wordpress blog stats
Connect with us

Hi, what are you looking for?

Deep Dive: Why Ola is facing criticism for publicly sharing a customer’s telemetry data

Seven key reasons why what the EV manufacturer did is problematic.

Delayed deliveries, buggy software, and scooters catching fire are just some of the many issues that Ola Electric is embroiled in, but as if this weren’t enough, the company has invited more criticism by publicly sharing the speed and braking data of a customer who alleged that his Ola scooter’s faulty braking system led to an accident.

The public sharing of this data of the customer without consent has led to a barrage of tweets criticising Ola’s privacy practices, and experts who spoke to MediaNama also explained what could possibly go wrong with Ola (and connected vehicles in general) collecting such detailed data in the absence of a data protection law.

Advertisement. Scroll to continue reading.

Dear reader, we urgently need to build capacity to cover the fast-moving tech policy space. For that, our independent newsroom is counting on you. Subscribe to MediaNama today, and help us report on the policies that govern the internet.


What personal data did Ola release publicly and why?

On April 15, Balwant Singh took to Twitter to complain that his son Reetam Singh met with a serious accident because of a fault in the Ola S1 Pro’s regenerative braking system that caused a sudden acceleration while braking for a speed-breaker. The accident left his son with a fractured left hand and multiple stitches on his right hand, Singh tweeted.

Following Singh’s allegations, many on Twitter raised serious concerns about the safety of Ola scooters. This backlash prompted Ola to release a public statement on April 22 (shown below), in which the company said the accident was caused by the rider overspeeding, braking in panic, and losing control of the vehicle, and not because of faults in the scooter’s braking system as alleged by the customer. “There is nothing wrong with the vehicle,” Ola said.

To make its point, Ola shared graphs depicting various speeds at which the driver was driving for the 30 minutes leading up to the time of the accident as well as when the brakes were applied. 

How is this personal data?

“The person involved in the accident (Mr Balwant’s son) can be identified from certain publicly available communications. So if it is possible to identify who the person is, any information relating to that person is personal,” Lalit Panda, Senior Resident Fellow at Vidhi Centre for Legal Policy, told MediaNama. Moreover, Ola’s privacy policy has also classified telemetry data as personal data.

Why is Ola sharing this personal data problematic?

1. Public sharing of data without consent

Many on Twitter did not object to Ola collecting this data (as it’s common in electric/connected vehicles), as much as they objected to Ola’s decision to share it publicly without consent from the customer.

“This is remarkably poorly thought out by Ola. It seems that they’ve taken not just the right to track customers but also publicly disclose data about customer behaviour. If they haven’t taken these rights in their privacy policy then this is a violation of privacy. This disclosure basically tells customers that Ola doesn’t just track you. It also reserves the right to publish data about your riding behaviour and share it with the world. Essentially, they’re doxxing customers, and can do this to anyone,” — Nikhil Pahwa, Editor at MediaNama

“Privacy violation is not a joke. Doxxing by companies is a serious offence. If we could allow this today, what would stop Meta from sharing your WhatsApp conversations just to destroy your credibility in public so that you don’t raise your voice ever again?” Balwant Singh asked

In an email sent to Ola, Singh has threatened legal action against the company for sharing this data without consent.

“Ola and I had signed an Agreement of sharing data only for your private access. This posting of telemetry data online in public medium is breach of privacy agreement between me the User and Ola Electric, the Seller. When I had a talk with Ola Executive Mr. Chandan Kumar to share the data with me, he had insisted that this data was proprietary of Ola Electric and could not be shared to others or 3rd Parties. Yet you violated your own terms and conditions and revealed the data to all,” Singh said in his email to Ola.

Privacy researcher Anand Venkatanarayanan compared the incident to the misuse of data on smartphones by a service center:

“Now imagine you have a smartphone that overheats and you give it to the service center. And you and the smartphone company have a dispute about some aspect of the smartphone. You are angry and said some things in social media. Then the service center puts your phone pics in public domain to show, you are a drunkard (you have beer pics) using the PIN you shared. That is exactly what had happened here. EV is a big smartphone w/ battery running on wheels. It has a hard disk, OS and ideally what happens inside it should stay inside it. Kind of like Apple iPhone. “

“Vendors are permitted to store and use data only for specified purposes. Any use beyond such purposes is a violation of the terms on which the user has permitted a conditional waiver of their privacy. The public display of such data while identifying the individual user violates those terms. However, if the same data of an individual user was sought by a court of law after due process, then the revealing of such data would be legal,” Supreme Court advocate Nikhil Mehra told MediaNama.

