Ayushi Sahu was ambushed. One evening in 2018, five months after her wedding, the 21-year-old college student was visiting her parents in the central Indian state of Chhattisgarh, when her husband showed up unannounced, his father and uncle in tow.
As the men settled in the living room, her husband said he had something he wanted them to hear. He took out his mobile phone and pressed “play.” The audio was loud and clear: private conversations between Sahu and her friends and family, which had been recorded without her permission. And it wasn’t only audio: “call logs, SMS, and WhatsApp messages, each photo and video, recordings of my video calls — he claimed to have accessed everything,” Sahu said. That was when she realized that her husband had, for months, been spying on her.
This was also how Sahu learned of certain things he had been holding against her. (Her name has been changed to protect against retaliation.) He had been offended to hear her complaining to her mother about problems with her in-laws. And he objected to her talking to a male friend. “He made a scene as if he was ‘exposing’ me,” Sahu recalled. “I was just sharing my concerns. That’s normal.”
Her husband played several more recordings, until his father eventually intervened. “I don’t want to listen to any more of this. You have heard it all? Okay, then,” he said, before reaching out to comfort Sahu, who was still in shock.
After processing the experience, Sahu decided she was willing to shrug it off, apologize, and move on, but her new husband continued to behave strangely. Eventually, she felt she had no choice but to end the marriage. “I don’t understand why he had to take this spying route,” she reflected. “He could have just asked. You know, in India, men can scold their wives, right? He could have done that. What was the need to go so deep into my phone and record my conversations?”
Sahu has no idea how her phone was bugged or for how long she was surveilled. But she has one clue: Her Vivo smartphone was an engagement gift from her husband.
It is likely that Sahu’s phone had off-the-shelf spyware on it. Her husband may have installed it himself or even consulted a private detective before marrying her, who provided him with the phone. In either case, he would have been part of a growing trend of individuals — often, jealous lovers — making use of personal surveillance technology.
According to Kunwar Vikram Singh, the chairman of the Association of Private Detectives and Investigators in India, it’s now common for wealthy families to assess the suitability of a potential bride or groom by hiring a private detective, a vetting that usually costs around $500. He attributes this to India’s changing social mores, especially among urban elites. “Work culture has changed. Values have changed,” Singh reflected, citing the influx of women into the workforce as one contributing factor. “We tell people, ‘You spend lakhs and crores on marital ceremonies; spend a few thousand on investigators’,” he said.
Whatever the reason, India’s private-detective services have been growing over the past decade. Singh estimates that the sector is now worth roughly $1.2 billion nationally. But because of the sensitive nature of the field, it’s impossible to know for sure: There are no official statistics, and many clients still pay in cash. “They don’t want to leave any footprint,” he noted.
The services offered by the detectives mainly fall into two categories: corporate and personal. The corporate investigations often involve banks hiring investigators to get information on shifty borrowers and financial firms looking for background checks on employees. The personal services range from child monitoring to matrimonial background checks. Every agency has its own specialization. Karnam Choudhary, a Jaipur-based detective who operates the Siyol Detective Network, which has around 1,500 freelance private investigators across the country, says that “since 2016, personal cases make up almost 70%.”
The boom in business has coincided with a growing reliance on consumer-grade spyware. These are mostly smartphone apps that cannot easily be detected, secretly record all of a device’s activity, and route that data to a third-party dashboard. A private investigator’s first move used to be shadowing somebody in person; today, many of them begin by advising the client to present the object of their suspicion with a malware-infected smartphone.
Growing demand for spyware first caught the attention of India’s software engineers several years ago, long before the coronavirus pandemic led to a spike. In 2013, while researching viruses and cybersecurity for his final-year engineering project, Gujarat-based coder Tushar Mepani began meeting parents who wanted to keep closer tabs on their teenagers’ whereabouts. “I could not sleep at night when these millionaires told me about their kids’ behavior,” he said, apparently in earnest. The initial prototype of what became his first app for tracking children, EasySpyPhone, was restricted to recording calls and collecting text messages and location data, but more recent iterations can spy on social media platforms like Facebook and WhatsApp, secretly turn on a phone’s microphone to record calls and video, and capture screenshots, all for around $20 or $40 per month. “Parents were very happy,” Mepani reflected. “They learned who their kids are friends with — and who is diverting them. The app has saved kids from being spoiled.”
Mepani doesn’t sell only one or two products, however; through his Android spyware company, Convants Information Security, he licenses surveillance software to multiple vendors, who repackage it under different names. He won’t reveal the details of these arrangements, calling them “internal business,” but he claims to have made more than 20,000 sales. In 2014, Choudhary, the Jaipur-based detective, used Mepani’s software to launch his agency’s own app, Spy Mobile Process. Instead of paying for a full investigation, those who buy Choudhary’s app may use it to conduct their own inquiries, with guidance from detectives. “We had no idea at the time whether people would be interested in this,” he said. “But it clicked with users.”
