Data breach is the new term that’s on everyone’s lips, and now after the Facebook - Cambridge Analytica scandal, the Bharatiya Janata Party and Indian National Congress are embroiled in data breach controversies of their own.
A French security researcher, who goes by the moniker Elliot Alderson, put out a tweet on Saturday highlighting that when a user creates a profile on the Narendra Modi app, their personal data and device information are sent to a third party without their consent. The information was being sent to a company called CleverTap, which, by its own admission, “enables marketers to identify, engage and retain users and provides developers”.
The data that was being sent to CleverTap included the person’s name, phone number, email, gender and so on.
When you create a profile in the official @narendramodi #Android app, all your device info (OS, network type, Carrier …) and personal data (email, photo, gender, name, …) are sent without your consent to a third-party domain called https://t.co/N3zA3QeNZO. pic.twitter.com/Vey3OP6hcf
— Elliot Alderson (@fs0c131y) March 23, 2018
After a quick search, this domain belongs to an American company called @CleverTap. According to their description, “#CleverTap is the next generation app engagement platform. It enables marketers to identify, engage and retain users and provides developers" pic.twitter.com/Ikqp9GbCDm
— Elliot Alderson (@fs0c131y) March 23, 2018
CleverTap was found to be registered in the USA. What’s worse, however, is that the Privacy Policy of the app explicitly stated that the information of the users would not be shared with a third party. Once Elliot’s tweet was widely reported, a quiet change was made to the app’s Privacy Policy, which now stated that some information was being shared with a third party to “offer you the most contextual content”, among other reasons.
After the NaMo #android app exposé yesterday, the privacy policy of @narendramodi has been changed quietly. The cached version is accessible here https://t.co/K7Uz5mUsR1
— Elliot Alderson (@fs0c131y) March 25, 2018
Someone from the team also got in touch with Elliot, saying that they used CleverTap only for analytics.
One minute after my post on @narendramodi's #android app, the "App team" created a new Twitter profile to discuss with me. We had a nice discussion. In order to be fair, here is their first answer. pic.twitter.com/4JbdoSefpt
— Elliot Alderson (@fs0c131y) March 24, 2018
This entire exchange, however, set the cat among the pigeons, with the Congress swooping in on the opportunity.
Congress President Rahul Gandhi started a campaign to delete the app.
Hi! My name is Narendra Modi. I am India's Prime Minister. When you sign up for my official App, I give all your data to my friends in American companies.
— Rahul Gandhi (@RahulGandhi) March 25, 2018
Ps. Thanks mainstream media, you're doing a great job of burying this critical story, as always. https://t.co/IZYzkuH1ZH
Modi’s NaMo App secretly records audio, video, contacts of your friends & family and even tracks your location via GPS.
— Rahul Gandhi (@RahulGandhi) March 26, 2018
He’s the Big Boss who likes to spy on Indians.
Now he wants data on our children. 13 lakh NCC cadets are being forced to download the APP. #DeleteNaMoApp
Modi misusing PM position to build personal database with data on millions of Indians via the NaMo App promoted by Govt.
— Rahul Gandhi (@RahulGandhi) March 26, 2018
If as PM he wants to use tech to communicate with India, no problem. But use the official PMO APP for it.
This data belongs to India, not Modi.
In response, the BJP’s official Twitter handle also put out a tweet, reiterating the same point they had made in the conversation with Elliot.
Contrary to Rahul’s lies, fact is that data is being used for only analytics using third party service, similar to Google Analytics. Analytics on the user data is done for offering users the most contextual content.
— BJP (@BJP4India) March 25, 2018
The Narendra Modi app, which currently has over 5 million downloads on the Google Play Store, was launched as a way to interact directly with the Prime Minister. It’s also where users listen to Mann Ki Baat.
Although the dust around the NaMo app had not begun to settle on Sunday, Elliot announced that he would be looking for loopholes in the Indian National Congress app.
On Monday, Elliot put out a series of tweets highlighting that the app only encoded personal data with base64 rather than encrypting it, and that the app’s servers were in Singapore.
Moreover, the personal data are encoded with base 64. This is not encryption! Decoding this data is very easy as shown in the example. pic.twitter.com/yDWawN2YiR
— Elliot Alderson (@fs0c131y) March 26, 2018
The IP address of https://t.co/t1pidQUmtq is 52.77.237.47. This server is located in Singapore. As you are an #Indian political party, having your server in #India is probably a good idea. pic.twitter.com/tbspCtOPfB
— Elliot Alderson (@fs0c131y) March 26, 2018
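The point that base64 is an encoding and not encryption, as an added example that is not from the original article or from the researcher: a small audit function that reports every field of a request body whose value decodes to readable text without any key. The request body, its field names and its values are constructed for illustration.

```python
import base64
import binascii
import json
import re

def _b64(text):
    return base64.b64encode(text.encode()).decode()

# Constructed sample body (assumption: not captured from any real app).
SAMPLE_BODY = json.dumps({
    "name": _b64("Asha Example"),
    "email": _b64("asha@example.org"),
    "phone": _b64("+91-5550100000"),
    "session": "9f2c-1e7a-sess",   # opaque token, not base64
    "app_version": "1.0.3",
})

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
PII_PATTERNS = {
    "email": re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+"),
    "phone": re.compile(r"\+?\d[\d\- ]{7,}\d"),
}

def try_decode(value):
    """Return the plaintext if value is base64 of printable UTF-8, else None."""
    if not isinstance(value, str) or len(value) < 8 or len(value) % 4:
        return None
    if not B64_RE.match(value):
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None

def audit_body(body):
    """Map each base64-encoded field to its plaintext and the PII kinds it matches."""
    findings = {}
    for field, value in json.loads(body).items():
        text = try_decode(value)
        if text is not None:
            kinds = [k for k, rx in PII_PATTERNS.items() if rx.fullmatch(text)]
            findings[field] = {"decoded": text, "pii": kinds}
    return findings

if __name__ == "__main__":
    for field, info in audit_body(SAMPLE_BODY).items():
        print(field, "->", info["decoded"], info["pii"])
```

Every flagged field is recovered with no secret involved, which is why such data needs transport encryption (TLS) and, where warranted, real encryption of the payload.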
However, on the very day that the Congress called for the NaMo app to be deleted, they ended up deleting their own – With INC.
The BJP wasn’t one to back down, and was swift to point out that the hands of the Congress, which had gone all guns blazing at the BJP, weren’t clean either.
Hi! My name is Rahul Gandhi. I am the President of India’s oldest political party. When you sign up for our official App, I give all your data to my friends in Singapore. pic.twitter.com/ceCTkod17D
— Amit Malviya (@malviyamit) March 26, 2018
Full marks to @INCIndia for stating upfront that they'll give your data to **practically anyone** - undisclosed vendors, unknown volunteers, even 'groups with similar causes'. In theft of all forms, Congress has never been discreet! pic.twitter.com/FCSIv6nPMn
— Amit Malviya (@malviyamit) March 26, 2018
Now that we're talking tech, would you care to answer @RahulGandhi ji why Congress sends data to Singapore Servers which can be accessed by any Tom, Dick and Analytica? pic.twitter.com/U5YLTckBsf
— Smriti Z Irani (@smritiirani) March 26, 2018
Ye kya @RahulGandhi ji it seems your team is doing the opposite of what you asked for. Instead of #DeleteNaMoApp, they have deleted the Congress App itself pic.twitter.com/NrbMxz57gs
— Smriti Z Irani (@smritiirani) March 26, 2018
Congress social media head Divya Spandana and the Congress’s official handle said, in a clarification, that they were not collecting data through the app, and that the link provided through the app was defunct and the app was hence taken down from the Play Store.
Clarification: We don’t drive membership through the app, it’s done through our website https://t.co/eVPYDG34Yf
— Divya Spandana/Ramya (@divyaspandana) March 26, 2018
Servers for these are based in Mumbai.
As you may have noticed, the link on the app is broken. https://t.co/Y57aAxhcjh
We don’t collect any personal data through the INC app. We discontinued it a long time ago. It was being used only for social media updates.
— Divya Spandana/Ramya (@divyaspandana) March 26, 2018
We collect data for membership and this is through our website https://t.co/Mi3BWOK9Z0, this is encrypted. https://t.co/9r0EXWwU4Z
The URL for membership on the INC app has been defunct for a while now. Our membership is through the INC website. How difficult is that to understand- https://t.co/UbS5vrTcNL
— Divya Spandana/Ramya (@divyaspandana) March 26, 2018
The WithINC app is a membership app & has not been in use for over 5 months since we moved membership to https://t.co/HkouqDJ8hN from 16th Nov 2017.
— Congress (@INCIndia) March 26, 2018
The URL (https://t.co/s6EcGp0Oet) quoted by the media is the defunct URL from the app. The actual membership URL can be seen below pic.twitter.com/bXFXBEdcUg
WithINC app was being used for Social Media updates alone since transitioning the membership to the website. This morning we were forced to remove the app from the Playstore as the wrong URL was being circulated & people were being misled.
— Congress (@INCIndia) March 26, 2018
In the wake of Cambridge Analytica and multiple Aadhaar leaks, the fight over privacy policies between the two major political parties just got interesting.