A 30-year-old who tried to apply for the post of a librarian with the Rajasthan government this July was shocked when the state’s information technology department asked for access to his Twitter, Facebook or Gmail accounts as a pre-condition for the application. If he did not wish to share his social media information, the government’s web portal for job applications—Rajasthan Single Sign On, or RSSO—said, he would have to provide both his Aadhaar number and the biometric data registered with the Unique Identification Authority of India.
Thinking it to be the least invasive option, he gave the department access to his Twitter account. The department asked him to authorise the state government to read his tweets, follow people on his behalf, update his profile, post tweets for him and see his email address. It stopped short of seeking access to his direct messages and twitter password.
RSSO is an online platform for Rajasthan’s citizens to be able to access the services of the state’s government departments, such as applying for jobs, paying water or electricity bills, filing RTI queries, seeking an arms licence and applying for admissions to universities, among others. For a total 87 such services offered by the RSSO, the portal seeks citizens’ personal data. One can register using one of five digital identities: through Aadhaar, Twitter, Facebook, Google or the Bhamashah account—a local digital identity provided by the state government, which is linked to the citizens’ bank accounts.
Many lawyers I spoke to believe that the Rajasthan government is violating the citizens’ constitutional right to privacy. In August last year, a nine-judge bench of the Supreme Court in the Justice Puttaswamy versus Union of India case ruled that privacy is a fundamental right. It said that privacy rights included “informational privacy”—information and facts about the self of a person and their communications. The judges observed that any restrain to privacy by the state can only happen after a state legislation has already defined the purpose, proportion and reasonableness of data collection. The data collection being pursued by the state government does not seem to be following these guidelines.
The privacy rights lawyer Ujwala Uppaluri described RSSO’s requirement as “suspect.” She asked, “Is it really necessary for them to see my high school drunken pictures on Facebook to decide if I’m a good person to work in this or not?” The requirement, thus, seems far from reasonable.
The Delhi-based lawyers Apar Gupta and Amba Kak also found the RSSO’s exercise to be in violation of the privacy judgment. Both felt that the RSSO was seeking disproportionately more information than it needed.
The lawyers’ apprehensions seem legitimate. Those logging in using their Aadhaar numbers are not only asked for their username, age and address but also consent to share their biometric. A pop-up window asks the user to approve the following: “I hereby declare that I’ve no objection to subject myself to an Aadhaar-based verification system, and for Aadhaar-based verification/eKYC, I agree to give my Aadhaar number, biometric and/or OTP. I give an unambiguous consent to fetch my mobile number and email from the Aadhaar system. I already have a valid Aadhaar OTP (one time password).”
One has to consent to RSSO receiving their public profile when using Google or Facebook. Those logging in through Google are told: “Google will share your name, email address, and profile picture with rajasthan.gov.in.” Those using Facebook are told: “Rajasthan Single Sign-On will receive your public profile and email address.” For Twitter, the state government goes a step forward, seeking near complete control of the handle as the 30-year-old experienced.
Kak believes that merely asking for a person’s consent does not absolve the state government of collecting disproportionate data. She said that the consent needs to be an informed and meaningful one which “includes the capability to withdraw the consent.”
Gupta told me that the data collection for employment purpose has to be limited to the requirement of eligibility and suitability for a particular job. “Suitability can’t be tied with a person’s social media posts and their online activity,” he said. “Because a lot of correspondence a person is doing will not fall within the ambit of public expression which is prohibited by a lot of service rules on government matters.”
The nine-judge bench, while quoting a planning commission report, had observed that before seeking consent for collecting an individual’s information, the data collector should give notice to the person explaining the purpose of the exercise. I went through some of the public advertisements for present vacancies with the state government, and found that none of the advertisements mentioned the requirement of sharing of digital identities, or what purpose this information could serve for the state government.
Uppaluri also told me that the government’s attempt to access social media data and assimilate the process in the recruitment of its employees may also lead to discrimination based on a candidate’s political affiliation or social background. “You cannot force a particular ideology on applicants of a government job,” she said. “If you screen to be selective, so that you can choose upper-caste Brahmin over Dalits, that’s an anti-discrimination point.”
To find out whether the state government has drafted any law that clearly explains the legitimacy of state interest in collecting data through RSSO, its reasonableness and proportionality of the exercise, I tried to speak to all the secretaries and directors in the department of IT and communication who are responsible for the data collection, its processing and storage. But I kept being redirected to their juniors. I also looked into various recent circulars and orders issued from the IT department. I couldn’t find any document that explicitly mandated the data collection and its purpose.
RSSO is one of several other government applications developed, managed and run by a state government company named Rajcomp Info Services Limited, or RISL. The company was set up on 27 October 2010 and is the state-designated agency for implementation of projects under the national e-governance plan, a central government policy approved in 2008 to set up data centers and digitise government-to-citizen, government-to-business and government-to-government transactions.
RISL is governed by a ten-member board of directors that include six high-ranking Indian Administrative Service officers, an Indian Foreign Service officer, a finance professional and two academics. The IAS officers are Pawan Kumar Goyal, additional chief secretary to the state urban development department, Khemraj Chaudhary, additional chief secretary to fisheries department, Akhil Arora, principal secretary to IT department, Kunjilal Meena, secretary to panchayati raj department, Manju Rampal, secretary to finance department and Archana Singh, member of audit committee who is on leave. Other directors include IFS Uday Shankar, the physics professor Sudhir Raniwala, the computer science professor Rahul Banerjee, and the finance professional Neelesh Sharma.
Arora, whose department manages the website, did not respond to my calls and text messages sent to him on 28 July. But, on his behalf, a deputy director identifying herself as Vinita Srivastava called me up on the same day to tell me that Arora was in a meeting and that he had asked her to talk to me. I asked Srivastava if the state government has drafted any law or issued any order before starting to collect the data through RSSO.
Srivastava claimed that there was a state law that legitimised the data-collection exercise. When I asked her to name the specific law or guide me to find it on the ministry’s website, she said, “I will recommend officers and ask them to call you up. They can give you information in detail.” No officer called me up. My subsequent calls and text messages to her went unanswered.
When I tried to speak to the second-in-command at the IT department, officer-on-special-duty YK Maurya, he asked me to speak to his deputy Ashutosh Deshpande who in turn sent me back to Maurya. Rajeev Gujaral, the project officer, told me that he did not have the authority to answer whether any law preceded the exercise. He said the IT department only collected the name and age of an individual from her social-media profile. However, when I sent him a screenshot of the consent window over Whatsapp, he said “agreed but as clarified only name, gender and DOB (date of birth) is shared by them (social media websites).”
The two academic members told me that they were only there to give their expert opinions for various projects but did not know who collected, stored and maintained the data.
The question of the data’s security also remains as one of the RISL’s directors Archana Singh, who is supposed to handle security audits, has been on leave indefinitely. Clicking on “security audit” on the website does not link to any page. Maurya had told me that no outsider was involved in storage and maintenance of the data, though in April this year the state government issued a tender for selection of an agency for providing technical support services for Rajasthan’s Unique Identification project.
The IT department is held by Chief Minister Vasundhara Raje whose office did not respond to my queries.