In August, Prime Minister Narendra Modi voiced his desire that on August 15, 2022, when we celebrate our 75th Independence Day, ‘Azadi ka Amrit Mahotsav,’ every Indian should hoist a flag from the rooftops of their homes. In addition, he encouraged people to take selfies with the national flag at their residences during the exercise from August 13 to August 15 and upload them on the “Har Ghar Tiranga” official website.
Thanks to aggressive campaigning government’s Har Ghar Tiranga campaign received unprecedented participation nationwide, according to the BJP party’s official statement on August 12, 2022. The Ministry of Culture reported that by August 15, approximately 60 million Indian citizens had posted images of themselves holding the national flag on the website, describing it as a “stupendous achievement.” About 50 million people have geotagged their homes with images and provided their phone numbers to register on the platform.
Digital rights advocates questioned the initiative at the same time, claiming that what appeared to be a simple voter outreach exercise could actually be an elaborate plan to gather personal information from residents. Earlier, the Har Ghar Tiranga website claimed data would be deleted after the campaign. However, the geotagged selfies have been online for over a month now. The images are still available on the internet, they can be zoomed and could be saved too. Further, according to the website, it doesn’t intentionally gather any personally identifying data from users under the age of 18. However, the publicly available selfies on the website prove otherwise.
Srinivas Kodali, a researcher with the Free Software Movement of India, expressed reservations about the Indian government’s extensive use of geotagging of its own populace. The magnitude of response for Har Ghar Tiranga was unmatched, despite several earlier attempts to geotag citizens to cash in data. This information can be used to fabricate votes, thereby influencing the outcome of elections.
Adding fuel to the fire, last week, a viral news story published by the international non-profit journalism group, Rest of the World, penned by Srishti Jaswal, highlighted digital rights advocates could be right in stating the Bharatiya Janata Party’s voter outreach project, was a veiled scheme to gather data from citizens, which might now be exploited by commercial corporations looking to sell personal data.
She claimed that their initial plan was to compile information on nearly 200 million Indians and that Independence Day celebrations offered the perfect opportunity to carry out this notorious plan because the majority of the public is susceptible to manipulation due to nationalist sentiment, patriotism, and zeal. The alleged pro-BJP propaganda gained momentum when well-known celebrities and athletes, including Amitabh Bachchan, Rajnikanth, Anupam Kher, Sachin Tendulkar, and Rohit Sharma, increased traffic to the website by taking part in the initiative. Even the caller tones have been replaced with a voice requesting telecom customers to sign up for the Har Ghar Tiranga initiative. The Ministry of Culture awarded “Har Ghar Tiranga Certificates” to anyone who registered on the website, revealed their location, and uploaded a selfie. This certificate played a huge role in catalysizing participation from the citizens.
The union government had hired around 200 manufacturers, including small and medium-sized firms and self-help organizations, to manufacture the flags. According to the ministry, the program was designed to encourage both a physical and emotional connection to the flag within a personal setting. Before, Indian people could only hoist the National Flag on specific occasions.
This changed when Naveen Jindal, an industrialist, won a decade-long legal battle that resulted in the historic Supreme Court ruling of January 23, 2004, which stated that the freedom to fly the national flag with respect and dignity is a fundamental right of an Indian citizen under the terms of Article 19(1)(a) of the Indian Constitution.
The Har Ghar Tiranga portal is hosted on Amazon web servers, in contrast to the majority of Indian government websites, which are housed on nic.in’s official servers. Tagbin, a private firm located in India, Singapore, and Dubai, is behind the website, according to a press release released by Asian News International (ANI). The location of where the website stores the data it collects is unclear. Additionally, the website shares your IP address with over 15 other websites, some of which have country code extensions from other regions of the world, leaving Indian people’ sensitive information prone to exploitation.
