India’s New Super App Has a Privacy Problem

Tata Neu is the country’s latest do-everything app. When users signed up, their personal information was already there.

Wired

On April 7, Ranendra Ojha, a marketing professional in the eastern Indian city of Kolkata, was looking forward to installing and using the new super app, Tata Neu. Super apps are umbrella mobile applications under which companies offer a bunch of services. But as soon as Ojha installed Tata Neu and signed up with his phone number, he was appalled to see that this newly launched app already had three of his old addresses along with his full name—details he never shared with the app.

As he dug further, Ojha realized that the app seemed to have pulled data from the grocery app Big Basket, which Ojha uses frequently. Like Big Basket, Tata Neu is owned by the almost 155-year-old Tata Group. One of India’s largest conglomerates and a household name, the Tata Group sells everything from salt to software and recently forayed into the world of consumer tech through a slew of acquisitions.

“Frankly, I was quite shocked that Tata had picked up my personal details from one of the apps they owned and used it for this new app,” Ojha says. “In effect they have shared my personal details with the whole Tata Group companies without my permission.”

Another user based in the southern Indian city of Bangalore was equally shocked when he saw multiple addresses (including the address of his old home, where he doesn’t live anymore) and his date of birth already preloaded on Tata Neu when he signed up for it using his phone number and a one-time password. What he found more perplexing was that his wife’s Tata Neu also had her old office address, which he says they never used for any purpose. “Personally I am a very big fan of Tata Group, and there is trust when it comes to the Tata brand,” says Naren, who requested to be quoted under a pseudonym, fearing backlash from the company. “But that trust is lost when they do these sorts of sneaky things under the name of user experience.”

Tata Neu was launched in the first week of April and has had at least 2.2 million downloads. The app houses all of the company’s brands ranging across industries such as ecommerce, financial services, airline tickets, grocery, medicines, and hotels. But the inclusion of preloaded personal data in a new app means that the Tata Group has managed to save customer data across its online and offline companies and create their profiles. According to privacy advocates, this is problematic because it happened without users giving explicit consent and in the absence of a comprehensive data-protection law in India.

The Tatas, with a market cap of over $300 billion at current exchange rates, have had a strong offline presence across a wide range of sectors. But, until relatively recently, consumer tech remained an untapped market. So a few years ago, in a bid to compete with tech biggies like Amazon and Walmart-owned Flipkart, Tata started building its digital profile by acquiring startups like Alibaba-backed online grocery firm Big Basket and medicine delivery startup 1mg, along with an investment in health-and-fitness startup Cult.Fit.

Some customers of these startups acquired by Tata received an email with updated terms and conditions. Others, including the author of this piece, received no email and are unaware of any other form of notice. And while previous privacy policies of these apps vaguely said that they may share customer data with partner companies or other third parties in the event of an acquisition, experts say it’s the lack of explicit consumer consent coupled with the fact that this is data collected from acquired companies which, according to long-time privacy advocate Nikhil Pahwa, makes it “an ethical failure on the part of the Tata Group.”

“All super apps already do this [data sharing] but the difference for Tata Neu is the fact that they have acquired companies and then connected all of this data together,” says Pahwa, founder of digital media portal Medianama. “There is a different threshold of accountability for them, because customers who were using an app or service before acquisition naturally didn’t expect that the data would be linked to data from multiple different apps when an acquisition takes place.”

In response to queries sent by WIRED, a Tata spokesperson defended the company’s business practices and asserted that it is committed to user privacy and security.

“Respecting and safeguarding our customers’ privacy is vital to our business at Tata Digital. We take great care to maintain the confidentiality of their information,” the spokesperson said. “Tata Digital complies with, and will continue to comply with, applicable data regulations, both in letter and spirit.”

Last year, WhatsApp—for which India is the largest market—updated its privacy policy to require users to accept sharing their data with its parent company, Facebook (now known as Meta). This led to an outrage among its users, many of whom abandoned WhatsApp (if only temporarily) and moved en masse to other messaging apps like Signal and Telegram.

The Competition Commission of India, India’s antitrust agency, soon initiated regulatory action against WhatsApp for the unilateral changes to its privacy policy on the grounds of abuse of dominance. But antitrust and privacy lawyers say it may be difficult to make the argument of unfair policy terms as a form of abuse of dominance in the case of a new entrant like Neu, because it has a relatively small market share so far. “However, if any of the Tata affiliates hold a clear dominance in the markets that they operate in, then any sort of coercive data sharing with Neu could potentially raise competition law issues for that entity,” says Smriti Parsheera, a tech policy researcher with the think tank National Institute of Public Finance and Policy.

Tata’s data sharing is set against the absence of a comprehensive data protection law in India. The closest thing the country has is the now-finalized Data Protection Bill, 2021. But the legislation hasn’t been passed and relies on “informed” consent as one of the main grounds of data processing—meaning companies could still bury alerts about how users’ data could be used under a mountain of legalese while giving people no opt-out beyond not using the service.

“Merely having the new law would not completely solve the problem,” says Parsheera. “But it will create a framework of accountability where the new regulator can take actions, and consumers can seek redress.” The new regulator would also be expected to frame regulations around the tools that can be used to make privacy policies more understandable to users.

Ojha, for one, is not waiting for the Indian government to bring a legal framework for data protection. He decided to delete the app the same day it first resided on his phone’s home screen. “I found it very cumbersome and absolutely zero value addition to me,” he says. “Also, I was uncomfortable that they were using my personal information without my explicit permission.”
