On Tuesday, a French ethical hacker named Elliot Alderson took to Twitter to claim that the privacy of 90 million Indians is at stake, owing to a “security issue” in the Aarogya Setu app. He informed that he was contacted by the National Informatics Centre (NIC) and the IT Ministry regarding the issue. In his Twitter thread, Anderson further cautioned that he would wait for a limited time before disclosing the matter to the general public.
The app which is available in 11 languages determines the location of the person and informs whether he is in proximity to a Coronavirus positive patient. Aarogya Setu app also contains a list of helpline numbers for every State in India. A chatbot within the app helps resolve user queries and educate about the symptoms of the Chinese virus.
49 minutes after this tweet, @IndianCERT and @NICMeity contacted me. Issue has been disclosed to them.
— Elliot Alderson (@fs0c131y) May 5, 2020
Response of Aarogya Setu
On Wednesday, a day after allegations of security issues surfaced, the official Twitter handle of Aarogya Setu replied to charges of privacy concerns on Twitter. It clarified that the app fetches the location of a user, as mentioned in its privacy policy, only during registration, self-assessment, and voluntary contact tracing. The app further reiterated that the data of a user’s location is stored in a secure, encrypted manner.
Statement from Team #AarogyaSetu on data security of the App. pic.twitter.com/JS9ow82Hom
— Aarogya Setu (@SetuAarogya) May 5, 2020
On charges of giving users the power to use ‘scripts’ to harvest Coronavirus data by altering the radius, Aarogya Setu emphasised that the radius parameters are fixed and cannot be changed beyond 10 km. On the allegation that data from multiple locations can be fetched by changing the latitude or longitude, the app administrators said that it is not a security threat, as it is same as someone calling to people at different locations and asking the data in those locations. All this data is already in the public domain, and it does not compromise on any personal data. They also mentioned that API calls for data go through a Web Application Firewall, and bulk API calls is not possible to harvest data automatically.
Moreover, they stated that the ethical hacker did not provide any evidence that proves that a user’s personal information has been compromised. The app also urged people to highlight any vulnerabilities that come to their notice at their official email address.
World Bank praises Aarogya Setu app
The Aarogya Setu app developed by the Ministry of Electronics and Information Technology through Public-Private partnership has earned praise from the World Bank for successfully using digital technologies in monitoring the transmission of the Wuhan Coronavirus.
In the South Economic Focus report of the World Bank released on April 12, it observed, “Digital technologies can also be used to monitor the spread of COVID-19. Such initiatives, largely voluntary, have been successful in helping combat the pandemic in East Asia.” The report, citing the example of India’s indigenous app, stated that innovative solutions technology can help track the deadly virus in a region that comprises of tech-savvy but poor and uneducated households.
