Need dedicated legal framework
access the data that is on a user’s device. This could include either the media, audio, or any other information available on one’s phone. It really depends from app to app as to what is the specific focus on the data that they want to achieve and what are the reasons for which they are seeking specific permissions from users.
Today’s world is a data economy world. Today, every service provider is interested in a user not as a person but, as a data entity who is constantly generating, broadcasting and transmitting data. Service providers consequently use data generated from users for various purposes like targeting them with specific messages or advertising, etc. Data has a multifold purpose not just for profiling users, but also for the purposes of bombarding users with various kinds of services, perspectives, opinions, content, text which could help them make decision to pertaining to their existing day-to-day affairs.
India as a nation needs to protect its data users and their personal and data privacy. The nation needs to revisit its existing stand on intermediary liability and make service providers liable for unauthorised access to and use of third party data. The nation needs to ensure that the data of Indians is not first sent to locations outside India and then misused. Data localisation is one approach that needs to be well examined in this regard, not only to protect Indian data users but also to protect Indian cyber sovereignty as also India’s sovereign interest in cyberspace. All eyes are on the government to provide effective remedy to people who are prejudicially affected by unauthorised data breaches. A Twitter profile that goes by the name Elliot Alderson has described the issue with the Namo Android app as follows:
When creating a profile in the Namo Android app, device information including OS, network type and carrier, and personal data such as name, photo, gender and email are sent to a third-party domain -- in.wzrkt.com -- without asking for the user’s permission.
The domain is hosted by Godaddy and the Whois.com info is hidden. Whois.com is a web service that can be used to find out the registration details of a domain.
The domain belongs to a US company called Clevertap. The company describes itself as an engagement platform that “enables marketers to identify, engage and retain users and provides developers” Several reports have identified the man behind the Twitter profile as Robert Baptiste, a 28-year-old French security researcher and telecommunications engineer. He has refused any audio/video interviews but told a publication in a Twitter interaction that he was a freelance Android app developer. The BJP says “the permissions required are all contextual and cause-specific” and that the “data is being used for only analytics using third party service, similar to Google Analytics. Analytics on the user data is done for offering users the most contextual content.” An archive search for the app’s privacy policy returned following result:
“Your personal information and contact details shall remain confidential and shall not be used for any purpose other than our communication with you. The information shall not be provided to third parties in any manner whatsoever without your consent.” The terms appear to have changed after tweets by ‘Elliot Alderson’. The privacy policy now reads: “Certain information maybe processed by third party services to: — Offer you the most contextual content…” ‘Alderson’ says he has found ‘something interesting’ in the Congress’ membership app, too.
He says when you apply for membership in the Android app, your personal data is sent through an HTTP request to membership.inc.in. The data is encoded with “base 64” that is “very easy” to decode. HTTP, as indicated by ‘Alderson’, is a predecessor to HTTPS, a more secure protocol to keep data secure from hackers.
‘Alderson’ adds that IP address of membership.inc.in is 52.77.237.47. It is a server located in Singapore.
BJP'S IT cell in-charge Amit Malviya tweeted that the INC membership website is no longer available. “Message you will get 'We are incorporating minor changes to the website. Please visit us again in a while to access the INC membership process...' What is the Congress party trying to hide? http://membership.inc.in,” Malviya tweeted.
The Congress says “there is no truth to this allegation. There has been NO breach of Data whatsoever.” The party says the portal has not been used in over five months “since we moved membership to http://www.inc.in”
“With INC app was being used for Social Media updates alone since transitioning the membership to the website. This morning we were forced to remove the app from the Playstore as the wrong URL was being circulated & people were being misled.”