Aarogya Setu’s statement on hacker’s claim

Developers of the Indian coronavirus tracking application Aarogya Setu have responded to allegations by an ethical hacker regarding security issues in the app. The Aarogya Setu team says that “no personal information of any users has been proven to be at risk”.
Statement from Team #AarogyaSetu on data security of the App. pic.twitter.com/JS9ow82Hom
— Aarogya Setu (@SetuAarogya) May 5, 2020
Late on Tuesday, the Aarogya Setu team issued a statement explaining how the app collects and manages location and user information, after the French security researcher Robert Baptiste, who tweets as Elliot Alderson, flagged a “security issue” in the contact-tracing application.
The app makers also reiterated Aarogya Setu’s privacy policy, which is accessible from the app itself. The app collects the user’s location and stores it on the server in what the statement describes as a “secure, encrypted, anonymized manner”. The location is fetched when the user registers, when they complete a self-assessment, and when they voluntarily submit their contact-tracing data through the app, the statement added.
The team acknowledged some of the issues but refused to accept that they pose a security threat in any way.
Shortly after the exchange of tweets, the government released a six-page document outlining the measures being taken to protect users’ data, privacy and security. Among the measures the government says it is taking is assigning each user a “unique randomized anonymous device ID” that is used for all communication between devices and the Aarogya Setu server.
As per the document, data is deleted after 45 days for users not flagged as at risk, and 60 days from the date of discharge or cure for COVID-19 patients. Location data, one of the hacker’s concerns, is used “in case you test positive, only to map places visited in past 14 days for sanitization and testing to prevent the further spread”, the government said.
The government has also said the app “never reveals your personal identity” and that the “identity of COVID-19 patients is NOT shared with the public at large”. Other assurances given include: “Government uses your information ONLY for administering COVID-19-related health interventions and NOT any other purpose”.
In its earlier statement, the Aarogya Setu team responded to two concerns raised by the hacker, who had previously exposed flaws in the Aadhaar app. According to the statement, the concerns were the number of times the app fetches the user’s location (three times) and the ability to change the latitude, longitude and radius values in order to get data for multiple users.
The government, in its response, said “we thank this ethical hacker for engaging with us” but that “no data or security breach has been identified” and “no personal information of any user has been proven to be at risk”. The hacker had earlier warned the government to fix the issues or he would make them public, writing: “Putting the medical data of 90 million Indians (at risk) is not an option. I have very limited patience, so after a reasonable deadline, I will disclose it, fixed or not”.
The hacker also responded to Aarogya Setu’s statement, hinting that he will most likely reveal more details later today.
The Indian government has said that everyone attending an office anywhere in the country must have the app installed during the extended two-week lockdown. In its notification, the government said heads of organisations will be held responsible if employees are found without the app. All people in COVID-19 containment zones are also expected to have the app. The government has reportedly also considered making the app mandatory on all newly produced smartphones. The app has already been made compulsory for all residents of Noida and Greater Noida in Uttar Pradesh.