As India, like other countries around the world, amps up its efforts to fight the coronavirus pandemic, new measures are being implemented to curb the spread of the virus. Contact tracing has been considered an effective technological solution to slow down the spread of COVID-19, and India introduced its own Aarogya Setu app to amplify its contact tracing efforts. However, the app has been met with heavy criticism over privacy concerns.
Only days after Congress leader Rahul Gandhi termed the Aarogya Setu app a 'sophisticated surveillance system' and said that fear must not be leveraged to track citizens without their consent, French hacker Robert Baptiste, who goes by Elliot Alderson on Twitter, said the app indeed has a security issue.
Without divulging the specifics of the "security issue" he discovered in the Aarogya Setu app, Alderson agreed with Rahul Gandhi, which suggests the app is a surveillance tool in disguise. He warned that the privacy of 90 million Indians is at stake.
Issuing further clarification on why he chose not to disclose the security flaw, Alderson said in follow-up tweets that the necessary departments, CERT-In and the National Informatics Centre (NIC), have been notified.
Official response on Aarogya Setu privacy
The Aarogya Setu team has responded with a counter-statement suggesting that the security issue discovered by the ethical hacker does not pose a risk to any user's personal information. The ethical hacker had revealed two main concerns with the app: that it fetches the user's location on a few occasions, and that a user can get COVID-19 stats displayed on the home screen by changing the radius and latitude-longitude using a script.
In response, the team behind the government's app said the first claim made by the ethical hacker, regarding location access, describes behaviour that is by design and clearly mentioned in the privacy policy. As for the second claim, the official response is that it is not a privacy risk.
"No personal information of any user has been proven to be at risk by this ethical hacker. We are continuously testing and upgrading our systems. Team Aarogya Setu assures everyone that no data or security breach has been identified," read the official statement.
When International Business Times India reached out to Alderson for a statement, the ethical hacker said he will reveal the details of his findings publicly on Wednesday.
'Rahul Gandhi was right'
Union Minister Ravi Shankar Prasad was quick to react to Rahul Gandhi's remarks and called him a liar. Prasad backed the Centre's stand on the Aarogya Setu app, saying it is a "powerful companion which protects people." But a noted ethical hacker's revelation about the app's privacy raises concerns, especially when Robert Baptiste had explicitly mentioned "Rahul Gandhi was right."
In case you're wondering, Gandhi's tweet that irked the IT minister and many others from the BJP had also accused the Centre of leveraging fear to track people.
"The Arogya Setu app is a sophisticated surveillance system, outsourced to a pvt operator, with no institutional oversight - raising serious data security & privacy concerns. Technology can help keep us safe; but fear must not be leveraged to track citizens without their consent," Rahul Gandhi had said on Twitter.