Coronavirus Outbreak: Aarogya Setu team says 'no user data at risk' after French hacker raises concerns over 'security of 90 million Indians'

The official handle of Aarogya Setu contact-tracing app, developed by the National Informatics Centre (NIC), under the Ministry of Electronics and Information Technology, asserted late on Tuesday that 'no personal information of any user has been proven to be at risk'.

FP Staff May 06, 2020 09:32:31 IST
Coronavirus Outbreak: Aarogya Setu team says 'no user data at risk' after French hacker raises concerns over 'security of 90 million Indians'

The official handle of the Aarogya Setu contact-tracing app, developed by the National Informatics Centre (NIC), under the Ministry of Electronics and Information Technology, asserted late on Tuesday that "no personal information of any user has been proven to be at risk".

The reply from the team came in response to a tweet by Elliot Alderson, a French security researcher, earlier in the day, who claimed: "Hi Aarogya Setu, A security issue has been found in your app. The privacy of 90 million Indians is at stake. Can you contact me in private? Regards. PS: Rahul Gandhi was right."

Rahul Gandhi on 2 May had called the app a “sophisticated surveillance system" and said it raised “serious data security and privacy concerns", via Twitter. On the same day, Alderson sent out a tweet saying, “Rahul Gandhi tweeted about the Arogya app. I guess I’m forced to look at it now."

The French hacker then confirmed that both the Indian Computer Emergency Response Team (CERT-In) and the National Informatics Centre (NIC) got in touch with him 49 minutes after his initial tweet, pointing out the security issue.

Following this, late Tuesday night, the Twitter handle of Aarogya Setu put out an official statement which said that they were alerted “by an ethical hacker of a potential security issue in the app”, which they discussed with him, but “no personal information of any user has been proven to be at risk” by the hacker.

The statement said the Alderson had pointed out two issues — “the app fetches user location on a few occasions”, and a “user can get the COVID-19 stats displayed on the home screen by changing the radius and latitude-longitude using a script.”

The app's team clarified that the fetching of a user’s location is “by design”, and it is “stored on the server in a secure, encrypted and anonymised manner.”

Regarding the second issue, the team said the radius parameters on the app “are fixed and can only take one of the five values: 500 m, 1 km, 2 km, 5 km, and 10 km.” It added that the information does not “compromise on any personal or sensitive data”.

Alderson responded to the tweet last night, saying: “Basically, you said “nothing to see here” We will see. I will come back to you tomorrow.”

Updated Date:

also read

New easy-to-use test can tell how much immunity you have against COVID-19
India

New easy-to-use test can tell how much immunity you have against COVID-19

Easy access to this kind of test could help people determine what kind of precautions they should take against COVID-19 infection, such as getting an additional booster shot, the researchers said

COVID-19: Corbevax approved as precaution dose for adults vaccinated with Covaxin, Covishield
India

COVID-19: Corbevax approved as precaution dose for adults vaccinated with Covaxin, Covishield

This is for the first time that a booster dose that is different from the one used for primary vaccination against Covid has been allowed in the country

COVID-19: India reports 20,551 new COVID-19 cases in last 24 hours
India

COVID-19: India reports 20,551 new COVID-19 cases in last 24 hours

According to government figures, 53 new COVID-19 deaths were reported in the country in span of 24 hours. This has increased total fatalities due to the cirus to 5,26,530. The daily positivity rate stands at 5.14 per cent.