A day after noted cyber-security researcher, Baptiste Robert aka Elliot Alderson (@fs0c131y), claimed that a serious security vulnerability in the controversial Aarogya Setu app may have have jeopardized the privacy of 90 million people online, the Indian government has issued a detailed denial, claiming that the issues pointed out by the researcher are included in the app ‘by design’.
According to Robert, not only does the app allows for continuous location tracking in the background, it also allows anyone to see the concentration of COVID-positive or COVID-suspected people within up to a 10km radius. While the government acknowledges both those ‘features’ in the app’s privacy policies, Robert says that he was able to develop a script that enabled him to view similar data for all Aarogya Setu users across the length and breadth of the country.
Basically, you said "nothing to see here"
We will see.
I will come back to you tomorrow. https://t.co/QWm0XVgi3B
— Baptiste Robert (@fs0c131y) May 5, 2020
In its rebuttal, the government claimed that the app only fetches user locations in a few cases, including, at the time of registration, at the time of self-assessment, when the user submits their contact-tracing data voluntarily, or when the user is COVID-positive. The location-tracking, it said, is “for everyone’s benefit”, and the data is stored “in a secure, encrypted and anonymized manner”. Robert, however, is sticking to his guns, and has vowed to come back with more details about the vulnerabilities later today.
After the successive data breaches at Aadhaar over the past couple of years, cyber-security analysts, civil liberties advocates and industry insiders were already skeptical about Aarogya Setu, with the non-profit Internet Freedom Foundation (IFF) recently sending a joint representation to the Prime Minister’s Office urging the government against the mandatory use of the Aarogya Setu app because of privacy concerns.
Now, with new revelations about the app, opposition to its mandatory installation on smartphones will become an even bigger issue among many people around the country, but it will be interesting to see if the government will acknowledge that whether by design or by accident, the app does include several provisions that are highly disconcerting and should be addressed immediately.