Security
Headlines
HeadlinesLatestCVEs

Headline

A Privacy Panic Flares Up in India After Police Pull Payment Data

Nonprofit donors had their information given to law enforcement without consent, highlighting limited data protections in the world’s largest democracy.

Wired
#vulnerability#git

Prasanto K. Roy, a public policy consultant from New Delhi, is worried. In 2017 he began sending regular donations to the Indian fact-checking organization Alt News to support its work countering online misinformation. But on July 5 the nonprofit said that Indian payments gateway Razorpay, which it used to receive donations, had shared its donors’ data with New Delhi police following the arrest of Alt News cofounder Mohammed Zubair last month.

Roy is now hesitant to use Razorpay, saying he is concerned about tech companies handing over data—including his own—to law enforcement without consent. “When a payment gateway gives out donor databases on a police demand that is excessive, that information can be misused by the police or others it could reach,” he said. “India doesn’t even have privacy laws in place yet.”

The full extent of the data that Razorpay shared with police remains unclear, but Alt News said that the data it collects from donors includes phone numbers, email addresses, and tax IDs. A police official told the Hindustan Times that the force is gathering data from banks to cross-reference with the Alt News data.

The investigation appears to be part of an ongoing probe to check whether Alt News received donations from outside of India, after police claimed that the organization’s parent received funds from several other countries, including Pakistan and Syria. Zubair, the cofounder of Alt News, was arrested on June 27 for a 2018 tweet that allegedly hurt religious sentiments, but is also being investigated for other charges, including receiving foreign funds under India’s Foreign Contribution (Regulation) Act, which restricts foreign donations to nonprofits.

While the arrest has spurred many Indians to fear that police are quashing internet freedom, it has also highlighted the limited legal protections on privacy in the world’s largest democracy, which lacks a comprehensive data protection law. The stakes are growing higher as more people in India use the internet for leisure, communications, and commerce. The country’s digital payments market—already at $3 trillion in value—is expected to skyrocket to $10 trillion by 2026, according to Boston Consulting Group.

Razorpay has faced social media backlash and threats of a boycott for sharing donor data without first informing Alt News. “Many donors and fundraisers said they wouldn’t use Razorpay again, and that was my initial reaction too,” said Roy, while adding that perhaps other companies would also have caved under the same pressure from police.

In a public statement on Twitter, Razorpay did not mention Alt News and said that the data shared was “restricted to what was within the scope of investigation.” Razorpay CEO Harshil Mathur tweeted that police were attempting to “determine whether there were any foreign donations or not” and claimed that donors’ tax IDs and addresses were not shared. Razorpay did not respond to a request for comment; Alt News cofounder Pratik Sinha declined to comment.

Indian police obtained the data from Razorpay under section 91 of the Criminal Procedure Code, which allows officials to seek documents or data connected to an ongoing investigation. But criminal lawyers told WIRED that the law gives police considerable flexibility, leaving room for overreach or misuse.

“Section 91 allows the police to make any request for information to any person during an inquiry, and it’s a standard investigative tool,” said Abhinav Sekhri, a criminal lawyer based in New Delhi. “Companies routinely receive such requests, at severe cost, because there are consequences for noncompliance, leaving them with no choice at times.” One such consequence could be an executive facing criminal action and potentially imprisonment, Sekhri says.

Meanwhile, financial technology experts say that even if Razorpay hadn’t complied with the demand to hand over Alt News data, the police could likely have retrieved it from other players in the payments ecosystem. “The source and destination information is stored across the entire chain,” said Srikanth Lakshmanan, a researcher who runs Cashless Consumer, a collective that works on consumer awareness of digital payments in India. “It’s not just Razorpay that will store this information, but also the card issuer and acquiring bank and payment network.”

This broad collection and sharing of data can make privacy in digital payments in India seem nigh on impossible. “The state of privacy in digital payments in India is nonexistent,” Lakshmanan says. The ease with which digital data can be shared and leaked makes privacy challenging around the world, but India’s centralized biometric identity system, Aadhaar, can add extra vulnerabilities, he says. “It’s easy to look for more information in India where a whole range of data sets are cross-linked, giving a much richer profile.”

Wired: Latest News

Bitfinex Hacker Gets 5 Years for $10 Billion Bitcoin Heist