Tuesday, March 19, 2024

5 times Elliot Alderson exposed the flaws in India’s system

Robert Baptiste, a French security researcher who goes by the moniker Elliot Alderson and uses the handle @fs0c131y on Twitter, has been causing ripples continents apart, close to home in India. Baptiste has been in the thick of things since he has single-handedly managed to embarrass not just UIDAI but also the Congress and the BJP ahead of the 2019 general elections. 

Amid the furore caused by the Facebook-Cambridge Analytica scandal, which saw personal data of as many as 50 million Facebook users being harvested and later used to influence voter behaviour in the Brexit referendum and more notably the US presidential polls, the allegation that personal information of Indian users was also being leaked to voter profiling firms has come as a blow to these self-proclaimed guardians of democracy. 

NaMo app

On March 25, Baptiste pointed out that Prime Minister Narendra Modi’s official Android app was sending personal user data to a third-party domain traced to the US company Clever Tap. The latter calls itself the “next generation app engagement platform. It enables marketers to identify, engage and retain users and provides developers”.

Thus, the app was not only collecting personal data of citizens — that may also include their voter ID — it was also sending it to a US-based “analytics” company without user consent.

What’s worse is that this exposé came a week after the PMO requested the mobile numbers and email IDs of more than 15 lakh students of the National Cadets Corps (NCC) under the pretext that PM Modi wants to directly interact with the cadets, along with a recommendation that all students download the NaMo app on their smartphones.

Flaws in Congress app

Baptiste’s other major piece of ethical hacking business this week has been his exposé of how not just the NaMo app, but also the Congress app was stealing data from its users. 

On March 26, he exposed how the official Android app of the Indian National Congress sends the personal data of users to the party’s website without the users’ consent. Additionally, Baptiste said that the app transfers this data over plain HTTP, which is considered an insecure way to transfer data, adding the possibility of data leaks in transit.

Related Article:

Why the woke Indian is still not worrying enough about data privacy

Link: ( https://www.dailyo.in/technology/aadhaar-cambridge-analytica-facebook-namo-app-data-privacy-congress-party-bjp-robert-baptiste-23098 )

The Congress app story joins the revelations and exposés about data leaks, privacy and the illegal usage of such data. While Aadhaar has been a part of the privacy and data protection discourse for some time — Baptiste has had a huge role to play in keeping the discussion alive — it was the Facebook-Cambridge Analytica (CA) exposé that once again brought this concern out in the open.

CA, a British voter profiling firm that claims to “use data to change audience behaviour”, had harvested more than 50 million Facebook profiles and used them to build a powerful software programme to predict and influence choices at the ballot box. A whistleblower revealed how CA used personal information taken without authorisation in early 2014 to build a system that could profile individual US voters, in order to target them with personalised political advertisements.

The results of this “grossly unethical experiment” could be seen in the 2016 US presidential elections, the Brexit referendum and even Nitish Kumar’s JDU achieving a landslide victory in the 2010 Bihar Assembly polls. As confirmed by a Facebook statement, by late 2015, the social media giant had found that the information had been harvested on an unprecedented scale; yet, it failed to alert users and took only limited steps to recover and secure private information.

While the Congress party may deny illegally harvesting data of potential voters, claiming that the app was only meant to promote Congress-related news, this disturbing bit of news is nothing compared to the problems with the Narendra Modi app. A privately owned application, the NaMo app has often been made to seem like a government-sanctioned tool. It is most definitely not so. But Prime Minister Narendra Modi continues to “ask” (using his position of power to unethically pressure) people into using an app that not only asks for a lot of sensitive information, but is also possibly ill-equipped to protect that information from leakage.

Related Article:

Serious security flaws in NaMo app should leave us all worried

Link: ( https://www.dailyo.in/variety/narendra-modi-namo-app-hacker-security-concerns-javed-khatri-demonetisation-survey-bjp-voter-data-14347 )

Just last week, the PMO requested the mobile numbers and email IDs of more than 15 lakh students of the National Cadets Corps (NCC) under the pretext that PM Modi wants to directly interact with the cadets, along with a recommendation that all students download the NaMo app on their smartphones.

But the unethical collection of “consensually provided” data via the NaMo app is just the tip of the iceberg. On March 25, it was Baptiste again who pointed out that the app was sending personal user data to a third-party domain that was traced to an American company called Clever Tap. The latter calls itself the “next generation app engagement platform. It enables marketers to identify, engage and retain users and provides developers”.

So not only is the personal data of citizens being collected for the BJP and Narendra Modi — that may also include their voter ID number — it is also transferred to an American “analytics” company without user consent. What can we learn from all these instances? The simple answer is that absolutely no data is safe. 
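A reviewer’s check for the two behaviours the article describes, personal data leaving an app over plain HTTP and personal data going to a domain other than the app’s own. This is an added example, not code from the article or from either app; the request log, domains and field names are constructed, and a real review would take them from a traffic capture of the app under test.

```python
"""Flag app requests that carry personal data in the clear or to a third-party domain."""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample of what an on-device proxy might log for an app under review.
# (method, URL, decoded request body). None of these hosts or values are real.
SAMPLE_REQUESTS = [
    ("POST", "http://api.example-party.test/v1/profile",
     {"name": "A. User", "email": "a@example.test", "voter_id": "ABC1234567"}),
    ("POST", "https://api.example-party.test/v1/login", {"token": "opaque"}),
    ("POST", "https://collect.example-analytics.test/event",
     {"email": "a@example.test", "phone": "9999999999"}),
    ("GET", "https://cdn.example-party.test/banner.png", {}),
]

# Domains the app's publisher controls (assumed for the sample); anything else is third party.
FIRST_PARTY_DOMAINS = {"example-party.test"}
# Body field names treated as personal data in this review.
PII_FIELDS = {"name", "email", "phone", "voter_id", "aadhaar", "dob"}


@dataclass
class Finding:
    url: str
    issues: tuple


def registrable_domain(host):
    """Last two labels of the host. Good enough for the sample; a real tool
    would consult the public suffix list instead."""
    return ".".join(host.split(".")[-2:])


def review_request(method, url, body, first_party=FIRST_PARTY_DOMAINS):
    """Return the list of issues for one request, empty if it looks fine."""
    parts = urlsplit(url)
    issues = []
    # Any payload (body or query string) over unencrypted HTTP is readable on the path.
    if parts.scheme == "http" and (body or parts.query):
        issues.append("cleartext")
    # Personal data leaving for a domain the publisher does not control.
    pii = sorted(k for k in body if k in PII_FIELDS)
    if pii and registrable_domain(parts.hostname) not in first_party:
        issues.append("pii-to-third-party:" + ",".join(pii))
    return issues


def review_all(requests):
    """Collect a Finding for every request that raised at least one issue."""
    findings = []
    for method, url, body in requests:
        issues = review_request(method, url, body)
        if issues:
            findings.append(Finding(url, tuple(issues)))
    return findings
```

Running `review_all(SAMPLE_REQUESTS)` reports the cleartext profile upload and the analytics call carrying email and phone, while the login and image requests pass.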

Indians need to wake up to understand that their data is their responsibility. Blindly trusting organisations or people and their goodwill — Facebook, Narendra Modi or Congress party — to safeguard this data is naïve at best. In the Cambridge Analytica controversy, it was found that users, to a vast degree, were responsible for the data that was illegally procured by the company from Facebook.

When users voluntarily sign up for insecure applications, allowing the applications to access their data however they choose to, they are, of course, to be blamed. The same can be said for people signing up for the Narendra Modi app or the Congress app.

Indians need to understand that private information and data is as valuable as money. And if we think twice or thrice before trusting someone with our bank details or even hard cash, why do we display such callousness with data?

A similar argument could be made for Aadhaar. What makes Aadhaar different, however, is that there has been a state-sponsored campaign to coerce people into signing up for the biometric-data-based unique identity scheme. In fact, while a larger section of the population is aware of how unsafe Aadhaar data is — a series of leaks and exposés have helped make that apparent — it is still nothing compared to the vast majority that has no inkling of the risks biometric data in the wrong hands can pose.

Related Article:

Coercion and Silence Are Integral Parts of the Aadhaar Project

The story of Aadhaar is one of coercion, rampant illegality, and outrageous contempt of court orders through which the project has built its database.

Link: ( https://thewire.in/economy/coercion-aadhaar-project-ushar )

In a recent ZDNet report, a security researcher pointed out that a data leak on a system run by state-owned Indane allowed anyone to download private information on all Aadhaar holders, exposing their names, their unique 12-digit identity numbers, and information about services they are connected to, such as their bank details and other private information.

Unless the Supreme Court manages to come to a decision on Aadhaar and its risks, there is barely anything one can do to safeguard precious biometric data. Try as one might, years and years of living on social media, especially Facebook, have provided the company with enough private information that, at this point, deleting or deactivating an account will amount to almost nothing.

Last year, a report by Quartz claimed that “Google is tracking Android users even when they turn location services off”. This suggests Android phones have been sharing user location by approximating distance to nearby cellular towers and sending the results back to Google. Social media giants like Facebook and tech companies like Google have tricked users into voluntarily dumping all their private information with them, under the garb of making lives simple.

Related Article:

Google collects Android users’ locations even when location services are disabled

Link: ( https://qz.com/1131515/google-collects-android-users-locations-even-when-location-services-are-disabled )

Granting certain permissions to applications, letting these applications access our phone data and so on, were never good ideas.

Sadly, it is at this late stage that we can see the inherent risks involved. 

Source: Dailyo
