A report indicates the extent to which Indian apps are silently accumulating tremendous amounts of personal information from millions of phones across the nation.

In busy digital India, more than 750 million Indians have smartphones and numerous apps for easy tasks like ordering food and managing finances. But a chilling truth lies beneath the ease. Your phone, on which you look more than 100 times a day, is a smart monitoring device, and Indian startup companies are driving it.

The revelation is astounding and systematic. Big Indian apps are not merely collecting the data you willingly provide when you sign up or purchase items. They are peering into the deep crevices of your online life, recording every other app you ever downloaded, monitoring your behavioral patterns, and building psychological profiles so complete they are coveted even by the most sophisticated intelligence agencies. This is not the surveillance capitalism nightmare; this is happening now, on millions of Indian phones.

The Swiggy Revelation: 154 Digital Fingerprints

This online monitoring was exposed because of the tireless work of a software developer named Pea Bee. In March 2024, Pea Bee heard about a bulk harvesting of information. What Pea Bee found regarding Swiggy, the food delivery company of India, should be a matter of concern for all smartphone users in the country.

Swiggy is an app through which a lot of Indians have evening meals delivered. It is quietly gathering 154 various pieces of information from each Android phone. That is several more pieces than anyone would expect from a meal delivery company. The firm desires more than your meal preferences or where you are. It is tracking a full history of other apps on your phone, revealing personal aspects of your life.

The apps that are being monitored can be dating apps that can display your relationship status and sexual orientation, banking apps that display your financial institutions and economic standing, news apps that infer your political leanings, religious apps that display your spiritual affiliations, and even pregnancy tracking apps that may signal family planning decisions. This level of spying transforms a straightforward food delivery app into an entire surveillance device that knows more about your life than your best friends or relatives.

This data collection has a very specific business motive. The apps uses this data to segment users into specific groups. The company can then provide special offers and, more importantly, sell these very segmented audience groups to high-paying advertisers who want to target consumers. When an advertiser wants to target young professionals who have high-end banking apps and read business news, Swiggy can provide that very group. The more segmented the data, the more they charge for advertising.

But Swiggy is not singular. The study found that the same practices are common in India’s startup ecosystem. Swiggy’s rival, Zomato, also uses the same methods to collect information. Quick delivery startups like Blinkit and Zepto are also intrusive. Fintech companies like Kreditbee and Paytm have created their business models to collect a great deal of information that is more than what they mainly offer.

The Technical Workaround: Getting Around Google’s Rules

What is particularly troubling in this case, though, is the way these companies are receiving such broad access to data. Google Play Store, the authentic Android app store, has distinct policies designed to safeguard user privacy and limit abusive data collection. These policies are designed to precisely stay away from the sort of intrusive tracking that Indian startups are engaging in.

But the firms have found technical ways to circumvent these protections. With the help of certain permissions and sophisticated programming techniques, they can examine the names and usage patterns of other programs on people’s phones in real time. This demonstrates a clear effort to bypass the privacy protections that Google has put in place to safeguard users.

The extent of technological sophistication that goes into such workarounds suggests that this is not by accident or happenstance data collection. Such companies have put a lot of resources into creating platforms through which they can harvest as much information as possible from user devices. They have built complete technical architectures based on surveillance, with data processing infrastructure that can process and monetize the data harvested. 

Remember when Aadit palicha, the Zepto founder said “Consumer internet companies drive the innovation because they have the best data, talent, and capital to put behind it”, perhaps this was the ‘need of data’ he was talking about!

The Human Cost: Sharda’s Story

To see how this surveillance affects daily life, think of Sharda. She is a normal smartphone user in an Indian city. Her phone looks normal to start with, with the usual apps that millions of Indians use each day. She has some shopping apps for easy shopping, some fintech apps to manage her money, some games for leisure, Slack for office chats, WhatsApp to stay in touch with friends and relatives, and Instagram for social networking.

Similar to most Indians, Sharda keeps her phone busy with a minimum of 100 activities every day. She considers it a virtual diary with the personal details of her life. She believes that these apps are trustworthy with her personal details since she thinks she understands the deal, and she inputs some basic details to get useful services.

Sharda is not aware of the fact that Swiggy, Zepto, and Cred can see data from at least 150 apps on her phone. They see when she’s on her banking apps and gauge how worried she is about money based on how often she’s on them. They track her use of her dating app and guess about her relationship status. They track what news she reads and create profiles of her political leanings. They track her health and fitness apps and learn about her illnesses.

They keep Sharda under close observation, knowing her better than she knows herself in so many ways. They can predict what she will do next, know what she requires, and control her choices with specific actions. The assistive food delivery app is a clever way to modify her behavior, and Sharda herself doesn’t realize that this modification is taking place.

The Consent Illusion: How Indians Give Away Their Privacy

The most appalling aspect of this scenario is the readiness with which Indians forfeit their privacy. The statistics indicate a worrying trend of not bothering to safeguard private information. According to an Indian deeptech investor, it ought not come as any surprise that apps are given complete access to user data at this point. The cultural acceptance of monitoring is so endemic that invasive data collection is simply taken for granted.

The financial services firm Cred is a typical case in point. 10 to 15 percent of the Cred users opt to share access to their email inboxes with the firm. This allows Cred to read, process, and sort their account statements and financial messages. People feel they are receiving a valuable service in exchange, but they do not usually stop to consider the wider implications of providing such total access to their online lives.

This trend is also not restricted to personal requests to state infrastructure. Digi Yatra air travel verification system uses facial recognition in airports. It has attracted close to nine million users who have voluntarily provided their biometric data to expedite airport screening. Despite serious privacy concerns and reports of passengers being coerced or tricked into using the system, millions of Indians continue to provide their biological data for minor conveniences.

