Why the Uber-IAF deal is problematic
On October 17, the Indian Air Force (IAF) signed an MoU with Uber to “provide reliable, convenient, and safe transportation services for IAF personnel, veterans and families.” The services provided would be for official travel and daily commutes. In September 2023, the Indian Navy had signed a similar MoU with Uber. Service members must provide their names, email IDs and mobile numbers and similar details of their family members to avail themselves of Uber’s services.
Many cybersecurity experts have raised serious concerns over the potential risks of entrusting sensitive data of military movements to a private, foreign company. Beyond basic personal details, over a period of time, the data could reveal travel patterns, place of posting, real-time geolocations, family and dependents’ place of work and routines. There are major security repercussions when a single company holds personally identifiable information of thousands of military personnel.
The Indian Air Force has sought to justify the signing of the MoU. The Sunday Guardian has reported that highly placed sources have stated that such agreements with foreign-based entities are planned in a holistic manner, ensuring that no data breach could happen while the data is being stored using 256-bit Advanced Encryption Standard (AES-256) encryption. Arguments have also been made that the personal data of military persons is already held by a host of companies like Amazon, Zomato, Blinkit, etc., and that, therefore, there is no additional risk with Uber.
In analysing this dispassionately, two key questions must be answered. First, what is the link between personal data and national security? Second, what do we know about how private companies handle personal data?
We often look at personal data from the lens of privacy, but it has significant national security implications. Every click, search, purchase and social media post creates personal data. The smartphone is a repository of biometrics, health data, real-time location, financial transactions and secret conversations. All of this data is analysed to create a psychographic profile of individuals, with deep insights into people’s personalities, values, beliefs, ideologies and emotional triggers.
Technology companies monetise this data by using it to create detailed profiles that enhance ad targeting, personalise services and improve product offerings. Hostile powers use this data to design highly effective disinformation and influence campaigns.
At an individual level, adversaries could mount psychological operations harassing specific military personnel and their families to sow fear or create stress within the ranks, potentially undermining morale and operational readiness. Collectively, specific demographics and ideologies could be targeted to develop tailored messages that resonate with particular groups, turning small societal divides into chasms.
In the 2016 US elections, Russia’s Internet Research Agency used Facebook and other social media to target specific groups, exploiting data to craft divisive messages on sensitive topics like race, gun rights and immigration. Personalised ads reached susceptible individuals, amplifying divisions and swaying public sentiment.
Similar tactics have been observed in events worldwide, such as during Brexit, the incitement of violence against the Rohingya in Myanmar in 2017, misinformation on vaccines during the Covid-19 pandemic and the Hong Kong protests of 2019. According to experts surveyed for the World Economic Forum’s 2024 Global Risk Report, the number one risk identified for India was misinformation and disinformation.
We now turn to the second question on data handling. Data breaches are common. Uber has suffered data breaches in 2014, 2016, 2020, 2022 and 2023. While encryption is essential to protect data, it does not provide fail-safe security. According to Verizon’s 2023 Data Breach Investigations Report, 74 per cent of the breaches involved the human element, which includes social-engineering attacks. Social engineering in hacking refers to the use of psychological manipulation to trick individuals into revealing sensitive information or granting access to restricted systems and encrypted data.
Another critical issue is the storage location of the data and who has access to it. India passed the Digital Personal Data Protection Act in August 2023. The Act stipulates that the Central Government may, by notification, restrict the transfer of personal data by a data fiduciary for processing to such country or territory outside India as may be so notified. The rules have not yet been notified and, currently, there is no restriction on transferring personal data abroad except in some sectors like finance and insurance.
Foreign companies are bound by the laws of their home country, which means that they could be compelled to give data of Indians held by them to their government. For instance, China’s National Intelligence Law of 2017 requires any organisation or citizen to support, assist and cooperate with state intelligence work. This law effectively requires companies to provide access to data, technology or any resources necessary for national intelligence operations.
Similarly, the US Clarifying Lawful Overseas Use of Data (CLOUD) Act, enacted in 2018, stipulates that US law enforcement agencies can access data stored by US-based companies, even if that data is held on servers outside the United States.
The commercial practices of tech companies further exacerbate these risks. Personal data held by companies is often sold to other companies and data brokers. For example, Meta (formerly Facebook) has faced multiple fines for privacy violations. In the shadowy world of data brokers, personal information is aggregated from various sources and freely traded. US intelligence agencies have admitted to buying personal data from brokers to assist in surveillance efforts.
Against this backdrop, the military must regard personal data with a level of seriousness and responsibility far exceeding that of private companies, which often view data as a mere asset for profit generation. The core mission of the military is to safeguard India from threats across all fronts — land, sea, air and, increasingly, the digital domain. Consequently, it is imperative that the military takes the lead in establishing and enforcing the highest standards for data-handling, prioritising security and confidentiality above all else. This is where the Uber MoU is problematic.