A cyber-security engineer has flagged privacy-related holes in Aarogya Setu, a mobile app promoted by the Indian government as a “bodyguard” that allows people to assess their risk of catching the coronavirus.
The engineer, who uses the name Elliot Alderson on Twitter, claimed he had used the security holes in the app to determine that a coronavirus-infected person was in the vicinity of the Indian Parliament and that five persons had “reported” being “unwell” in the Prime Minister’s Office earlier this week.
Alderson, who identifies himself as a “hacker” on Twitter and has been described as an “ethical hacker” by the Indian government, has claimed an “attacker” could use the app to “know who is infected anywhere in India, in the area of his choice.”
“I can know if my neighbour is sick for example. Sounds like a privacy issue for me…,” Alderson said in a report published on the website medium.com, which describes his efforts to analyse the app and his interactions with Indian government agencies over the past two days.
Alderson had also posted on Twitter: “Rahul Gandhi was right.” The Congress leader had described the app as a sophisticated surveillance system.
The government has said that Aarogya Setu, developed by the ministry of electronics and information technology, calculates the risk of people catching the coronavirus based on their interactions with others, using Bluetooth technology, algorithms and artificial intelligence.
Around 90 million people in India have downloaded the app.
All citizens have been asked to download the app and it has been made mandatory for all government and private sector employees, as well as residents of containment zones. The Disaster Management Act, under which this and other lockdown rules have been issued, has a provision for jail for violations.
The government has said the app is designed to keep the user informed in case she or he crosses paths with someone who has tested positive.
The app asks the user to report Covid-19 symptoms and alerts a government server if symptoms are reported. This data will allow the government to take timely steps to initiate isolation procedures for the user, if required, and to alert others who come into close proximity with the user.
The government has said it stores the user’s location and information in a “secure, encrypted and anonymised manner”.
But Alderson in his report has outlined steps that he claims helped him determine through the app that five persons reported being unwell within close proximity of the Prime Minister’s Office and the defence ministry.
“I decided to play with it a little bit and checked who was infected in some specific places with(in) a radius of 500 metres,” he wrote. His scrutiny, he claims, revealed one infected person in the vicinity of Parliament.
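The issue Alderson describes is a classic aggregate-query leak: a server that answers “how many unwell users are within radius R of point P” for any P and R chosen by the caller lets a small radius around a single house reveal one person's status. The model below is an added illustration and not code from Aarogya Setu or from Alderson's report; the report data, the coordinates, the function names and the thresholds (`MIN_RADIUS_M`, `CELL_DEG`, `K_MIN`) are all constructed assumptions. It places the unrestricted query beside a hardened variant that snaps the query point to a coarse grid cell, clamps the radius, and suppresses counts below a minimum group size, which is the kind of server-side control a contact-tracing backend would want.

```python
import math

# Constructed sample of self-assessment reports: (user, lat, lon, reported_unwell).
# Made-up people and coordinates, not data from the real app.
REPORTS = [
    ("neighbour",  28.61300, 77.20900, True),
    ("resident-a", 28.61400, 77.21100, False),
    ("resident-b", 28.62000, 77.22000, False),
    ("resident-c", 28.61320, 77.20950, False),
]


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def count_unwell_unrestricted(lat, lon, radius_m, reports=REPORTS):
    """Weak model: exact count for any caller-chosen point and radius.

    A 50 m query centred on one house returns that household's status,
    which is the privacy leak the article describes.
    """
    return sum(
        1 for _, la, lo, unwell in reports
        if unwell and haversine_m(lat, lon, la, lo) <= radius_m
    )


# Hardening parameters (assumed values, chosen for illustration).
MIN_RADIUS_M = 500.0   # never answer for a tighter radius than this
CELL_DEG = 0.01        # ~1.1 km grid; queries are snapped to a cell centre
K_MIN = 5              # suppress any count smaller than this group size


def snap_to_cell(lat, lon, cell=CELL_DEG):
    """Map an arbitrary point to the centre of its coarse grid cell."""
    return (
        math.floor(lat / cell) * cell + cell / 2,
        math.floor(lon / cell) * cell + cell / 2,
    )


def count_unwell_hardened(lat, lon, radius_m, reports=REPORTS):
    """Hardened model: coarse location, clamped radius, minimum group size.

    Returns None when the result would describe fewer than K_MIN people,
    so a single household can no longer be singled out.
    """
    radius_m = max(radius_m, MIN_RADIUS_M)
    clat, clon = snap_to_cell(lat, lon)
    n = sum(
        1 for _, la, lo, unwell in reports
        if unwell and haversine_m(clat, clon, la, lo) <= radius_m
    )
    return n if n >= K_MIN else None


if __name__ == "__main__":
    house = (28.61300, 77.20900)
    print("unrestricted:", count_unwell_unrestricted(*house, 50))
    print("hardened:    ", count_unwell_hardened(*house, 50))
```

The grid snap and radius clamp stop the caller from steering the query onto one address, and the `K_MIN` floor stops a small cell from identifying its few residents; in practice a backend would also rate-limit and log these queries per account, since repeated overlapping queries are themselves a detection signal.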
Alderson said he had alerted the government about the flaws via Twitter on Tuesday.
“A security issue has been found in your app. The privacy of 90 million Indians is at stake. Can you contact me in private?” he posted.
Forty-nine minutes later, Alderson said, the National Informatics Centre and the Computer Emergency Response Team, both government agencies, contacted him. He sent them a technical report.
In response, the government on Wednesday thanked the “ethical hacker” and asserted that “no personal information of any user has been proven to be at risk by this ethical hacker”.
“We are continuously testing and upgrading our systems. Team Aarogya Setu assures everyone that no security or data or security breach has been identified,” the government said in a statement.
Alderson in response wrote: “I’m happy they quickly answered to my report and fixed some of the issues, but seriously: stop lying, stop denying.”
Against the backdrop of Alderson’s posts, Congress spokesperson Randeep Surjewala on Wednesday said the app keeps a complete track of the user’s movements, including the persons an individual meets and also the period of the meeting.
“It is as if you have a surveillance camera on your head which tells the app and the app’s operator where you are going, who you are meeting and for how long you are meeting,” Surjewala said, calling it a “gross breach of privacy”.
Computer security specialists say any contact tracing app would store information and do things that privacy activists would not find comfortable. “However, there is a strong need to do contact tracing through technology to control the spread of Covid. So a loss of privacy is the price we pay for our safety,” said Dheeraj Sanghi, a senior computer science engineer and director of the Punjab Engineering College, Chandigarh.
However, Sanghi said, the hacker has claimed that the app is collecting far more information about each user, and transferring far more of it to central servers, than has been disclosed, and that this is being done in a manner in which it can be leaked.
“Considering the solid reputation the hacker enjoys and knowing that in the past he has proven many of his claims, I think we all have reasons to worry,” Sanghi said. “If the app is doing more than is being disclosed, that would be deeply worrisome.”
“You can’t fight a war if you lose trust in government. We have to be in it together to win the war on Covid,” Sanghi added. “If people stop installing the app, it would be a setback. If the government is asking hundreds of millions of people to install the app, people have a right to know what is in the app.”
Sanghi, among other computer scientists, said the government should make public the source code that would enable computer engineers to determine what exactly it is doing and how it works.