Are political parties using apps to steal citizens’ data in India.

Just days after the Cambridge Analytica (CA) voter manipulation unraveled, India's leading political parties are now caught in the eye of a data-breach storm.

On March 23, a French security researcher, who goes by the pseudonym Elliot Alderson, said that the mobile app of prime minister Narendra Modi sent user data to a third-party US-based company without their consent.

In a series of tweets, Alderson said that after a little digging he had found that mobile marketing platform CleverTap was the beneficiary of this illicit data transfer.

When you create a profile in the official @narendramodi #Android app, all your device info (OS, network type, Carrier …) and personal data (email, photo, gender, name, …) are send without your consent to a third-party domain calledhttps://t.co/N3zA3QeNZO. pic.twitter.com/Vey3OP6hcf

— Elliot Alderson (@fs0c131y) March 23, 2018

Earlier, Alderson had brought to light the loopholes in India's massive national identity card project, Aadhaar.

On March 26, television channel NDTV said it its own investigation had confirmed Alderson's claims. NDTV found that user data was being routed to a domain owned by a California-based company called WizRocket and directed to a server in Mumbai. WizRocket is a subsidiary of Clevertap, a behavioral analytics firm founded in 2013 by three Indians, Anand Jain, Sunil Thomas, and Suresh Kondamudi. It has offices in the US and India.

Neither the BJP nor Clevertap responded to emails from Quartz.

Meanwhile, With INC, the app of the opposition Indian National Congress party, disappeared from the app store around noon on March 26, probably out of fear of being scrutinised next.

I found something interesting on the With INC #android app, details will be published tomorrow 

— Elliot Alderson (@fs0c131y) March 25, 2018

Indian apps seek way too many dangerous permissions, but not collecting consent is a different risk altogether.

What are these app?

The Narendra Modi app and With INC gained popularity in the run-up to the 2012 election.

The first makes users privy to instant updates and conveys "messages and emails directly from the prime minister," its Google Play Store description reads. Users can also read the PM's blogs and listen to his radio show, Mann Ki Baat, on the platform. It has been downloaded over five million times on Android. This includes over 1.3 million cadets from the National Cadet Corps (NCC), who were recently asked by the government to download it.

While its Andriod Play Store description reads "official app of (the) prime minister of India, Narendra Modi," it is not affiliated with the government and is owned by Modi in his private capacity. The app's registered developer address is that of the BJP's Delhi headquarters.

With INC, on the other hand, allows users to "connect with the Congress by receiving regular updates from various social media and news channels." It also lets users apply for party membership. Quartz could not gather further  details, including the number of app downloads, as it is no longer available.

The uproar

The Modi app team responded to Alderson via direct message on Twitter on March 23 itself, saying it uses CleverTap as an analytical solution, à la Google Analytics, to tailor user experiences on the app. It emphasised that all the data is owned by the authorities and stored in India, and that there has been no data breach.

However, the Congress has already alleged that the BJP plays a part in the Facebook-Cambridge Analytica controversy, citing the landslide victory of the BJP's ally, Janata Dal United (JDU), in the 2010 Bihar assembly elections in which CA was active.

Congress chief Rahul Gandhi has even launched a Twitter campaign called #DeleteNamoApp.

Hi! My name is Narendra Modi. I am India's Prime Minister. When you sign up for my official App, I give all your data to my friends in American companies.

Ps. Thanks mainstream media, you're doing a great job of burying this critical story, as always.https://t.co/IZYzkuH1ZH

— Rahul Gandhi (@RahulGandhi) March 25, 2018

The BJP has, however, called Gandhi's claims misplaced and accused the Congress of data theft.

Rahul Gandhi truly shows why he and his party have zero knowledge of technology. All they can do is scare the masses about technology while they continue to steal data using his ‘Brahmastra’ of Cambridge Analytica.

— BJP (@BJP4India) March 25, 2018

Amit Malviya, who heads the BJP's national IT cell, tweeted that the Congress app sends information to sources in Singapore. However, the Congress's social media head Divya Spandana denied storing or sharing any data, even calling Malviya a "dimwit" on the micro-blogging platform.

Amid all this mud-slinging, the Narendra Modi app quietly reworked its privacy policy. Earlier, the it promised that data would not be provided to "third parties in any manner" without users' consent. Following the scandal, as of March 26, the updated guidelines now say that a user's name, email, mobile phone number, device information, location, and network carrier may be processed by third-party services.