French vigilante hacker reveals NaMo app shares its data with third party illegally

NEW DELHI: Already in the line of fire for collecting people’s data for Aadhaar, the Narendra Modi government is now facing the ire of privacy vigilantes for illegally sharing data from the “official app of the Prime Minister of India” with a third party company in the US.

While the FAQ section of the Narendra Modi app promises that the data that users provide on the app is strictly “private”, housed safely and not passed on to anyone else, a French vigilante hacker in a series of tweets alleged that the personal data including email IDs, photos, gender and names of the users of Modi’s mobile app were being sent to a third party domain without their consent.

“When you create a profile in the official @narendramodi #Android app, all your device info (OS, network type, Carrier …) and personal data (email, photo, gender, name, …) are sent without your consent to a third-party domain called (in.wzrkt.com),” the privacy vigilante who goes by the name Elliot Alderson tweeted on March 23.

Alderson wrote, “This domain is classified as a phishing link by the company G-Data. This website is hosted by @GoDaddy and the whois info are hidden.”

He wrote, ” @narendramodi, I know privacy is not your thing but any thoughts about sharing the personal data of your users without their consent to a third-party company?”

Fact-checking website Alt News later backed up Alderson’s finding.

Alderson claimed that this domain belongs to a US-based company called CleverTap, a mobile marketing solution provider with offices in San Francisco, New York, Los Angeles, Mumbai and Bengaluru.

Co-founded by entrepreneurs Sunil Thomas, Anand Jain and Suresh Kondamudi in 2013, CleverTap says that it provides insights that their clients need to keep users engaged and drive long-term retention and growth.

The BJP responded to the allegations by saying that the data is being used for analytics using third party service, similar to Google Analytics.

While saying that using an analytics solution is standard in the mobile development world, Alderson pointed out that sharing personal data without consent of the users “is illegal”.

Moreover, collecting personal data of users “without their consent is against the TOS (Terms of Service) of Google Play Store.”

“I only believe in the technical truth. Don’t trust political speeches from both sides. Thing is, @narendramodi’s app is sending personal data to a third party company without user consent. The rest are just suppositions,” Alderson said in another tweet on Sunday.

The NaMo app mentions “exclusive opportunity to receive e-mails and messages directly from the PM” and receiving “personalised birthday greetings from the PM” among its highlights.

Interestingly, at the Google Play Store, the NaMo app describes itself as the “official app of the Prime Minister of India”. However, the app — or the website “narendramodi.in” — is not owned by or affiliated to the government, which generally uses the domain “nic.in” or “gov.in”.

The website is hosted by a US-based company Akamai, headquartered in Massachusetts and the app is owned by Modi in his private capacity, not by the Prime Minister’s office, and he has provided 11, Ashok Road, New Delhi — BJP’s headquarter till a few months back — as the registered address.

The domain “narendramodi.in” was created on February 28, 2005 (around a decade before he became the Prime Minister) and is scheduled to expire on February 28, 2019.

However, the app was launched in June 2015. It has had over five million downloads on the Google Play Store so far.

The app compulsorily asks for a user’s name and email ID when registering on it.

The app, however, also allows people to access it even as a guest without entering their personal details.

Emails seeking responses from Akamai and CleverTap did not elicit any response.

IANS