“Congratulations!! Few More Things For Your New Venture!!”
Isn’t this a wonderfully welcoming way to receive an announcement that your company has been registered? But hang on. You have got it all wrong. This is, indeed, the first welcome that every new company receives in Digital India, but it is not the official welcome (if there were such a concept) or confirmation mail from the ministry of corporate affairs (MCA) informing you that your registration is complete.
Ask anyone who has registered a company or a limited liability partnership (LLP) online, and you will learn that a flood of spam calls to your registered mobile number, scores of emails and WhatsApp messages marketing bank accounts, compliance services, rubber stamp-makers, etc, will be your first intimation of formal registration. The official email will reach you a few days later.
If this does not frighten you, then it should. It tells you that there is a fat pipeline stealing all your personal and corporate data, directly from MCA and it is being retailed to hundreds of business entities who see you as their target customer. I use the word steal, because senior MCA officials, when alerted to what is happening, are investigating the data leak. This indicates that there is no formal sanction to release or sell such data.
Techies will jump in now to gaslight this serious issue by tutoring me about how tech companies are able to ‘scrape’ data and build databases to sell your information. Yes, we know about large-scale scraping of data; but when it happens, even before a formal (automated) email goes out of the ministry informing you about the registration, it points to a systematic sale of data at source by those handling government contracts.
It also raises questions about data privacy and whether careless and callous automation contracts of the government are exposing us to risk.
But let me start with a case study of company ‘X’, which I have provided to receptive senior officials at MCA, for their investigation. On 19th July, at around 9.30am, the partner of X LLP received a call from ICICI Bank congratulating him on the new registration and sought an appointment to open an account for the entity. Surprised, he asked the marketer for the basis of his information. “How do you know? We don’t have any official confirmation as yet,” he said. The answer, “We receive this information from the back-end.” That was only the first call. In the next hour, his mailbox had offers from Axis Bank, HDFC Bank, IndusInd Bank, South Indian Bank, Deutsche Bank, Kotak Bank—some of them sent multiple emails through different officials, who were perhaps buying the database independent of one another.
Then there was Filingbuzz which claimed to have “started an association for Start-ups & MSME companies” and provided mentoring, legal consultancy, guidance on a plethora government benefits and financial advisory services, for a fee. There was Falcon Ebiz, Bizz At Ease, H&G Ebiz, My Biz Development and Filingbuddy.in with a similar spiel, with the addition of full complement of compliance services, including board meetings, tax filings and annual reports. There were a couple of rubber stamp and letterhead-makers, a trademark and licences expert who also made a pitch, although it is hard to see how an LLP provides a big business opportunity for them.
There was even an email that showed up as ‘MCA Support’, but was pitching a registration “under Startup India and take benefits from India Government for your new venture…” This, too, was two days before the official confirmation from MCA. The list above does not include innumerable WhatsApp messages and spam calls that he continued to receive.
The email that really mattered—the official communication from MCA—finally reached him at 8.40pm on 21st July, by which time you could hardly blame the businessman, if he had mistaken it for a spam email. As I said earlier, the silver lining to this story is that MCA realises that this level of leakage could have serious implications for the security of its systems; so an investigation has been initiated.
I am more concerned with the manner in which our privacy is being compromised with direct leaks from compromised government databases. As the reporting trustee of our not-for-profit organisation, Moneylife Foundation, I am routinely harassed with calls to my mobile number offering compliance and legal services or those helping you access corporate social responsibility (CSR) funds. The source of the data is a statutory reporting database.
Way back in May 2005, I had written a column in Indian Express (read https://indianexpress.com/article/news-archive/need-for-an-effective-privacy-policy/ ) on the need for an effective privacy policy in which I mentioned serious concerns among leading data security experts about information collected by the tax department, credit information companies and other government-mandated databases (mutual funds, depositories, voter databases).
Eighteen years later, private players seem to have a direct pipeline to government databases, which are part of the mandate of creating a Digital India and offering Ease of Living. In 2005, there was considerable concern over the Securities and Exchange Board of India (SEBI) collecting biometrics under its MAPIN database. Although MAPIN was junked due to protests from the financial sector, there wasn’t a squeak from this very sector when Aadhaar, a national biometrics-based identification project, was taken up without addressing any of the concerns of misuse, cloning, theft etc. The need for an effective privacy law with adequate checks & balances, grievance redress and penalties for misuse has yet to be implemented.
