Are Indian political parties using apps to steal citizens’ data?

Doing without asking.
Image: Reuters/Babu

Just days after the Cambridge Analytica (CA) voter manipulation scandal unravelled, India’s leading political parties are now caught in the eye of a data-breach storm.

On March 23, a French security researcher, who goes by the pseudonym Elliot Alderson, said that the mobile app of prime minister Narendra Modi sent users’ data to a third-party US-based company without their consent.

In a series of tweets, Alderson said that after a little digging he had found that mobile marketing platform CleverTap was the beneficiary of this illicit data transfer.

Earlier, Alderson had brought to light the loopholes in India’s massive national identity card project, Aadhaar.

On March 26, television channel NDTV said its own investigation had confirmed Alderson’s claims. NDTV found that user data was being routed to a domain owned by a California-based company called WizRocket and directed to a server in Mumbai. WizRocket is a subsidiary of CleverTap, a behavioral analytics firm founded in 2013 by three Indians, Anand Jain, Sunil Thomas, and Suresh Kondamudi. It has offices in the US and India.

Neither the Bharatiya Janata Party (BJP) nor CleverTap responded to emails from Quartz.

Meanwhile, With INC, the app of the opposition Indian National Congress party, disappeared from the Google app store around noon on March 26, probably out of the party’s fear of being scrutinised next.

Indian apps seek way too many dangerous permissions, but not collecting consent is a different risk altogether.

What are these apps?

The Narendra Modi app and With INC gained popularity in the run-up to the 2014 elections.

The first makes users privy to instant updates and conveys “messages and emails directly from the prime minister,” its Google Play Store description reads. Users can also read the PM’s blogs and listen to his radio show, Mann Ki Baat, on the platform. It has been downloaded over five million times on Android devices. Recently, over 1.3 million cadets from the National Cadet Corps were also asked by the government to download it.

While its Android Play Store description reads “official app of (the) prime minister of India, Narendra Modi,” it is not affiliated with the government and is owned by Modi in his private capacity. The app’s registered developer address is that of the BJP’s Delhi headquarters.

With INC, on the other hand, allows users to “connect with the Congress by receiving regular updates from various social media and news channels.” It also lets users apply for party membership. Quartz could not gather further details, including the number of app downloads, as it is no longer available.

The uproar

The Modi app team responded to Alderson via direct message on Twitter on March 23 itself, saying it uses CleverTap as an analytical solution, à la Google Analytics, to tailor user experiences on the app. It emphasised that all the data is owned by the authorities and stored in India, and that there has been no data breach.

However, the Congress has already alleged that the BJP plays a part in the Facebook-Cambridge Analytica controversy, citing the landslide victory of the BJP’s ally, the Janata Dal United (JDU), in the 2010 Bihar assembly elections in which CA was active.

Congress chief Rahul Gandhi has even launched a Twitter campaign called #DeleteNamoApp.

The BJP has, however, called Gandhi’s claims misplaced and accused the Congress of data theft.

Amit Malviya, who heads the BJP’s national IT cell, tweeted that the Congress app sends information to sources in Singapore. However, the Congress’s social media head, Divya Spandana, denied storing or sharing any data, even calling Malviya a “dimwit” on the micro-blogging platform.

Amid all this mud-slinging, the Narendra Modi app quietly reworked its privacy policy. Earlier, it promised that data would not be provided to “third parties in any manner” without users’ consent. Following the scandal, as of March 26, the updated guidelines now say that a user’s name, email, mobile phone number, device information, location, and network carrier may be processed by third-party services.