OYO's Plan to Digitise and Share Guest Data With Authorities Raises Privacy Concerns

OYO's Plan to Digitise and Share Guest Data With Authorities Raises Privacy Concerns

OYO Rooms' decision to digitise user logs and share with state government authorities has sparked data privacy security concerns.

Rakhi Bose
  • News18.com
  • Last Updated: January 27, 2019, 9:18 AM IST
Share this:

New Delhi: For many secret couples, an OYO room is one of the few chances of getting some private, alone-time with their partners. But with OYO's move to digitise and share guest check ins and check outs with state authorities, some are now rethinking the choice.

OYO Rooms, touted as India's largest hospitality company at present, has faced some flak after it announced its plan to digitise data of guests staying in its hotels and sharing it with state authorities when needed.

The announcement was made by the start-up unicorn's India and South Asia CEO Aditya Ghosh in Kolkata recently during an event.

"The Digital arrival and departure register aims to maintain a real-time record of guest entries and update the respective governments on who's checking in and checking out, when presented with an information order for an investigation, making this a more secure, efficient and transparent process as compared to the manual version," Verma stated at the event.

He also added that so far the company had been in talks with the state governments of Haryana, Rajasthan and Telangana for the same.

The move sparked concerns regarding data security and breach of privacy as many were not sure if the data would be shared with authorities in real time or not.

The fact that hotels are legally obliged to maintain guest registers to share with authorities in case of a threat to national security or in the course of an investigation is common knowledge.

"Every city has a Local Intelligence Unit that keeps tabs on whether hotels, internet cafes are maintaining these records. It is legally mandated for them to do so in case the data is required to be furnished for an investigation," cyber security expert Rakshit Tandon told News18.

According to a statement released by Aditya Ghosh, OYO will follow pre-existing protocol and only share details with authorities in case an information order is furnished. "We share any limited information only when required by law and only when we are duty-bound or permitted to disclose personal information through orders or directions of government/regulatory bodies, law enforcement officials and court orders etc," read the statement.

However, the devil may be in the proper implementation of protocol.

According to Gurugram Police PRO Subhash Bokan, it was routine for beat cops to keep a track of activities of local hotels in their area.

"We do not usually need any paperwork, at least in the initial stages of an investigation. Officers can at anytime go and check hotel registers and they do so in case of any suspicion," Bokan said.

He said that the move to digitise records may help simplify and increase the speed of the investigation process.

An official from Telangana Police confirmed on condition of anonymity that a local could at any time go to a hotel and make routine inquiries.

"I think it helps in better storage of data. Over the years, manual paper logs can get destroyed. Digitising will help keep an infinite store of this data," the officer said. However, they added that it could pose a threat to the privacy of guests.

The concern was raised by legal experts as soon as OYO made the announcement. India at present has no data privacy laws and according to security and legal experts, collecting such large pools of data without proper legislation to defend it was problematic.

Internet Freedom Foundation, a forum that fights for defending freedom of expression in online spaces, tweeted that the move would make it easier to 'force' data sharing.

"Well, because we do not have any meaningful legislative framework informational privacy law in India. In its absence even distant legality (local laws) is used to force data sharing," they wrote on Twitter.

In July last year, the Justice BN Srikrishna committee submitted the first draft of the Personal Data Protection Bill, 2018, to the Ministry of Electronics and Information Technology (MeiTY). However, according to a report in Economic Times in January, the Bill will only be presented in the June session of Parliament once the elections are over and a new government is in place.

Speaking to News18, lawyer and digital privacy expert Apar Gupta said that the absense of laws made it imperative for OYO to make the specifications of the digital register clear, especially since many were under the confusion that data from the register will be shared with authorities in real time.

"If it is the product that they have created, they need to share the specifications of that product with users and stakeholders," Gupta said. He stressed that the absence of data and privacy protection regulations meant that the data such pools of data could be exploited by anyone without hesitation, which brings us to the next problem - data theft and harvesting.

However, sources within OYO have confirmed that it was not planning to share live data with authorities and would be doing so only when legally bound. Even then, the source confirmed, the data of only the person(s) being investigated shall be shared, not the entire register.

The company refused to share any images of the product at this point as only a pilot of it has so far been implemented in Jaipur.

Apart from 'forced' sharing of data, theft was also one of security concerns that could result from digitisation of guest logs.

According to Rakshit Tandon, who is also a cyber security consultant, the bigger threat was data theft by third party hackers. "If they are going to be collecting data, they need to be storing it in highly secure servers. Data is like oil today and in the wrong hands, a data pool like that could be highly dangerous," Tandon said.

However, he also added that most information of users was already out on the internet in some way or the other.

In an official statement to News18, OYO Rooms said, "With the Digital Departure and Arrival Register, we aim to add a stronger data security net to the entire booking process by ensuring transparency, digitisation and improved efficiency of operations for the hotels."

With over 125,000 rooms to its name, OYO has become the largest hotel group in India. With Aditya Ghosh's entry as the new CEO nearing the end of last year, the company is now looking to become the largest hospitality chain in the world with over a million rooms.

Digitisation may help save them cumbersome logistics and remove human error from the process. It is also in keeping with the current government's push toward digitisation.

However, Apar Gupta, who is also the executive director of IFF and is at the forefront of the reform petition #SaveOurPrivacy, felt that lack of requisite cyber security or privacy laws in the wake of the internationally debated Facebook data hack and Cambridge Analytica scandal casts a deep dispersion over the real time advantages of aggressive digitisation.

Share this:
Next Story
corona virus btn
corona virus btn