Coronavirus Outbreak: Aarogya Setu team says 'no user data at risk' after French hacker raises concerns over 'security of 90 million Indians'

The official handle of the Aarogya Setu contact-tracing app, developed by the National Informatics Centre (NIC), under the Ministry of Electronics and Information Technology, asserted late on Tuesday that “no personal information of any user has been proven to be at risk”. The reply from the team came in response to a tweet by Elliot Alderson, a French security researcher, earlier in the day, who claimed: “Hi Aarogya Setu, A security issue has been found in your app. The privacy of 90 million Indians is at stake. Can you contact me in private? Regards. PS: Rahul Gandhi was right.”

Hi @SetuAarogya,

A security issue has been found in your app. The privacy of 90 million Indians is at stake. Can you contact me in private?

Regards,

PS: @RahulGandhi was right

— Baptiste Robert (@fs0c131y) May 5, 2020

Rahul Gandhi on 2 May had called the app a “sophisticated surveillance system" and said it raised “serious data security and privacy concerns", via Twitter. On the same day, Alderson sent out a tweet saying, “Rahul Gandhi tweeted about the Arogya app. I guess I’m forced to look at it now." The French hacker then confirmed that both the Indian Computer Emergency Response Team (CERT-In) and the National Informatics Centre (NIC) got in touch with him 49 minutes after his initial tweet, pointing out the security issue. Following this, late Tuesday night, the Twitter handle of Aarogya Setu put out an official statement which said that they were alerted “by an ethical hacker of a potential security issue in the app”, which they discussed with him, but “no personal information of any user has been proven to be at risk” by the hacker. The statement said the Alderson had pointed out two issues — “the app fetches user location on a few occasions”, and a “user can get the COVID-19 stats displayed on the home screen by changing the radius and latitude-longitude using a script.” The app’s team clarified that the fetching of a user’s location is “by design”, and it is “stored on the server in a secure, encrypted and anonymised manner.”

Statement from Team #AarogyaSetu on data security of the App. pic.twitter.com/JS9ow82Hom

— Aarogya Setu (@SetuAarogya) May 5, 2020

Regarding the second issue, the team said the radius parameters on the app “are fixed and can only take one of the five values: 500 m, 1 km, 2 km, 5 km, and 10 km.” It added that the information does not “compromise on any personal or sensitive data”. Alderson responded to the tweet last night, saying: “Basically, you said “nothing to see here” We will see. I will come back to you tomorrow.”

Basically, you said "nothing to see here"

We will see.

I will come back to you tomorrow. https://t.co/QWm0XVgi3B

— Baptiste Robert (@fs0c131y) May 5, 2020

More from India

Supreme Court clears Vantara elephant project, rejects PIL: Top 5 things to know Focus back to India-US trade deal: Trump’s negotiators landing in New Delhi tonight