The government on Wednesday said no data or security breach has been identified in Aarogya Setu after an ethical hacker raised concerns about a potential security issue in the app. Using Bluetooth and location services, the app highlights whether you have been in proximity to someone positive for COVID-19.
On Tuesday, a French hacker and cybersecurity expert who goes by the moniker Elliot Alderson had tweeted that "a security issue has been found" in the app and that "privacy of 90 million Indians is at stake". He also said that Rahul Gandhi was right, referring to the Congress leader’s earlier tweet on Aarogya Setu. “The Arogya Setu app, is a sophisticated surveillance system, outsourced to a pvt operator, with no institutional oversight - raising serious data security & privacy concerns. Technology can help keep us safe; but fear must not be leveraged to track citizens without their consent,” Rahul had said.
The Arogya Setu app, is a sophisticated surveillance system, outsourced to a pvt operator, with no institutional oversight - raising serious data security & privacy concerns. Technology can help keep us safe; but fear must not be leveraged to track citizens without their consent.
— Rahul Gandhi (@RahulGandhi) May 2, 2020
Dismissing this, the statement by the Aarogya Setu team said that "no personal information of any user has been proven to be at risk by this ethical hacker".
"We are continuously testing and upgrading our systems. Team Aarogya Setu assures everyone that no data or security breach has been identified," the government said through the app's Twitter handle.
"We discussed with the hacker and were made aware of the following... the app fetches user location on a few occasions," it said but added that this was by design and is clearly detailed in the privacy policy.
Aarogya Setu’s statement said that the app fetches users' location and stores it on the server in a secure, encrypted, anonymised manner on four occasions: at the time of registration, at the time of self-assessment, when users voluntarily submit their contact tracing data through the app, or when it fetches the contact tracing data of users after they have turned COVID-19 positive.
Statement from Team #AarogyaSetu on data security of the App. pic.twitter.com/JS9ow82Hom
— Aarogya Setu (@SetuAarogya) May 5, 2020
On a second issue, that users can change the radius and latitude-longitude using a script to get the COVID-19 stats displayed on the home screen, Aarogya Setu said that all this information is already public for all locations and hence does not compromise any personal or sensitive data.
"We thank the ethical hacker on engaging with us. We encourage any users who identify a vulnerability to inform us immediately...," it said.
Responding to the government’s clarification, Alderson tweeted, "Basically, you said 'nothing to see here'. We will see. I will come back to you tomorrow."
Basically, you said "nothing to see here"
We will see.
I will come back to you tomorrow. https://t.co/QWm0XVgi3B
— Elliot Alderson (@fs0c131y) May 5, 2020
With PTI inputs