But not everyone thinks Ola was wrong in sharing this data. “Should they have done it? One can assess against ideal data protection norms, under which they would have to show whether they asked for consent when collecting it, what purposes they highlighted in the consent form, and whether it includes public disclosure of such data in the case of an accident. Arguably, if a company faces allegations regarding faulty machines, there might be fair reasons to allow it to publically communicate data that contradicts the allegations,” Lalit Panda said.

2. Defamation

“If they wanted to disclose that the customer was speeding at the time that the accident happened, what’s the rationale behind disclosing that the customer was speeding prior to that as well? That’s basically a means to attack the customer’s character,” Pahwa remarked.

Advertisement. Scroll to continue reading.

3. Accuracy, validity, and completeness of data

Many people, including Reetam Singh, have raised questions about the accuracy of data provided by Ola. Some of these doubts about the numbers arise because many Ola users were not able to get the range advertised by the company. “Can’t trust Ola unless this data is independently verified. Ola lied multiple times on range etc, so can’t say if they’re lying about this,” Sreejesh Suresh tweeted.

But even more crucially, Srikanth Lakshmanan from Cashless Consumer claims that Ola’s speed estimate is not entirely accurate because the scooters use GPS for calculating the same rather than a traditional speedometer. If you’ve ever used a GPS smartphone to track runs, you will know that the speed is not entirely accurate and can be affected by tree cover or tall buildings.

Advertisement. Scroll to continue reading.

Lakshmanan shared a YouTube video that compares Ola’s displayed speed with the speed shown on GoPro’s GPS-based speedometer. Ola’s speed appears to be inflated in this case. While the GoPro’s speedometer could also be inaccurate, Lakshmanan thinks that the calibration in Ola is more likely wrong because there are several customer feedbacks on this. In its testing of the vehicle, Autocar also found discrepancies in the speed shown and actual speed observed using alternate methods. Another Twitter user pointed out that the graph shared by Ola is not accurate. “That x-axis raises more doubts than it clears,” the person said.

Furthermore, Aswin Raj pointed out on Twitter that “relying on speed data alone is absolutely absurd” and “throttle position and brake sensor data need to be included.” “There is also no reason to believe that it is the only outcome-determinative data to the entire event. There may be surrounding circumstances, of topography, of conditions of the road at relevant time that have not been accounted for in the data that they presented,” Nikhil Mehra said.


Reetam Singh told MoneyControl:

“For 10 days, the scooter was with you (Ola Electric). How do I know the data of the scooter was not tampered with during that period? Where is the opportunity to challenge this data? If this was done in my presence — like if they opened the scooter and investigated in front of me — I would not have questioned the legitimacy of the data”

4. Perverting legal proceedings

Anand Venkatanarayanan raised a different set of concerns with regard to the legal validity of such data. What evidence is there that this data is real and not made up, can Ola prove that it’s not tampered with? Venkatanarayanan asked.

He further explained how when smartphones are seized are by the police, they have to give the suspect a panchnama with cloned hard disk and hash code of the phone. “So if Ola wants to use the data to prove you oversped and hence died (and hence was denied compensation), then to prove the data is really authentic, they have to do the hash code thing,” Venkatanarayanan said.

Financial Express journalist Salman SH pointed out how aeroplane black boxes are not published in the public before being presented in a court:

In this amplification, they get a presumption of truth that they will not otherwise get in a court of law. Because in the court of law, the data, the method of recordal of the data, storage, its usage, everything will have to be approved separately. So the question of tampering can be eliminated altogether. How do we know today that they are not, in fact, tampering? What they get is the benefit of the assumption that they do, in fact, store data. And that assumption lends to them a certain authenticity and then they present the data, but we don’t actually know whether it’s tampered with or not,” Nikhil Mehra said.

