French cyber security researcher and ethical hacker Baptiste Robert, who goes by the name Elliot Alderson online, mocked the Indian government’s response to security issues raised by him regarding the Aarogya Setu app.
Alderson had on Tuesday night pointed out that the app, used by the government for contact tracing of COVID-19 patients, had risked the privacy of 90 million Indians.
While the government denied there had been any privacy breach, Alderson said that an issue that had previously allowed him to access any internal file on the app had been quietly fixed.
He also said he had been able to check who was infected, unwell or had made a self-assessment in an area of his choice. “Basically, I was able to see if someone was sick at the PMO office or the Indian parliament. I was able to see if someone was sick in a specific house if I wanted,” he said.
The government had responded late on Tuesday night to tweets by Alderson in which he asked the app’s team to contact him, adding in a postscript that Congress leader Rahul Gandhi had been right.
Gandhi had last week called the app “a sophisticated surveillance system, outsourced to a private operator, with no institutional oversight - raising serious data security and privacy concerns.”
Within an hour of his tweet, Alderson said he had been contacted by the Ministry of Electronics & Information’s Computer Emergency Response Team and the National Informatics Centre.
The government later tweeted out a statement saying “no personal information has been proven to be at risk” and that there had been no security or data breach.
One of the issues pointed out by Alderson concerned the app’s use of a user’s location. The government, in its response, said that user location data was stored on a server in a “secure, encrypted, anonymised manner”.
The government also claimed that the location of the user is accessed at the time of registration, self-assessment, when the user submits contact-tracing data “voluntarily” and when the app fetches data after a user tests positive for COVID-19.
The app was recently made mandatory not just for individuals in containment zones, but for all government officials.
Alderson was less than satisfied with the government’s response.
To a tweet asking whether he thought the security issue was intentional and by design, Alderson replied “yes”.
Communications and Information Technology Minister Ravi Shankar Prasad told the Economic Times on Wednesday that the app was “completely Covid-centric” and “secure”.
“This app is completely safe and secure—data is secured for a very limited purpose and for a very limited period of time. This helps avoid your contact with a person who is inflicted and the whole purpose of this app is to protect you.”