As the debate about the potential privacy issues around the Aarogya Setu app continues, the developers have shared a clarification on certain issues raised by an ethical hacker. On Twitter, French hacker Robert Baptiste, who tweets under the pseudonym Elliot Alderson, posted that he had found a major security issue in the Aarogya Setu app.
In a tweet, Elliot Alderson says, “A security issue has been found in your app. The privacy of 90 million Indians is at stake. Can you contact me in private?” while tagging the official handle of the app. He then tweeted, “49 minutes after this tweet, @IndianCERT and @NICMeity contacted me. Issue has been disclosed to them.” Soon after, the Aarogya Setu developers also released a statement clarifying how the app works.
"Hi @SetuAarogya, A security issue has been found in your app. The privacy of 90 million Indians is at stake. Can you contact me in private? Regards, PS: @RahulGandhi was right" — Elliot Alderson (@fs0c131y), May 5, 2020
They say that the Aarogya Setu app is designed to collect a user's location only at specific points: while the user is setting up the app and registering, when the user takes a self-assessment, every time the user voluntarily shares their contact-tracing data from within the app, and when a self-assessment indicates that the user may be COVID-positive.
Aarogya Setu is a contact-tracing app developed by the National Informatics Centre (NIC) under the Ministry of Electronics and Information Technology, and is being pushed by the Government of India as the one-stop solution for contact tracing as the COVID lockdown continues in the country. It has been made mandatory for employees of all private companies, and government employees also have to install the app on their phones.
Alderson also pointed out that the “User can get the COVID-19 stats displayed on Home Screen by changing the radius and latitude-longitude using a script.” For this, the Aarogya Setu developers say that “the radius parameters are fixed and can only take one of the five values: 500 meters, 1km, 2km, 5km and 10km.” They say this does not expose any personal or sensitive data, because the statistics are already public for every location. That answer covers the radius parameter; the latitude-longitude, which Alderson says can also be set freely from a script, is not addressed in the statement.
The Aarogya Setu developers also say that the ethical hacker has not proven that any user's personal information is at risk. In the meantime, Alderson posted a tweet earlier this morning which says, “Do you know what triangulation is @SetuAarogya?” We expect this to rumble on for a while now.
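To make the "triangulation" remark concrete, here is an added illustration, written for this page and not taken from Alderson's script or from the app's own code, of why an aggregate count query that fixes the radius but accepts any centre can still narrow down individual positions. Everything in it is hypothetical: `count_within` is a stand-in for a "cases within radius of point" query over a constructed list of three made-up coordinates, the grid sweep and component grouping are the author's own choice of method, and nothing here demonstrates what the real app returns or whether its data could actually be used this way.

```python
import math
from collections import deque

EARTH_RADIUS_M = 6_371_000.0

# The five radius values the developers say are the only ones accepted (from the article).
ALLOWED_RADII_M = (500, 1000, 2000, 5000, 10000)

# Constructed sample data (hypothetical, not real case records): three "reported
# cases" inside a roughly 7 km x 5 km box. The coordinates are arbitrary.
SAMPLE_CASES = [(28.6139, 77.2090), (28.6300, 77.2200), (28.5900, 77.1900)]
SAMPLE_BBOX = (28.58, 28.64, 77.18, 77.23)  # lat_min, lat_max, lon_min, lon_max


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two points on a spherical earth."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def count_within(points, center, radius_m):
    """Hypothetical stand-in for an aggregate 'cases within radius of point' query.

    It enforces the fixed radius set, but (as in the behaviour Alderson describes)
    accepts any centre. Only a count comes back, never a record.
    """
    if radius_m not in ALLOWED_RADII_M:
        raise ValueError(f"radius must be one of {ALLOWED_RADII_M}")
    lat, lon = center
    return sum(1 for plat, plon in points if haversine_m(lat, lon, plat, plon) <= radius_m)


def localise_cases(points, bbox, radius_m=500, step_m=100):
    """Sweep query centres over bbox on a step_m grid using the smallest allowed radius.

    Every centre with a non-zero count lies within radius_m of some case, so for an
    isolated case the responding centres fill a disc around it and their centroid is
    the case's position to within about one grid step. Responding centres are grouped
    into 4-connected components; cases closer than 2*radius_m merge into one component,
    a limitation of this simple sweep. Returns a list of (lat, lon) estimates.
    """
    lat_min, lat_max, lon_min, lon_max = bbox
    dlat = step_m / 111_320.0
    dlon = step_m / (111_320.0 * math.cos(math.radians((lat_min + lat_max) / 2)))
    n_lat = int((lat_max - lat_min) / dlat) + 1
    n_lon = int((lon_max - lon_min) / dlon) + 1

    responding = set()
    for i in range(n_lat):
        for j in range(n_lon):
            center = (lat_min + i * dlat, lon_min + j * dlon)
            if count_within(points, center, radius_m) > 0:
                responding.add((i, j))

    estimates, seen = [], set()
    for cell in responding:
        if cell in seen:
            continue
        component, queue = [], deque([cell])
        seen.add(cell)
        while queue:
            i, j = queue.popleft()
            component.append((i, j))
            for nb in ((i + 1, j), (i - 1, j), (i, j + 1), (i, j - 1)):
                if nb in responding and nb not in seen:
                    seen.add(nb)
                    queue.append(nb)
        lat = sum(lat_min + i * dlat for i, _ in component) / len(component)
        lon = sum(lon_min + j * dlon for _, j in component) / len(component)
        estimates.append((lat, lon))
    return estimates


def max_error_m(estimates, truth):
    """Largest distance from any estimate to its nearest true point, in metres."""
    return max(min(haversine_m(e[0], e[1], t[0], t[1]) for t in truth) for e in estimates)


if __name__ == "__main__":
    est = localise_cases(SAMPLE_CASES, SAMPLE_BBOX)
    print(f"{len(est)} positions recovered, worst error {max_error_m(est, SAMPLE_CASES):.0f} m")
```

The point of the sweep is that "the counts are public for all locations" and "the counts cannot identify anyone" are different claims: with a freely chosen centre, the smallest fixed radius sets the resolution of the sweep rather than preventing it, and the cost is only the number of queries. Whether the real service rate-limits, coarsens or otherwise protects those queries is not something this page establishes.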