Opinion | Signatures Of Surveillance: Online Petitions Imperilling India’s Cybersecurity

In recent years, the trend of online petitions has increased manifold, with websites like the US-based organisation Change.org having 56.5 million registered users worldwide and approximately 7-8 million registered users in India

since 2011. The number has continued to increase since the launch of its Hindi edition a decade ago. By 2022, the platform claimed to have hosted approximately 520,000 petitions. Similarly, another online petition platform registered in India has data on 1,805 petitions from the last nine months of 2025. A US-based platform, Avaaz, had nine crore members in 193 countries by April 2025. Most of these have been found to have run online campaigns on election protests, climate change, human rights, and religious issues.

In today’s digital age, online petitions have emerged as powerful tools for civic engagement, enabling individuals to voice their concerns and advocate for change. This practice of running and supporting online petitions has also been nicknamed “slacktivism”, which involves very little commitment or effort. However, beneath their seemingly innocuous interface lies a complex web of data collection practices that pose significant threats to personal privacy and societal cohesion.

While these platforms purport to champion democratic participation, they often serve as conduits for harvesting sensitive personal information, including political and religious affiliations, without the informed consent of the users and petitioners. This data is subsequently utilised to tailor algorithmic feeds, subtly influencing individuals’ perceptions and behaviours. Such practices not only compromise data privacy but also have profound implications for national security, potentially facilitating radicalisation and recruitment by malicious actors. Consequently, this trend of online petitions and slacktivism has emerged as another threat vector impacting India’s national security.

Petitions and Perils

At first glance, online petitions seem to be the epitome of digital democracy. They promise a voice to the voiceless, a platform to rally behind causes, and a mechanism to hold governments and institutions accountable. The endeavour comes across as harmless, even noble. However, behind the click lies a dark side that most people never see: a world of data mining, profiling, and, in some cases, outright scams.

When a person signs an online petition, they don’t just express support. Unlike its physical counterpart, the process of signing an online petition involves the users voluntarily providing their personal details, including name, email address, Aadhaar number, PAN, phone number, and location. In fact, most online petitions collect far more data than is necessary. The convenience and moral pull of signing distract most of these vigilant citizens from the next, more complicated question: where does that data go, who can see it, and what can they do with it? Even the most reputable platforms acknowledge the obvious: running a global website requires a web of third-party services, including analytics, email providers, ad networks, and payment processors. Handing data to those helpers is part of what keeps the site online.

Political operatives, in their quest for hyper-personalised political campaigns, spend time learning how to turn fragments, such as a cause an individual has signed for, a town they live in, and the kind of comment they make, into an inferential profile of their beliefs, fears, and likely actions. This technique, known as microtargeting, is not hypothetical; it forms the foundation of modern political persuasion. Academics and watchdogs have documented the mechanics: collect identifiers, append other demographic or behavioural signals, then craft hyper-personalised messages that land in the quiet spaces of the person’s inbox or social feed. The signed petition becomes raw material for an algorithm that can refine who hears what and when.

Cyber Threat Scenarios

Such data can be easily exploited in phishing attacks through fake emails that appear genuine, designed to trick individuals into clicking a link, entering their bank details, or downloading malware. Because attackers already know the cause one supports, their emails sound convincing: “Confirm your support”, “Donate now”, or “Verify your signature”. One careless click, and the computer could be infected, passwords stolen, or a person’s identity compromised. It is noteworthy that India ranks among the top five most breached countries, with recent notable incidents including the ICMR Data Breach of 2023, affecting 8.15 crore Indian citizens, when their data was sold on the dark web, and a 2024 incident impacting three crore Star Health Insurance customers.

Once inside, it can steal files, lock the system for ransom, or secretly spy on the targeted individuals. All it takes is the right petition list in the hands of a malicious actor. In addition, non-state actors and even state actors may seize the opportunity to shape the way individuals think, influencing their gullibility, and then engage in structured information and disinformation warfare. They cultivate these individuals to raise their voices and, in some cases, resort to violence against their countries. In today’s age of hybrid warfare and grey-zone tactics, it is one of the most potent ways to influence citizens.

There is also the risk of data leakage and resale. Petition platforms insist they don’t “sell” personal data, but many do share it with third-party partners for advertising or analytics. In practice, that means the signature can be fed into larger systems that predict individuals’ behaviour, shape the news and customised ads they post, and push these people towards a particular side of a debate or cause.

Conclusion

Given these dynamics, Indian citizens should approach online petitions as not just civic actions but also data requests. They need to exercise caution and discretion in revealing their political preferences. Petition platforms, meanwhile, must adopt strict data minimisation, collecting only essential information such as name and email. They must make consent explicit, granular, and separate from marketing or political use. Given the evolving threat landscape and cybersecurity implications, India’s regulatory framework should explicitly cover online petition platforms, requiring mandatory privacy disclosures and standardised short notices. Breach reporting must be immediate, with penalties for non-compliance.

What appears as harmless civic activism can become a pipeline for profiling, polarisation, and even recruitment into extremist networks, if not adequately regulated. Protecting Indians requires joint action: smarter citizens, accountable platforms, stronger regulations, and sustained public education.

Soumya Awasthi is Fellow, Centre for Security, Strategy and Technology (CSST), Observer Research Foundation (ORF). Sameer Patil is Director, CSST, ORF. Views expressed in the above piece are personal and solely those of the authors. They do not necessarily reflect News18’s views.