The Digi Yatra system also reveals a larger issue with the way India addresses digital privacy. The system was introduced with minimal public debate, inadequate privacy safeguards, and unclear guidelines on how long they retain data. Accounts indicate that tourists are sometimes coerced into the system without being fully aware of what it is and without actual options. Nevertheless, the system continues to expand, and tens of millions more Indians will be required to provide their biometric information in the following years.

The Regulatory Vacuum: When the Law Lags Behind Technology

The regulatory apparatus to safeguard the consumer has been left far behind the technical scale and intensity of data scraping by Indian startups. Though India has just recently enacted the Digital Personal Data Protection Act (DPDPA), which imposes huge fines on data protection abuse, the enforcing machinery is still very much on paper.

The DPDPA makes provisions for fines of up to 250 crores (approximately 30 million USD) for egregious errors on the part of data fiduciaries. The legislation is a critical step towards privacy protection in India. Whether the legislation is effective or not is entirely a matter of effective enforcement. There are ominous indications that the regulatory machinery is not equal to coping with the scale and complexity of the surveillance machinery already entrenched.

There is a massive gap between the law as it is written and how business actually operates in granting permission to harvest data. Indian apps predominantly present individuals with long terms of service documents that nobody reads and comprehends. The majority of these documents have broad permissions that allow businesses to harvest a massive amount of data, but the language is so technical and cryptic that individuals are unable to comprehend what they are consenting to.

Also, meaningful consent is unclear if customers must decide between consenting to complete surveillance or not being able to use critical services. When giving up much of an individual’s personal data is what ordering food, receiving money, or chatting with friends entails, the concept of freely giving consent is more a legal narrative than a true scenario.

The Economic Incentives: Why Surveillance Pays

In order to comprehend why Indian startups gather so much information, we have to consider the economic motivations for their behavior. In the competitive Indian economy, where the firms are fighting for customers and investors, information is a valuable asset and a source of revenues.

For Swiggy and Zomato, though, generating revenue from ads is particularly crucial because they are attempting to turn a profit on their core food delivery business. Having the ability to provide advertisers with specific sets of people to target allows them to charge more. A restaurant group that will pay normal rates to target all Swiggy users may pay much more to target precisely “rich professionals aged 25-35 who use high-end banking and fitness tracking apps.”

This business model incentivizes businesses to know more about users. The more detailed and precise the user profiles, the more valuable they will be to advertisers. Businesses that can demonstrate that they have lots of knowledge about user behavior, preferences, and lifestyle can command higher ad rates and create more profitable business models.

The venture capital ecosystem that invests in most Indian startups also aligns these incentives. Investors tend to assess businesses on the basis of their data assets and user engagement metrics. A startup that is able to show end-to-end user understanding and high-quality data collection capabilities is likely to attract investors and command higher valuations.

The Security Dimension: When Data Breaches Transcend to National Security Matters

The volume of data that Indian startups amass is critical security threats beyond mere personal privacy concerns. As companies possess enormous amounts of information regarding millions of users, including their financial situation, political leaning, medical record, and social connections, they are major targets for nefarious actors.

Leaks of data here are not just embarrassing situations that need the intervention of public relations specialists. They are potentially serious national security concerns that can jeopardize the privacy and security of tens of millions of Indians. The leaks can be used by foreign spooks, criminal gangs, and other malicious actors for blackmail, social engineering, or other nefarious ends.

The Indian startup ecosystem is highly interlinked, and hence such threats are more serious. Various companies exchange data with partners, advertisers, and service providers, forming complex data webs that are difficult to protect and monitor. If any company is breached, it may leak data gathered by numerous organizations, and the effect of security breaches is hence all the more severe.

The Psychological Effect: Living Under Digital Surveillance

The psychological effects of living under complete digital surveillance are only just starting to manifest, but initial findings point to dire negative effects on personal freedom and social growth. When people understand that they are under surveillance and observation, they will change their conduct to the point of limiting imagination, spontaneity, and authentic self-expression.

As far as Indian startup tracking goes, the users might not even realize they are being tracked so intensely, but the implied knowledge of online tracking will still influence them. The realization that each download of an application, each usage pattern, and each online decision adds up to an all-encompassing behavioral record can lead to subliminal forms of self-censorship and pressure towards conformity.

This psychological aspect is especially relevant to young Indians growing up in a society where people-watching and monitoring is the rule. When it becomes the norm to gather vast amounts of information, a whole generation can have a different understanding of liberty and privacy. The long-term consequences of this change could be very dire and irreversible.

The current state of affairs is not inevitable or irreversible. Indians can insist on greater safeguards of their privacy and more dignified handling of their personal data. It will take individual action and collective pressure for tougher legislation.

Users must begin by taking a close look at the permissions they give on applications and being more judicious in what services they choose to employ. While it may be difficult to decide between being spied on and foregoing a certain service, users can still make intelligent decisions about what corporations they would like to give their data to and what kind of data collection they are comfortable with.

At The End.

The expense of this surveillance is not merely privacy concerns; it also entails threats to national security, damage to psychological health, and deprivation of individual freedom online. When the citizens are not able to avail basic digital services without surrendering a significant amount of personal information, the equilibrium between society and technology is lost.

Food being delivered to your doorstep or accepting your money through a smartphone application should not equate to losing your privacy to big corporations watching over you. Indians deserve digital services that are respectful of their privacy, protect their data, and treat them with respect as customers and not as objects to be used and traded.

The moment for action is now, before the surveillance apparatus gets too mainstream and normalized to allow actual change. The option is simple: embrace a future of total digital surveillance or fight for a digital future that is human-centric and upholds human dignity. The choice is that of every Indian smartphone user who is concerned for their privacy, freedom, and digital rights.