Deep Dive: Why Ola is facing criticism for publicly sharing a customer’s telemetry data

Seven key reasons why what the EV manufacturer did is problematic.

Delayed deliveries, buggy software, and scooters catching fire are just some of the many issues that Ola Electric is embroiled in, but as if this weren’t enough, the company has invited more criticism by publicly sharing the speed and braking data of a customer who alleged that his Ola scooter’s faulty braking system led to an accident.

The public sharing of this data of the customer without consent has led to a barrage of tweets criticising Ola’s privacy practices, and experts who spoke to MediaNama also explained what could possibly go wrong with Ola (and connected vehicles in general) collecting such detailed data in the absence of a data protection law.




What personal data did Ola release publicly and why?

On April 15, Balwant Singh took to Twitter to complain that his son Reetam Singh met with a serious accident because of a fault in the Ola S1 Pro’s regenerative braking system that caused a sudden acceleration while braking for a speed-breaker. The accident left his son with a fractured left hand and multiple stitches on his right hand, Singh tweeted.

Following Singh’s allegations, many on Twitter raised serious concerns about the safety of Ola scooters. This backlash prompted Ola to release a public statement on April 22 (shown below), in which the company said the accident was caused by the rider overspeeding, braking in panic, and losing control of the vehicle, and not because of faults in the scooter’s braking system as alleged by the customer. “There is nothing wrong with the vehicle,” Ola said.

To make its point, Ola shared graphs depicting various speeds at which the driver was driving for the 30 minutes leading up to the time of the accident as well as when the brakes were applied. 

How is this personal data?

“The person involved in the accident (Mr Balwant’s son) can be identified from certain publicly available communications. So if it is possible to identify who the person is, any information relating to that person is personal,” Lalit Panda, Senior Resident Fellow at Vidhi Centre for Legal Policy, told MediaNama. Moreover, Ola’s privacy policy has also classified telemetry data as personal data.

Why is Ola sharing this personal data problematic?

1. Public sharing of data without consent

Many on Twitter did not object to Ola collecting this data (as it’s common in electric/connected vehicles), as much as they objected to Ola’s decision to share it publicly without consent from the customer.

“This is remarkably poorly thought out by Ola. It seems that they’ve taken not just the right to track customers but also publicly disclose data about customer behaviour. If they haven’t taken these rights in their privacy policy then this is a violation of privacy. This disclosure basically tells customers that Ola doesn’t just track you. It also reserves the right to publish data about your riding behaviour and share it with the world. Essentially, they’re doxxing customers, and can do this to anyone,” — Nikhil Pahwa, Editor at MediaNama

“Privacy violation is not a joke. Doxxing by companies is a serious offence. If we could allow this today, what would stop Meta from sharing your WhatsApp conversations just to destroy your credibility in public so that you don’t raise your voice ever again?” Balwant Singh asked.

In an email sent to Ola, Singh has threatened legal action against the company for sharing this data without consent.

“Ola and I had signed an Agreement of sharing data only for your private access. This posting of telemetry data online in public medium is breach of privacy agreement between me the User and Ola Electric, the Seller. When I had a talk with Ola Executive Mr. Chandan Kumar to share the data with me, he had insisted that this data was proprietary of Ola Electric and could not be shared to others or 3rd Parties. Yet you violated your own terms and conditions and revealed the data to all,” Singh said in his email to Ola.

Privacy researcher Anand Venkatanarayanan compared the incident to the misuse of data on smartphones by a service center:

“Now imagine you have a smartphone that overheats and you give it to the service center. And you and the smartphone company have a dispute about some aspect of the smartphone. You are angry and said some things in social media. Then the service center puts your phone pics in public domain to show, you are a drunkard (you have beer pics) using the PIN you shared. That is exactly what had happened here. EV is a big smartphone w/ battery running on wheels. It has a hard disk, OS and ideally what happens inside it should stay inside it. Kind of like Apple iPhone.”

“Vendors are permitted to store and use data only for specified purposes. Any use beyond such purposes is a violation of the terms on which the user has permitted a conditional waiver of their privacy. The public display of such data while identifying the individual user violates those terms. However, if the same data of an individual user was sought by a court of law after due process, then the revealing of such data would be legal,” Supreme Court advocate Nikhil Mehra told MediaNama.

But not everyone thinks Ola was wrong in sharing this data. “Should they have done it? One can assess against ideal data protection norms, under which they would have to show whether they asked for consent when collecting it, what purposes they highlighted in the consent form, and whether it includes public disclosure of such data in the case of an accident. Arguably, if a company faces allegations regarding faulty machines, there might be fair reasons to allow it to publicly communicate data that contradicts the allegations,” Lalit Panda said.

2. Defamation

“If they wanted to disclose that the customer was speeding at the time that the accident happened, what’s the rationale behind disclosing that the customer was speeding prior to that as well? That’s basically a means to attack the customer’s character,” Pahwa remarked.

3. Accuracy, validity, and completeness of data

Many people, including Reetam Singh, have raised questions about the accuracy of data provided by Ola. Some of these doubts about the numbers arise because many Ola users were not able to get the range advertised by the company. “Can’t trust Ola unless this data is independently verified. Ola lied multiple times on range etc, so can’t say if they’re lying about this,” Sreejesh Suresh tweeted.

