"No Data Breach In Aarogya Setu App": Government On Hacker's Red Flag

Centre has made Aarogya Setu app, which has been promoted by Prime Minister Narendra Modi and Union Ministers, mandatory for public and private sector employees

Coronavirus tracking aap Aarogya Setu has been made mandatory for all public, private sector workers

New Delhi: There is no security breach in coronavirus tracking app Aarogya Setu, the government said today in response to claims by a French "white hat", or ethical hacker, who said on Tuesday that the "privacy of 90 million Indians is at stake". The hacker also said Congress MP Rahul Gandhi, who has repeatedly warned against the app, "was right". In a statement released this morning the government said there was "no data or security breach" and that "no personal information of any user has been proven to be at risk by this ethical hacker". The hacker responded: "Today, I will write a detailed article on the Aarogya Setu issue. It shuld be ready end of today". Several people have expressed privacy and security concerns over the app, which has been made mandatory for all public and private sector employees, as well as those in coronavirus containment areas.

Here are the top 10 points in this big story:

  1. Shortly after the exchange of tweets with the hacker, the government released a six-page document that highlighted measures being taken to protect users' data, privacy and security. Among the measures the government has said it is taking are assigning each user with a "unique randomised anonymous device ID" that is used for all communication between devices and the Aarogya Setu server.

  2. As per the document data is deleted in 45 days for non-risk users and 60 days from date of discharge/cure for COVID-19 patients. Location data, one of the hacker's concerns, is used "in case you test positive, only to map places visited in past 14 days for sanitisation and testing to prevent further spread", the government said.

  3. The government has also said the app "never reveals your personal identity" and that "identity of COVID-19 patients is NOT shared with the public at large". Other assurances given include: "Government uses your information ONLY for administering COVID-19-related health interventions and NOT any other purpose".

  4. In its earlier statement the Aarogya Setu app team responded to two concerns raised by the French hacker, who goes by the name Elliot Alderson and had previously exposed flaws with the Aadhaar app. According to the statement these concerns had to do with the number of times the app fetched user location (three times) and the ability to change latitude-longitude (and radius) values to get data for multiple users.

  5. The government, in its response, said "we thank this ethical hacker for engaging with us" but "no data or security breach has been identified" and "no personal information of any user has been proven to be at risk". The hacker had warned the government to fix the breaches or he would make them public, writing: "Putting the medical data of 90 million Indians (at risk) is not an option. I have a very limited patience, so after a reasonable deadline, I will disclose it, fixed or not".

  6. The Aarogya Setu, pitched by the government as a contact tracing app that will help in tracking movement of COVID-19 patients within coronavirus hotspots, has been criticised for capturing far more data than is absolutely necessary for its purpose. The app, which uses GPS (global positioning system) to track and record user data, has been red-flagged by New Delhi-based Software Freedom Law Centre and Internet Freedom Foundation (IFF). Many have also pointed to a lack of transparency, comparing it to exercises undertaken by the Singapore government.

  7. The Indian government has said all those attending office anywhere in the country must have the app installed during this extended two-week lockdown. In its notification the government said heads of companies will be held responsible if employees are found without the app. All people in a COVID-19 containment zone are also expected to have the app. The government has reportedly also considered making the app mandatory on all newly-produced smartphones. The Aarogya Setu app has already been made compulsory for all residents of UP's Noida and Greater Noida.

  8. Congress MP Rahul Gandhi has been among those most critical of the Aarogya Setu app, calling it a "sophisticated surveillance system". Another Congress MP - Shashi Tharoor - had a similar warning and expressed concern over the centre's decision to make the app mandatory for public, private sector employees.

  9. Union Minister Ravi Shankar Prasad, responding to the criticism, called the app a "powerful companion which protects people". "Daily a new lie. Aarogya Setu is a powerful companion which protects people. It has robust data security architecture!" Mr Prasad tweeted. Another Union Minister - Prakash Javadekar - said this week that "there should be no concern over privacy-related issues".

  10. India has nearly 50,000 COVID-19 cases and 1,694 deaths have been linked to the virus. A number of other countries, including Singapore and the United Kingdom, have also developed apps to monitor movement of COVID-19 cases.