Hello and welcome to NewsClick. The official Narendra Modi app has come under the scanner lately for sharing user data without their permission with a U.S.-based firm. This app can access 22 personal features on your phone, including the contents of your memory card, your photos, and your contacts, amongst other things. So today we have with us Bappa Sinha, who is from the Free Software Movement of India, to discuss what this app can do and how serious this data leak is. Welcome Bappa to NewsClick. First question is, do we know how this data is being used and where it was being sent?
Yeah, so the app is actually sending data to two places. So, see, every app is hosted on a backend server, and in the case of the Narendra Modi app, the backend website is api.narendramodi.in, which is a website which happens to be hosted in the U.S. So clearly all the information that the app was collecting was being sent to that website. But the app was also sending the data to a third-party website. And this third-party website is owned by a company called CleverTap, which is a company incorporated in the U.S. So both the real site, api.narendramodi.in, is hosted in the U.S., and the company which owns the third-party site is incorporated in the U.S. So the issue is, there are two separate issues which are related, but they're separate issues. The first issue is that the privacy policy of the app explicitly said that none of your information, personal information that the app is collecting, will be shared with a third party. But they were clearly violating their own privacy policy. And once the story broke and it became big news, they quietly went ahead and changed the privacy policy. And now it says that your information will be shared with third parties. So that is one issue.
The second issue is that the app, like you said, is collecting all kinds of information, which a regular app which is pushing campaign material for Narendra Modi, publicity material for Narendra Modi, or BJP doesn't need access to. So they have access to your phone make and model, your contact list, your call logs. Even if you're on a live call, then who you are talking to and for how long. Your photos, videos, access to your camera and microphone. So effectively, the app can track your every activity. It can snoop on you. It was collecting information which could be used to hack your phone. So there is really no reason why a campaign app should be collecting all this information.
So the BJP IT head, Amit Malviya, has claimed that all this information was just being used for analytical purposes. Can we really then, you know, stand by his claims?
That is really laughable, right? So what is analytical purposes? Even Cambridge Analytica is doing analytics, right? So you have to understand, first you have to understand what Cambridge Analytica was doing and what these guys could potentially be doing. So Cambridge Analytica was collecting Facebook information for people who had downloaded their apps, and not just the people who had actually downloaded their apps, but it was walking through their friend list and then collecting information from the friends and friends of friends of people who had downloaded the app, and without their permission. And then they were collecting this information to create psychographic profiles for individuals, right? Which then could be used for sending targeted ads, right? And Cambridge Analytica was doing much more than just targeted ads, which is an innocent-looking term, but they were using that to send hate messages, they were using that to send fake news. Now in that context, all this is analytics, right?
They're collecting your data, they are doing analytics on this, slotting you into different psychological profiles and then sending you targeted campaign ads. And BJP, the information they're collecting is far more than what Cambridge Analytica was collecting. And if you look at it, the Cambridge Analytica app was only downloaded by 270,000 people. And from those 270,000 people, by walking their friend list, Cambridge Analytica managed to create psychographic profiles of 50 million Americans, which was then used by the Trump campaign. BJP, this Narendra Modi app, has been downloaded by 5 million people. And so, given that they have access to your contact list, then we are looking at something of the scale of Cambridge Analytica, probably even bigger. And given that they're collecting far more information than what Cambridge Analytica was collecting, they have the potential of creating exactly what Cambridge Analytica was doing.
And then Amit Malviya has defended this app in different ways, a lot of different ways. I think yesterday he wrote a column in Indian Express saying this information is being used for good purposes and can also give you customized birthday messages from Narendra Modi. And he's also said that all the permissions on the app are actually optional and you can use the app in the guest mode as well. Do those features really work in the guest mode?
No, no, see, these are all flimsy references. First of all, most people, when you download an app, you initially get a list of permissions the app asks for, right? And if you accept that, there are very few people who then go to your security settings for a particular app and turn off features. Like, what is the percentage of people who actually do that? I mean, I think less than 1% of people would be doing that. Even tech-savvy people, I don't think, ever go back to an app and change its permissions. So saying that you can potentially turn off those permissions is very flimsy.
The other excuse is that this information was being collected to give you a better user experience, right, for more engaging content. Now, this is very interesting. What is engaging content? So this company called CleverTap, if you go to its website, and you can download their white papers, freely available, they are clearly saying that they are into targeted ads. And they are saying that they do three things. They do time-based targeting, location-based targeting, and behavior-based targeting, which effectively means that behavior-based targeting suggests that they are doing psychographic profiling. And they're saying that, so when they're talking about time-based profiling, they're saying that, look, if you are, let's say, if you are depending on your profile. So let's say you are a student, and you're not just that you're bunched into the category of a student, but if you're a student who stays up late at night for chatting with friends, whatever, then the best time to send you a message is late at night, when you are typically whiling away your time, right? And the worst time to send it is in the morning, because you're probably sleeping or you're going to your classes. However, if you are a different student, if you are a student who goes to sleep early, then there is a different time to send you these messages. If you are an office-going person, then sending you messages late at night is probably going to get ignored, right? While sending it at your commute time or your lunch time, you are more likely to see the message and read it. So these are examples which CleverTap is giving in their white paper. So this is clearly psychographic profiling, right? So then for Amit Malviya to claim that this is somehow innocent attractive content that has been sent to you, that is... Yeah.
So the same security analyst who pointed out these flaws in the Narendra Modi app has also talked about some things in the official Congress app, which was later taken down.
What are the problems in the Congress app?
See, the Congress app... First of all, the Congress app doesn't have as many... doesn't ask for as many permissions as the Narendra Modi app does. And the problems with the Congress app that the security expert pointed out were two-fold. One was that the app... the backend server for the app was hosted in Singapore. And the second was that the app was using HTTP rather than HTTPS. So HTTPS is HTTP secure, right? So for any secure communication, you use HTTPS. And hence, it is an insecure app, right? So there you can say, fine, it was a poorly written app. And Congress has now, in response to this, said that this was an outdated app and nobody was using it. And they have withdrawn the app. And you can't find that app anymore on Google App Store. So yeah, so the Congress app had problems, but the scale and the category of problems are nowhere in comparison to the Narendra Modi app.
So lastly, Bappa, now this whole Cambridge Analytica scam is also in the news these days. And now we know that BJP has collected data, has been collecting data to such a huge extent. Can these two things be linked?
Yeah, so that's a very interesting question. So clearly, BJP is collecting all this data. Now, the connection with Cambridge Analytica, that comes from two different sources. One is that there's a company called Ovleno, which is a front of Cambridge Analytica. They are Cambridge Analytica's business partner in India. So on their website, they have clearly stated that they helped BJP win the 2014 elections. And they were part of the Mission 272, which is the BJP's campaign for the 2014 election. So that's one evidence. The other evidence is very recent.
So yesterday in the British Parliament, Christopher Wylie, who was a whistleblower who used to work in Cambridge Analytica, he testified that his predecessor, a person named Dan Muresan, he was supposedly working in India and he was found mysteriously poisoned in his hotel room in Kenya. And then there was another person who testified before the British Parliament, a person from a company called Personal Data. And this person said that he had heard that another billionaire was paying Muresan and this businessman wanted Congress to lose. So the circumstantial evidence is very strong that BJP had in fact employed Cambridge Analytica, and at the very least, the EC should initiate an investigation into this matter, because this is a very serious issue. This is a threat to our democracy.
So thank you, Bappa, for joining us in this discussion, and thank you for watching this clip.