But even more crucially, Srikanth Lakshmanan from Cashless Consumer claims that Ola’s speed estimate is not entirely accurate because the scooters use GPS for calculating the same rather than a traditional speedometer. If you’ve ever used a GPS smartphone to track runs, you will know that the speed is not entirely accurate and can be affected by tree cover or tall buildings.

Lakshmanan shared a YouTube video that compares Ola’s displayed speed with the speed shown on GoPro’s GPS-based speedometer. Ola’s speed appears to be inflated in this case. While the GoPro’s speedometer could also be inaccurate, Lakshmanan thinks that the calibration in Ola is more likely wrong because there are several pieces of customer feedback on this. In its testing of the vehicle, Autocar also found discrepancies between the speed shown and the actual speed observed using alternate methods. Another Twitter user pointed out that the graph shared by Ola is not accurate. “That x-axis raises more doubts than it clears,” the person said.

Furthermore, Aswin Raj pointed out on Twitter that “relying on speed data alone is absolutely absurd” and “throttle position and brake sensor data need to be included.” “There is also no reason to believe that it is the only outcome-determinative data to the entire event. There may be surrounding circumstances, of topography, of conditions of the road at relevant time that have not been accounted for in the data that they presented,” Nikhil Mehra said.


Reetam Singh told MoneyControl:

“For 10 days, the scooter was with you (Ola Electric). How do I know the data of the scooter was not tampered with during that period? Where is the opportunity to challenge this data? If this was done in my presence — like if they opened the scooter and investigated in front of me — I would not have questioned the legitimacy of the data.”

4. Perverting legal proceedings

Anand Venkatanarayanan raised a different set of concerns with regard to the legal validity of such data. What evidence is there that this data is real and not made up? Can Ola prove that it has not been tampered with, Venkatanarayanan asked.

He further explained that when smartphones are seized by the police, they have to give the suspect a panchnama with cloned hard disk and hash code of the phone. “So if Ola wants to use the data to prove you oversped and hence died (and hence was denied compensation), then to prove the data is really authentic, they have to do the hash code thing,” Venkatanarayanan said.

Financial Express journalist Salman SH pointed out how aeroplane black boxes are not published in public before being presented in a court.

“In this amplification, they get a presumption of truth that they will not otherwise get in a court of law. Because in the court of law, the data, the method of recordal of the data, storage, its usage, everything will have to be approved separately. So the question of tampering can be eliminated altogether. How do we know today that they are not, in fact, tampering? What they get is the benefit of the assumption that they do, in fact, store data. And that assumption lends to them a certain authenticity and then they present the data, but we don’t actually know whether it’s tampered with or not,” Nikhil Mehra said.

5. Data not shared with the customer

Even though Ola shared the telemetry data publicly, it has still not provided the concerned customer with a copy of the data despite multiple requests. This has raised questions about who actually owns the data: the data principal or Ola? By getting access to the data, the customer could hire independent investigators to verify

“So this is a misuse of the data that they’ve got. At the very least, it creates an abusive position of disparity between them and others, like normal citizens, who lack the capacity to either verify such data or to equally effectively present their own data. Because there is this disparity it is never to be abused against an ordinary citizen. If this was a court-based matter it will be a different thing,” Nikhil Mehra said.

6. Undesirable sharing with third-parties

By publicly revealing the amount of data that Ola collects and the granularity and the real-time nature of it, the company has spooked potential buyers who worry about how else this data can be used. While in this case, Ola used the data to defend its reputation, the same data can be shared with insurers or traffic police to the detriment of customers.

“This is really terrifying from user’s POV. What if these details are shared with the RTO office and then users have to bear a humongous fine. Users need privacy and we don’t want us to be tracked,” Kishlai Kumar said on Twitter.

“What I am curious about is does this put us customers in a distinct disadvantage considering that the incident report is out in the open. Can this affect the customers’ insurance claim ability?” Karthikeyan Balasubramanian asked. “In the future, Ola’s insurance provider will use this to reject accidental claims,” Anjul Sahu tweeted.

“Imagine a 3rd party, such as a lending company, being able to intelligently guess daily habits of an individual or office and home locations of an individual, based on his/her dwell time at these locations. […] Well, as they say, data is the new oil, customer data can be misused or even compromised leading to all kinds of cyber frauds,” Prashant Jhingran wrote in a LinkedIn post.

7. Will Ola share data on other incidents?

Some users asked whether Ola, having shared data here to argue that its vehicle was not at fault, will also share data in other reported cases of scooters malfunctioning or catching fire unexpectedly.

The legality of the data sharing

“Currently, we don’t have a data protection law since the [Data Protection] Bill has not been passed. The rules under the IT Act are not being enforced and on top of that only apply to sensitive personal data. The vehicle speed and brake data available don’t fall under sensitive personal data. There may be some interplay with profiling but this is again not covered yet. So I don’t think there is much of a question of legality right now,” Lalit Panda explained.

