Prime Minister Narendra Modi’s official app, which has been downloaded over five million times on Android devices, have been found sending user data to a US-based company without taking the user’s consent explicitly, according to The French security researcher, who goes by the alias Elliot Alderson, who highlighted the vulnerability on Twitter.
In a series of tweets, the security researcher highlighted that the NaMo app was sending personal user data to a third-party domain that was traced to an American company. He later tweeted that the app had “quietly” updated its privacy policy after his tweets.
NDTV claims to have verified Alderson’s claims by consulting experts who found that the app is indeed sending user data to a website called in.wzrkt.com. The app was sending information such as the name, email address, gender and city. The app asks for 22 permissions to access highly personal data including contacts, photographs, location, microphone and camera. In comparison Amazon Shopping app asks for only 17 permissions.
The domain name was found to have belonged to a company called WizRocket Inc, which NDTV claims, is registered in California. A quick Google search shows WizRocket is a data analytics platform developed by another US-based firm called CleverTap.
CleverTap was founded by three Indians in 2013 and has offices in several cities across the United States and in India including New Delhi, Mumbai and Bengaluru. According to CleverTap’s website, it is a mobile marketing platform that “visually builds and delivers omnichannel campaigns based on user behaviour, location and lifecycle stage.”
BJP later admitted to the app sharing user data and came on the record to state that "analytics and processing on the user data is done for offering users the most contextual content...It also enables a unique, personalised experience according to a person’s interests." Party spokesperson Sambit Patra held a press conference to state "analytics does not equate to spying or snooping."
The data breach is alarming, especially in the context of the ongoing Facebook scandal where data on 50 million users were harvested by a seemingly harmless quiz app and sold to Cambridge Analytica, a firm specialising in using psychographic information to boost election campaigns.