The Congress on Wednesday again criticised the central government over Aarogya Setu, India’s contact tracing app, arguing that it raises serious data security and privacy concerns. It said the application detects and tracks users’ movement, and that it can be misused as there is a human interface at the backend.
The government, on its part, “assured” that “no data or security breach has been identified”.
Congress’s Randeep Surjewala argued that an ethical hacker had on Tuesday pointed out “serious privacy flaws” in the app. He said the hacker — who goes by the pseudonym Elliot Alderson — has claimed that he had been contacted by the Indian Computer Emergency Response Team (CERT-In) and National Informatics Centre (NIC).
“If there was no problem, why was CERT contacting the ethical hacker?” Surjewala said. Soon after Surjewala’s press conference, the hacker put out a series of tweets mentioning security concerns with the app.
The government defended the app in response to Alderson’s claims. It released a statement early Wednesday on the official handle of the Aarogya Setu app saying that “no personal information of any user has been proven to be at risk by this ethical hacker”, and “assured” that “no data or security breach has been identified”.
It said it had discussed the issues raised by the “ethical hacker”, and that either they were by design or the information was already public and did not “compromise on any personal or sensitive data”. It thanked “this ethical hacker” for engaging with them and encouraged “any users who identify any vulnerability” to inform them.
Alderson, who runs the @fs0c131y handle on Twitter, is a French Android developer whose actual name is Robert Baptiste. He said on Wednesday that, through the app, he was able to access information about people who were infected with COVID-19 and people who felt unwell, among other data points, including people in sensitive offices like the PMO or Parliament. “I was able to see if someone was sick in a specific house if I wanted,” Alderson tweeted. In the evening, he published a security note detailing his findings.
In another tweet, he said: “And yes, yesterday: – 5 people felt unwell at the PMO office – 2 unwell at the Indian Army Headquarters – 1 infected people at the Indian parliament – 3 infected at the Home Office.”
He asked the government to make the source code of the app “open source”. “When you ask (force) people to install an app, they have the right to know what the app is really doing. If you love your country @SetuAarogya, publish the source code.”
When asked about making the application open-source, a top IT ministry official, calling the app “robust and secure”, said: “Open-source is a luxury and in peace time I would love to do that… If it’s a person with serious intent, then the responsible behaviour for an ethical hacker is to make what is called a responsible disclosure.”
On private developers working on the app, he said: “They came in as volunteers. They haven’t come in on behalf of their companies.”
Previously, The Indian Express reported that the application is hosted on an Amazon Web Services cloud server. —With inputs from