The official handle of Aarogya Setu, a COVID-19 tracker app developed by the National Informatics Centre (NIC), under the Ministry of Electronics and Information Technology, issued a statement early on Wednesday assuring that “no data or security breach has been identified.”
This was in response to a tweet by a French “white hat”, or ethical hacker, who said on Tuesday that the “privacy of 90 million Indians is at stake”.
A French security researcher named Elliot Alderson had tweeted saying: “Hi @SetuAarogya, A security issue has been found in your app. The privacy of 90 million Indians is at stake. Can you contact me in private? Regards. PS: Rahul Gandhi was right.”
In response, the Indian government’s contact-tracing app asserted that “no personal information of any user has been proven to be at risk”.
In a statement, the Government said that it was “alerted by an ethical hacker of a potential security issue of the mobile application.”
On the question of the App fetching user location on a few occasions, the team clarified that it was designed for “everyone’s benefit”.
The application team said that it fetches a user’s location and stores it on the server in a secure, encrypted, anonymised manner: (i) at the time of registration; (ii) at the time of self-assessment; and (iii) when a user submits their contact tracing data voluntarily through the App, or when the team fetches the contact tracing data of a user after they have turned COVID-19 positive.
The Aarogya Setu team also thanked the ethical hacker for engaging with it to identify vulnerabilities.
However, the hacker seemed unimpressed with the Government’s response and tweeted: “Basically, you said ‘nothing to see here’. We will see. I will come back to you tomorrow”.
Around two hours later the hacker asked the government: “Do you know what triangulation is”, referring to the process of locating an unknown point by forming triangles from known points.
The Government had on April 1 unveiled the ‘Aarogya Setu’ App – a COVID-19 tracking mobile application.
The app is aimed at augmenting the initiatives of the Central government, particularly the department of health, in proactively reaching out to and informing the users of the app regarding risks, best practices and relevant advisories pertaining to the containment of COVID-19.
The application, which tracks through a Bluetooth and location-generated social graph, is designed to alert users if they have come in close proximity with any COVID-19 positive patient.
It calculates the user’s risk of infection based on the recency and proximity of a COVID-19 patient.
The app’s alerts are accompanied by instructions on how to self-isolate and what to do in case you develop symptoms that may need help and support.
“With Aarogya Setu, you can protect yourself, your family and friends, and help our country in the effort to fight COVID-19,” according to the description of the app.
Meanwhile, the Government has issued orders making the downloading of the ‘Aarogya Setu’ App mandatory for all Central government staff.
The employees have been asked to download the app on their mobile phones and review their status before starting for office and commute only when the App shows ‘safe’ or ‘low risk’ status.
Central government staff have also been advised that if the App shows a message that the user has a ‘moderate’ or ‘high risk’ status, the individual concerned should not report to office and should self-isolate for 14 days or till the status becomes ‘safe’ or ‘low risk’.