Stinging facts

The controversy over e-payments company Paytm’s alleged sharing of user data with the government raises larger concerns about digital data privacy.

Published : Jun 06, 2018 12:30 IST

Paytm grew exponentially during demonetisation in November 2016 when e-payments became the order of the day in a cashless society.

In a sting operation conducted by the online investigative portal Cobrapost, India’s popular e-payments company Paytm suggested that it might be sharing user data with the government. While the company later denied sharing any information with third parties, the reputation of this start-up, which saw overnight success, has suffered a nosedive. “As a Paytm user, this incident erodes my trust in its services, especially because Paytm holds sensitive financial information about its users. As a payment service provider, the most important unique selling proposition should be trust. Paytm is no longer a trusted brand,” said a user, requesting anonymity.

Ajay Shekhar Sharma, senior vice president and younger brother of Paytm owner Vijay Shekhar Sharma, was caught on camera revealing that he had received a phone call from the Prime Minister’s Office asking for user data in the aftermath of a stone pelting incident in Jammu and Kashmir. “They must have thought some of the stone pelters were Paytm users,” he told senior journalist Pushp Sharma, who was posing as “Acharya Atal”, an agent of the Sangh Parivar.

Earlier this year, Cobrapost had conducted a series of sting operations, codenamed Operation 136, on 25 Indian media houses and one digital payments company, asking them to promote Hindutva in exchange for huge sums of money. Most of the organisations fell for the ploy and some of them even made proactive suggestions on how to go about the promotion. The videos of the sting operation were released on YouTube in tranches, creating a furore on social media, but faced a near-total blackout in the mainstream press.

The video of the Paytm sting operation opened with “Acharya Atal” making a “pitch” to vice president Sudhanshu Gupta at Paytm’s Noida office about promoting the Bhagavad Gita. In turn, Gupta made known his political affiliations and explained how Paytm had been promoting Narendra Modi’s recent book, Exam Warriors, on the home page of its app. In the second meeting, Gupta was accompanied by Ajay Shekhar Sharma, who revealed his closeness to functionaries of the Sangh and named Sangh spokesperson Arun Kumar, S.K. Mishra, Panchajanya editor Praful Kelkar, Krishna Kumar, Union Minister Narendra Singh Tomar and Madhya Pradesh Chief Minister Shivraj Singh Chouhan. Ajay Shekhar Sharma went on to say that he had attended the Rashtriya Swayamsewak Sangh (RSS) shakha as a child, and that the RSS was “in his blood”. He explained how Paytm had placed large advertisements in the RSS mouthpiece Panchajanya [to finance the organisation]. “Some of the work we have been asked to do, I can’t even tell you,” he said. He seemed suspicious as to why the Sangh had not approached him directly, but reiterated that if the RSS wanted him to do something, there was no question of him not obliging. The meeting ended with Ajay Shekhar Sharma stating that he would personally tell Mohan Bhagwat [about promoting Bhagavad Gita for the Sangh] because “he should know”. Ajay Shekhar Sharma’s Twitter profile has photographs of him posing with Uttar Pradesh Chief Minister Yogi Adityanath, Union Minister Nitin Gadkari and Shivraj Singh Chouhan, among other BJP functionaries. If the sting operation is indeed proved genuine, it raises serious questions on the proximity between a corporate like Paytm and the Sangh Parivar.

In response, Paytm denied sharing user data with any company/any government or any country, and tweeted: “There is absolutely NO TRUTH in the sensational headlines of a video doing rounds on social media. Our users’ data is 100% secure and has never been shared with anyone except law enforcement agencies on request. Thank you for your continued support.” However, Paytm users found this response unsatisfactory, and the company faced a massive backlash on social media with queries such as: “More importantly will a user be notified when a government request is made? What kind of policy does the company follow regarding a warrant? I need more details as a user. Plus, is Paytm saying that the company’s own VP is lying? If so, whose word should I trust?”

