Security researcher Robert Baptiste, who goes by the pseudonym Elliot Alderson on Twitter, has alleged that that PM Narendra Modi’s application, the “Narendra Modi” application, was collecting the following details about people who downloaded it: email, photo, name, gender, photo, education, device ID, date of birth, phone number, language preferences, profession, city, carrier, among other fields such as (what appear to be interests or the willingness to receive alerts about the PM), video preferences etc.

This data is being sent to Clevertap, Baptiste revealed, which is a California based company, and has servers outside of India.

1. What is CleverTap’s role in collecting information?

Clevertap is an analytics and a customer marketing platform. It collects data offered to it by the device (with user permissions), from forms filled in by the user, and on segments based on actions taken by the user within the application.

The data collection here is being done by the Narendra Modi app, and not Clevertap:

  • Collection of demographic information is based on fields that the Narendra Modi app has defined
  • Device and network related information is what has been enabled by the Operating System and allowed by users
  • Behavioral information has been collected by the Narendra Modi app, enabled by Clevertap.

In this, technically, the Narendra Modi app is a data collector, and Clevertap is a data processor. If data processing wasn’t allowed, you wouldn’t be able to use Google Analytics, and India’s entire BPO industry would die. It’s a legitimate business, but we need a privacy law in India to govern data collection.

2. What is Clevertap’s role in behavioral targeting?

Clevertap allows behavioral targeting of messaging within the application. Clevertap’s website says:

“When a person launches the company’s app for the first time, we automatically create a CleverTap user profile for the person with our SDK. As the person navigates through product pages in the app, we log these actions as events associated with the user’s profile.” [source]

An example of the kind of behavior that apps which deploy Clevertap may track is indicated here:

  • What users do immediately AFTER an event (ex: launched app)
  • What users do immediately BEFORE an event (ex: uninstalled app)
  • And any other user journey within your app

In terms of behavioral targeting of messaging, Clevertap allows the following:

“Through CleverTap’s dashboard, the marketer can create a campaign to show an in-app notification to users who recently made a purchase above a certain price. Next time the user launches the app, they will see a personalized message thanking them for buying that specific product and a discount code for their next purchase.” [source]

Now how would the Narendra Modi app have done things differently, since it had no e-commerce play? It could have tracked usage of the app (news, specific news items, Mann ki baat, NaMo TV), and built profiles of each individual in terms of their topics of interest, and shown them updates related to what their potential areas of interest are.

While there is no indication that this feature was being misused by the application, but it does lend itself to microtargeting based on behavioral data. This is not happening at the scale at which Cambridge Analytica was targeting users, but the risk remains. We need rules and laws governing behavioral targeting because of the impact it appears to have, especially when it comes to political activity.

2. Data being sent to a US based company: I’m not sure how it really matters whether Clevertap is an Indian company or not: Its data probably has stronger privacy protections in the US than in India, which doesn’t have a privacy law, and the Indian state apparatus has wanton disregard for privacy and argues against it. That Clevertap’s founders are Indian and it operates mostly in India doesn’t make it an Indian company, but that shouldn’t matter.

3. On data being sent to servers outside of India: Even if the servers were in India, it wouldn’t provide users with any significant protection. All that hosting within India does is enable state surveillance from the Indian state. Hosting outside will enable surveillance from outside the Indian state, but that will depend on local laws. Even if hosting in India was mandatory, data can still be sent first to Indian servers and backups can be kept outside. What helps users is hosting in countries with the strongest data protection laws.

4. Narendra Modi app and terms and conditions were changed: Someone was daft enough to put in a line in the privacy policy that said that information collected will not be shared with third parties (web archive link), and then allow a third party to be given that data for processing. The policy has since been changed, and this is the way the policy should have been written in the first place.

5. Consent isn’t working: We’ve reached a point where user consent isn’t really working out, because of bounded rationality issues: users don’t realise the implications of how much data they’re allowing someone to collect about them, and the implications of this data collection. Terms and conditions and privacy policies aren’t serving their purpose anymore. The amount of data that devices allow for collection needs to be limited, and be made necessary and proportionate. We need companies and app developers to be more responsible about what how much data they collect, how they process and use it. There’s a global market failure in data protection.

What has happened in case of Clevertap here can happen with others too: there’s a legitimate distrust of data collectors and processors, given what has happened with Facebook and Cambridge Analytica.

Information asymmetry breeds distrust, and reactions are going to be often visceral. The collateral damage, as in case of Clevertap here, will only increase with time.

It’s up to the advertising and marketing industry to win users trust back, and be more transparent and fair.

P.s.: The issue of NCC cadets being nudged by the state machinery towards downloading the Narendra Modi app is a separate issue: the PMO India app is separate from the Narendra Modi app, and the state machinery shouldn’t be used to promote the usage of a private service. It’s the same issue as BHIM, which is a bank-consortium owned app, being allocated government resources for promotion, and the PM endorsing it.

Vidyut adds

While the privacy policy is now updated to disclose the sharing of data with third parties, it does not change:

  • Data collected and shared with third party so far has been collected without user consent. It may also be illegal in spite of the absence of a privacy law, given that the privacy policy had stated that the data would not be shared, while sharing it.
  • Silently updating a privacy policy is not ethical (or legal in countries with privacy laws – India currently lacks one) An update to the privacy policy, particularly one that adds something as major as sharing user data with a third party should be accompanied with a notification about the updated privacy policy for users to read and consent to.
  • Ideally, users refusing to consent to the privacy policy that includes sharing data with third parties, should have the right to have their unethically harvested data deleted from the database of the app.