5. Data not shared with the customer

Even though Ola shared the telemetry data publicly, it has still not provided the concerned customer with a copy of the data despite multiple requests. This has raised questions about who actually owns the data— the data principal or Ola? By getting access to the data, the customer could hire independent investigators to verify

Advertisement. Scroll to continue reading.

“So this is a misuse of the data that they’ve got. At the very least, it creates an abusive position of disparity between them and others, like normal citizens, who lack the capacity to either verify such data or to equally effectively present their own data. Because there is this disparity it is never to be abused against an ordinary citizen. If this was a court-based matter it will be a different thing,” Nikhil Mehra said.

6. Undesirable sharing with third-parties

By publicly revealing the amount of data that Ola collects and the granularity and the real-time nature of it, the company has spooked potential buyers who worry about how else this data can be used. While in this case, Ola used the data to defend its reputation, the same data can be shared with insurers or traffic police to the detriment of customers.

Advertisement. Scroll to continue reading.

“This is really terrifying from user’s POV. What if these details are shared with the RTO office and then users have to bear a humongous fine. Users need privacy and we don’t want us to be tracked,” Kishlai Kumar said on Twitter.

“What I am curious about is does this put us customers in a distinct disadvantage considering that the incident report is out in the open. Can this affect the customers insurance claim ability?Karthikeyan Balasubramanian asked. “In the future, Ola’s insurance provider will use this to reject accidental claims,” Anjul Sahu tweeted.

“Imagine a 3rd party, such as a lending company, being able to intelligently guess daily habits of an individual or office and home locations of an individual, based on his/her dwell time at these locations. […] Well, as they say, data is the new oil, customer data can be misused or even compromised leading to all kinds of cyber frauds,” Prashant Jhingran wrote in a Linkedin post.

7. Will Ola share data on other incidents?

Similar to how Ola shared data here to argue that its vehicle was not at fault, will the company also share data in other cases reported on scooters malfunctioning or catching fire unexpectedly, some users asked.

Advertisement. Scroll to continue reading.

The legality of the data sharing

“Currently, we don’t have a data protection law since the [Data Protection] Bill has not been passed. The rules under the IT Act are not being enforced and on top of that only apply to sensitive personal data. The vehicle speed and brake data available don’t fall under sensitive personal data. There may be some interplay with profiling but this is again not covered yet. So I don’t think there is much of a question of legality right now,” Lalit Panda explained.

Apart from this, Ola’s collection and use of data are guided by its privacy policy which as you will read below has enough provisions that allow it to collect and disclose telemetry data. And since the customer agrees to this privacy policy at the time of purchase, there is not much room to challenge the company legally for sharing this data. However, there might be other grounds for challenging Ola such as defamation or even taking the company to court for the accident itself, in which case the accuracy of the data will likely be examined.

How could Ola have handled it better?

“To use such data to disprove a customer in public, this is almost like saying you are wrong, we are right, here is the data. They are probably entitled to do this because their corporate reputation is at stake here, but it would have better served from a consumer trust point of view if they would directly have taken it to law enforcement instead of taking it public,” communications consultant Karthik Srinivasan told MediaNama.

“Even if a brand wants to go against the customer this is not the right time to do it either because this is a trust-building phase and more like a user education. Just imagine, say Flipkart in 2011-13, they were trying to build the e-commerce industry in India and they were investing in terms of user education, which is where they were trying to help people understand that you can order online, you can pay offline, and that you can just give it back and there is no question on returns, and all those things. So imagine at that stage if there was a problem and they just blamed the user, people would be slightly less interested in e-commerce. Now Ola is not doing any favour for the category benefit and category level user education by blaming the customer in this case,” Srinivasan added.

Advertisement. Scroll to continue reading.

How will the Data Protection Bill have addressed this incident?

Many on Twitter called for the Data Protection Bill to be introduced soon to prevent such data sharing. The Data Protection Bill does have significantly more stringent consent requirements than the current regime and there is also the requirement to specify the purpose of use. There are also consequences for any violation in terms of fines. But there’s no clarity on if the Bill would have made any big difference in this case. “If the law were in place, Ola would have been required by law to ask for consent as the other non-consensual grounds may not have applied. The DPA may also have notified profiling from machine usage or location data to be a form of sensitive data (under s.22) or may have notified public disclosure of accident data to be a “reasonable purpose” (under s.17). Either of these could change the course of the case,” Lalit Panda said. But we’re entering into speculation here, Panda added.

