Coronavirus Outbreak: Aarogya Setu team says 'no user data at risk' after French hacker raises concerns over 'security of 90 million Indians'

The official handle of the Aarogya Setu contact-tracing app, developed by the National Informatics Centre (NIC), under the Ministry of Electronics and Information Technology, asserted late on Tuesday that 'no personal information of any user has been proven to be at risk'.

FP Staff May 06, 2020 09:32:31 IST

The team's reply came in response to a tweet posted earlier in the day by Elliot Alderson, a French security researcher, who claimed: "Hi Aarogya Setu, A security issue has been found in your app. The privacy of 90 million Indians is at stake. Can you contact me in private? Regards. PS: Rahul Gandhi was right."

Rahul Gandhi on 2 May had called the app a “sophisticated surveillance system” and said it raised “serious data security and privacy concerns”, via Twitter. On the same day, Alderson sent out a tweet saying, “Rahul Gandhi tweeted about the Arogya app. I guess I’m forced to look at it now.”

The French hacker then confirmed that both the Indian Computer Emergency Response Team (CERT-In) and the National Informatics Centre (NIC) got in touch with him 49 minutes after his initial tweet pointing out the security issue.

Following this, late Tuesday night, the Twitter handle of Aarogya Setu put out an official statement which said that they were alerted “by an ethical hacker of a potential security issue in the app”, which they discussed with him, but “no personal information of any user has been proven to be at risk” by the hacker.

The statement said that Alderson had pointed out two issues: “the app fetches user location on a few occasions”, and a “user can get the COVID-19 stats displayed on the home screen by changing the radius and latitude-longitude using a script.”

The app's team clarified that the fetching of a user’s location is “by design”, and it is “stored on the server in a secure, encrypted and anonymised manner.”

Regarding the second issue, the team said the radius parameters on the app “are fixed and can only take one of the five values: 500 m, 1 km, 2 km, 5 km, and 10 km.” It added that the information does not “compromise on any personal or sensitive data”.

Alderson responded to the tweet last night, saying: “Basically, you said ‘nothing to see here’ We will see. I will come back to you tomorrow.”
