Data generated by mass campaigns
The case of a public consultation around “over‐the‐top services” and net neutrality in India.
Context
In April 2015, the Telecom Regulatory Authority of India (TRAI) launched a public consultation around “over-the-top services” and net neutrality in India. In response, a group of net neutrality activists started a campaign - Save the Internet, to mobilise the public to respond to this consultation, and advocate for net neutrality in India. The campaign was far-reaching, and managed to engage large groups of people in caring about net neutrality, through light-hearted posts like “Why does #SavetheInternet hate free?”, and using innovative campaigning tactics like gathering memes for others to use, and funny videos explaining net neutrality. As a result, the campaign resulted in over 1 million emails sent in response to the public consultation in just 12 days- far surpassing the number of emails ever received by the TRAI previously. They reached their advocacy aim, mobilised a massive population to speak out against suggested proposals that would have violated net neutrality, and made their opinions strongly known to the TRAI, the group that would be deciding upon the future of the internet in India.the challenge
But unfortunately the campaign took an unexpected turn. After receiving over 1 million emails, the TRAI took the decision to publish all names and email addresses of the people who had written to them as part of the campaign, on their website, organised by date sent.
In one single PDF file, they published in cleartext, personal details of all of the engaged citizens who had chosen to take part in the public consultation. They also published the content of the emails they had received – so people emailing them with personal information in their email signature, also had that published online.
As a result, over 1 million email addresses, together with associated names, and the dates they emailed the TRAI, were made available on their site. Essentially, the TRAI created a treasure trove for spammers or those interested for whatever reason in harvesting large datasets of people’s names and details.
In response to this, a group identifying as an Indian spinoff of Anonymous, AnonOpsIndia, carried out a DDOS attack against the TRAI site, managing to bring it down for two days, though the TRAI denied any such hack, and said the site was down due to ‘technical glitches’.
lessons learned
The volunteer-based group coordinating the Save the Internet campaign could not have known that the TRAI – a government entity charged with protecting consumer interests – would have taken the bizarre, and dangerous, move of publishing the emails they received. The public responded to the decision online, and TRAI faced huge criticism for publishing the information.
In response to the backlash they received for publishing the data, the Indian Express then reported the TRAI as saying:
Their attitude towards publishing personal information, then, seemed to be that of an ‘opt-out’ of publishing, rather than opt-in. In the absence of more technically literate policies and responses from government agencies, it’s difficult to envision what could have been done differently in this case.
For future campaigns, Save the Internet advise people to do as the TRAI says, and ‘opt-out’ in their emails responding to public consultations – but a consultation has not yet been completed since then, so there’s no proof that they will indeed take note of those who choose to opt-out.