Following allegations of security issues with the government’s Aarogya Setu application by French hacker Robert Baptiste, the application’s team on Wednesday said that no personal information of any user had been proven to be at risk.
“Earlier today, we were alerted by an ethical hacker of a potential security issue of Aarogya Setu…No personal information of any user has been proven to be at risk by this ethical hacker. We are continuously testing and upgrading our systems. Team Aarogya Setu assures everyone that no data or security breach has been identified,” an official statement said.
As per the statement, Mr. Baptise, whose goes by the name Elliot Alderson on Twitter, pointed out that the application fetched user location on a few occasions.
“This is by design and is clearly detailed in the privacy policy,” the statement said.
It added that the application fetched a user’s location and stored it on a server in a secure, encrypted and anonymised manner “1) at the time of registration, 2) at the time of self-assessment, and 3) when users submit their contact tracing data voluntarily through the app or when we fetch the contact tracing data of users after they have turned COVID-19 positive.”
Further, the French hacker had pointed out that a user could get the COVID-19 statistics displayed on home screen by changing the radius and latitude-longitude using a script. “The radius parameters are fixed and can only take one of the five values — 500 metres, 1 km, 2 km, 5 km and 10 km. These values are standard parameters, posted with HTTP headers. Any other value as part of the ‘distance’ HTTP header gets defaulted to 1 km.”
The statement said a user could change the latitude/longtitude to get the data for multiple locations. “The API call though is behind a Web Application Firewall, and hence bulk calls are not possible. Getting data for multiple latitude longitude this way is no different than asking several people of their location’s COVID-19 statistics. All this information is already public for all locations and, hence, does not compromise on any personal or sensitive data.”
On Tuesday evening, Mr. Baptiste had claimed that there were security issues with the Aarogya Setu app. “A security issue has been found in your app. The privacy of 90 million Indians is at stake. Can you contact me in private?” the hacker had tweeted, tagging the official account of Aarogya Setu app.
Rahul Gandhi’s tweet
He had further said that former Congress president Rahul Gandhi was right. Mr. Gandhi had a few days ago tweeted, “The Aarogya Setu app, is a sophisticated surveillance system, outsourced to a pvt operator, with no institutional oversight — raising serious data security & privacy concerns. Technology can help keep us safe; but fear must not be leveraged to track citizens without their consent.”
The Congress MP had called the app a “sophisticated surveillance system” and said it raised “serious data security and privacy concerns,” on May 2 via Twitter. On the same day, Mr. Baptiste sent out a tweet saying, “Rahul Gandhi tweeted about the Aarogya app. I guess I’m forced to look at it now.”
Mr. Baptise added that Indian Computer Emergency Response Team (CERT-In) and the National Informatics Centre (NIC) got in touch with him 49 minutes after his initial tweet.