It all started with a bizarre trend on Twitter in line with #DeleteFacebook. On Friday, March 23, 2018, #DeleteNamoApp started trending on Twitter, alleging links of the app to Cambridge Analytica. The evidence posited was tenuous at best, and the immediate reaction of the BJP IT Cell with the #DeleteCongFakeNews hashtag led the whole thing the air of a silly political rivalry trying to capitalize on a real movement for internet freedom.

The #DeleteNamoApp trend over the official Narendra Modi app for the Prime Minister, though seemed to have a lot more steam and it caught the eye of ‘Elliot Alderson’, the security researcher who has been pointing out vulnerabilities in various Indian services and websites for the past few months.

That ominous tweet was followed up by a series of tweets about the Narendra Modi App sending user’s personal and device data to third-party domains.

CleverTap for those unaware is a highly popular engagement and marketing SDK incorporated by app makers to deliver retention, usage and retargeting campaigns for their users. It provides tools and insights into users and allows developers to send tailored push notifications or email-based campaigns to promote the app’s usage.

Of course the question is why does the Namo App need to send data to third-party servers at all? As for what data is being sent, the tweeted pictures clearly show the extent of the collection. Besides the make and model of your phone, everything from your carrier, app settings and all the information you have submitted are being sent to wzrkt.com.

The website clearly belongs to CleverTap, which used to be called Wizrocket when it started out. CleverTap has offices in the Los Angeles, San Francisco, New York, as well as in Bangalore, Mumbai and New Delhi, but the Indian connection is hard to miss with CEO and Co-founder Sunil Thomas, Anand Jain who is Co-founder and Suresh Kondamudi, CTO and Co-founder. All three were previously with Network18, the media company owned by Mukesh Ambani’s Reliance Industries. The name was changed from Wizrocket around the middle of 2015. The company has received nearly $10 million in funding according to Crunchbase.

We have reached out to Clevertap through the email contacts on their website for an explanation on the data being collected and the extent of its use and whether it is stored outside India as well. We will update the story as soon as we get the response from Clevertap.

We also examined the privacy policy of the Narendra Modi app. The link on the Play Store leads you to a web page which hosts the document. To say that the policy is half-baked would be a gross understatement. The entire policy is broken down into a handful of bullet points with single-line entries. Take a look below:

The Privacy Policy does not indicate the use of the Clevertap SDK as would be best practice. It does not mention that the profile created by the app during the setup is being sent to a third-party server, where it can be pooled together for more data mining and targeted campaigns.

To make matters worse, government-affiliated bodies are being urged to download the Narendra Modi App to communicate with the PM. A report this week said the personal mobile numbers, e-mail IDs and other details of more than 15 lakh students of the National Cadets Corps (NCC) are being collected. “The Honourable PM Narendra Modi has desired a direct interaction with maximum cadets of NCC. This is feasible by downloading the Narendra Modi app in the cell phones of the cadets,” a letter dated February 23 says, according to ThePrint.in.

Whether you believe the Narendra Modi App indeed has ties to Cambridge Analytica’s research or if you think the hashtag was fake news created by Congress, the wisest thing to do would be to uninstall the app and get your official Prime Minister updates through other sources.