Apart from this, Ola’s collection and use of data are guided by its privacy policy, which, as you will read below, has enough provisions that allow it to collect and disclose telemetry data. And since the customer agrees to this privacy policy at the time of purchase, there is not much room to challenge the company legally for sharing this data. However, there might be other grounds for challenging Ola, such as defamation, or even taking the company to court for the accident itself, in which case the accuracy of the data will likely be examined.

How could Ola have handled it better?

“To use such data to disprove a customer in public, this is almost like saying you are wrong, we are right, here is the data. They are probably entitled to do this because their corporate reputation is at stake here, but it would have better served from a consumer trust point of view if they would directly have taken it to law enforcement instead of taking it public,” communications consultant Karthik Srinivasan told MediaNama.

“Even if a brand wants to go against the customer this is not the right time to do it either because this is a trust-building phase and more like a user education. Just imagine, say Flipkart in 2011-13, they were trying to build the e-commerce industry in India and they were investing in terms of user education, which is where they were trying to help people understand that you can order online, you can pay offline, and that you can just give it back and there is no question on returns, and all those things. So imagine at that stage if there was a problem and they just blamed the user, people would be slightly less interested in e-commerce. Now Ola is not doing any favour for the category benefit and category level user education by blaming the customer in this case,” Srinivasan added.

How would the Data Protection Bill have addressed this incident?

Many on Twitter called for the Data Protection Bill to be introduced soon to prevent such data sharing. The Data Protection Bill does have significantly more stringent consent requirements than the current regime and there is also the requirement to specify the purpose of use. There are also consequences for any violation in terms of fines. But there’s no clarity on whether the Bill would have made any big difference in this case. “If the law were in place, Ola would have been required by law to ask for consent as the other non-consensual grounds may not have applied. The DPA may also have notified profiling from machine usage or location data to be a form of sensitive data (under s.22) or may have notified public disclosure of accident data to be a “reasonable purpose” (under s.17). Either of these could change the course of the case,” Lalit Panda said. But we’re entering into speculation here, Panda added.

What does Ola’s privacy policy say?

What personal data is collected?

According to Ola’s privacy policy, in addition to data like name, address, mobile, financial information, etc., Ola collects the following data, which stands out:

  1. Telemetry data such as performance, operations, usage of Products
  2. Location information, including the GPS location of
    • any person placing an order through the Ola Electric website or mobile application or any other mode
    • while using location-based services through Products and Services
    • addresses provided for providing the Products or Services by us
  3. Details of the vehicle purchased, e.g., vehicle license number, VIN, etc.

“To further improve your Product and safety, to facilitate the (helpdesk) servicing of your Product and to give you insight on your driving behaviour, we will collect certain telematics data from the vehicle. This may include personal information, such as vehicle identification number, and other device related information, such as performance, usage, operation, condition of your vehicle, etc. We collect such information either in person (such as during a service appointment), or via remote access or through App.” – Ola privacy policy

When is telemetry data collected?

Ola collects data when the user sets up and drives the scooter. “Our operating system tracks various vehicle sensor data which we receive real-time in our cloud,” Ola said in its statement on the Guwahati accident.

Why does Ola collect telemetry data?

Ola collects telemetry data for many reasons, including the following:

  1. To provide vehicle support and servicing in an efficient and timely manner
  2. For product development purposes, for example to improve vehicle performance, quality and safety
  3. To comply with legal requirements or lawful authority requests

Ola’s right to use personal data WITHOUT consent

In its privacy policy, Ola states that, “where reasonably practical or as required by applicable law,” it will obtain user consent prior to collecting or using personal information, but that it may use personal data even without consent when there is a legitimate interest or for other reasonable purposes. One of the cases that satisfies these criteria is:

“To enforce or protect our contractual or other legal rights or to bring or defend legal proceedings.”

Ola also has another provision in the privacy policy which states:

“We may also disclose personal information if we determine in good faith that disclosure is necessary to protect our rights, resolve legal conflict, enforce our terms and conditions, investigate fraud or protect our users.” (emphasis ours)

These two provisions might have been invoked in the Guwahati case as the company can claim that it disclosed personal information to protect its rights or investigate fraud.

What rights do users have over their data?

  • Accessing the personal data: According to the policy, users have the right to access a copy of their personal information that Ola holds in a standard form that will be easy and understandable. However, in the Guwahati case, Ola refused to give the customer his personal data. “Generally, we can only deny you your right of access if it concerns the right of other individuals or we have another lawful reason to withhold that information and not otherwise,” Ola’s policy states.
  • Withdrawing consent: Users can withdraw their consent anytime. “We will be bound to stop collecting or processing your data we collect from you solely on basis of your consent. For instance, there are certain data points for which we take your explicit consent like GPS tracking. You can withdraw from GPS tracking anytime by using the App. However, we will accordingly be unable to offer you other services that are dependent on GPS tracking like navigation. Also, we are legally permitted to continue collecting or processing your personal data if we can rely on grounds other than consent to process your information,” Ola’s privacy policy states.

MediaNama reached out to Ola Electric on April 26 for a statement and with a list of questions, but the company has not responded yet.

This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.


MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