The Fact, the Law, & the Changing Privacy Policies of the Narendra Modi Application
The Backstory
A supposedly French security researcher, who tweets under the name Elliot Alderson (@fs0c131y) and who has so far exposed many holes in the claim that the Aadhaar infrastructure is unbreakable and safe, has alleged in a series of tweets that Prime Minister Narendra Modi's mobile application sends its users' personal information to a third-party website, in.wzrkt.com, and does so without the users' consent.
When you create a profile in the official @narendramodi #Android app, all your device info (OS, network type, Carrier …) and personal data (email, photo, gender, name, …) are sent without your consent to a third-party domain called https://t.co/N3zA3QeNZO. pic.twitter.com/Vey3OP6hcf
— Elliot Alderson (@fs0c131y) March 23, 2018
The popular Indian fact-checking website AltNews cross-verified the claims and produced further proof that the mobile application in the name of the Hon'ble Prime Minister was sending its users' data to a third-party platform without their permission.
It is also important to note here that the Privacy Policy of the Mobile Application in question initially stated clearly that the data was not being shared with any third party. After the revelation that data was being shared, the Privacy Policy was updated without notification (read more here). The cached version of the old privacy policy can still be found here.
Following the security expert's claims, the Public Relations team of the Narendra Modi Mobile Application reached out. The Twitter handle @fs0c131y was kind enough to share the conversation publicly.
One minute after my post on @narendramodi's #android app, the "App team" created a new Twitter profile to discuss with me. We had a nice discussion. In order to be fair, here is their first answer. pic.twitter.com/4JbdoSefpt
— Elliot Alderson (@fs0c131y) March 24, 2018
The Legal Angle:
International Law:
As can be seen in the conversation above between the App Team and the security expert, the App Team pleads ignorance of the applicability of the European Union General Data Protection Regulation (EU GDPR).
While it is true that non-compliance with the GDPR does not directly affect the legal validity of the mobile application unless it collects data from European users, it is also true that, because the application is accessible from European markets, the GDPR can be deemed binding on it.
More importantly, GDPR aside, the application is in clear violation of the Terms of Service of the Google Play Store, where the App was listed. The Terms of Service, accessible here, clearly state that:
“Your app’s request for consent:
- Must present the consent dialog in a clear and unambiguous way;
- Must require affirmative user action (e.g. tap to accept, tick a check-box, a verbal command, etc.) in order to accept;
- Must not begin personal or sensitive data collection prior to obtaining affirmative consent;
- Must not consider navigation away from the disclosure (including tapping away or pressing the back or home button) as consent; and…..”
It is important to note that, despite the change to the App's Privacy Policy, at the time of writing the Application still does not give the user a choice to affirmatively consent to their personal data being shared with a third party, and it is hence effectively in violation of the Play Store ToS.
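To make the Play Store requirements quoted above concrete, the following is an added example (not code from the Narendra Modi app or its developers) of a consent gate placed in front of third-party data sharing: only an explicit accept action opens the gate, navigating away or dismissing the dialog never counts as consent, and the payload for the third-party endpoint cannot be built while the gate is closed. The endpoint name, field names and sample user/device values are constructed for the illustration; the model is platform-neutral Python rather than Android code.

```python
"""Consent-gated sharing of profile and device data with a third-party endpoint.

Added illustration of the Play Store consent rules; not code from the app
discussed above.  Endpoint, field names and sample data are constructed.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class UserAction(Enum):
    """Events the consent dialog can receive."""
    TAP_ACCEPT = "tap_accept"          # affirmative action
    TICK_CHECKBOX = "tick_checkbox"    # affirmative action
    BACK_BUTTON = "back_button"        # navigation away: NOT consent
    HOME_BUTTON = "home_button"        # navigation away: NOT consent
    TAP_AWAY = "tap_away"              # dismissing the dialog: NOT consent


# Only explicit acceptance counts; every other event leaves consent unset.
AFFIRMATIVE_ACTIONS = {UserAction.TAP_ACCEPT, UserAction.TICK_CHECKBOX}


@dataclass
class ConsentGate:
    """Tracks whether the user has affirmatively agreed to third-party sharing."""
    consented: bool = False
    audit_log: list = field(default_factory=list)

    def record(self, action: UserAction) -> bool:
        """Apply one dialog event and return the consent state afterwards."""
        if action in AFFIRMATIVE_ACTIONS:
            self.consented = True
        # Dismissals are logged for audit but are never promoted to consent.
        self.audit_log.append((action.value, self.consented))
        return self.consented


@dataclass(frozen=True)
class Profile:
    name: str
    email: str
    gender: str


@dataclass(frozen=True)
class DeviceInfo:
    os: str
    network_type: str
    carrier: str


# Constructed sample data (hypothetical user and device, not real records).
SAMPLE_PROFILE = Profile(name="Sample User", email="sample@example.invalid", gender="F")
SAMPLE_DEVICE = DeviceInfo(os="Android 8.1", network_type="WIFI", carrier="ExampleTel")
THIRD_PARTY_ENDPOINT = "https://analytics.example.invalid/profile"  # hypothetical


def share_profile(gate: ConsentGate, profile: Profile, device: DeviceInfo) -> Optional[dict]:
    """Build the payload destined for the third-party endpoint, but only after consent.

    Returns None (and nothing would be sent) while the gate is closed, so the
    collection step cannot run ahead of the consent step.
    """
    if not gate.consented:
        return None
    return {
        "endpoint": THIRD_PARTY_ENDPOINT,
        "device": {"os": device.os, "network": device.network_type, "carrier": device.carrier},
        "user": {"name": profile.name, "email": profile.email, "gender": profile.gender},
    }


def run_flow(actions: List[UserAction]) -> Optional[dict]:
    """Replay a sequence of dialog events, then attempt the share once at the end."""
    gate = ConsentGate()
    for action in actions:
        gate.record(action)
    return share_profile(gate, SAMPLE_PROFILE, SAMPLE_DEVICE)


if __name__ == "__main__":
    # User presses back on the dialog: nothing may be sent.
    print(run_flow([UserAction.BACK_BUTTON]))
    # User ticks the box and taps accept: the payload is built and may be sent.
    print(run_flow([UserAction.TICK_CHECKBOX, UserAction.TAP_ACCEPT]))
```

The design point is that the sharing function itself checks the gate rather than relying on the UI to call it at the right moment; an app that initialises an analytics SDK at profile creation, before any dialog, fails the "must not begin collection prior to affirmative consent" rule regardless of what the dialog later shows.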
Domestic Law:
The Indian law regulating the collection and use of personal data is the Information Technology Act 2000 (IT Act). The IT Act applies to the whole of India and also to acts committed outside India, although its extra-territorial effects are not entirely clear.
Any person who is negligent in using Reasonable Security Practices and Procedures (RSPPs) to protect sensitive personal data or information (SPDI) is liable to pay compensation for any wrongful loss or wrongful gain (under Section 43A of the IT Act).
The Government of India has also issued the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (IT Rules), which cover security procedures and also contain basic rules on privacy.
The parties are therefore free to agree on their own RSPPs, including any security standards or privacy policy, as long as there is mutual consent and agreement.
A person is liable to criminal punishment if he discloses personal information in breach of contract or without the consent of the concerned party, and the disclosure is made with the intention to cause, or knowing that it is likely to cause, wrongful loss or wrongful gain (under Section 72A of the IT Act). Also, under Section 43A of the Information Technology Act, 2000, a body corporate/company that possesses, deals in or handles any sensitive personal data or information, and is negligent in implementing and maintaining reasonable security practices, resulting in wrongful loss or wrongful gain to any person, may be held liable to pay damages to the person so affected. It is important to note that no upper limit is specified for the compensation that can be claimed by the affected party in such circumstances. Hence, if the charges against the mobile application are proved, the company that developed this Application can be held liable, even though the Hon'ble Prime Minister cannot be held personally liable.
What data is protected under the IT Act?
Section 43A of the Information Technology Act, 2000 (IT Act) applies to the use of sensitive personal data or information (SPDI). SPDI, as stated in Section 3 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, refers to:
1) Passwords.
2) Financial information, such as bank account or credit card details.
3) Physical, physiological and mental health condition.
4) Sexual orientation.
5) Medical records and history.
6) Biometric information.
The IT Act and the IT Rules do not provide any exception under which an individual's SPDI can be collected and transferred to a third party without their express consent.
[To Be Updated]