Reports emerged early this morning, that a vehicle registration database developed by the Ministry of Road Transport and Highway (MoRTH) called Vahan, which is accessible (to different degrees) by third parties and the public, maybe being misused by rioters for purposes of targeted violence. Although these reports have not been confirmed, sharing and aggregation of public datasets by departments like MoRTH lead to potential risks of safety and fundamental freedoms. With the help of Srinivas Kodali who provided some timely insights and inputs we have co-developed a response to various departments of the Central Government and the Chief Minister of Delhi, Mr. Arvind Kejriwal. In it we asked them to take immediate remedial measures.
So what’s the situation?
In context of recent violent clashes in Delhi, disturbing reports emerged this morning which suggested that a database for vehicle registration called Vahan was exploited by malicious actors in identifying vehicles owned by Muslim vehicles, which were allegedly being burnt down. Although, this has not been confirmed by any formal news sources we feel this brings to light a serious human security risk emerging from the ethos of governing personal data.
What’s the risk?
In the absence of personal data protection laws to protect people’s online privacy, the Government has been increasingly centralising and aggregating government databases, to extract economic value. An entire chapter in the 2018-19 Economic Survey of India discussed this in great detail. However, these efforts have little regard for individual privacy and do not seek the informed consent of individuals before their personally identifiable information is integrated or used in these datasets. Further, aside from inter-departmental use and sharing of datasets, the Government is also increasingly making these databases available to third parties and even the wider public.
The issue with such unfettered sharing of data, without appropriate consent mechanism or legal/institutional safeguards, the data can be misused in a myriad of ways. For instance, the Vahan database is accessible by Government and external parties under the MoRTH’s Bulk Data Sharing Policy. The purpose of this policy is to help the ministry monetise the data which it has in its coffers and allows private parties create solutions and services for its own commercial (or sometimes research) interests. However, in this instance, we have observed the risk of how such Government projects can be misused and can threaten the security and fundamental freedoms of minority and at-risk groups.
Deeply concerned that government administered databases could inadvertently mobilise threats of violence and public property damage, we have written to different departments of the Union Government and the Chief Minister of Delhi articulating our concerns with the Vahan database and immediate actionable steps that we expect leadership to take. Our requests from the government were as follows:
- Immediately stop public and private access to databases like Vahan and Sarathi.
- Seek a legal opinion from Union Ministry of Law and Justice on the legality of MoRTH monetisation of these databases in light of the Hon’ble Supreme Court’s decision in the matter KS Puttaswamy (Retd.) v Union of India.
- Immediately stop the aggregation of government databases which lead to seamless sharing of individuals’ personal and sensitive personal data without any meaningful consent.
- Since several third party developers and private firms have already downloaded this data from the Vahan website and related applications. We urge you to issue an urgent advisory for third party mobile applications to remove their applications from respective mobile stores. It is reminded that these private firms and developers have illegally obtained this information and must be held accountable for their actions. The ministry is requested to take legal actions against these private firms and individuals.
- Finally, moving forward we urge the Government to immediately issue a notification to ensure that public official usage of such datasets adhere to established principles of access control. Such measures are imperative to prevent misuse and/or abuse of personally identifiable datasets.
IFF will keep track on the situation and follow up if necessary. We would like to thank Srinivas Kodali for his inputs without which we would not have been able to send our representation.