Website of IRCTC, a subsidiary of the Indian Railways, is one of the biggest e-commerce portal in India so much that around 1.2 crore (~ 12 million) tickets are booked on the IRCTC website every month.
The website has around 3 crore registered users and about 60 million visits every month. That’s around 2 million site visitors every day, and IRCTC issues 700,000 tickets on average each day, which adds up to massive 100 terabytes of passenger data piled each year — name, age, phone numbers, gender, meal preferences, their income bracket, if they have a physical disability, or fall under the defence quota.
Shockingly, the government of India is now planning to sell this data to the highest bidder, which will be unknown third parties despite of the fact that unlike European Union`s law of GDPR, India DO NOT have any data protection and privacy law.
This is a rare instance where a government is tapping the data potential of one of its own department and it is also be noted that this is the first instance of the possible privatisation of citizen data, by a government department, to earn a profit.
“The Indian Railways is one of the largest data creators in the world. It has to handle a large volume of data which needs to be used wisely. Data analytics is a way forward,” said the minister, last month, while inaugurating a round table conference on data analytics for the railways.
Besides this instance of an announcement on selling citizens’ data, Prabhu had earlier talked about this in his Rail Budget presentation of year-2016, and then too he had said that the railways is exploring possibilities of monetizing user data. “Though Indian Railways, as an organisation, collects over 100 Terabytes of data every year, yet it is hardly analysed to gain business insights,” he said.
It is to be noted that privatization of data is part of Indian Railways’ plan of disinvestment of IRCTC.
Passenger reservation data of trains, passengers, earnings, utilisation of trains, class wise occupancy, waiting lists and passenger profile are also available in e-ticketing system.
“The Indian Railways is one of the largest data creators in the world. It has to handle a large volume of data which needs to be used wisely. Data analytics is a way forward,” the minister had said.
“Data itself is of no use unless it is tabulated into something,” added the railway minister not knowing the ethics of selling users’ data only with the consent of customers/passengers and without compromising their privacy.
According to Railway officials quoted in the Huffington Post, the monetisation of railway data has been in the works for a while. Moreover, the Rail officials have even spoken on ways to collaborate with private companies like Ola and Uber.
“Based on a passenger’s booking history, she can get a message offering an Ola or Uber cab on reaching New Delhi railway station. We can also offer food options or a booking for National Museum or Rail Museum through the site,” an officer in the ministry told Times of India.
Vasant Dhar, a data scientist and professor at the Stern School of Business and the Center for Data Science at New York University, said in a statement to Huffington Post, “when a passenger gives the railways her data, she doesn’t expect the data to be sold further for profit. Sharing IRCTC data as part of a disinvestment deal would mean that data given to the railways as a custodian would be passed on to unknown third parties.”
According to IT Security Act 2000 (Fairly open ended law) Storing/Sharing/Selling of health, banking, passwords & Identity data has to be ONLY with the user consent, else one can be dragged to court of law however in this case it is the government itself.
Data Breach in India By Government & Other Entities
In 2016, in India’s biggest data heist, the IRCTC database got leaked with the information of around 1 crore people was feared stolen. IRCTC officials feared that personal details including phone numbers, date of birth and other such details of its customers have been sold in a CD for Rs 15,000 for whosoever was interested.
Earlier in March, Prime Minister Modi’s own app ‘Namo App’ was also accused of giving users data to a company outside the country. It was then denied by govt agencies and the case was set aside without doing any investigation further despite of the fact that many media outlets, with the help of experts, were able to identify the loopholes and found the data privacy breach to be true.
Later in May, Alibaba-backed PayTM was also alleged to have had given users’ data to Prime Minister’s Office, without the consent of its users but it too set aside without any satisfactory clarification.
In the same month, IT media cell of India’s political party in rule, Bharatiya Janata Party (BJP), in Karnataka has also admitted to use the behavioural aspects of social media users to influence potential voters, which is exactly like Cambridge Analytica’s deeds of past.
In August 2017, whistle-blower agency Wikileaks released a report wherein it stated that US-based Central Intelligence Agency (CIA) is using tools devised by US-based technology provider Cross Match Technologies for cyber spying that may have comprised entire database of India’s Aadhaar having data of over 1.2 million Indian citizen.
[Top Image – Jen Persson’s blog]