Indian Prime Minister Narendra Modi’s Android app is allegedly collecting your personal data and sharing it with a third party without your consent. This claim has been made by the French security expert who goes by the name Elliot Anderson on Twitter.
Elliot made this revelation is a series of tweets and detailed how Narendra Modi Android app starts collecting private data and device information as soon as a user profile is created. The collected data includes your phone operating system, network type, carrier, email, photo, gender, name, etc.
Moreover, the third party domain with which the data is shared is classified as a phishing link by G-Data. The domain was further found to belong to an Americal company CleverTap, which calls itself “the next generation app engagement platform. It enables marketers to identify, engage and retain users and provides developers.” It’s a popular marketing SDK for getting insights about app usage, user retention, and running different app-related campaigns.
When you create a profile in the official @narendramodi #Android app, all your device info (OS, network type, Carrier …) and personal data (email, photo, gender, name, …) are send without your consent to a third-party domain called https://t.co/N3zA3QeNZO. pic.twitter.com/Vey3OP6hcf
— Elliot Alderson (@fs0c131y) March 23, 2018
As spotted by us in the FAQ section, the app even claims that it doesn’t share the data. It is private and isn’t passed on to anyone else. If the claims made by Elliot are correct, the developers of the app should be rightly held responsible.
While collecting user data for analytics purposes is a common practice in the mobile development world, sharing it with third parties without user consent is unethical. Moreover, as Elliot says, it’s even against Google Play Store’s terms of conditions.
When you sign up, you give the permissions to access your data, and you see a popup. However, it doesn’t show any prompt or terms and conditions link that would detail its policies regarding sharing the data with the third party.
This screen is not a T&Cs screen. It only ask you to give the permissions to the app. This is different
— Elliot Alderson (@fs0c131y) March 24, 2018
While the app is focused on Indian users, it’s also available in Europe. So, in a way, it’s violating the General Data Protection Law followed by the European Union as well.
The app has been under scrutiny in the past as well for running poorly executed surveys during demonetization and collecting information about students enrolled with NCC.
In the wake of the recent Facebook and Cambridge Analytica breach, sharing data with third parties–that too without user consent–is troublesome. It becomes even more critical when the app is continuously pushed by PM Modi, and government and its agencies are being asked to install it.