Could rioters use a free app and a government database in order to track down people by their religion, allowing them to carefully target their victims? A message that’s doing the rounds on WhatsApp right now claims to show just such a chilling scenario of how technology can be misused. While the details shown in this picture cannot be verified at present, the potential harms that it represents cannot be overstated at a time when the capital city is facing unprecedented violence.

A picture of a burning car, with a graphic showing the name of the owner, a Muslim-sounding name, has been doing the rounds of WhatsApp groups in Delhi. It’s a screenshot based on an image shared by a Twitter account called Chaai Wala, and the accompanying text reads, “Wow! What fantastic use of technology. Using an app, rioters identified vehicles belonging to the Muslims and then burnt them down.”

I have not been able to identify the app in question but the picture used in the tweet is a PTI photo from the violence that rocked Chand Bagh in Delhi on Monday and Tuesday. The numberplate is clearly visible, and it is possible for an app to have used computer vision to decipher the characters on the plate. After that, it is trivially simple to get the owner’s name from the official website of the Ministry of Road Transport and Highways.

Whether or not this particular image shows a car burnt because the perpetrators were using an app to look for cars belonging to Muslims, the potential for this kind of misuse remains, particularly given the tense situation that is prevailing in Delhi.

According to a report in NDTV, all internal examinations in government and private schools in violence-hit North East Delhi have been cancelled and all schools remained closed on Tuesday.

Screenshot of Vahan website showing personally identifiable information without any safeguards, redacted by Gadgets 360

Government website gives away personal information with no safeguards

“The Vahan data was built on the recommendation of a consultant by ministry of road transport,” noted security researcher Srinivas Kodali, speaking to Gadgets 360. “It chose to make the data public to earn back the money spent in digitization. There is no primary purpose of the data except for policing. Instead the ministry started selling it to insurance agencies, banks who finance sale of cars.”

The potential for misuse in a scenario like this is simply terrifying. The most obvious possibility is of course the one shown in the image above: use by rioters to identify people by their religion. Before redacting the personal information in the image, we were able to confirm that the data shown in the picture was in fact correct.

Gadgets 360 then double-checked the Vahan information with that of other cars in our lot and found that they were also checking out perfectly — this information is freely available, and all someone needs to know your name is to take a picture of your number plate. With that, we were able to find the owner’s name, and from there, you can track them through social media, Google, and other tools.

This could open up other scenarios, such as stalking too — imagine a stalker following a stranger, getting a look at their number plate, using that to find their name and from there, their Facebook page? From there, you could use other leaky government databases in order to zero in on the person’s address as well, which would take the potential for harm to the next level.

“The choice of making personal data public without any laws is dangerous,” Kodali added. “Even though India is in the process of getting a new data protection law, it still prioritises economy over people’s rights, thus enabling sale of Vahan data to private firms and it being publicly available.”

“The weaponisation of information and data is already happening in our elections, social media and society at large. This can’t be allowed and prevention is key, rather than bringing laws to prove harm when it is really hard to do,” he added.

Could data leaks make a tense situation worse?

Union Home Minister Amit Shah, whose department said on Monday evening that the situation is under control, chaired a meeting with Delhi Police officials late that evening (his third in 24 hours) as the government tries to combat the violence and restore law and order in affected areas.

This violence is taking place during US President Donald Trump’s visit to India. President Trump said that he had heard about violence in Delhi but did not discuss it with Prime Minister Narendra Modi during their talks. Former Karnataka chief minister Siddaramaiah blamed BJP’s Kapil Mishra for the Delhi violence, tweeting that the triggering point of the violence seems to be the inciting speech of BJP leader Kapil Mishra.

“Delhi’s condition is extremely bad. It is saddening as it is India’s capital. I regret that the government is not paying attention to it. Steps should have been taken within a few hours only but it has been two days and now the situation is getting worse,” Ghulam Nabi Azad told ANI.

The lack of control over one’s data in a situation such as this is incredibly dangerous, and even if it hasn’t already been used to target Muslims, there is every possibility that could change in the coming hours and days, unless the situation calms down. It brings to mind the events of the 1984 riots in Delhi, which claimed 3,000 victims, when Sikhs were attacked in a similar manner.

In those riots, mobs were armed with voter lists, ration cards, and even school registrations in order to identify Sikh households. In a modern scenario, all one needs is a smartphone and a chance to look at someone’s car. Even if you cannot identify a person simply by pointing your camera at their license plate (as the tweet purports), looking up this information on a very mobile-friendly site is the work of seconds, and could be a trigger to terrible violence.

What’s the risk?

In the absence of personal data protection laws to protect people’s online privacy, the Government has been increasingly centralising and aggregating government databases to extract economic value. An entire chapter in the 2018-19 Economic Survey of India discussed this in great detail. However, these efforts have little regard for individual privacy and do not seek the informed consent of individuals before their personally identifiable information is integrated or used in these datasets. Further, aside from inter-departmental use and sharing of datasets, the Government is also increasingly making these databases available to third parties and even the wider public. The issue with such unfettered sharing of data, without appropriate consent mechanisms or legal/institutional safeguards, is that the data can be misused in a myriad of ways. For instance, the Vahan database is accessible by Government and external parties under the MoRTH’s Bulk Data Sharing Policy. The purpose of this policy is to help the ministry monetise the data which it has in its coffers and to allow private parties to create solutions and services for their own commercial (or sometimes research) interests. However, in this instance, we have observed the risk of how such Government projects can be misused and can threaten the security and fundamental freedoms of minority and at-risk groups.

Internet Freedom Foundation Representation

Deeply concerned that government administered databases could inadvertently mobilise threats of violence and public property damage, we have written to different departments of the Union Government and the Chief Minister of Delhi articulating our concerns with the Vahan database and immediate actionable steps that we expect leadership to take. Our requests to the government were as follows:

  1. Immediately stop public and private access to databases like Vahan and Sarathi.
  2. Seek a legal opinion from Union Ministry of Law and Justice on the legality of MoRTH monetisation of these databases in light of the Hon’ble Supreme Court’s decision in the matter KS Puttaswamy (Retd.) v Union of India.
  3. Immediately stop the aggregation of government databases which lead to seamless sharing of individuals’ personal and sensitive personal data without any meaningful consent.
  4. Since several third party developers and private firms have already downloaded this data from the Vahan website and related applications, we urge you to issue an urgent advisory for third party mobile applications to remove their applications from respective mobile stores. It is reminded that these private firms and developers have illegally obtained this information and must be held accountable for their actions. The ministry is requested to take legal action against these private firms and individuals.
  5. Finally, moving forward we urge the Government to immediately issue a notification to ensure that public official usage of such datasets adheres to established principles of access control. Such measures are imperative to prevent misuse and/or abuse of personally identifiable datasets.

IFF will keep track of the situation and follow up if necessary. We would like to thank Srinivas Kodali for his inputs without which we would not have been able to send our representation.

Important Documents

  1. IFF’s Representation to Government requesting they stop the public access and use of Vahan and other similar databases
  2. To read more about the Vahan database, see the issue brief written by Shashidhar K.J.