Nearly 20 days before India’s 75th Independence Day, 34-year-old Bharatiya Janata Party (BJP) volunteer Vinod Kumar was called in for a meeting by his supervisor. The meeting was organized to discuss the action plan for the ambitious Har Ghar Tiranga (“tricolor on every house”) program, under which Prime Minister Narendra Modi had asked Indian citizens to hoist the tricolor flag at their homes, click a photo with it, and upload the images, with a geotag, to a privately hosted website under the banner of the Ministry of Culture, as part of the Independence Day celebrations.

Kumar, a member of the BJP IT Cell in the Mandi district of Himachal Pradesh, and whose name has been changed due to concerns about a backlash from his party, was told that he and his colleagues would have to convince residents in their area to participate. So, he spent the next several days crafting a social media policy, curating WhatsApp messages for local BJP groups, and helping party members design digital posters. He also created a tricolor frame that could be used on Facebook profile pictures. His colleagues organized Tiranga marchesin different neighborhoods, handing out free flags to citizens.

Eventually, the team convinced nearly 4,000 people in the assigned area. Kumar himself uploaded details of nearly 200 people who did not have internet access. He was just one of a vast army of BJP workers pushing the program. Mayank Goel, BJP vice president for western Uttar Pradesh, one of the largest states in India, told Rest of World that, in his region alone, 50,000 party workers were on the ground for the implementation of the scheme.

By August 15, India’s Independence Day, nearly 60 million Indian citizens had uploaded their photos with the national flag on the website. About 50 million had geotagged the locations of their houses with their photos, and also shared their phone numbers to register on the portal.

Now, digital rights activists are raising alarm bells as they believe that what seemed like an innocent voter outreach program was a scheme to collect citizens’ data, which can be misused.

The idea of the Har Ghar Tiranga program was first discussed at a BJP convention, in the southern city of Hyderabad, on July 2, 2022. The party hoped to reach 200 million people through this campaign, BJP leader Vasundhara Raje had said at the time. On July 6, the Ministry of Culture was appointed as the nodal body for its implementation, and, in the following weeks, the government aggressively publicized the program, including through changing Indian cellphone caller tunes on August 15 to a message asking people to upload photos.

“No country has ever executed such a massive scale of geotagging of its own citizens as we see in the Har Ghar Tiranga scheme,” Srinivas Kodali, a researcher with the Free Software Movement of India, told Rest of World. “Previously, some fragmented attempts have been made to geotag citizens with an intention of digital commerce; however, not at this scale with an intention of electioneering.”

“No country has ever executed such a massive scale of geotagging of its own citizens.”

The photographs, many of which were uploaded along with location information, are still publicly available on the website. While the location information is not publicly available, it is retained by the website, which could lead to theft, hacking, and stalking. When siloed information, such as phone numbers, photographs, and location, is processed with other data sets, such as constituency population and voter preferences, it can make citizens vulnerable to “geo-propaganda,” Kodali said.

“Such minute details of individuals can be used to microtarget them in a way that we cannot even anticipate its impact. For instance, such data can be used to target entire neighborhoods of Muslims or people from opposition political beliefs,” he added.

In 2015, Guyanese presidential candidate David Granger, who won the elections, used location-based ad targeting for his campaign, according to researchers at the University of Texas at Austin. The researchers also noted that geotagging was used during the 2020 U.S. presidential elections to identify Catholics who frequently attended church services. These individuals were subsequently targeted with personalized ads by the Donald Trump campaign.

Digital rights organization Internet Freedom Foundation (IFF) has raised concerns over the privacy policy of the Har Ghar Tiranga website — particularly about who owns the submitted data, and what it could be used for. “The privacy policy [of the website] seems like a collection of boilerplate clauses that have been thrown together,” Prateek Waghre, policy director at IFF, told Rest of World. “Wherever possible, the policy tries to shift responsibility away from itself.”

For instance, the privacy policy states that it will “protect [the data collected] within commercially acceptable means.” However, it does not define what these means are. Similarly, the language refers to a list of advertising partners, but their names are not disclosed. The policy also suggests that Har Ghar Tiranga’s services and products can be purchased, but nothing is listed for sale. “It seems like if anyone is harvesting data from this website, they won’t care what the privacy policy says,” Waghre said.

The website also uses cookies that track the browsing habits of users, Ayushman Kaul, a senior threat intelligence analyst with Logically, a technology company that specializes in analyzing and fighting disinformation, told Rest of World. 

“It is a clear indicator that those behind the website seek to harvest additional data from users,” he said. “Moreover, the integration of a Google sign-in with the website could also potentially allow the website creators to harvest additional personal identifiable information from Indian citizens using the website. By compiling together numerous such metadata and personal indicators, one can eventually create a comprehensive demographic and psychological profile of the entire population.”

While most Indian government websites are hosted on official servers at nic.in, the Har Ghar Tiranga portal is hosted via Amazon web servers. According to a press release published by Asian News International (ANI), Tagbin, a private company based in India, Singapore, and Dubai, is behind the website. It’s unclear where the data collected by the website is stored. The website also shares its IP address with more than 15 other websites, some with country code extensions from other parts of the world, leaving the private data of Indian citizens vulnerable to hacking. Tagbin did not respond to an email from Rest of World. 

The Har Ghar Tiranga website states that it does not knowingly collect any personally identifiable information from children under the age of 18. However, many of the photos uploaded to the portal, all publicly available, show young kids.

When asked about the potential misuse of these images, BJP’s Goel told Rest of World that people upload their photographs on Facebook or Instagram all the time without concerns over privacy. “When they upload it on the Har Ghar Tiranga website, then from where does this talk of privacy crop up? There is nothing private there. All these photographs are uploaded with consent. Modi ji gave a call and the whole nation followed him,” Goel said. 

National spokespersons from the BJP did not respond to requests for comments.

“Given the lack of a clear legal framework to safeguard personal data, this massive state-backed geotagging exercise should raise alarms.”

India currently lacks data protection laws that could safeguard its citizens against digital risks. In fact, on August 3, just days after the Har Ghar Tiranga program was launched, the Indian government unexpectedly withdrew a proposed data protection law, which had been working through parliament for almost three years. “Given the lack of a clear and comprehensive legal framework to safeguard personal data in India, the implementation of this massive state-backed geotagging exercise should raise alarms about privacy and digital rights of citizens,” Kaul of Logically added. The Ministry of Culture did not respond to an email from Rest of World.

Mamta, a 54-year-old teacher in Uttar Pradesh’s Farrukhabad district, is among the millions of Indians who geotagged themselves on the website, along with her husband, and three other members of her family. As a token of appreciation, she, like all others who registered and shared their location on the website, received a “Har Ghar Tiranga Certificate” from the Ministry of Culture.

This certificate was a big motivator for Mamta — almost as if it were proof of her nationalism. “I feel proud, as if I have won a war. This act is towards the progress of our country, even if it is a small act,” she told Rest of World. “After all, Modi ji had asked to post and participate in this movement.”

When asked about potential privacy concerns, she said, “I did not think much about it.”

Like Mamta, millions of Indians ignored privacy concerns under the pretext of nationalism — or under the influence of the massive publicity exercise where film stars and cricketers encouraged participation in the program — and willingly uploaded their personal identification details on the Har Ghar Tiranga website. 

The website claims that “once this campaign will be over, all the images and information collected will be deleted.” But, almost a month after Independence Day, the photographs were still publicly available on the website at the time of publishing.