All of this exists in a legal gray area. As of now, there are no laws in India regulating the selling or purchasing of so-called stalkerware. Nor is there much clarity about the privacy laws currently on the books. In India, it is not illegal to physically surveil a target, for instance, but things get fuzzier when it comes to tracking somebody’s location via mobile phone. Courts have been forced to establish statutes, case by case. In 2018, for instance, a family court in Delhi admitted evidence collected from spyware in a case concerning a marital dispute, stating that the right to a fair trial outweighed privacy protections.
But staying on the right side of the law doesn’t seem to trouble many spyware vendors. Insofar as they are concerned about legal exposure, most will simply add disclaimers that place the onus on the user. Before installing software, the customer should get “proper written consent to do so by the owner of the smartphone” and understand that it is the “responsibility of the buyer to obey all laws of their country.”
In August 2020, Google introduced a new Ads Policy imposing restrictions on advertising for spyware and surveillance technology. “The updated policy will prohibit the promotion of products or services that are marketed or targeted with the express purpose of tracking or monitoring another person or their activities without their authorization,” the company wrote in its updated policy. However, Google made two exceptions: “private investigation services,” like Choudhary’s, and “products or services designed for parents to track or monitor their underage children,” like Mepani’s.
Private detectives who admit to using spyware almost universally insist that any problems stemming from it are the result of abuse. But what they say publicly is one thing, and how they market their services is another. While Choudhary claims his app is not intended for spying on spouses, a November 2015 tweet from his company’s official account said just the opposite. In a series of phone interviews, Mepani also denied marketing his product to jealous husbands and wives, even as his website made clear that these are target demographics. “But you know,” he added, “it is like a knife. You can cut fruits, or you can cut someone’s head.”
However unsettling, the spyware sector is only one small part of a much vaster infrastructure. More than 500 million people in India use the internet every month, creating troves of private information with every click, scroll, swipe, and download. What they watch, how they date, whom they work for, and where they spend their money is constantly being captured and monetized. All this has given rise to a multimillion-dollar dark data economy, in which no piece of information is too personal to trade.
The black market for data, as it exists online in India, resembles those for wholesale vegetables or smuggled goods. Customers are encouraged to buy in bulk, and the variety of what’s on offer is mind-boggling: There are databases about parents, cable customers, pregnant women, pizza eaters, mutual funds investors, and almost any niche group one can imagine. A typical database consists of a spreadsheet with row after row of names and key details: Sheila Gupta, 35, lives in Kolkata, runs a travel agency, and owns a BMW; Irfaan Khan, 52, lives in Greater Noida, and has a son who just applied to engineering college. The databases are usually updated every three months (the older one is, the less it is worth), and if you buy several at the same time, you’ll get a discount. Business is always brisk, and transactions are conducted quickly. No one will ask you for your name, let alone inquire why you want the phone numbers of five million people who have applied for bank loans.
There isn’t a reliable estimate of the size of India’s data economy or of how much money it generates annually. Regarding the former, each broker we spoke to had a different guess: One said only about one or two hundred professionals make up the top tier, another that every big Indian city has at least a thousand people trading data. To find them, potential customers need only look for their ads on social media or run searches with industry keywords and hashtags — “data,” “leads,” “database” — combined with detailed information about the kind of data they want and the city they want it from.
Privacy experts believe that the data-brokering industry has existed since the early days of the internet’s arrival in India. “Databases have been bought and sold in India for at least 15 years now. I remember a case from way back in 2006 of leaked employee data from Naukri.com (one of India’s first online job portals) being sold on CDs,” says Nikhil Pahwa, the editor and publisher of MediaNama, which covers technology policy. By 2009, data brokers were running SMS-marketing companies that offered complementary services: procuring targeted data and sending text messages in bulk. Back then, there was simply less data, “and those who had it could sell it at whatever price,” says Himanshu Bhatt, a data broker who claims to be retired. That is no longer the case: “Today, everyone has every kind of data,” he said.
No broker we contacted would openly discuss their methods of hunting, harvesting, and selling data. But the day-to-day work generally consists of following the trails that people leave during their travels around the internet. Brokers trawl data storage websites armed with a digital fishing net. “I was shocked when I was surfing [cloud-hosted data sites] one day and came across Aadhaar cards,” Bhatt remarked, referring to India’s state-issued biometric ID cards. Images of them were available to download in bulk, alongside completed loan applications and salary sheets.