Ayushman Kaul, a senior threat intelligence analyst at Logically, a technology company that specializes in monitoring and combating disinformation, told Rest of World that the website also employs cookies to track users’ surfing patterns. Kaul thinks this is a baldfaced sign whoever is behind the website wants to collect more user data. Furthermore, linking a Google sign-in with the website might possibly allow the website creators to gather extra personally identifiable information from Indian citizens who used the website. This will allow user privacy abusers to build a complete demographic and psychological profile of the entire population by combining a variety of such information and personal markers.
A BJP member told Rest of World that individuals often post their photos on Facebook or Instagram without worrying about privacy issues in response to a question regarding the possible exploitation of these images. They dismissed the privacy concerns surrounding the data present on the website. The representative also denied the presence of sensitive information on the website and pointed out that users themselves consented to use the selfies while taking part in the Har Ghar Tiranga initiative.
The BJP-led Indian government has attempted to gather data unfairly before. The Aadhar identity database allegedly released all registered citizens’ personal information in 2018 including names, bank information, and biometric information. Last year, WhatsApp sued the Indian government to stop the implementation of new regulations that called for platforms for instant messaging to reveal the “originator” of communications upon request from law enforcement.
At least 1500 persons who took the COVID-19 test in 2021 had their names, birth dates, testing centers’ locations exposed on official websites. Interestingly, the data was freely accessible via Google indexing but was not sold on the dark web.
The government had also introduced the contact tracing app Aarogya Setu as part of its frantic attempts to tackle COVID-19. The goal was to locate users using geolocation and alert them if they had contact with an infected individual. The Indian government was already tracking potential illnesses and locating hand-stamped individuals who had vowed not to travel using airline and train reservation data. The Aarogya Setu app used a range of technology strategies to make contact tracking and location monitoring possible. These include real-time geotagging-enabled selfie-based hourly check-in(s), and face recognition software systems for those who are being isolated at home. However, it was often noticed that the app lacked accuracy!
The government assured that all contact and location tracking information was removed from the phone on a rolling 30-day period. Unless you test positive, in which case all contact tracing and location information was erased 60 days after being certified healed, the identical data on the server was deleted 45 days after the upload.
However, the Aarogya Setu Data Access and Knowledge Sharing Protocol specifies that de-identified data could be shared with any government institution, provided that it is done so in order to combat Covid-19. The protocol specifies that any received data shall be permanently erased after 180 days. However, privacy advocates claim there is no way to determine if that has actually occurred.
While it is undeniable that these technological interventions were essential for locating hotspots, coordinating efforts between relief organizations, allocating resources, and facilitating quick decision-making, they also pose the risk of systematic mass surveillance, so it is important to be aware of these risks. This suggests that the information from Har Ghar Trianga might be used for widespread monitoring and geo-targeted political advertisements.
Although the location data is not made publicly accessible, the Har Ghar Tiranga website retains it, according to Kodali, which could result in theft, hacking, and stalking. People may become more susceptible to geo-propaganda when siloed data, such as phone numbers, photos, and location, is combined with other data sets, such as constituency demographics and voting preferences. This Orwellian possibility draws parallel to the mass abuse of user data privacy using US Presidential elections. While Cambridge Analytica’s activities are widely known, during the 2020 US Presidential elections, Catholics who regularly attended church services were identified via geotagging. The Donald Trump campaign subsequently targeted these individuals with personalized advertisements.
India presently lacks data protection legislation that may protect its citizens from cyber risks. Just days after the Har Ghar Tiranga initiative was introduced, the Indian government abruptly withdrew a draft of Personal Data Protection Bill that had been making its way through parliament for over three years on August 3. The 2019 bill suggested strict controls on international data transfers and allowed the Indian government to request user data from businesses.
With the lack of data privacy laws, considering past attempts to misuse user data, it is probable that the geo-tagged data from the Har Ghar Tiranga website can see similar risks. Not only that, the use of such data can enable the government to nip any public dissent with measures ranging from lawsuit, unlawful monitoring, and social media account suspension!