Aarogya Setu was developed by the National Informatics Centre to help contact-tracing of at-risk individuals in the wake of the Covid-19 pandemic.
By Anwesha Ganguly
When the Indian government launched its Covid-19 contact-tracing app Aarogya Setu last month, it piqued the interest of a French cyber security expert.
“I installed the app and I have one hour in front of me, let’s see what I can find,” Robert Baptiste wrote on social media. Within two hours, Baptiste claimed he had found a way to access data that should have been protected. The issue was later fixed by the app’s developers. Earlier this week, Baptiste raised an alarm again. “The privacy of 90 million Indians is at stake,” he wrote, asking the developers to contact him to discuss the security risk.
Baptiste found that by tweaking the location coordinates the app sends to its servers, a user could retrieve the number of infected and unwell app users in any area of India. The developers contacted him and concluded that the ethical hacker had not shown any user’s personal information to be at risk. Dissatisfied with that response, Baptiste called for the app to be made “open source,” meaning anyone could inspect the source code and flag potential risks.
As unease over data surveillance grows, the government is mulling doing that. “We developed the app in two weeks. During the development, we got it audited by IIT-Madras, and by one of the largest tech audit firms. We circulated it among security researchers widely… we religiously go through security testing. We are very paranoid about security and potential vulnerabilities. We are committed to open sourcing. We are not that far from open sourcing the app,” said Arnab Kumar, program director, NITI Aayog, who has been involved in the app’s development. A final decision is yet to be taken.
Aarogya Setu does Bluetooth-based contact tracing and also records the user’s location.
“Covid-19 positive information comes from a testing lab to the Indian Council of Medical Research, and from their database to ours. Then we push that information to the user’s phone and pull the contact-tracing data for the last 14-odd days,” Kumar said, adding that communication between the server where the data is stored and the device it is collected from is “anonymised.”
Getting the data for multiple locations, as Baptiste demonstrated, “is no different than asking several people of their locations’ Covid-19 statistics. All this information is already public for all locations and hence does not compromise any personal sensitive data,” the app’s team said in a statement earlier this week.
Baptiste claimed he used this method to find that on May 5, there was one Covid-19-infected person in the Indian Parliament, five people felt unwell at the Prime Minister’s Office and two were unwell in the Indian Army Headquarters. “I can know if my neighbour is sick, for example,” he wrote on social media on Wednesday.
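The class of problem Baptiste describes, an aggregate-statistics endpoint that trusts whatever coordinates and radius the client sends, is easy to reproduce and easy to harden. The Python below is an added illustration and is not Aarogya Setu’s code or API: the server functions, their parameters (latitude, longitude, radius), the grid size, the radius floor and the k threshold are all assumptions, and the users and coordinates are constructed sample data. It shows how a tiny radius around spoofed coordinates singles out one person in the naive version, and how snapping the centre to a coarse grid, enforcing a minimum radius and suppressing small counts makes neighbouring queries return the same answer and sparse areas return nothing.

```python
import math
from dataclasses import dataclass
from typing import Dict, List, Optional

EARTH_RADIUS_M = 6_371_000.0


@dataclass(frozen=True)
class User:
    uid: str
    lat: float
    lon: float
    status: str  # "infected", "unwell" or "healthy"


# Constructed sample data (hypothetical users, not real people or addresses).
# u1 plays the "neighbour"; u2 lives about 25 m away from u1.
SAMPLE_USERS: List[User] = [
    User("u1", 28.60000, 77.20000, "infected"),
    User("u2", 28.60020, 77.20010, "healthy"),
    User("u3", 28.60300, 77.20200, "unwell"),
    User("u4", 28.60350, 77.19800, "infected"),
    User("u5", 28.59700, 77.20300, "healthy"),
    User("u6", 28.61000, 77.21000, "unwell"),
    User("u7", 28.59500, 77.19500, "infected"),
]


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two WGS84 points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def _count(users: List[User], lat: float, lon: float, radius_m: float) -> Dict[str, int]:
    nearby = [u for u in users if haversine_m(lat, lon, u.lat, u.lon) <= radius_m]
    return {
        "infected": sum(u.status == "infected" for u in nearby),
        "unwell": sum(u.status == "unwell" for u in nearby),
        "total": len(nearby),
    }


def naive_area_stats(users: List[User], lat: float, lon: float, radius_m: float) -> Dict[str, int]:
    """Weak version (assumed design): trusts the client's coordinates and radius as-is.
    A 15 m circle around a spoofed position reports on a single household."""
    return _count(users, lat, lon, radius_m)


def hardened_area_stats(users: List[User], lat: float, lon: float, radius_m: float,
                        *, min_radius_m: float = 500.0, grid_deg: float = 0.005,
                        k: int = 3) -> Optional[Dict[str, int]]:
    """Hardened version (assumed design, parameters are illustrative):
    1. snap the centre to a ~550 m grid so the circle cannot be slid a few
       metres at a time to difference out one person;
    2. enforce a radius floor so the area always covers many households;
    3. suppress the answer entirely when fewer than k users fall inside."""
    lat = round(lat / grid_deg) * grid_deg
    lon = round(lon / grid_deg) * grid_deg
    radius_m = max(radius_m, min_radius_m)
    stats = _count(users, lat, lon, radius_m)
    if stats["total"] < k:
        return None  # suppressed: too few people to release counts safely
    return stats


def demo() -> None:
    house, next_door = (28.60000, 77.20000), (28.60020, 77.20010)
    print("naive, neighbour's house, 15 m:", naive_area_stats(SAMPLE_USERS, *house, 15.0))
    print("naive, next door, 15 m:       ", naive_area_stats(SAMPLE_USERS, *next_door, 15.0))
    print("hardened, neighbour's house:  ", hardened_area_stats(SAMPLE_USERS, *house, 15.0))
    print("hardened, next door:          ", hardened_area_stats(SAMPLE_USERS, *next_door, 15.0))
    print("hardened, sparse area:        ", hardened_area_stats(SAMPLE_USERS, 28.61, 77.21, 50.0))


if __name__ == "__main__":
    demo()
```

The two naive queries differ only by one person and so reveal that u1 is infected; the two hardened queries land in the same grid cell and return the same five-person aggregate, and the query over the sparse area returns nothing at all. Count suppression on its own is not enough: without the grid snap, an attacker can still take two overlapping circles that each pass the k threshold and subtract them. Per-client rate limiting on the endpoint is a further control that this simulation leaves out.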
Baptiste isn’t the only one to raise privacy concerns about the app. “From a privacy perspective, since such apps probably are at their most efficient when they have continuous access to location data, which evoke reasonable apprehension of mass, real-time or dragnet surveillance,” Sidharth Deb, member, Internet Freedom Foundation, wrote in a working paper last month. Deb called for a sunset clause and parliamentary oversight of the data collected through the app.
Earlier this month, the home ministry directed local authorities to ensure 100% coverage through Aarogya Setu in containment zones. In Noida, Uttar Pradesh, not having the app has been made a punishable offence.