Paytm, which reportedly had over 200 million subscribers, grew exponentially during demonetisation in November 2016 when e-payments became the order of the day in a cashless society. While most people were caught off guard by the 8.15 p.m. announcement made by Prime Minister Narendra Modi on November 8, the next day’s newspapers carried full-page advertisements by Paytm welcoming the move. Post-demonetisation, when ATMs ran out of cash, Paytm’s money transfers and Quick Response (QR)-based transactions saw an upsurge in activity. Paytm advertisements carried visuals of Modi, giving the impression that he was endorsing the company, a move that drew much criticism and which forced the government to issue a statement that they were sending notices to Paytm and Reliance Jio for using the Prime Minister’s image without permission. Paytm recently received its licence to operate as a payments bank and is already a large e-tailer, offering products and services that rival the likes of Amazon and UrbanClap put together. Paytm’s target is to amass an audience of 500 million by 2020.

Meanwhile, the reaction to the videos revealed the larger problems facing Indian media, where print and television en masse boycotted the news value in the Cobrapost sting operations. Most peculiar was the case of Economic Times, which ignored all the sting videos on media honchos (including its own managing director and Times Group owner Vineet Jain) but carried a report on Paytm on ET Rise, a “Times Internet product” on start-ups and small and medium-sized enterprises (SMEs). Less than 12 hours after the report was posted on its website, it was taken down. Later, the Times Group claimed that it had been conducting a reverse sting on Pushp Sharma.

The ethical dilemma in reporting sting operations notwithstanding, the near-total absence of dialogue around the operation or intent to further probe for themselves the veracity of the claims made in the tapes, does not reflect well on the credibility of Indian media houses. Not one of the two dozen media organisations “stung” by Operation 136 has sought to conduct an internal probe on the allegations raised.

Only recently, several media houses had published news reports on a sting operation carried out by the Al Jazeera channel which claimed that India was part of three Test cricket matches where the pitch had been fixed, following which the anti-corruption units of the Board of Control for Cricket in India (BCCI) and the International Cricket Council (ICC) decided to investigate the matter. While one could argue that Al Jazeera was a larger and more credible news source than Cobrapost, conducting independent research could only throw light on the truth.

Besides, there were other instances, such as the Radia tapes, where sting operations got coverage in the mainstream press. In that case, the ethical dilemma was higher as the source or sting operator for the audio recordings was unknown. A few Paytm users who tried to permanently delete their data on the app found that they could not do so. Likewise, Paytm’s insistence on users’ Aadhaar details for Know Your Customer (KYC) verification has also unsettled many users. Despite the Supreme Court’s order that Aadhaar is not mandatory, companies such as Paytm and other service providers continued to insist on linking Aadhaar numbers. It is a matter of great concern that even if a user wished to delete his/her Paytm account, the data would not be deleted and risk becoming a permanent repository in the hands of the private player.

Global data privacy crisis

As the use of digital systems grows, concerns over digital data privacy and breach plague not just India but countries across the world. A joint study conducted by ASSOCHAM and Ernst & Young, titled “Strategic national measures to combat cybercrime”, noted that mobile frauds were areas of great concern for companies, as 40-45 per cent of financial transactions were carried out through mobile devices and this threat was expected to grow to 60-65 per cent by 2017. Facebook founder and CEO Mark Zuckerberg had to appear before a United States Congressional Committee and apologise for failing to stop data mining firm Cambridge Analytica, said to be affiliated to Donald Trump’s presidential campaign, from accessing the personal data of 87 million people in a bid to influence elections. “That is the kind of challenge we are up against today,” said cyber security expert Rakshit Tandon to Frontline.

The European Union recently introduced a forward-looking law on data privacy, known as GDPR (General Data Protection Regulation). It applies to all companies processing the personal data of data subjects residing in the E.U., regardless of the company’s location. It recommends a fine of up to 4 per cent of the annual global turnover or €20 million (whichever is greater) on organisations that breach GDPR. It strengthened the conditions for consent, making it easy to access and withdraw, and introduced a slew of data subject rights. Indian Information Technology (IT) and IT Enabled Services (ITES) companies operating in the EU will have to become GDPR-compliant.

