A little over a year after it was reported that the Narendra Modi (NaMo) app was leaking the data of its users, the famed application is back in the spotlight again over controversial privacy issues.
The app itself was designed to be an online platform for the prime minister’s followers to engage and work for various political and social causes.
It is now being called out by security researchers for the amount of data it collects from users installing it and how it is apparently sharing data with third-party foreign analytics companies who also are experts in consumer and user psychology. A foreign researcher, who goes by the pseudonym Elliot Anderson, has looked at the application programming interface (API) requests being made by the application and has documented how data is being shared with a domain owned by a private firm named Clevertap.
When you create a profile in the official @narendramodi #Android app, all your device info (OS, network type, Carrier …) and personal data (email, photo, gender, name, …) are send without your consent to a third-party domain called https://t.co/N3zA3QeNZO. pic.twitter.com/Vey3OP6hcf
— Elliot Alderson (@fs0c131y) March 23, 2018
The NaMo app is not too different from Facebook and for all purposes needs to be viewed as a social media platform. While the primary purposes of Modi’s app may centre around feedback and e-governance, it directly and indirectly involves the mass collection of personal data that could be used for electoral campaigning and voter profiling.
In the wake of the Facebook-Cambridge Analytica controversy, it is clear that the Indian electorate needs to be on guard for the absolute worst-case scenario. One should not be surprised if the data collected from the app will also be used by allied organisations for promoting so-called social causes in the name of participative governance.
A Twitter trend, #DeleteNaMoApp, has started circulating, requesting people to delete the Modi’s personal app. This has been sparked, in no small measure, after the prime minister’s office instructed that every cadet of the National Cadet Corps (NCC) install the application. The stated reason for this outreach was that “the Honourable PM Narendra Modi has desired a direct interaction with maximum cadets of NCC”. This amounts to the personal data of over 15 lakh students, most of whom will likely be new voters.
It’s unclear whether #DeleteNaMoApp will ultimately help anymore than the #DeleteFacebook trend. Deleting these political apps and Facebook will not help us when poor privacy standards and corporate greed incentivises the collection of personal information through invasive techniques. After all, Facebook tracks you even if you aren’t registered with it.
However, this debate should give us pause and make us question the manner in which e-governance apps with poor security standards collect voter information. During a recent panel TV discussion that I was a part of, one of my co-panelists suggested that data collection by political parties through mobile apps was completely fine. The idea being that users and volunteers are aware that they are giving out their personal information, sometimes their most intimate thoughts, so that the party can use it to win elections.
While this is worth debating, it is unacceptable for any political party, let alone the prime minister, to collect the personal data of people through a feedback platform and not properly safeguard this information. India’s public and private private and public sector has a rotten information security culture and one can be assured that when the government says something is secure, it is highly likely that data is leaking everywhere through broken IT pipelines. Why look across the Atlantic ocean, when there are hundreds of potential Cambridge Analyticas blooming right here?
Other important questions include the lack of an opt-out clause: if political alliances change, is there an option to exit this programme, and demand that your data is no longer used?
Me on how it's not ok for political parties to collect data without opt out clause and how #DeleteNamoApp is a issue, along with facebook's business model of surveillance capitalism pic.twitter.com/SaJU81GXbX
— Srinivas Kodali | శ్రీనివాస్ కొడాలి (@digitaldutta) March 24, 2018
The business models of new-age, social media companies like Facebook are broadly referred to now as surveillance capitalism – where they collect, trick or steal the data you generate and sell it to businesses paying them for the data. Surveillance capitalism is particularly toxic when it is transformed by political parties and governments through models like the NaMo app or Aadhaar.
The 360-degree profiles being built on top of Aadhaar through state resident data hubs (SRDH) are erasing the thin line between surveillance capitalism and state surveillance.
Surveillance capitalism works for a few. A great example of it is Google Maps collecting you location data via your phone and giving you back traffic information. The problem which most people have is when this data is abused by third parties; that is when people feel threatened and shocked that so much of their information is available to all. The probability of such harm is much higher when information is concentrated or linked to other sources of data through models like Aadhaar or Facebook.
The BJP’s stated vision of a Congress-mukt Bharat is about having no opposition. Think of a scenario where the political party in power uses its 360 degree profile system through Aadhaar to spy upon and if needed, to silence and influence the electorate. There is an urgent need to erect a data firewall between political parties and the government.
After all, if there is one take-away from the Cambridge Analytica controversy, it is that political parties, governments and corporations are all trying to amass power over voters, citizens and consumers to make money and remain in the centre of power. Whatever form of data protection and privacy regulation that is eventually passed in India needs to make sure it is applicable to everyone equally; governments and political parties shouldn’t get a free pass. Even then, it is likely that it will take a social movement to bring about accountability, re-take control of our information and make sure that these data collection entities are accountable to us.
If the BJP and the Modi government are serious about protecting the information and privacy of citizens, they must use this opportunity to introspect, to desperately boost India’s institutional capacity when it comes to information security and suspend the Aadhaar project till a probe ascertains that its security loopholes are plugged.
Political parties should lead the way in adopting strict privacy standards and policies for their e-governance tools. While this may be asking too much of a government that has argued in the Supreme Court that its citizens do not enjoy a fundamental right to privacy, one can and must hope.
Srinivas Kodali is an interdisciplinary researcher working on issues of cities, data and internet. He volunteers with internet movements and communities.