Again, the legal boundaries here are far from clear. Anybody who has ever filled out a form on a coupon website or requested a refund for a movie ticket has effectively entered their information into a database that can be sold without their consent by the company it belongs to. A neighborhood cell phone store can sell demographic information to a political party for hyperlocal campaigning, and a fintech company can stealthily transfer an individual’s details from an astrology app onto its own server, to gauge that person’s creditworthiness. When somebody shares employment history on LinkedIn or contact details on a public directory, brokers can use basic software such as web scrapers to extract that data.
But why bother hacking into a database when you can buy it outright? More often, “brokers will directly approach a bank employee and tell them, ‘I need the high-end database’,” Bhatt said. And as demand for information increases, so, too, does data vulnerability. A 2019 survey found that 69% of Indian companies haven’t set up reliable data security systems; 44% have experienced at least one breach already. “In the past 12 months, we have seen an increasing trend of Indians’ data [appearing] on the dark web,” says Beenu Arora, the CEO of the global cyberintelligence firm Cyble.
When contacted about providing a sample database, Amresh, the owner of e-commercedatabase.in, would not reveal the source of his data, nor did he ask any questions of us. All he wanted in exchange was our email addresses and phone numbers. The database arrived instantly, containing information that would make most online shoppers shudder: not only the names, email addresses, phone numbers, and states of residence of thousands of people but also what they bought and how much they paid for it, from cotton pajamas ($27) to noise-cancelling headphones ($408). For $20, we could purchase the full stash, containing the personal details of 14 million people.
The question, once a buyer has this data, then, is how to monetize it.
Scams are one of the easiest ways to turn data into cash. Loan scammers lap up bank customers’ personal details, refund scammers cash in on e-commerce histories, and job scammers do anything they can to get their hands on information from employment portals. Within this economy, some databases are more prized than others. A set featuring high-net-worth individuals costs more than one featuring entry-level employees. Value also goes up and down depending on the season; a shoppers’ database is hotter before a major Indian festival than after it. But there is one kind worth far more than any other. “Right now,” Bhatt said, “the student database is a gold mine.”
The competition for a place in India’s top professional colleges is cutthroat, and the hustle for admission begins early. By the time a student enters high school, they have already taken a few preparatory tests, and their academic information is likely stored in more than one database. Toward the end of high school, many students will be busy preparing for either the Joint Entrance Exam (JEE), for engineering colleges, or the National Eligibility Entrance Test (NEET), for medical colleges — the results of which are also available in the databases, along with grades, application numbers, and the names and phone numbers of students and parents. These are, in effect, elaborate, detailed listings for thousands of people desperate enough to spend tens of thousands of dollars for any possible educational advantage.
To buy a dataset from sites like mobiledatabase.com, which has since shuttered but was one of many websites of its kind, interested parties must contact the mobile number flashing on the homepage. That number belongs to Harry Singh (not his real name), who insists on communicating only through WhatsApp. So that’s how we strike a deal — 2020 NEET data for $20. He suggests payment via a digital wallet and, after the money is transferred, sends over the database as a Google sheet. Asked if the data is trustworthy, he confirms that “these databases are leaked by NEET employees.”
Who would buy this data, aside from curious journalists? Admissions fixers. At the end of the JEE and NEET application process every year, fixers, armed with data leaked by insiders and sold by brokers, reach out to thousands of prospective applicants with offers to guarantee their admission to medical and engineering colleges. Which, of course, they almost never can. Anwar Hussain, a Delhi-based doctor, was the victim of one of these scams. In May 2019, his son, Dilkash, took the NEET exam in the hopes of entering his father’s profession. “On 7 June,” Husain recalled, “results came in. Even before we checked the website, I received a call from a fixer. She knew my son’s registration number. She told me he had passed the test, but his rank was low. Admission to a reputed college would be tough, but it could be managed, I was told. She said I should speak to her boss — someone called Bhushan.”
Husain visited the fixers’ office in Delhi, where they asked for a $6,600 advance and told Husain to arrange to pay several times that amount in tuition fees. Over the following weeks, Husain sold the house he had bought with his life’s savings, asked his brothers to sell his share of the family land in their ancestral village, and filled three envelopes with cash. He paid the $6,600 to Bhushan and his associates and an additional $27,000 to an admissions officer at a medical college in the neighboring state of Uttar Pradesh.
Husain’s family was driven back to Delhi by the fixers, and for several weeks, he didn’t hear anything from either the brokers or college authorities. He began to worry. “By September 20,” he said, “we knew we had been scammed.” The following March, the ringleader of the scam was arrested by Delhi police after an interstate chase. Luckily for Husain, he was ultimately repaid the amount he had been defrauded of.
