Covid-19 crisis: French hacker targets Aarogya Setu app again, lists issues

Govt says continuously upgrading systems, no data or security breach has been identified

Aarogya Setu is the Indian government's contact tracing app
Neha Alawadhi, Samreen Ahmad | New Delhi/Bengaluru
Last Updated: May 07 2020 | 1:10 AM IST
The demand to open-source contact-tracing app Aarogya Setu has gained momentum, as French cybersecurity researcher Robert Baptiste, who goes by the pseudonym Elliot Alderson on Twitter, wrote a piece detailing the issues with the app.
 
In a Medium post, Baptiste explained how the app could be manipulated to get data of people infected in a given area. The government has said Aarogya Setu has been downloaded by 90 million people.
 
“Though the app (Aarogya Setu) could be a useful tool in containing the (Covid-19) outbreak, a few tweaks and evolutions in the privacy policy will make the app more robust; it will enhance its privacy and make it more secure,” said authors of a working paper by The Dialogue, titled Privacy Framework for the Aarogya Setu App.
 
Among the 11 recommendations it makes are making the app open source for greater transparency and inspiring public confidence, bringing out an Ordinance to establish a legal standing for the app, and making it mandatory only in containment zones.
 
On Wednesday, #OpenSourceAarogyaSetu was trending on Twitter. The demand to open source the application has been a constant one from privacy advocates for some time.

Mishi Choudhary, Technology Lawyer and Founder of legal service firm Software Freedom Law Centre, told Business Standard earlier that there is a need to open source the app to fix vulnerabilities by letting the larger software community look at the code.
 
An official at the Ministry of Electronics and Information Technology said: “The Government of India has an open source policy. The fundamental thing is, once the app stabilises, it will be open sourced. The focus right now is to deal with the pandemic and containment of the disease... If the app is open sourced at this stage, people will come up with false reports too, which will have to be checked, taking up a good amount of time and resources.”
Kris Gopalakrishnan, co-founder of Infosys and chairman of Axilor Ventures, said at a webinar that a balance has to be found between privacy and data collection.
 
“If you look at Aarogya Setu, we are willing to share some details because that’s necessary for us to figure out if we have come in contact with someone who has got the virus. Contact tracing has to be facilitated through the use of technology.

There is a balance required and we all need to work together, including the government, to respect privacy. We need to have a regulatory framework for transparency, disclosures and everybody should comply with them,” he said.

The team of Aarogya Setu responded on Wednesday to issues raised by the French hacker. On the issue of the app fetching user location on a few occasions, the Aarogya Setu team said: “This is by design and clearly detailed in the privacy policy.”
The other issue raised by the French hacker was that a user could get the Covid-19 status displayed on the Home Screen by changing the radius and latitude-longitude using a script.
 
He claimed to have found, during the day, that five people felt unwell at the Prime Minister’s Office on Tuesday, two unwell at the Indian Army headquarters, while one was infected at the Parliament and three at the Home Ministry. He also detailed how he managed to find this information in his post on Medium.

“No personal information of any user has been proven to be at risk by this ethical hacker. We are continuously testing and upgrading our systems. Team Aarogya Setu assures everyone that no data or security breach has been identified,” Aarogya Setu added in its response.
 
On Tuesday night, Alderson had tweeted that the privacy of 90 million people was at risk because of Aarogya Setu.
 
The government, through guidelines issued for extension of the lockdown on May 2, had made the use of Aarogya Setu mandatory in containment zones as well as for all public and private entity employees, raising questions about the privacy, legality and efficacy of such a measure.
