An anonymous French hacker who goes by the name of Elliot Alderson on Twitter has discovered a security issue in the Government’s Aarogya Setu COVID-19 tracking app that could potentially put the privacy of 90 million Indians at stake. Being an ethical hacker, Alderson has “flagged” the issue to India’s Computer Emergency Response Team (CERT) and the National Informatics Centre (NIC) that falls under the Ministry of Electronics and Information Technology. Alderson is notably the same hacker who had earlier exposed issues in the Government of India’s mAadhar app for Android.
On Tuesday, Alderson took to Twitter to claim that he had discovered a security issue in the Aarogya Setu app and asked the Government to contact him in private, so the hacker could disclose it to the authorities. The Government contacted the hacker soon enough and the issue was disclosed to them. Alderson now awaits a fix for the said issue, failure of which would entail the hacker in disclosing the issue in public, as per the core tenets of ethical “white hat” hacking.
Hi @SetuAarogya,
A security issue has been found in your app. The privacy of 90 million Indians is at stake. Can you contact me in private?
Regards,
PS: @RahulGandhi was right
— Elliot Alderson (@fs0c131y) May 5, 2020
The Government did come out with a detailed response to the hacker’s claims in the wee hours, last night. But the reason why we say the hacker still awaits a fix, is because in the words of Alderson, the Government basically said “(there’s) nothing to see here.” In other words, all is well with Aarogya Setu, as per the Government of India, even though the hacker appears to have raised not one, but two concerns with the app.
Basically, you said "nothing to see here"
We will see.
I will come back to you tomorrow. https://t.co/QWm0XVgi3B
— Elliot Alderson (@fs0c131y) May 5, 2020
“No personal information of any user has been proven to be at risk by this ethical hacker. We are continuously testing and upgrading our systems. Team Aarogya Setu assures everyone that no data or security breach has been identified,” the makers of Aarogya Setu said.
Alderson has already put the word out on Twitter that he will come out with more information today, and we will update this piece as soon as we know more.
In the meanwhile, Alderson isn’t the only one to have raised alarm over privacy issues in the Aarogya Setu app. New Delhi-based Software Freedom Law Centre has alleged that the app collects sensitive user data such as a user’s gender and travel history, The Internet Freedom Foundation (IFF) has also alleged that Aarogya Setu lacks transparency.
The issues are particularly serious, to be looked into, because even though Aarogya Setu is seemingly a “voluntary” app, it’s being made more and more “mandatory” each passing day. Failure to install it on smartphones (when out in the public) is even punishable in Noida and Greater Noida, as per a new directive by the UP police, which is a first for any such app. The Government has also directed public and private sector employees to have it installed on their smartphones. “Use of Aarogya Setu app shall be made mandatory for all employees, both private and public. It shall be the responsibility of the head of the respective organisations to ensure 100 percent coverage of this app among the employees,” according to a recent MHA directive. Needless to say that Aarogya Setu is already mandatory for Central Government employees. And for people residing in COVID-19 containment zones.
[auto_also_read title=”Aarogya Setu is Government of India’s first ‘comprehensive’ COVID-19 tracking app, here are all the details” url =”https://www.financialexpress.com/industry/technology/aarogya-setu-is-government-of-indias-first-comprehensive-covid-19-tracking-app-here-are-all-the-details/1916887/” ][/auto_also_read]
