Aarogya Setu Team Rubbishes Privacy Issue Reports, Government Assures Safety

| Updated: Thursday, May 7, 2020, 11:13 [IST]

Noted cybersecurity expert- Elliot Alderson (Twitter name) who previously exposed flaws in Aadhar, has now claimed that the Aarogya Setu app has a vulnerability that compromises the privacy of 90 million Indian users. The French cyber expert alerted the team behind the Aarogya Setu app on Twitter and urged them to contact him in private to discuss the security issue.

Aarogya Setu Team Rubbishes Privacy Issue Reports, Assures Safety

His tweet also mentioned about Rahul Gandhi being right for calling Aarogya Setu a 'Sophisticated Surveillance System'.

In his second tweet, the cyber expert said, "49 minutes after this tweet, @IndianCERT and @NICMeity contacted me. Issue has been disclosed to them."

Now the app developers behind the Aarogya Setu app has issued an official statement on Twitter reaffirming that no data or security breach has been identified and the smartphone application is safe to use.

"No personal information of any user has been proven to be at risk by this ethical hacker. We are continuously testing an upgrading our systems. Team Aarogya Setu assures that no data or security breach has been identified", said the app developers.

The cyber expert who previously exposed security issues with mAadhaar application pointed out two major issues with the Aarogya Setu app.

The app fetches user location on a few occasions

The Aarogya Setu team addressed it by stating that the user's location is the app's design requirement and is stored on the server in a secure, encrypted and anonymised manner.

User can get the Covid-19 stats displayed on home screen by changing the radius and latitude-longitude using a script

The app developers mentioned that the radius parameters on the app "are fixed and can only take one of the five values: 500m, 1km, 2km, 5 km, and 10 km." These values are standard parameters, posted with HTTP headers. As the information is already public for all locations, it does not compromise on any personal or sensitive data.

The team behind the Aarogya Setu app also thanked the ethical hacker and even urged users to contact the team at support.aarogyasetu@gov.in if they identify any vulnerability in the smartphone app.

To recall, former Congress President Rahul Gandhi on Saturday called Aarogya Setu a "Sophisticated Surveillance System." He also mentioned that the project has been outsourced to a private operator which raises serious security and privacy concerns. "Technology can help keep us safe; but fear must not be leveraged to track citizens without their concern," Mr Rahul Gandhi wrote on Twitter.

Union Information Technology Minister Ravi Shankar Prasad called the charge a "lie" and said, "Aarogya Setu is a powerful companion which protects people. It has a robust data security architecture. Those who indulged in surveillance all their lives, won't know how tech can be leveraged for good!"

If you haven't followed technology news lately, you must know that Aarogya Setu app is Government of India's mobile application for contact tracing and dissemination of medical advisories to contain the spread of COVID-19. The Center recently issued guidelines for this third lockdown which included a directive, stating that the app download is mandatory for all public and private sector office employees

The directive also mentioned that all citizens living in an identified COVID-19 containment zone will also be required to have the Aarogya Setu app installed on their smartphone.

The app is available for both Android and iOS devices in 11 different Indian languages including English, Hindi, Gujrati, Kannada, Telugu, Malayalam, Tamil, Bangla, Marathi, Odia, and Punjabi.