What does Ola’s privacy policy say?

What personal data is collected?

According to Ola’s privacy policy, in addition to data like name, address, mobile, financial information, etc, Ola collects the following that stands out:

  1. Telemetry data such as performance, operations, usage of Products
  2. Location information, including the GPS location of
    • any person placing an order through the Ola Electric website or mobile application or any other mode
    • while using location-based services through Products and Services
    • addresses provided for providing the Products or Services by us
  3. Details of the vehicle purchased, e.g., vehicle license number, VIN, etc.

“To further improve your Product and safety, to facilitate the (helpdesk) servicing of your Product and to give you insight on your driving behaviour, we will collect certain telematics data from the vehicle. This may include personal information, such as vehicle identification number, and other device related information, such as performance, usage, operation, condition of your vehicle, etc. We collect such information either in person (such as during a service appointment), or via remote access or through App.” – Ola privacy policy

When is telemetry data collected?

Ola collects data when the user sets up and drives the scooter. “Our operating system tracks various vehicle sensor data which we receive real-time in our cloud,” Ola said in its statement on the Guwahati accident.

Why does Ola collect telemetry data?

Among the many reasons, Ola collects telemetry data for the following reasons:

  1. To provide vehicle support and servicing in an efficient and timely manner
  2. For product development purposes, for example to improve vehicle performance, quality and safety
  3. To comply with legal requirements or lawful authority requests

Ola’s right to use personal data WITHOUT consent

In its privacy policy, Ola states that “where reasonably practical or as required by applicable law,” it will obtain user consent prior to collecting or using your personal Information,” but that it may use personal data even without consent when there is a legitimate interest or for other reasonable purposes. One of the cases that satisfies these criteria is:

“To enforce or protect our contractual or other legal rights or to bring or defend legal proceedings.”

Ola also has another provision in the privacy policy which states:

“We may also disclose personal information if we determine in good faith that disclosure is necessary to protect our rights, resolve legal conflict, enforce our terms and conditions, investigate fraud or protect our users.” (emphasis ours)

These two provisions might have been invoked in the Guwahati case as the company can claim that it disclosed personal information to protect its rights or investigate fraud.

Advertisement. Scroll to continue reading.

What rights do users have over their data?

  • Accessing the personal data: According to the policy, users have the right to access a copy of their personal information that Ola holds in a standard form that will be easy and understandable. However, in the Guwahati case, Ola refused to give the customer his personal data. “Generally, we can only deny you your right of access if it concerns the right of other individuals or we have another lawful reason to withhold that information and not otherwise,” Ola’s policy states.
  • Withdrawing consent: Users can withdraw their consent anytime. “We will be bound to stop collecting or processing your data we collect from you solely on basis of your consent. For instance, there are certain data points for which we take your explicit consent like GPS tracking. You can withdraw from GPS tracking anytime by using the App. However, we will accordingly be unable to offer you other services that are dependent on GPS tracking like navigation. Also, we are legally permitted to continue collecting or processing your personal data if we can rely on grounds other than consent to process your information,” Ola’s privacy policy states.

MediaNama reached out to Ola Electric on April 26 for a statement and with a list of questions, but the company has not responded yet.

This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.

Also Read:

Advertisement. Scroll to continue reading.

Have something to add? Subscribe to MediaNama here and post your comment. 

Written By

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.

Views

News

The Delhi High Court should quash the government's order to block Tanul Thakur's website in light of the Shreya Singhal verdict by the Supreme...

News

Releasing the policy is akin to putting the proverbial 'cart before the horse'.

News

The industry's growth is being weighed down by taxation and legal uncertainty.

News

Due to the scale of regulatory and technical challenges, transparency reporting under the IT Rules has gotten off to a rocky start.

News

Here are possible reasons why Indians are not generating significant IAP revenues despite our download share crossing 30%.

You May Also Like

News

Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...

Advert

135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...

News

Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...

News

By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Name:*
Your email address:*
*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