Flagging privacy concerns with Har Ghar Tiranga 2.0

The Har Ghar Tiranga 2.0 campaign by the Ministry of Culture set out to display the names and pictures of Indian citizens holding the tricolour on its website for a stipulated period, to celebrate India’s 76 years of independence. Except, user data is still displayed on the website.

26 October, 2023
6 min read

tl;dr

Last year, Indians across the nation were encouraged to geo-tag their homes under the Har Ghar Tiranga campaign. This year too, the Ministry of Culture launched the Har Ghar Tiranga Abhiyan 2.0, which was scheduled to run from August 13 to August 15, 2023. Despite stating via a Right to Information (RTI) response that the data collected will be deleted at the end of the campaign, i.e., after August 31, 2023, personal data of participating Indians, such as their names, photographs and geo-tags, is still up on the website. Concerned with the consequent privacy implications, we wrote to the Ministry of Culture urging them to delete the data of Indian citizens.

Why should you care?

The harghartiranga[dot]com website maintained by the Ministry of Culture, as per an RTI Response dated 25.09.2023, collects and displays the names and photographs of individuals with the national flag, which includes images of minors. According to a report by UNICEF, “Children are more vulnerable than adults and are less able to understand the long term implications of consenting to their data collection”, and thus, need a higher degree of protection for their data. During the campaign, over 88 million Indians uploaded their photos with the national flag on the Har Ghar Tiranga website. The website's privacy policy suffers from several deficiencies which cannot preserve the interests of these 88 million participants. Moreover, with a data protection law which provides sweeping exemptions to the government and affiliated agencies, it becomes imperative for the Ministry to minimise the collection of citizen data and establish adequate safeguards before launching such a campaign.

Background

On July 22, 2022, the Ministry of Culture launched the Har Ghar Tiranga campaign as part of the Azadi Ka Amrit Mahotsav celebrations, commemorating 75 years of India's independence. The Ministry of Culture launched a flagship website, harghartiranga[dot]com, allowing citizens to share their pictures posing with the tricolour which would be  displayed on the website along with the display name entered by the user. Ahead of the Independence Day celebrations this year, the campaign was relaunched as Har Ghar Tirangan Abhiyan 2.0

When IFF first came across this campaign last year, we were concerned by the proposed collection of personal data and geo-location by the government. Upon going through the website and the privacy policy of the campaign, our concerns grew. We flagged them to the  Ministry of Culture through a letter dated August 12, 2022 and a subsequent follow up letter dated September 21, 2022. Following this, Google single sign-on (SSO) requirements were removed from the website. Yet, other privacy concerns remain. 

Our Right to Information Request

After the announcement and reports on the relaunch of the Har Ghar Tiranga campaign by the Ministry of Culture as Har Ghar Tiranga Abhiyan 2.0, we filed an RTI Application with the Ministry of Culture dated August 18, 2023 requesting information on the privacy policy for the harghartiranga(dot)com. We asked several questions in our RTI request which are given below:

  1. Please provide an exhaustive list of changes made to the privacy policy of the website since its launch.
  2. Please provide an exhaustive list of data that the website stores and collects from its users.
  3. Please share the time period for which the website stores the data of its users.
  4. Please provide information with regard to the database/s used to store the data collected through the website.
  5. Please provide an exhaustive list of entities that would have access to the database storing the data collected through the website.
  6. Please provide an exhaustive list of entities/individuals who worked on the development of the website.
  7. Please provide an exhaustive list of safeguards that have been put in place to ensure the protection of the data collected under the scheme.
  8. Please share the details of any review or oversight committee formed under the scheme to ensure safeguards for public data.
  9. Please share if the Department/Ministry has released any guidelines, policies, rules or standard operating procedure on the storage of data. If so, please share a copy of the relevant documents.

Response Received

We received a response from the Central Public Information Officer for the Ministry of Culture on September 25, 2023. Below is a tabulation of the responses we received with each corresponding question: 

Query

Response 

Please provide an exhaustive list of changes made to the privacy policy of the website since its launch.

Privacy policy was not changed as no functionality was updated.


Please provide an exhaustive list of data that the website stores and collects from its users.

Exhaustive list of data that the website stores and collect from its user are (i) user name and (ii) selfie.

Please share the time period for which the website stores the data of its users.


The data was stored on website till 31st August, 2023. [sic]

Please provide information with regard to the database/s used to store the data collected through the website.

The database used to store the data collected to the website is AWS hybrid mode.

Please provide an exhaustive list of entities/individuals who worked on the development of the website.

M/s Tagbin Services Pvt Ltd., 3rd Floor, Wing A, Enkay Centre, Vaniya Kunj, Udyog Vihar Phase V, Phase V, Udyog Vihar, Sector 19, Gurugram, Haryana 122016 developed the website.


