India’s homegrown contact tracing app for Coronavirus, dubbed Aarogya Setu, has been under scrutiny due to many security and privacy concerns.
Popular French hacker Elliot Anderson, known for exposing flaws in the Aadhaar app, recently pointed out that a security flaw in the Aarogya Setu app jeopardizes the health data of 90 million Indians.
After his initial tweet, the Indian government posted a statement saying that, contrary to what the hacker had highlighted, no personal information of any user is at risk.
Aarogya Setu app: privacy concerns
The next day, Elliot wrote a detailed article on Medium, highlighting the possible risks involved in the Aarogya Setu app. Two major points were raised in the article:
- The app allowed hackers to gain access to internal files, including the local database. Elliot found this issue when he examined the app a month ago, but in his latest research, he discovered the issue had been fixed silently.
- The functionality of the app, when tweaked a bit, could allow anyone to know who is sick anywhere in India. If this data falls into the wrong hands, it could be exploited.
Amidst the privacy concerns, Abhishek Singh, the CEO of MyGov India, spoke to Hindustan Times about how the app handles the location data of users.
Data is stored locally except…
According to Abhishek, the app collects only basic data, details of which are already mentioned in the privacy policy of the app. Once the app collects the data, a device ID is generated, and all the subsequent communications are established with the device ID of the smartphone.
Further, Mr. Singh confirmed that all the data is stored locally on the device, except for people who have tested positive for Covid-19. Their data is sent to government servers in encrypted form.
The app will be useless once Covid-19 is contained
Many fear that the government will use the app and the collected data to track people’s location even after Covid-19 is contained. Allaying privacy concerns, Mr. Singh said the Aarogya Setu app will become useless after Covid-19.
While statements from the MyGov CEO might ease privacy concerns, the mandatory imposition of the app is still a concern for civil rights advocates.
Yesterday, Noida police issued a statement saying that not installing the Aarogya Setu app could lead to jail time or a fine of Rs 1000. Meanwhile, India has made it compulsory for public and private sector officials to install the app.
While the government is rolling out stringent measures to ensure that people install the app, I believe it should also roll out a framework to handle all the data that’ll be uploaded to the government servers and should maintain transparency about the working of the app.