The French cyber security expert who goes by the name Elliot Alderson on social media and has been exposing loopholes in the Aadhaar security system since January claimed on Friday that Narendra Modi Android application shares private information of its users with third party companies without their consent.

Alderson’s claim follows the revelation that the British company Cambridge Analytica illegally used private data of over five crore Facebook users to influence the 2016 American presidential election in favour of Donald Trump. The exposé brought the Indian prime minister’s mobile app under scrutiny, with opposition parties and civil rights activists launching the social media campaign “DeleteNaMoApp”. Alderson’s claim is a shot in the arm for the campaigners.

In a series of tweets, Alderson, an Android developer, claimed that the app collects extensive information about its user’s device, including the type of operating system and network, as well as personal details such as name, gender, pictures and email address, and sends it to a third party domain without the user’s consent.

This domain is classified as a phishing link by G-Data, a Germany-based software firm that focuses on computer security solutions. A phishing link leads to websites that extract confidential information from users by tricking them into believing they are on a legitimate website.

According to Alderson, the domain belongs to an American company that develops “application engagement platforms” that enable marketers to identify, engage and retain users. The company, though, has concealed its ownership of the domain.

In another thread of tweets on Saturday, Alderson posted what he said were messages from a team looking after the app. The team admitted using the services of a third party company for analytical solutions. They also told Alderson that the same data is stored in Indian servers and is secured for access by the Narendra Modi app alone.

Alderson replied that while it is common practice to use analytical solutions for Android development, the problem lies in collecting data without the user’s consent. This, he said, violated the General Data Protection Law followed by the European Union. The other party did dot respond to this.

Under scrutiny for long

The Narendra Modi app was launched in June 2015 to extend the prime minister’s reach on social media and update users about his initiatives such as the International Yoga Day as well as blog posts, speeches and interviews. It was downloaded by over 50 lakh users until March 24.

The app was ridiculed when it conducted a “badly executed survey” to show overwhelming support for demonetisation, announced by Modi in November 2016, and when it repeated the exercise in November 2017. It was again in the news earlier this week, when it was reported that the Prime Minister’s Office was collecting information about 15 lakh students enrolled with the National Cadets Corps and had asked them to install the app on their phones.

‘Question of accountability’

While third party involvement is not unusual in application development, what is worrying in this case is the nature of information they get access to, said Kislay Chaudhary, a cyber security expert who is consulted by several government agencies. “It is a question of accountability,” he said. “It is clear that there is a third party involved but who will be held responsible if the data available with them is misused? When any third party has access to demographic details and device details, it can be put into analytics in numerous ways, both ethical and unethical.”

This calls for immediate audit of all government websites and applications, he argued. “And this audit has to be done more frequently than most government agencies currently do,” he said.

Another cyber security expert, Vineet Kumar, suggested that the revelation should be seen in the light of the Cambridge Analytica expose and the Narendra Modi app should be immediately assessed “by multiple parties” to reduce possible vulnerabilities. “This case highlights the importance of dynamic situational awareness of cyber infrastructure for government agencies,” he said. “Government websites and applications should go for more frequent audits that should be done at least by one internal agency and one external agency. It is high time for agencies to start with cyber security mock drills too.”

Scroll.in emailed the Prime Minister’s Office for clarification about Alderson’s claims but did not receive a response until the time of publication.