- Security researcher said app was sharing user data without consent
- NDTV verifies claim, finds data being sent to servers run by US firm
The ruling BJP has denied the allegations and said the data was being used only for analytics to offer all users the "most contextual content". It also hit out at the Congress, saying the opposition party's app shared data with third parties without consent.
It was a security researcher, who has previously highlighted vulnerabilities in India's national identity card project Aadhaar and who tweets under the pseudonym Elliot Alderson, who first posted a series of messages on Twitter on Saturday stating the Narendra Modi app was sending personal user data to a third-party domain that was traced to an American company.
NDTV checked the claims, consulting experts and using a popular tool called Burp Suite. The findings showed that as a user kept entering personal information such as name, email address, gender and city, the data was being shared with the website in.wzrkt.com.
NDTV found that the domain in.wzrkt.com belonged to a company called WizRocket Inc which is registered in California and the data is being sent to a server in Mumbai. WizRocket is a data analytics platform developed by a US-based company called CleverTap.
The link, earlier pointed out by Alderson and fact-checking website AltNews, sponsored an attack by Rahul Gandhi who tweeted, "Hi! My name is Narendra Modi. I am India's Prime Minister. When you sign up for my official App, I give all your data to my friends in American companies. Ps. Thanks mainstream media, you're doing a great job of burying this critical story, as always."
Stung by mounting criticism on social media, the BJP admitted that it was sharing information but that this was par for the course. The BJP's official Twitter handle tweeted, "Contrary to Rahul's lies , fact is that data is being used for only analytics using third party service, similar to Google Analytics. Analytics on the user data is done for offering the most contextual content."
The Congress, however, countered the claim.
Full marks to @INCIndia for stating upfront that they'll give your data to **practically anyone** - undisclosed vendors, unknown volunteers, even 'groups with similar causes'. In theft of all forms, Congress has never been discreet! pic.twitter.com/FCSIv6nPMn- Amit Malviya (@malviyamit) March 26, 2018
Experts say that data shared with political parties is prone to misuse. Srinivas Kodali, a cybersecurity expert said, "It can be misused by sharing with private companies like Cambridge Analytica which could build voter profiles of volunteers who are active through the Narendra Modi application."
We don’t collect any personal data through the INC app. We discontinued it a long time ago. It was being used only for social media updates.- Divya Spandana/Ramya (@divyaspandana) March 26, 2018
We collect data for membership and this is through our website https://t.co/Mi3BWOK9Z0, this is encrypted. https://t.co/9r0EXWwU4Z
The backlash was also compounded by criticism over 13 lakh cadets of India's National Cadet Corps being asked to install the app and share phone numbers and email addresses with the Prime Minister's office.
As the controversy swelled, that policy was changed to say, "The following information may be processed by third party services to offer you a better experience as stated above: name, email, mobile phone number, device information, location and network carrier."
NDTV has contacted both the BJP IT cell as well as CleverTap for their responses and is yet to receive them. The story shall be updated once a response is received.
(With inputs from Reuters)