated for them to share and display publicly. These auto-generated certificates are a Faustian bargain in exchange for the structured and highly sensitive data with which the users have to part.

When we first came across this campaign, we were concerned by the proposed collection of personal data and geo-location by the government. Upon going through the website and the privacy policy of the campaign, our concerns grew. We first enumerated our issues with the campaign on August 6, 2022 (see tweet thread below). Subsequently, we raised these concerns with the Ministry of Culture through a letter dated August 12, 2022.

Issues

There are several other issues with the website’s privacy policy, as enumerated below:

  1. A boilerplate cut-copy-paste privacy policy: Prima facie, the privacy policy seems to have been drafted with little application of mind, using a pre-existing template. There seem to be several grammatical errors in the policy and unnecessary repetitions. However, without prejudice, the policy also refers to its commercial activity and the requirement for engaging in it. It states, “those who engage in transactions with Har Ghar Tiranga – by purchasing Har Ghar Tiranga’s services or products, are asked to provide additional information, including as necessary the personal and financial information required to process those transactions.” However, there are no products or services listed on the website, which might require a visitor to input their financial information. Furthermore, the privacy policy mentions, “You may consult this list to find the Privacy Policy for each of the advertising partners of harghartiranga.com” [sic]. However, there is no list of advertising partners on the website. This shows the poor application of mind while drafting or copying the privacy policy from other sources.
  2. Failure to delete data in consonance with the terms of the privacy policy: The website’s privacy policy mentions that the data collected would be deleted after the campaign. However, even a month after the date on which the campaign is supposed to have ended, i.e., August 15, 2022, the photographs and names are still available on the website.
  3. Lack of data minimisation: The website allows users to log in using either their Google single sign-on (SSO) or a combination of their name and phone number. However, the collection of the contact information serves no purpose. The website must be re-designed to ensure the application of data minimisation principles, and it must do away with the collection of the phone numbers of visitors.
  4. Privacy policy not to apply to data collected from other sources: The website's privacy policy explicitly mentions that “it applies only to information collected through the website and not to the collection of information from other sources.” However, the website contains cookies which can track a user across the websites they visit. Further, while signing in using Google SSO, Google allows the website to associate you with your personal information on Google, view public information not limited to Google Account email address, and view the street addresses saved. This potentially constitutes data from other sources and is possibly outside the purview of the Privacy Policy.
  5. Lack of actual protections for minors’ data: While the website mentions that it does not “knowingly collect any Personal Identifiable Information from children under the age of 18”, it allows anyone to upload an image of themselves holding a flag along with their name, including minors. This failure to proactively safeguard minors’ data can have an additional negative impact on them. It has been established, most recently in the Hon’ble Supreme Court’s judgment in Justice K.S Puttaswamy vs Union of India (2017) 10 SCC 1, that there has to be an added burden while handling and processing children’s data.
  6. Shifting responsibility onto users: The privacy policy vaguely provides that it will “protect [the data collected] within commercially acceptable means". However, it fails to elaborate on the standard processes for identifying “commercially acceptable means” to safeguard users’ data. Further, it places the onus on the website visitors to protect themselves by expecting them to “set their browsers to refuse cookies before using Har Ghar Tiranga websites”. The website also “advises” visitors to “consult the respective Privacy Policies of these third-party ad servers” to understand how they might use visitors’ data. However, it fails to direct these ad servers not to serve ads on the website in the first place.

Our demands

The Ministry failed to acknowledge the flaws in the website, and the concerns we raised in our initial letter remain unaddressed. We have filed a Right to Information application with the Ministry on the actions taken and, more specifically, whether the data has been deleted per the privacy policy. Further, we have also sent a follow-up letter dated September 21, 2022, urging them to take the following actions:

  1. Delete all data - including aggregate and non-identifiable copies - from the website and the Ministry’s or the third-party host’s servers, per the privacy policy.
  2. Issue a public statement either through a disclaimer on the website or a press release stating that all data has been deleted and that it has not been shared with any third party(s) or put to any other use.

Important Documents:

  1. Letter to the Ministry of Culture on the Har Ghar Tiranga campaign dated August 12, 2022. (link)
  2. Follow-up letter on the initial letter sent to the Ministry of Culture on the Har Ghar Tiranga campaign dated September 21, 2022. (link)