Please provide an exhaustive list of safeguards that have been put in place to ensure the protection of the data collected under the scheme.

Consent from the user was taken before getting the image uploaded.


Issues Raised

Based on the RTI Response, we wrote a letter to the Ministry of Culture on October 20, 2023 highlighting our issues with the website’s privacy policy, as enumerated below:

  1. Data stored beyond the time limit: We filed an RTI application carrying registration number MCULT/R/E/23/00309 dated August 18, 2023 concerning the privacy policy and storage of personal data by the website. Concerning the query about the time period for which the website stores the data of its users, the RTI response from the Ministry of Culture dated September 25, 2023 read that “the data was stored on website till 31st August, 2023.” [sic] However, as of October 20, 2023 the images and names are still visible on the website – which does not align with the RTI response given by the Ministry of Culture stating that the data was only stored till August 31, 2023, as displaying images on the website would not be possible without also storing them on a platform.
  2. Privacy policy does not apply to data collected from other sources : The privacy policy of the website explicitly mentions that “the User is aware that he/she might encounter "cookies" or other similar devices on certain pages of the Harghartiranga.com that are placed by affiliates of the Ministry. The User expressly agrees and acknowledges that the Ministry or Website does not control the use of such cookies/other devices by such third parties, that the Ministry or Website is in no way responsible for the same and that the User assumes any and all risks in this regard.” The Ministry skirts any responsibility and control over the use of such cookies or other devices by third parties, including affiliates of the Ministry. 
  3. Lack of actual protections for minors' data: While the website mentions that it does not “knowingly collect any Personal Identifiable  Information from children under the age of 18”, it allows anyone to upload an image of  themselves holding a flag along with their name, including minors. This failure to proactively safeguard minors’ data can have an additional negative impact on them. It has been established under Section 9 of the Digital Personal Data Protection Act, 2023 and in the Hon’ble Supreme Court's judgment in Justice K.S Puttaswamy v. Union of India that there has to be added burden while handling and processing children’s data. 
  4. Shifting responsibility onto users: The privacy policy vaguely provides that it will “protect [the data collected] within commercially acceptable means”. However, it fails to define the standard of the “commercially viable means”  and the processes put in place to safeguard users’ data. Further, it places the onus on the  visitors of the website to protect themselves by expecting them to “set their browsers to refuse cookies before using Har Ghar Tiranga websites”. The website also “advises” visitors to “consult the respective Privacy Policies of these third-party ad servers” to understand how they might  use visitors’ data, without stating any steps taken to not allow these ad servers to serve ads on the website in the first place. 

Conclusion

We at IFF remain firm believers in institutional processes, and strongly hope that the Ministry of Culture remains cognisant of the fundamental right to privacy of Indian citizens. Last year after our representations, the website removed the restriction of logging in using only either Google single sign-on (SSO) or a combination of their name and phone number functionality, which unnecessarily collected user data. This was  a positive step towards data minimisation. This year as well, we urge the Ministry to delete all user data once the campaign has concluded, and to issue a public statement, either through a disclaimer on the website or a press release, stating that all data has been deleted and that it has not been shared with any third party(s) or put to any other use. 

This post has been drafted by Saharsh Panjwani, Policy Intern at IFF and reviewed by the Policy Team.

Important Documents

  1. IFF’s Letter to the Ministry of Culture dated October 20, 2023 (link)
  2. IFF’s RTI Application dated August 18, 2023 to the Ministry of Culture (link)
  3. RTI Response from the CPIO, Ministry of Culture dated September 25, 2023 (link)

Subscribe to our newsletter, and don't miss out on our latest updates.

Similar Posts

1
Your personal data, their political campaign? Beneficiary politics and the lack of law

As the 2024 elections inch closer, we look into how political parties can access personal data of welfare scheme beneficiaries and other potential voters through indirect and often illicit means, to create voter profiles for targeted campaigning, and what the law has to say about it.

6 min read

2
Press Release: Civil society organisations express urgent concerns over the integrity of the 2024 general elections to the Lok Sabha

11 civil society organisations wrote to the ECI, highlighting the role of technology in affecting electoral outcomes. The letter includes an urgent appeal to the ECI to uphold the integrity of the upcoming elections and hold political actors and digital platforms accountable to the voters. 

2 min read

3
IFF Explains: How a vulnerability in a government cloud service could have exposed the sensitive personal data of 2,50,000 Indian citizens

In January 2022, we informed CERT-In about a vulnerability in S3WaaS, a platform developed for hosting government websites, which could expose sensitive personal data of 2,50,000 Indians. The security researcher who identified the vulnerability confirmed its resolution in March 2024.

5 min read

Donate to IFF

Help IFF scale up by making a donation for digital rights. Really, when it comes to free speech online, digital privacy, net neutrality and innovation — we got your back!