Innocuous-looking on-line petitions can imperil India’s cybersecurity

Soumya Awasthi and Sameer Patil

In current years, the pattern of on-line petitions has elevated manifold, with web sites just like the US-based organisation Change.org having 56.5 million registered customers worldwide and roughly 7-8 million registered customers in India since 2011.

The quantity has continued to extend for the reason that launch of its Hindi version a decade in the past. By 2022, the platform claimed to have hosted roughly 520,000 petitions. Similarly, one other on-line petition platform registered in India has knowledge on 1,805 petitions from the final 9 months of 2025. A US-based platform, Avaaz, had 9 crore members in 193 international locations by April 2025.

Most of those have been discovered to have run on-line campaigns on election protests, local weather change, human rights, and non secular points.

In at this time’s digital age, on-line petitions have emerged as highly effective instruments for civic engagement, enabling people to voice their issues and advocate for change. This apply of working and supporting on-line petitions and social media has additionally been nicknamed as slacktivism, which includes little or no dedication or effort. However, beneath their seemingly innocuous interface lies a posh net of knowledge assortment practices that pose vital threats to non-public privateness and societal cohesion.

While these platforms purport to champion democratic participation, they typically function conduits for harvesting delicate private data, together with political and non secular affiliations, with out the knowledgeable consent of the customers and petitioners.

This knowledge is subsequently utilised to tailor algorithmic feeds, subtly influencing people’ perceptions and behaviours. Such practices not solely compromise knowledge privateness but additionally have profound implications for nationwide safety, doubtlessly facilitating radicalisation and recruitment by malicious actors.

Consequently, this pattern of on-line petitions and slacktivism has emerged as one other menace vector impacting India’s nationwide safety.

At first look, on-line petitions appear to be the epitome of digital democracy. They promise a voice to the unvoiced, a platform to rally behind causes, and a mechanism to carry governments and establishments accountable. The endeavour comes throughout as innocent, even noble. However, behind the clicking lies a darkish aspect which most individuals by no means see: a world of knowledge mining, profiling, and in some instances, outright scams.

When an individual indicators an internet petition, they don’t simply categorical help. Unlike its bodily counterpart, the method of signing an internet petition includes the customers voluntarily offering their private particulars, together with title, e-mail tackle, Aadhaar quantity, PAN card, telephone quantity, and site. In reality, most on-line petitions gather way more knowledge than is critical. The comfort and ethical pull of signing distract most of those vigilant residents from the following, extra sophisticated query: the place does that knowledge go, who can see it, and what can they do with it? Even probably the most respected platforms acknowledge the plain: working a world web site requires an online of third-party companies, together with analytics, e-mail suppliers, advert networks, and fee processors. Handing knowledge to these helpers is a part of what retains the positioning on-line.

Political operatives, of their quest for hyper-personalised political campaigns, spend time studying the best way to flip fragments, comparable to a trigger a person has signed for, a city they dwell in, and the sort of remark they make, into an inferential profile of their beliefs, fears, and sure actions.

This approach, often called microtargeting, shouldn’t be hypothetical; it types the muse of recent political persuasion. Academics and watchdogs have documented the mechanics: gather identifiers, append different demographic or behavioural alerts, then craft hyper-personalised messages that land within the quiet areas of the individual’s inbox or social feed. The petition signed turns into uncooked materials for an algorithm that may refine who hears what and when.

Cyber Threat Scenarios

Such knowledge may be simply exploited in phishing assaults by faux emails that seem real, designed to trick people into clicking a hyperlink, getting into their financial institution particulars, or downloading malware. Because attackers already know the trigger one helps, their emails sound convincing: “Confirm your support,” “Donate now,” or “Verify your signature.”

One careless click on, and the pc might be contaminated, passwords stolen, or an individual’s identification compromised. It is noteworthy that India ranks among the many prime 5 most breached international locations. Recently, the 2023 ICMR Data Breach, by which knowledge of 8.15 crore Indians was bought on the darkish net, and the 2024 Star Health Insurance knowledge breach.

Once inside, it may steal information, lock the system for ransom, or secretly spy on the focused people. All it takes is the appropriate petition checklist within the palms of a malicious actor. In addition, non-state actors and even state actors could seize the chance to form the best way people assume, influencing their gullibility, after which have interaction in structured data and disinformation warfare. They domesticate these people to boost their voices and, in some instances, resort to violence towards their international locations. In at this time’s age of hybrid warfare and grey-zone techniques,  it is without doubt one of the potent methods to affect residents.

There can also be the chance of knowledge leakage and resale. Petition platforms insist they don’t “sell” private knowledge, however many do share it with third-party companions for promoting or analytics. In apply, which means the signature may be fed into bigger methods that predict people’ behaviour, form the information and customised advertisements they publish, and push these folks in the direction of a selected aspect of a debate or trigger.  

Given these dynamics, Indian residents ought to method on-line petitions as not simply civic actions, but additionally knowledge requests. They have to train warning and discretion in revealing their political preferences. Petition platforms, in the meantime, should undertake strict knowledge minimisation, accumulating solely important data comparable to title and e-mail. They should make consent express, granular, and separate from advertising or political use. Given the evolving menace panorama and cybersecurity implications, India’s regulatory framework ought to explicitly cowl on-line petition platforms, requiring necessary privateness disclosures and standardised quick notices. Breach reporting should be speedy, with penalties for non-compliance.

ALSO READ: Mohsin Ali Suhail’s journalism has led to optimistic change

What seems as innocent civic activism can turn out to be a pipeline for profiling, polarisation, and even recruitment into extremist networks, if not adequately regulated. Protecting Indians requires joint motion: smarter residents, accountable platforms, stronger laws, and sustained public schooling.

Soumya Awasthi is a Fellow, Centre for Security, Strategy and Technology (CSST), Observer Research Foundation (ORF). Sameer Patil is Director, CSST, ORF.