At the start of each day, we all have to waste a good amount of time just filtering out spam. Tomorrow, this process might take even longer than usual, because there is a pretty good chance that the Telecom Regulatory Authority of India (Trai) just published your email address along with your name.
A month ago, Trai released a draft consultation paper on the issue of regulations for Over The Top (OTT) services - what we'd call apps and websites - and sought feedback from the various stakeholders including individuals. It received responses from the various service providers (such as BSNL, Airtel, and Vodafone) and associations (such as Assocham, COAI, and Nasscom), along with over a million responses from individuals. Unfortunately, in showing us these responses, Trai also published the name and email address of all the million plus individuals who responded.
Trai is now looking for counter-comments to these responses from the different stakeholders, which will be accepted on email@example.com until May 8. After that, the regulator will be presenting its recommendations to the government, and then it is up to the Department of Telecom to decide what to implement.
For now though, Trai's decision to publish the email addresses of all the individual respondents is a privacy nightmare. These are over a million verified email addresses, often with the name of the sender also present in clear text. For email marketers, this kind of database is worth a lot of money, and you can be certain that by the time you read this, the PDFs published by Trai have already been scanned and all the details saved by various unscrupulous companies, and everyone on that list can expect a barrage of spam.
Understandably, Trai needed to show the authenticity of the emails it was displaying as feedback, and needed to make the list searchable by individuals so you can find your own mail amongst the million plus letters that Trai received. However, the company could have shared only names and not email addresses, or used software to mask the email address partially, or done any number of things to prove the authenticity without broadcasting our email addresses.
Another issue is that since Trai is reproducing the emails in full, if your email signature includes a phone number or address, this will also be visible on Trai's site. This isn't precisely the regulator's fault - it had stated that it would publish responses, but it is a privacy concern nonetheless.
It's ironic that while companies contact details have not been shared, those of individuals are being given out freely - and while spam is a very visible manifestation of why this is a problem, the issue is more serious than that. Over a million people have already had their privacy violated. Hypothetically, these individuals could also now be targeted by companies, particularly if they sent the email to Trai from the same address they used to register with their ISP. Imagine if Airtel decided to deny Internet access to people who have spoken out against Airtel Zero?
That is of course a very unlikely hypothetical scenario, but the fact that something like this is at all possible should have you concerned, and the only reason it has happened is because Trai has not taken proper precautions with the data it gathered.
For now however, the Trai website is currently inaccessible, and the hacker group Anonymous is claiming credit for this on Twitter, though there is no way to verify who, exactly, is responsible. The site appears to be under a denial of service attack, where you flood a website with a lot of random requests data so it can't answer requests from others. On Twitter, the group also asserted that it will hack Trai soon.