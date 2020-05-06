SOPA Images via Getty Images In this photo illustration Aarogya Setu logo seen displayed on a smartphone.

A French cyber security researcher who pointed out a security issue with the Aarogya Setu app said he would respond with more details on Wednesday after the government denied there had been any privacy breach. The government had late Tuesday night responded to tweets by ethical hacker Baptiste Robert, who goes by the name Elliot Alderson online, which said that the Aarogya Setu, the app used by it for contact tracing of COVID-19 patients, had risked the privacy of 90 million Indians. Alderson had asked the app’s team to contact him, adding in postscript that Congress leader Rahul Gandhi had been right. The app’s team tweeted thanking the hacker for bringing the issue to their notice, but denied any data breach had taken place.

Gandhi had last week called the app “a sophisticated surveillance system, outsourced to a private operator, with no institutional oversight - raising serious data security and privacy concerns.” Within an hour of his tweet, Alderson said he had been contacted by the Ministry of Electronics & Information’s Computer Emergency Response Team and the National Informatics Centre. The government later tweeted out a statement saying “no personal information has been proven to be at risk” and that there had been no security or data breach. One of the issues pointed out by Alderson included the app’s use of the user’s location. The government, in its response, said that the data on a user’s location was stored on a server in a “secure, encrypted, anonymised manner”. The government also claimed that the location of the user is accessed at the time of registration, self-assessment, when the user submits contact-tracing data “voluntarily” and when the app fetches data after a user tests positive for COVID-19. The app was recently made mandatory not just for individuals in containment zones, but for all government officials. You can read the app team’s full statement below:

Alderson seemed less than satisfied with the government’s response, saying he would respond further on Wednesday. To a tweet asking he whether he thought the security issue was intentional and by design, Alderson replied “yes”.

