A French security researcher, who is in limelight for keeping UIDAI on its toes by exposing in the Aadhaar infrastructure’s diverse security holes, has claimed in a series of tweets that Prime Minister Narendra Modi’s application is showing all the personal information of its users to a third party website called in.wzrkt.com and that too without the consent of the users.
He did all it’s investigation and found that some personal details such as name, gender, e-mail, telecom operator type and more was indeed being shared with the website in.wzrkt.com.
When you create a profile in the official @narendramodi #Android app, all your device info (OS, network type, Carrier …) and personal data (email, photo, gender, name, …) are send without your consent to a third-party domain called https://t.co/N3zA3QeNZO. pic.twitter.com/Vey3OP6hcf
— Elliot Alderson (@fs0c131y) March 23, 2018
After privacy breaches of the app was found true, the privacy policy on PM Modi’s website quietly changed to accommodate for this lapse.
A night before the expose took place, this was what the application’s privacy policy said (cached versions saved by Alt News):
This domain is classified as a phishing link by the company G-Data. This website is hosted by @GoDaddy and the whois info are hidden. pic.twitter.com/dRUx0fuZ38
— Elliot Alderson (@fs0c131y) March 23, 2018
The alterations made to the privacy policy have been made surreptitiously since neither the verified Twitter account of the Prime Minister nor the verified account narendramodi_in which claims to be the “Twitter account of http://www.narendramodi.in – Shri Narendra Modi’s personal website & the Narendra Modi Mobile App.” acknowledged the issue. The NaMo APP has also not followed the standard practice to let the users know about the changes and when and why were the changes made to the privacy policy, a practice that most major apps and websites follow.
After a quick search, this domain belongs to an American company called @CleverTap. According to their description, “#CleverTap is the next generation app engagement platform. It enables marketers to identify, engage and retain users and provides developers" pic.twitter.com/Ikqp9GbCDm
— Elliot Alderson (@fs0c131y) March 23, 2018
According to an independent investigation conducted they found that the official mobile application of PM Narendra Modi, downloaded over five million times on Android alone, sent user data to the US-based company, WizRocket Inc, without consent.
WizRocket is a data analytics platform developed by a US-based company called CleverTap. CleverTap’s website says it is as a mobile marketing platform that “visually builds and delivers omnichannel campaigns based on user behaviour, location and lifecycle stage”. The company was founded in 2013 by three Indians and has offices in several cities in USA and Indian offices are in Mumbai, New Delhi and Bengaluru.
BJP the ruling Party has denied the allegations and said the data was being used only for analytics to offer all users the “most contextual content”.
Data is being used for analytics using third-party service, similar to Google Analytics. The data in no way is stored or used by the third party services,” one of the sources from BJP said.
Rahul Gandhi also took to Twitter to express his condemnation against the privacy breach.
Hi! My name is Narendra Modi. I am India's Prime Minister. When you sign up for my official App, I give all your data to my friends in American companies.
Ps. Thanks mainstream media, you're doing a great job of burying this critical story, as always.https://t.co/IZYzkuH1ZH
— Rahul Gandhi (@RahulGandhi) March 25, 2018
This was followed by a war of words between the two national parties, claiming that Rahul Gandhi’s tweet has only helped NaMo App gain more popularity.
Modi’s NaMo App secretly records audio, video, contacts of your friends & family and even tracks your location via GPS.
He’s the Big Boss who likes to spy on Indians.
Now he wants data on our children. 13 lakh NCC cadets are being forced to download the APP.#DeleteNaMoApp
— Rahul Gandhi (@RahulGandhi) March 26, 2018
BJP went ahead to accuse Congress of data breach.
IT Minister will not do a press conference on the NaMo App on these allegations of Data Chori!
Will the media dare to question Modi ji on the functioning of his App? Will the brain behind this "Data Usurpation" be summoned?
What about the 15 Lakh NCC cadets & their privacy? https://t.co/unLi2Sj2AW
— Randeep Singh Surjewala (@rssurjewala) March 24, 2018
Hi! My name is Rahul Gandhi. I am the President of India’s oldest political party. When you sign up for our official App, I give all your data to my friends in Singapore. pic.twitter.com/ceCTkod17D
— Amit Malviya (@amitmalviya) March 26, 2018
Soon after, Congress deleted its official mobile application.
Congress’s social media head Divya Spandana took to Twitter to clarify the party’s decision to delete the app from Google’s Play Store. “The URL for membership on the INC app has been defunct for a while now. Our membership is through the INC website. How difficult is that to understand,” tweets Divya.
