Congress, BJP’s app battle: Timeline of events from NaMo app’s alleged violation to INC app’s deletion
As if the struggle for political supremacy weren’t enough, the country’s biggest political parties and rivals, Congress and BJP, have been embroiled in a battle over users’ privacy, with each accusing the other of misusing people’s personal data.
Timeline of events:
March 23: NaMo app’s permissions under scanner
The series of events was triggered after media reports quoted French security researcher Baptiste Robert, known on Twitter as Elliot Alderson, as claiming that the Narendra Modi app sent device information and personal data, including users’ email IDs, photos, gender and names, without their consent to a third-party domain, ‘wzrkt.com’, belonging to an American company, CleverTap.
When you create a profile in the official @narendramodi #Android app, all your device info (OS, network type, Carrier …) and personal data (email, photo, gender, name, …) are sent without your consent to a third-party domain called https://t.co/N3zA3QeNZO. pic.twitter.com/Vey3OP6hcf
— Elliot Alderson (@fs0c131y) March 23, 2018
The allegations, pertaining to Prime Minister Narendra Modi’s official mobile application, caused a furore on social media.
The app has over 5 million downloads on the Google Android Play Store.
March 23: Congress sees an opening
Even as BJP’s IT cell was working on verifying the claims made by the researcher, its counterpart in Congress had a field day tweeting his findings and urging users to #DeleteNaMoApp.
Divya Spandana, Congress’ Social Media and Digital Communications head, tweeted:
If there’s one thing you do today, let it be this- #DeleteNaMoApp
— Divya Spandana/Ramya (@divyaspandana) March 23, 2018
March 23: BJP’s IT cell responds with ‘5-star rating’
In response to the #DeleteNaMoApp trend, hundreds of Twitter users – mostly from the BJP’s IT cell – started responding to Spandana’s tweet with messages along the lines of ‘installing now’ and ‘installed and rated 5 stars’, among others.
The concerns over privacy, however, remained.
The app requires 22 different permissions from users, which incidentally is more than most apps request. In comparison, only PayTM, which is used for a number of financial transactions, needs more permissions.
Meanwhile, AltNews independently confirmed that the NaMo app was sharing personal data with a third party without the user’s consent.
March 24: Rahul Gandhi takes a dig at PM
As concerns over the alleged security breach mounted, Congress President Rahul Gandhi took to Twitter to take a dig at PM Modi.
Hi! My name is Narendra Modi. I am India’s Prime Minister. When you sign up for my official App, I give all your data to my friends in American companies.
Ps. Thanks mainstream media, you’re doing a great job of burying this critical story, as always. https://t.co/IZYzkuH1ZH
— Rahul Gandhi (@RahulGandhi) March 25, 2018
The tweet even got a thumbs up from Alderson, who quoted it and said, “I love the tone of this tweet”.
March 25: BJP’s meek clarification
On Sunday, BJP refuted privacy concerns and clarified that the data on the app was being sent to an analytics platform similar to Google Analytics.
The data, it said, allowed the party to offer a ‘better user experience’ and the most ‘contextual content and updates’.
Contrary to Rahul’s lies, fact is that data is being used for only analytics using third party service, similar to Google Analytics. Analytics on the user data is done for offering users the most contextual content.
— BJP (@BJP4India) March 25, 2018
It added that users could browse the app in guest mode, which did not require them to grant any permissions.
It further asserted that Gandhi was simply trying to divert attention from the Congress-Cambridge Analytica link, a charge that the latter has vehemently denied.
March 26: Scrutinising Congress’ app
In the interest of keeping things balanced, Alderson evaluated Congress’ official Android app and took to his micro-blogging account to share the findings.
The researcher pointed out that the app was sending encoded personal data over a plain HTTP request instead of HTTPS, the de facto standard.
When you apply for membership in the official @INCIndia #android #app, your personal data are sent encoded through a HTTP request to https://t.co/t1pidQUmtq. pic.twitter.com/6RH0ORYrQd
— Elliot Alderson (@fs0c131y) March 26, 2018
He also showed how easy it was to decode personal data from the app and highlighted the fact that the server used by the ‘With INC’ app was located in Singapore instead of India.
The IP address of https://t.co/t1pidQUmtq is 52.77.237.47. This server is located in Singapore. As you are an #Indian political party, having your server in #India is probably a good idea. pic.twitter.com/tbspCtOPfB
— Elliot Alderson (@fs0c131y) March 26, 2018
March 26: BJP hits back
The BJP’s IT cell went into overdrive after Alderson’s exposé, with its head Amit Malviya hitting back at Gandhi and accusing him of sharing users’ data from his party’s official app with a Singapore firm.
Hi! My name is Rahul Gandhi. I am the President of India’s oldest political party. When you sign up for our official App, I give all your data to my friends in Singapore. pic.twitter.com/ceCTkod17D
— Amit Malviya (@malviyamit) March 26, 2018
Further targeting UPA chief Sonia Gandhi, Malviya accused the Congress party of following an ‘all power no accountability’ dictum and linked the development to Congress’ alleged hiring of the tainted firm, Cambridge Analytica.
Inspired by Sonia Gandhi’s ‘all power no accountability’ dictum, Congress will take all your data, even share it worldwide with orgs like Cambridge Analytica but will not take responsibility of it! Their own policy says so. pic.twitter.com/Vj2WH5UbVr
— Amit Malviya (@malviyamit) March 26, 2018
By morning, #DataChorCongress started trending on Twitter.
March 26: Congress deletes its official app
Following Alderson’s tweet, Congress deleted its app from the Google Play Store, a fact that the researcher was more than happy to highlight.
Did @INCIndia remove their #android #app from the PlayStore just before my tweet?
— Elliot Alderson (@fs0c131y) March 26, 2018
A little later, Spandana, without saying whether or why the app had been deleted, issued a clarification about the app’s actual usage.
Clarification: We don’t drive membership through the app, it’s done through our website https://t.co/eVPYDG34Yf
Servers for these are based in Mumbai.
As you may have noticed, the link on the app is broken. https://t.co/Y57aAxhcjh
— Divya Spandana/Ramya (@divyaspandana) March 26, 2018
The party’s statement following the exposé was along the same lines.
“With INC app was being used for Social Media updates alone since transitioning the membership to the website. This morning we were forced to remove the app from the Playstore as the wrong URL was being circulated & people were being misled,” Congress said.
The battle over users’ privacy comes to the fore against the backdrop of the Cambridge Analytica data leak controversy, in which Facebook user data was misused to influence the 2016 US elections.