Data security shouldn’t be political. It applies to all of us. Each one of us. Which is why this story is important.
On the morning of December 2, news portal YourStory published an unsigned story titled “22-year-old hacker from Mumbai hacks Narendra Modi app, exposes threat to 7 million user data”. In it Javed Khatri, a 22-year-old mobile developer from Mumbai, makes the following claim:
“I am able to access private data of any user on the app. The data includes phone number, email, name, location, interests, last seen etc. I successfully managed to extract the personal phone numbers and email ids of ministers like Smriti Irani (screenshot at the end of the article). Please find attached the screenshot.
“Not only that, I can make any user on the platform follow any other user on the platform. This is just the summary of this huge security loophole which I want to report. The privacy of more than seven million users is at stake if this gets ignored.”
The app Khatri was referring to was the official Android app of Indian Prime Minister Narendra Modi (NaMo app, for short), with over 7 million users.
Yet within hours, the story had vanished entirely from YourStory’s site, which now used an HTTP 302 redirect to send visitors to its home page instead. The site stayed silent all through the day as social media users pilloried it for having deleted the article without any explanation, then put out a clarification later that evening.
Khatri’s website went down as well (and still was, at the time of writing this article), though it isn’t clear whether that was intentional or not.
Except for a handful of smaller players, none of the leading Indian newspapers, TV channels or online news portals covered the news. It was as if this never happened.
That’s not even the shocking part. It is this: this flaw was reported more than a year ago and even now hasn’t been properly fixed.
This “non-hack” — since it exploits some very basic flaws, making it like picking a lock made of paper — is a significant one because it sits at the intersection of various trends like digital citizen-government interactions, exploding mobile usage especially by first-time technology users, data security, and legal protection. Understanding this will require some patience, so with sleeves rolled up, let’s dive in.
Technology enables, technology exposes
How does the Narendra Modi app work? It has a great many features, including a newsfeed, a social network, a survey component, etc., and also has gamification in the form of badges. People are encouraged to provide personal details, being told that registration will enable them to: “join the conversation and be heard”, “contribute with special tasks”, “earn special credit points for every activity on the app”, and “receive personalised birthday greetings directly from PM Modi”.