It remains to be seen if companies such as Twitter and Facebook will introduce some of the measures from the EU to other markets such as India. “A digital India should first and foremost have a digital data privacy law in place,” said Tandon, adding that India should also think of emulating such a law. The existing IT Act is not adequate to address the concerns in a digital payments ecosystem. A white paper on a data protection law, prepared by a committee under the chairmanship of former Supreme Court Justice B.N. Srikrishna, was posted on the website of the Ministry of Electronics and Information Technology until January 31 for public comments. The law is under way and expected to be taken up by Parliament in its next session.

Providing a technological perspective, Ajith, an IT professional from Bengaluru, said that there could always be a back door through which data are leaked. “The system is as good as you want it to be,” he said. One could always defend the circumvention of a law by stating it was for the purpose of national security. While digitising transactions was good, a service such as Aadhaar had the potential to create a surveillance state, he said. “Since every transaction you do through credit cards, Paytm or Airtel Money or a minor traffic violation after consumption of liquor is connected to Aadhaar, it becomes easy to create a surveillance state just like Foucault’s panopticon. It’s not a dystopian future but current reality.” China already has a rating system where the day-to-day activities of citizens are observed and tracked, creating a profile for each person. “All your data, including personality traits, are stored and if the system is formalised or institutionalised the way it is in China, then it would become difficult for an ordinary citizen to voice his/her opinion. If I sign a small petition today, it will go into the database and affect my life in extraordinary ways, so I will stop signing anything at all,” Ajith said. Data collection by the PMO or a political party could violate the democratic processes and have much wider ramifications. “Since the digital payments system is still outside the purview of laws in India, it could be misused during election time to circulate large sums of money within the political system,” said a digital securities expert on condition of anonymity.

The Ministry of Information and Broadcasting (MIB) recently invited bids for a controversial project for “creating a social media analytical tool... to collect digital media chatter”. In what is seen as the Indian version of Cambridge Analytica before the 2019 elections, the government bid document appears like an invitation to create the most winnable formula for the ruling party using government resources. “The tool should have the capability to trawl the World Wide Web and social media to monitor and analyse various trends emerging as well as to gauge the sentiments amongst netizens....The tool should act as the guiding tool for MIB to understand the impact of various social media campaigns conducted on various schemes run by the Government of India. In addition, the tool should have the capacity to provide inputs to the Ministry on how to improve the reach of various social media campaigns, how to make a particular topic trending....” It should support several Indian and foreign languages and be able to extract sentiment along with context from the content. A team of 20 social media executives would engage and monitor social media 24x7 while one executive in each of the 716 districts would be deputed to collect regional media and local event data. The platform should have “listening and responding capabilities” to 15 platforms including Twitter, Facebook, LinkedIn, Playstore and even emails.

While dismissing fears that the government was trying to act “big brotherly”, Saket Modi, CEO and co-founder of Lucideus, a cybersecurity services company that also works with the government, said that there was no way that large Internet companies such as Facebook, Google and Twitter were going to give the government blanket approval to be able to see the private data of their users. “Whoever mentioned emails in the bid document, according to me, doesn’t understand the intricacies behind the way this works. Any traffic between your browser and the website is encrypted and cannot be viewed by others. This auction is only for public posts on various social media platforms where the individuals have already consented to a few posts to be open to public viewing. I don’t see a problem in that. However, it would be a problem if it included private posts, which I don’t think it does,” he told Frontline.

But the bid document does not make it clear that private data mining is excluded. According to a senior data analytics professional, who requested anonymity, Indian tech firms might have kept away from the bidding process as they were apprehensive about its snooping and hacking implications: “The government had to repeatedly extend the deadline for the bids as it did not even receive the minimum three bids from the Indian firms and it has now opened up the auction for foreign firms. Indian tech companies are thinking, what the government wants is not only illegal but also impossible. So no surprises as to why nobody came forward,” he said.
