India’s ruling party is scrambling to defend its use of followers’ data after a pseudonymous security researcher accused PM Narendra Modi of snooping on citizens with his personal app, which has been installed by around five million users.
As a result of the row, parliamentarian Shri Husain Dalwai has asked the country’s minister for electronics and information technology Shri KJ Aphons whether the reports amounted to a breach of government computers.
Modi was first taken to task over the weekend by a Twitter user named @fs0c131y that uses the handle “Elliot Alderson” in tribute to a character from Mr Robot. “Alderson” issued a series of Tweets describing his discoveries about the app.
“Alderson“ said the privacy violations he found included the app sending user IP address and phone identifier (without user consent) back to Modi’s Website, narendramodi.in, which in spite of its domain is hosted in the USA.
The phone identifier, he claimed, was a composite of several details about the user’s device:
5/ The unique phone identifier send by the @narendramodi‘s #Android #application is composed of multiple device specific information: board, brand, name of the instruction set, name of the industrial design, manufacturer, model, name of the product pic.twitter.com/kO33eeFjGN
— Elliot Alderson (@fs0c131y) March 26, 2018
As this information appears to have been gathered without consent, “Alderson” said the collection violates the General Data Protection Regulation (GDPR), seeing as the app is available to people in Europe, and also breaches Google’s data collection policies.
Modi’s Bharatiya Janata Party denied any privacy violation, saying the data was collected for analytical purposes, to personalise content:
Contrary to Rahul’s lies, fact is that data is being used for only analytics using third party service, similar to Google Analytics. Analytics on the user data is done for offering users the most contextual content.
— BJP (@BJP4India) March 25, 2018
The incident reached parliament in the form of a question posted by “Alderson”:
— Elliot Alderson (@fs0c131y) March 27, 2018
In response to the question, tech minister Aphons replied that no breach of Indian government Websites has been reported to the ministry, nor to CERT-in.
The lesson for Modi and his government, Vulture South suspects, is to check exactly what resources contracted developers choose to use, the better to consider the privacy implications of their work. ®