
How the Rajasthan Govt Briefly Accessed Citizens' Twitter Accounts via RajSSO

RajSSO renders a sign in with Twitter/Facebook/Google link on its website. After the scope of access granted to it when users signed in with Twitter became a cause for concern, the state government was quick to fix the problem.

Jaipur: Last week, the Caravan magazine reported that the Rajasthan government was seeking access to citizens' social media accounts and Aadhaar details through its digital platform, Rajasthan Single Sign On (RajSSO), meant to deliver numerous services of the state government.

The report stated that citizens could register on the portal using any one of five digital identities – Aadhaar, Facebook, Google, Twitter or a Bhamashah account – and in return the application would seek the citizen’s personal data. Before signing in to the application, users are required to consent to RajSSO accessing their account information.

When signing in with Google, it displays: “Google will share your name, email address, and profile picture with rajasthan.gov.in.” With Facebook, it displays: “Rajasthan Single Sign-On will receive your public profile and email address.”

When signing in with Aadhaar, users are asked to consent to sharing their biometrics. To capture the user’s biometrics, RajSSO supports registered biometric device services – Cogent, Digital Persona, Mantra, Morpho and others – with an option to install the biometric devices.

But if users opt to sign in using Twitter, this is the message they were met with, "This application will be able to: Read Tweets from your timeline; See who you follow, and follow new people; Update your profile; Post tweets for you [and] Will not be able to: Access your direct messages; See your Twitter password."


Interestingly, the state government was quick to narrow the scope of access it had previously held over a substantial part of the Twitter accounts of citizens who opted to register with Twitter. Scope is an app’s access to user data; in other words, what the application is allowed to do on behalf of a user.

Now, the scope of the application on Twitter is reduced to ‘read tweets from your timeline’, ‘see who you follow’ and ‘see your email address’. As per the information displayed on the authorisation interface now, RajSSO cannot follow new people, update the user’s profile, post tweets for them, access their direct messages or see their Twitter password.


However, the authorities at the Department of Information Technology and Communication in Rajasthan were clueless about the changes. Speaking to The Wire, Rajeev Gujral, RajSSO project officer, said, “As soon as the users click the link to sign in with Twitter, they are directed to Twitter’s API page which is customised for all the third parties using that functionality. They cannot make crores of pages for different clients. So is the case with RajSSO. We only use the basic information of a user like name, email, address and photo which they will have to anyway upload to their profile to use various services of the state government.”

When The Wire looked for such a customised authorisation page, it found that the sample in Twitter’s guide for developers carried the same pre-defined scope of access that RajSSO had been displaying. Even the new, narrower scope of access now shown by the application was found in Twitter’s developer documentation.


Not only this: the ‘read and write’ permission previously granted to the application on a user’s Twitter account was also reduced to ‘read-only’ permission.

‘Read and write’ permits "access to Twitter resources, including, the ability to read a user’s tweet, home timeline, and profile information; and to post tweets, follow users, or update elements of a user’s profile information. It also allows write access to send direct messages on behalf of a user but doesn’t provide the ability to read or delete direct messages."

Whereas, ‘read-only’ permits "read access to Twitter resources, including a user’s tweets, home timeline, and profile information. It doesn’t allow access to read a user’s direct messages".

When asked about the sudden overhaul in the scope of RajSSO, Gujral replied, “Is it changed? We have no idea about it. Will have to check.”

Working of the APIs

To register citizens on RajSSO, the Rajasthan government uses the Application Programming Interface (API) of Twitter, Facebook and Google.

OAuth is used to provide authorised access to these APIs. OAuth is an authentication protocol that allows users to approve an application to act on their behalf without sharing their password. When a developer implements an OAuth server, "they allow applications to access and potentially modify private user content, or act on behalf of the users."

RajSSO renders a sign in with Twitter/Facebook/Google link on its website. When the user clicks the sign in button, the app requests authorisation from the user. If the user authorises, the app uses the authorisation code it receives to obtain an ‘access token’ from the authorisation server; the token represents the user’s permission for the application to access their account within the approved scope.

Access tokens are invalidated when a user explicitly revokes access to the application in their Twitter/Facebook/Google settings or when the service is suspended.
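The scope discussion above (an app’s access is whatever the user approved at the consent screen) and the sign-in flow just described are easiest to see in code. The following toy authorisation-code flow is an added example written for this article; it is not RajSSO’s, Twitter’s or any provider’s code. The scope strings, the `rajsso-demo` client id, the `citizen` user and the three API actions are constructed assumptions that stand in for a real identity provider. It shows a code exchanged for a token bound to the approved scopes, a resource server refusing a write with a read-only token, a revoked token being refused outright, and a least-privilege check that lists what a login-only client asks for beyond sign-in.

```python
"""Toy OAuth 2.0 authorisation-code flow with scopes (added illustration;
not RajSSO's or Twitter's code). Scope names and client ids are constructed
assumptions, not a real provider's identifiers."""
import secrets
import time

# Scopes a social-login relying party needs to identify a user (assumption:
# name, email and photo, the "basic information" the project officer cites).
LOGIN_SCOPES = {"profile:read", "email:read"}

# Constructed scope strings mirroring the original 'read and write' consent
# screen: read timeline, follow people, update profile, post tweets.
OVERBROAD_SCOPES = {"profile:read", "tweets:read", "tweets:write",
                    "follows:read", "follows:write", "profile:write"}


class AuthorizationServer:
    """Issues single-use codes and access tokens bound to the scopes the user
    actually approved; the resource server later enforces those scopes."""

    def __init__(self):
        self._codes = {}    # code -> (user, client_id, scopes, expiry)
        self._tokens = {}   # token -> (user, client_id, scopes)

    def authorize(self, user, client_id, requested, approved):
        # A user may approve fewer scopes than requested, never more.
        granted = frozenset(requested) & frozenset(approved)
        code = secrets.token_urlsafe(16)
        self._codes[code] = (user, client_id, granted, time.time() + 60)
        return code

    def exchange(self, code, client_id):
        # Single use: the code is removed on first exchange and is bound to
        # the client that requested it.
        entry = self._codes.pop(code, None)
        if entry is None:
            raise PermissionError("unknown or already-used code")
        user, bound_client, scopes, expiry = entry
        if bound_client != client_id or time.time() > expiry:
            raise PermissionError("code not valid for this client")
        token = secrets.token_urlsafe(24)
        self._tokens[token] = (user, client_id, scopes)
        return token

    def revoke(self, token):
        # Mirrors the user removing the app in their account settings.
        self._tokens.pop(token, None)

    def introspect(self, token):
        return self._tokens.get(token)


class ResourceServer:
    """Checks the token's granted scopes before each API action."""
    REQUIRED = {"read_profile": "profile:read",
                "post_tweet": "tweets:write",
                "follow_user": "follows:write"}

    def __init__(self, auth):
        self.auth = auth

    def call(self, token, action):
        entry = self.auth.introspect(token)
        if entry is None:
            return "denied: token revoked or unknown"
        _, _, scopes = entry
        needed = self.REQUIRED[action]
        if needed not in scopes:
            return f"denied: missing scope {needed}"
        return "ok"


def excess_scopes(requested, needed=LOGIN_SCOPES):
    """Scopes a login-only client requests beyond what sign-in requires."""
    return sorted(set(requested) - set(needed))


def login_flow(auth, requested, user="citizen", client_id="rajsso-demo"):
    """Full flow: user approves everything requested, client exchanges the
    code, then the resource server evaluates each action with the token."""
    code = auth.authorize(user, client_id, requested, approved=requested)
    token = auth.exchange(code, client_id)
    rs = ResourceServer(auth)
    return token, {a: rs.call(token, a) for a in ResourceServer.REQUIRED}


if __name__ == "__main__":
    auth = AuthorizationServer()
    for label, scopes in (("over-broad", OVERBROAD_SCOPES), ("login-only", LOGIN_SCOPES)):
        token, results = login_flow(auth, scopes)
        print(label, results, "excess:", excess_scopes(scopes))
        auth.revoke(token)
        print(label, "after revoke:", ResourceServer(auth).call(token, "read_profile"))
```

The point a defender takes from running it: the token never carries more than the consent screen showed, so the consent screen is the control. An application that only needs to identify a user should request `LOGIN_SCOPES`, and `excess_scopes` is the review check that flags anything beyond that before the app ships. Note also that OAuth here delegates access; the user’s identity is whatever the provider’s profile API returns under `profile:read`, which is why a login-only scope suffices.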

Sharing of data with third parties

Twitter permits the sharing of users’ data with third parties, as stated in its privacy policy: “In addition to providing your public information to the world directly on Twitter, we also use technology like APIs and embeds to make that information available to websites, apps and others for their use – for example, analysing what people say on Twitter. We generally make this content available in limited quantities for free and charge licensing for large-scale access.”

In its developer policy, Twitter requires developers to obtain a user’s express consent before taking any action on their behalf, including "posting Twitter content, following/unfollowing other users, modifying profile information, starting a Periscope broadcast or adding hashtags or other data to the user’s tweets".

It clearly says: “We share or disclose your personal data with your consent or at your direction, such as when you authorise a third-party web client or application to access your account. By submitting, posting or displaying content on or through the services you grant us a worldwide, non-exclusive, royalty-free license (with the right to sublicense) to use, copy, reproduce, process, adapt, modify, publish, transmit, display and distribute such content in any and all media and distribution methods.”

Twitter tells its developers to “never derive or infer, or store derived or inferred, information about a Twitter user’s health, negative financial status, political affiliation, racial or ethnic origin, religious or philosophical affiliation, sexual orientation, trade union membership, alleged or actual commission of crime.”

However, those who use its developer platform are permitted to perform aggregate analysis of Twitter content that does not store any personal data (usernames, user IDs).

"Not only does this show a near-complete disregard for citizen privacy, it also shows how the government increasingly thinks of its role akin to a commercial service provider and to consider the citizenry as a "user base" or a "customer base" that need to be acquired, retained and monetised, either directly or indirectly," said Prasanna S., a Delhi-based lawyer who assisted the petitioners' side in right to privacy/Aadhaar cases in the Supreme Court. "And that is certainly not what the Constitution meant it to be," he added.

India has no data protection law in place, and the existing legislation does not adequately protect data. In August last year, the court in the K. Puttaswamy vs Union of India case made several observations about privacy in the "digital economy, dangers of data mining, and the need for a data protection law". It restricted the state from unfairly interfering in the privacy of individuals and obliged it to put in place a legislative framework to restrict others from doing so.

While the Rajasthan government is consistent with Twitter’s policies on seeking consent from users to access their accounts and data, it was, until a few days ago, violating the right to privacy – simply because, to access the state’s digital governance platform, people were required as a precondition to consent to sharing their private data and even to allowing the application to modify it.

All screenshots by Shruti Jain.

This article went live on September 1, 2018, at 7:00 am.
