On October 17, the Indian Air Force (IAF) formalized a Memorandum of Understanding (MoU) with Uber, aiming to enhance transportation options for IAF personnel, veterans, and their families. This agreement is designed to facilitate reliable, convenient, and safe transportation for official travel and daily commutes. The initiative mirrors a similar agreement made by the Indian Navy with Uber in September 2023.
Under this MoU, service members and their families will need to share personal information, including names, email addresses, and mobile numbers, to utilize Uber’s services. However, this development has raised red flags among cybersecurity experts, who express serious concerns about the implications of sharing sensitive data related to military movements with a private, foreign-owned company. Such data, they argue, could expose travel patterns, assignments, real-time locations, and even the daily routines of military personnel and their families, potentially compromising national security and operational integrity.
While the Indian Air Force has defended the MoU, sources cited by The Sunday Guardian claim that these agreements with foreign entities are executed with extreme caution, utilizing Advanced Encryption Standard (AES)-256-bit encryption to protect the data. Proponents argue that since personal data from military personnel is already shared with various other companies, the risk associated with Uber is not significantly greater.
In assessing the implications of this agreement, two major questions emerge: the connection between data privacy and national security, and the reliability of how private companies manage personal data. On one hand, personal data holds substantial national security relevance. Data generated from individuals’ online activities, smartphones, and digital interactions can build detailed profiles that reveal much about a person’s identity, beliefs, and behaviors. Hostile entities can exploit this information to conduct psychological operations against military personnel, creating stress and fear within ranks, thereby undermining morale and operational readiness.
The misuse of personal data for disinformation campaigns is not a new phenomenon. Historical examples include Russia’s Internet Research Agency’s tactics during the 2016 U.S. elections, where targeted social media ads contributed to societal divisions. Similar strategies have emerged globally, influencing significant events such as Brexit, the Rohingya crisis in Myanmar, misinformation about vaccines during the COVID-19 pandemic, and protests in Hong Kong. Experts have indicated that misinformation remains a major risk for India, highlighting the importance of protecting personal data.
The second question focuses on the handling of personal data by private companies. Data breaches have become alarmingly common, with Uber experiencing multiple significant breaches over the years. While encryption technologies like AES are critical for safeguarding data, they do not eliminate all risks. Reports indicate that a vast majority of data breaches involve human factors, including social engineering attacks that manipulate individuals into divulging sensitive information or unwittingly breaching security protocols.
Another crucial aspect involves the geographical location of data storage and the access rights of different entities. India has recently instituted the Digital Personal Data Protection Act, which may eventually restrict the transfer of personal data to foreign jurisdictions. Nevertheless, the rules surrounding this Act have yet to be fully implemented, leaving the possibility for personal data to be transferred abroad. Foreign companies operating under their national laws may be compelled to share data with their governments. For example, China’s National Intelligence Law implies mandatory compliance for companies to aid state intelligence operations, while U.S. laws may allow enforcement agencies to access data from U.S.-based companies regardless of where the data is stored.
Moreover, the commercial practices of technology firms often involve selling personal data to third parties, thereby complicating data security concerns. Intelligence agencies in the U.S. have acknowledged purchasing personal information from brokers to facilitate surveillance, raising further alarms over privacy.
In light of these considerations, the military must treat personal data management with heightened seriousness, distinguishing its imperative to safeguard national security from the profit-driven motives of private enterprises. The responsibilities of protecting sensitive information and ensuring operational integrity should remain a top priority for the military, particularly in a landscape where digital threats are increasingly prevalent. The MoU with Uber could potentially undermine these critical security standards, warranting careful scrutiny and consideration.
