The BJP’s online showcase for Prime Minister Narendra Modi, the NaMo App, which is under the spotlight in the wake of the debate over data privacy in social media, asks users to provide access to as many as 22 personal features on their devices, including location, photographs and contacts, microphone and camera.
A comparative analysis by The Indian Express shows that this is more than what the official app of the Prime Minister’s Office, PMO India App, asks users to volunteer — access to 14 data points. The Ministry of Electronics & Information Technology’s citizen-engagement app, MyGov app, asks for permission to access nine data points.
Amazon India’s app needs 17 permissions on various counts from users. PayTM’s app demands access to 26 data points, and Delhi Police’s app asks for access to 25 tracks but they provide a wider range of services.
The NaMo app updates users about achievements of the BJP government, and provides access to the audio of Prime Minister’s ‘Mann Ki Baat’.
On Saturday, the user of Twitter handle @fs0c131y, described on the account as a “French security expert” and who identified himself to The Indian Express as Robert Baptiste, said the app may be providing personal user data to a third party without the users’ consent. He identified the company as US-based Clever Tap.
The information shared with third parties included, it says, name, email, mobile phone number, device information, location and network carrier.
The policy earlier stated: “Your personal information and contact details shall remain confidential and shall not be used for any purpose other than our communication with you. The information shall not be provided to third parties in any manner whatsoever without your consent.”
When contacted by The Indian Express for comment, the BJP IT Cell chief Amit Malviya did not respond to a specific question on whether this information was shared with a third party without the users’ consent.
Responding to a detailed questionnaire sent Saturday, Malviya said Sunday that data from the app is shared with a “third party service” for analytics, similar to Google Analytics. “The data in no way is stored or used by the third party services. Analytics and processing on the user data is done for offering users the most contextual content… It also enables a unique, personalised experience according to a person’s interests,” he said.
Described on PlayStore as the Official App of Prime Minister Narendra Modi, the NaMo App mentions “Bharatiya Janata Party, 11 Ashoka Road, New Delhi-110001”, which used to be BJP headquarters till early last month, as the address of the developer.
Other political parties, too, use apps to connect to the electorate. The Congress party’s ‘With INC’ App demands access to ten data tracks. The SP App published by Anil Yadav, who describes himself as “Media Spokesperson, Samajwadi Party” on his verified Twitter account, requires three data access points.
The NaMo App is promoted through official government channels. Exam Warriors, Modi’s recently launched book aimed at the students preparing for the annual school exams, encourages readers to download the NaMo app. The book was launched by External Affairs Minister Sushma Swaraj and Minister for Human Resource Development Prakash Javadekar in English, and Uttar Pradesh Chief Minister Yogi Adityanath in Hindi.
On March 23, The Indian Express reported that personal data of nearly 13 lakh NCC cadets was being collected so that the Prime Minister could interact with them. In a letter sent on February 23, the Director General of NCC told state directorates that the collection of data will facilitate this interaction “…by downloading ‘Narendra Modi App’ in the cell phones of the cadets”.
According to NaMo App’s description, “it brings to you the latest information, instant updates & helps you contribute towards various tasks. It provides a unique opportunity to receive messages and emails directly from the Prime Minister.”
Under details, the app specifies that “no permission is compulsory on the NM app” and that the user can disable access for these permissions in settings. However, when it is downloaded, most of the permissions are given by default. It also mentions that the app can be accessed without registering with an email address or phone.
According to the Supreme Court’s ruling on privacy in August 2017, informed consent is important for data protection and data privacy. The fact that permissions for the NaMo app are not compulsory can only be found if one goes through the Read More section of the app — users are not informed of it when downloading the app.
Malviya said, “Each function asks for the specific permission when access is required. The app does not ask for blanket permissions when the app is started.”
When the app is downloaded, it asks for access to the media stored on the phone, which can be denied. It does allow use of the app without registering, but a lot of the app’s features do not function in guest mode, or without allowing all the permissions sought. Malviya said that “unlike most Apps” the NaMo app allows users access in guest mode without “any permission or data”. The permissions required for the app, he added, “are all contextual and cause-specific”.
On Saturday, Baptiste had tweeted: “When you create a profile in the official @narendramodi #Android app, all your device info (OS, network type, Carrier …) and personal data (email, photo, gender, name, …) are send without your consent to a third-party domain called http://in.wzrkt.com.”
Baptiste said that wzrkt.com was a property of a company named Clever Tap. Actually, Clever Tap is a company owned by Wizrocket, which is a data analytics start-up founded in Mumbai in May 2013, and is now headquartered in California. On its website, Clever Tap mentions that it helps organisations analyse data for stronger engagement with their users. Under user segmentation, its website says it helps its clients “influence” app users’ “behaviour” by uncovering key insights across various dimensions.
The NaMo App does not have any specific option of users consenting to their data being shared with Clever Tap.
Speaking to The Indian Express, Baptiste said, “the main issue” is that “personal” information of users is “shared without the consent of the user” with a third-party company. “These data can be used for a lot of things after that (sic),” he said. “Like they did for Cambridge Analytica for example.”
He was referring to the UK-based political consultancy Cambridge Analytica, which is at the centre of a worldwide storm over its role in illegally using private information of Facebook users to influence election campaigns.
Baptiste said the NaMo App does not share all the data that it has access to on users’ phones with Clever Tap, but only information gathered at the time of registration. This means that though the app continues to hold access to photographs, location, microphone, camera, identity, contacts, etc., it only shares information like the mobile operating system, telecom carrier, email, gender, name and photograph used for app registration.
In his response, Malviya said the app “provides a platform for millions of his fans and party cadre to connect directly with the Prime Minister”. Calling it “one of its kind”, he said the app “enables unprecedented engagement and interactivity”, and is “way different” from apps of other parties and their leaders, which are “one-way” flow. He mentioned various “path-breaking engagement activities”, including the exam warrior module, of the app.
Regarding Baptiste’s claims, Malviya said the user was only sharing his or her own data. “This is not a security breach. The person does not have access to any data apart from his own data,” he said.
What the rest ask for
PMO India: Set wallpaper
MyGov: Read/receive SMS
Amazon India app: Connect/disconnect from WiFi, install shortcuts, read/receive SMS
PayTM: Connect/disconnect from WiFi, install shortcuts, read sync settings, toggle sync on & off, run at startup, read calendar events/confidential information, add/modify calendar events and send emails to guests without user knowledge, read/receive/send SMS
Indian Express News App: Control vibration, run at startup
Delhi Police App: Modify your contacts, access extra location provider commands, access approx. location (network-based), read call log, reroute outgoing calls, Android permission: write_SMS, run at startup etc
Common use cases: photo sharing, QR/barcode scan, social media; phone caller social network; maps and navigation; location-based services like cab booking, local delivery; audio assistant, voice recorder, games, device tracking and identification, caller, read SMS (OTP autofill), financial tracker, choosing between WiFi/cellular for big downloads/uploads, media watching, flashlight (taking photos)