BJP, Congress apps in data privacy row: All you need to know about the debate
A security researcher said BJP’s NaMo app and Congress’ With INC app was sending personal user data to a third-party domain.india Updated: Mar 27, 2018 12:23 IST
The security researcher, who has borrowed his Twitter name from the lead character of popular television show Mr Robot, said in a series of tweets that the NaMo Android app was sending personal user data to a third-party domain based in the US. He also pointed out that the server for a Congress membership app was situated in Singapore.
Here, we answer a few questions that will help you understand the debate around data privacy concerns:
What is the issue with the NaMo app?
A Twitter profile that goes by the name Elliot Alderson has described the issue with the NaMo Android app as follows:
*When creating a profile in the NaMo Android app, device information including OS, network type and carrier, and personal data such as name, photo, gender and email are sent to a third-party domain -- in.wzrkt.com -- without asking for the user’s permission.
*The domain is hosted by GoDaddy and the Whois.com info is hidden. Whois.com is a web service that can be used to find out the registration details of a domain.
*The domain belongs to a US company called CleverTap. The company describes itself as an engagement platform that “enables marketers to identify, engage and retain users and provides developers”
Who is ‘Elliot Alderson’?
Several reports have identified the man behind the Twitter profile as Robert Baptiste, a 28-year-old French security researcher and telecommunications engineer. He has refused any audio/video interviews but told a publication in a Twitter interaction that he was a freelance Android app developer.
The Twitter profile borrows its name from the lead character in the popular television show, Mr Robot. The handle name – @fs0c131y – is inspired by the name of a group of hackers in the TV show who take on big corporates.
What data does the NaMo app collect?
The NaMo app asks for 22 permissions including access to location data, microphone and taking photos and videos. According to an analysis by The Indian Express, the PMO India App asks users for access to 14 data points. Amazon India asks for 17 permissions and PayTM requires 26 data points. The Delhi Police’s app asks for access to 25 services.
While the apps declare that they need permission for the mentioned services to perform their functions and it is normal for them to ask for access to a host of services, security experts say the issue with the NaMo app is that it shares data with a third party without asking for users’ permission.
What does the BJP say?
The BJP says “the permissions required are all contextual and cause-specific” and that the “data is being used for only analytics using third party service, similar to Google Analytics. Analytics on the user data is done for offering users the most contextual content.”
What do the NaMo app terms declare?
Has the Congress app been deleted?
‘Alderson’ says he has found ‘something interesting’ in the Congress’ membership app, too.
He says when you apply membership in the Android app, your personal data is sent through an HTTP request to membership.inc.in. The data is encoded with “base 64” that is “very easy” to decode. HTTP, as indicated by ‘Alderson’, is a predecessor to HTTPS, a more secure protocol to keep data secure from hackers.
‘Alderson’ adds that IP address of membership.inc.in is 188.8.131.52. It is a server located in Singapore.
BJP’s IT cell in-charge Amit Malviya tweeted that the INC membership website is no longer available.
“Message you will get ‘We are incorporating minor changes to the website. Please visit us again in a while to access the INC membership process...’ What is the Congress party trying to hide? http://membership.inc.in,” Malviya tweeted.
What is the Congress’ take?
The Congress says “there is no truth to this allegation. There has been NO breach of Data whatsoever.” The party says the portal has not been used in over five months “since we moved membership to http://www.inc.in”
“WithINC app was being used for Social Media updates alone since transitioning the membership to the website. This morning we were forced to remove the app from the Playstore as the wrong URL was being circulated & people were being misled.”
Should you be alarmed?
Sivarama Krishnan, an analyst at PwC India, says users should not be worried. “If I download an application on somebody’s platform, and that platform provides me a service, and uses it for my purpose then they’re my part of my value chain so the whole consent comes in only when you share the information outside of the value chain,” he said.
“Any application that you take in the internet space is using somebody’s technology and third-party platform. We don’t have any public cloud which is outside of the government so would that mean that it’s a risk? It isn’t.”
Bangalore-based developer Harsha Halvi believes the problem lies with Android ecosystem that he says is vulnerable and comes with a thin blanket of security.