Data privacy cases rarely make headlines in India. News of the NEET scams first broke in 2018 when a student sent evidence of the leaks to media outlets. “I tried to find out where the fixers got our numbers and, searching online, came across around 30 websites trading students’ data,” says student activist Vivek Pandey, who provided evidence of the scam. “Ninety percent of these calls end up in fraud.” The matter was discussed in Parliament and handed over to India’s Central Bureau of Investigation. The sites were eventually shut down, Pandey said, “but the next year, they came back with different names. I could spot at least four or five websites that looked exactly the same.” Pandey estimates that between 100 and 150 student-data leaks are reported every year across India, and the scams flare up again and again with remarkable regularity.
For now, police are focusing on the scammers who orchestrate these frauds and ignoring the data brokers who provide them with material. In the authorities’ view, one party is committing a clearly defined crime, while another is simply trading an Excel sheet. Prosecution is especially difficult, given that many victims often have no idea how their data was leaked in the first place. But if they do find out, “it’s necessary for people to sue data brokers for violation of their privacy,” said Pahwa from MediaNama. “They should be arrested for putting people at risk and being an accessory to fraud. Otherwise, with the kind of information that’s on sale, from home address to spouse’s name, it becomes very easy to harm someone.”
There have been several instances of brokers ending up in court in recent years. In 2017, the telecom Reliance Jio filed a data-theft complaint with Mumbai police after a trove of customer data was put up for sale on a suspicious website. It turned out that the data had been stolen from its servers by a computer-science dropout from a small city in Rajasthan. The following year, Chennai city police arrested the owners of three data firms for selling information leaked from the state education department about 800,000 students. They were clued into the scandal after parents who had been bombarded with college-admission offers began to complain. These cases have hardly changed anything.
Stronger laws would be more effective in clamping down on the black market for data than the occasional arrest. In 2019, the Indian Parliament introduced a personal-data-protection bill, designed along the lines of the European Union’s General Data Protection Regulation, that would give users more control over their digital information. The proposed law would require companies to appoint “consent managers” to secure “explicit” user buy-in; to disclose their reasons for collecting, processing, and sharing that data with third parties; to inform customers of potential risks; and to offer them means of withdrawing their consent and filing complaints. If companies fail to meet any of those requirements, users may appeal to the data-protection authority the law would establish.
Yet one important actor would be exempted from this framework: the government. Under the data-protection bill, government agencies could demand access to any kind of personal data deemed of national security interest, without specifying what it would be used for, and force private companies to hand it over. This is especially important because the Indian government collects each citizen’s personal details, along with information about every significant aspect of their lives, from the moment they are born: education, income, caste, land and property ownership, relationship and citizenship status, children … the list goes on. The Indian state is among the most data-rich in the world. The government regularly launches wide-ranging sweeps to collect even more data about the country’s 1.3 billion people. Sometimes, these happen for legitimate governance reasons; other times, they are advancing a political agenda. In a sense, when it comes to data, the private sector is simply following the state’s lead.
Critics have expressed concern about the legal implications. Smriti Parsheera, a lawyer and policy researcher at the National Institute of Public Finance and Policy, worries that the bill contains broad exemptions for the government. The Data Protection Authority “is supposed to be an all-encompassing body with unprecedented regulatory powers,” Parsheera emphasized. “There are fears about its accountability and the scope for its independence.” Pro-privacy activists also fear that the government won’t effectively enforce any regulations they pass. “The (official) privacy and security practices are abysmal,” said Pahwa of MediaNama. “The focus is completely on collection and not on putting protections in place.”
There is very little information about what most Indians think of the legislation — or even, for that matter, how they understand privacy in the first place. In a 2012 report, researchers Ponnurangam Kumaraguru and Niharika Sachdeva found that, although people were more concerned about invasions of their digital lives than they were about real-world privacy, most were ignorant of any precautionary measures they could take to protect their privacy online. And among the survey’s more than 10,000 participants, a common anxiety emerged: in the future, privacy would erode to the point of completely disappearing. As one student put it, “It is a scary thought for me that, 10 years down the line, there will be no concept of the personal; everywhere, some form of information will be available about you.”
Yet Parsheera, the lawyer, is optimistic that, at the very least, the current bill will advance the conversation about the future of data privacy in India. “People have an inherent need to protect information about themselves,” she remarked. “In India,” she added, people “do that in ways that are different from those prioritized in a policy framework.”
Being more cautious about technology use may be the simplest way to protect individual privacy. Before her husband violated her trust, Sahu had never been paranoid about her devices being compromised. “I didn’t even use a screen lock,” she reflected. “I didn’t care if my husband was checking my phone.” But since the end of her marriage, she has become a little more careful. “Now, when I go out, I at least set a password to unlock the screen.”