French hacker says Aarogya Setu putting ‘privacy at stake’, app dismisses claims

French hacker Robert Baptiste on Tuesday alerted Indian authorities after tweeting that a "security issue" was found in the Aarogya Setu app which put "privacy of 90 million Indians at stake".

The official handle of Aarogya Setu, the contact-tracing app developed by the National Informatics Centre (NIC) under the Ministry of Electronics and Information Technology, asserted late on Tuesday that “no data or security breach had been identified” in the app.

The reply seemingly came in response to a tweet by Elliot Alderson, a French security researcher, earlier in the day, who claimed: “Hi @SetuAarogya, A security issue has been found in your app. The privacy of 90 million Indians is at stake. Can you contact me in private? Regards. PS: Rahul Gandhi was right.”

A while later, Alderson tweeted again: “49 minutes after this tweet, @IndianCERT and @NICMeity contacted me. Issue has been disclosed to them. To be super clear: I’m waiting a fix from their side before disclosing publicly the issue. Putting the medical data of 90 million Indians is not an option. I have a very limited patience, so after a reasonable deadline, I will disclose it, fixed or not.”

Late at night, the Twitter handle of Aarogya Setu said they had been alerted “by an ethical hacker of a potential security issue in the app”, which they discussed with him, but that “no personal information of any user has been proven to be at risk” by the hacker.

The Setu team said the hacker had pointed out two issues – “the app fetches user location on a few occasions”, and a “user can get the Covid-19 stats displayed on home screen by changing the radius and latitude-longitude using a script.”

However, said the team, the fetching of a user’s location is “by design”, and it is “stored on the server in a secure, encrypted and anonymised manner.”

Regarding the second issue, the team said the radius parameters on the app “are fixed and can only take one of the five values: 500m, 1km, 2km, 5 km, and 10 km.” It added that the information does not “compromise on any personal or sensitive data”.

Alderson responded to the tweet, saying: “Basically, you said ‘nothing to see here’. We will see. I will come back to you tomorrow.”

The Aarogya Setu clarification comes days after Congress leader Rahul Gandhi called the contact tracing app a “sophisticated surveillance system outsourced to a private operator”.

Earlier in the day, tech giants Apple and Google said they would not allow location tracking in apps that use the API (the programming interface developers need to build such apps) being jointly built by them to help health agencies curb the coronavirus. However, the development is unlikely to have an impact on Aarogya Setu, given that it uses its own APIs.

The Ministry of Home Affairs Tuesday made it mandatory for stranded Indians abroad who will be brought back by special flights to download the app. The Centre, last week, made the use of the app mandatory for all employees of public and private organisations.

Even before this, Aarogya Setu had been under the lens for being allegedly invasive and violating data privacy norms.

According to a statement released on April 2 by the Ministry of Electronics & Information Technology, the app will track users’ “interaction with others”, and will alert authorities if there is any suspicion of the user having been in contact with a person infected with coronavirus.

“Once installed in a smartphone through an easy and user-friendly process, the app detects other devices with Aarogya Setu installed that come in the proximity of that phone. The app can then calculate the risk of infection based on sophisticated parameters if any of these contacts are tested positive,” the government had then said.