NaMo App: Narendra Modi App Sends User Data To US Firm. Congress App Too, Says BJP

The Narendra Modi app is promoted by the BJP as a one-stop channel for government achievements.

Highlights

Security researcher said app was sharing user data without consent
NDTV verifies claim, finds data being sent to servers run by US firm
Privacy policy of app updated, BJP says Congress app shares data too

New Delhi: The official mobile app of Prime Minister Narendra Modi, downloaded over five million times on Android alone, sent user data to a US-based company without consent, security researchers have found in claims that were verified by NDTV. Allegations against the Narendra Modi app, which have sparked a furore on social media and biting criticism from Congress President Rahul Gandhi, come at a time of heightened sensitivity around the alleged misuse of personal data amid the unfolding Facebook-Cambridge Analytica controversy.

The ruling BJP has denied the allegations and said the data was being used only for analytics to offer all users the "most contextual content". It also hit out at the Congress, saying the opposition party's app shared data with third parties without consent.

It was a security researcher, who has previously highlighted vulnerabilities in India's national identity card project Aadhaar and who tweets under the pseudonym Elliot Alderson, who first posted a series of messages on Twitter on Saturday stating the Narendra Modi app was sending personal user data to a third-party domain that was traced to an American company.

Alderson, who initially pointed out that the application, popularly known as NaMo app in India, was sharing data with a third party without the consent of users, earlier on Sunday posted a new tweet saying the app had "quietly" updated its privacy policy after his previous tweets.

NDTV checked the claims, consulting experts and using a popular tool called Burp Suite. The findings showed that as a user kept entering personal information such as name, email address, gender and city, the data was being shared with the website in.wzrkt.com.

The email address "hello@world.com" entered during registration was sent to in.wzrkt.com

During the entire process of registration the user is never informed or asked permission for sending data to a third party - a procedure which is usually followed by most apps.

NDTV found that the domain in.wzrkt.com belonged to a company called WizRocket Inc which is registered in California and the data is being sent to a server in Mumbai. WizRocket is a data analytics platform developed by a US-based company called CleverTap.

The Narendra Modi app shares user with a server registered to WizRocket Inc. in California.

CleverTap's website says it is as a mobile marketing platform that "visually builds and delivers omnichannel campaigns based on user behavior, location and lifecycle stage". The company was founded in 2013 by three Indians and has offices in several cities in USA and Indian offices are in Mumbai, New Delhi and Bengaluru.

The link, earlier pointed out by Alderson and fact-checking website AltNews, sponsored an attack by Rahul Gandhi who tweeted, "Hi! My name is Narendra Modi. I am India's Prime Minister. When you sign up for my official App, I give all your data to my friends in American companies. Ps. Thanks mainstream media, you're doing a great job of burying this critical story, as always."

Stung by mounting criticism on social media, the BJP admitted that it was sharing information but that this was par for the course. The BJP's official Twitter handle tweeted, "Contrary to Rahul's lies , fact is that data is being used for only analytics using third party service, similar to Google Analytics. Analytics on the user data is done for offering the most contextual content."

Amit Malviya, the chief of BJP's IT operations, also attacked Rahul Gandhi and Congress, alleging similar privacy and consent conflicts.

Full marks to @INCIndia for stating upfront that they'll give your data to **practically anyone** - undisclosed vendors, unknown volunteers, even 'groups with similar causes'. In theft of all forms, Congress has never been discreet! pic.twitter.com/FCSIv6nPMn
- Amit Malviya (@malviyamit) March 26, 2018

The Congress, however, countered the claim.

We don’t collect any personal data through the INC app. We discontinued it a long time ago. It was being used only for social media updates.
We collect data for membership and this is through our website https://t.co/Mi3BWOK9Z0, this is encrypted. https://t.co/9r0EXWwU4Z
- Divya Spandana/Ramya (@divyaspandana) March 26, 2018

Experts say that data shared with political parties is prone to misuse. Srinivas Kodali, a cybersecurity expert said, "It can be misused by sharing with private companies like Cambridge Analytica which could build voter profiles of volunteers who are active through the Narendra Modi application."

The BJP's response, however, did not appear to address the crucial issue of consent. The privacy policy for the NaMo app, posted on the website narendramodi.in, until yesterday, read, "Your personal information and contact details shall remain confidential and shall not be used for any purpose other than our communication with you. The information shall not be provided to third parties in any manner whatsoever without your consent."

The backlash was also compounded by criticism over 13 lakh cadets of India's National Cadet Corps being asked to install the app and share phone numbers and email addresses with the Prime Minister's office.

As the controversy swelled, that policy was changed to say, "The following information may be processed by third party services to offer you a better experience as stated above: name, email, mobile phone number, device information, location and network carrier."

NDTV has contacted both the BJP IT cell as well as CleverTap for their responses and is yet to receive them. The story shall be updated once a response is received.

(With inputs from Reuters)