Last week, Deepak Maheshwari, a public policy consultant, posted an article written in 2017 on LinkedIn (https://www.linkedin.com/pulse/privacy-do-you-know-what-did-decade-back-deepak-maheshwari/) where he refers to concerns over cross-border data flow and need for encryption policy as well as CCTV surveillance, that were voiced at a workshop conducted by the ministry of personnel as far back as in 2010. Since then, CCTV installation has been widely mandated by state and municipal authorities, with no progress on the privacy and data protection aspect.
Personal data protection legislation has been going through many iterations and the Digital Personal Data Protection Bill, 2022 has been introduced in Parliament, but data privacy still feels like a distant dream. The biggest threat to our privacy arises from government mandates, wrote Mr Maheshwari, to which, Nandkumar Sarvade, former IPS officer and data security expert, had this sharp response: “In our country, privacy has been the neglected younger sibling of cyber security, which itself is a malnourished child, waiting for the State to start giving it some proper diet.” He says, the failure to put in early ‘guard rails’ for technology-based projects tend to “derail good-intention projects, as they get mired in poor vision and shoddy execution.”
As things stand, the only time that every government department zealously protects personal information is in connection with queries under the Right to Information (RTI) Act. The manner in which sensitive personal data is leaking from MCA makes a mockery of Section 43A of the Information Technology Act (ITA), which, on paper, provides that any body-corporate that possesses, deals or handles any ‘sensitive personal data’ or information should maintain reasonable security practices and procedures relating to such data.
Data is leaking from the government itself and ‘body corporates’ are buying it to market services with no regard to privacy, sensitivity or data protection, endangering everybody who complies with statutory filing and reporting requirements.
In fact, the entire discussion on PDP seems afflicted by MAFA (mistaking articulation for action) syndrome. Narayanan Vaghul, former chairman of ICICI, had coined the term in the 1990s to explain why no final decisions were forthcoming on key issues especially those that impact individual freedom. We will soon complete the first quarter of the 20th century and policy-makers have segued directly to the use of artificial intelligence (AI) without fixing the issue of personal digital data privacy.
Exactly! You're on point man! I have experienced the spam calls and messages after making some registrations online. You actually don't need to go to Nexford or Jupeb before you know it's spam. Those spamers usually get details of contact from the forms you fill, but it's worse in this case. Maybe it's time the nNavy or other authorities know about this new schemes
It is my guess that such data leaks and sale of such data, is happening at the end of third-party service providers. This government has engaged a large number of service providers to capture data of public under its various programmes. Apart from collecting data for government, they are also using the data for analytical and marketing purpose, sometimes even for fraudulent purposes. Only this morning, there is news (https://www.freepressjournal.in/mumbai/fpj-cyber-secure-using-biometrics-collected-at-aadhaar-camp-rs-2-lakh-withdrawn-from-15-villagers-accounts-in-nashik) that 3 employees at an Aadhaar updation camp hacked into bank accounts of at least 15 villagers in Chalisgaon (Nashik district), Maharashtra and illegally withdrew Rs.2 lakhs, using biometric data of these villagers collected at the Addhaar updation camp. Government needs to tighten data collection at such service providers so that data goes only to government servers and service providers are unable to access or misuse it.
I think it is happening everywhere at every layer, be it government deparments, PSUs and even private companies and banks also. I have always wondered how some one comes to know about my travel plans, my investment and my FDs and how I start receiving all sorts of mails, phone calls and SMSs and now Whatsapp msgs from different entities.
It is really scary and we all are severally compromised.
Fiercely independent and pro-consumer information on personal finance.
1-year online access to the magazine articles published during the subscription period.
Access is given for all articles published during the week (starting Monday) your subscription starts. For example, if you subscribe on Wednesday, you will have access to articles uploaded from Monday of that week.
This means access to other articles (outside the subscription period) are not included.
Articles outside the subscription period can be bought separately for a small price per article.
Fiercely independent and pro-consumer information on personal finance.
30-day online access to the magazine articles published during the subscription period.
Access is given for all articles published during the week (starting Monday) your subscription starts. For example, if you subscribe on Wednesday, you will have access to articles uploaded from Monday of that week.
This means access to other articles (outside the subscription period) are not included.
Articles outside the subscription period can be bought separately for a small price per article.
Fiercely independent and pro-consumer information on personal finance.
Complete access to Moneylife archives since inception ( till the date of your subscription )
It is really scary and we all are severally compromised.