There is no security breach in coronavirus tracking app Aarogya Setu, the government said today in response to claims by a French “white hat”, or ethical hacker, who said on Tuesday that the “privacy of 90 million Indians is at stake”. In a detailed statement released this morning the government said there was “no data or security breach” and that “no personal information of any user has been proven to be at risk by this ethical hacker”.
Apparently unimpressed by the government’s response, which he attached in his tweet, the hacker said: “Basically, you said “nothing to see here”. We will see. I will come back to you tomorrow”. Around two hours later the hacker asked the government: “Do you know what triangulation is”, referring to the process of locating an unknown point by forming triangles from known points.
On Tuesday the hacker, who goes by the name Elliot Alderson and had previously exposed flaws with the Aadhaar app, posted a series of tweets warning of a “security issue”. Mr Alderson also wrote: “PS: Rahul Gandhi was right” and tagged the Congress MP in his tweet.
“Hi Aarogya Setu, a security issue has been found in your app. The privacy of 90 million Indians is at stake. Can you contact me in private? Regards. PS: Rahul Gandhi was right,” the first tweet read.
Less than an hour later the hacker acknowledged the Indian government had reached out; the Indian Computer Emergency Response Team and the National Informatics Centre had contacted him.
The hacker then warned the government that unless the breaches were fixed, he would make the flaws public, writing: “Putting the medical data of 90 million Indians (at risk) is not an option. I have a very limited patience, so after a reasonable deadline, I will disclose it, fixed or not”.
Mr Gandhi this week cautioned against the Aarogya Setu app – which the government has said uses location data from phones to track coronavirus hotspots – calling it a “sophisticated surveillance system“.
Union Minister Ravi Shankar Prasad, responding to the criticism, called the app a “powerful companion which protects people”.
“Daily a new lie. Aarogya Setu is a powerful companion which protects people. It has a robust data security architecture. Those who indulged in surveillance all their lives, won’t know how tech can be leveraged for good!” Mr Prasad tweeted.
The centre has made the Aarogya Setu app, which has been heavily promoted by Prime Minister Narendra Modi and Union Ministers, mandatory for all public and private sector employees, and the Uttar Pradesh government has made it a crime, under the Disaster Management Act, for people living in Noida to not download the app.
Everyone in a COVID-19 containment zone will also have to download the app, as will all those brought back to India via special flights being sent to a number of countries starting today. Those working from home, however, need not use the app.
The centre has set a target of achieving 30 crore app downloads in the next few weeks.
The number of COVID-19 cases in India is nearing 50,000 with 1,694 deaths linked to the virus.