Hacker ‘sees’ security flaws in Aarogya Setu

Aarogya Setu says no personal information had been proven to be at risk.

May 06, 2020 11:01 am | Updated May 07, 2020 10:14 am IST - New Delhi

Photo: Twitter/@fs0c131y

Ethical hacker Robert Baptiste on May 6 alleged that security flaws in the government’s Aarogya Setu application enabled him to see that five people at the Prime Minister’s Office (PMO) and two people at the Indian Army headquarters were unwell.

Mr. Baptiste, who goes by Elliot Alderson on Twitter, also claimed that there was “one infected person at the Indian Parliament and three at the Home office.”


On May 5, he tweeted that there were security issues with Aarogya Setu. Tagging the official account of Aarogya Setu, he said, “A security issue has been found in your app. The privacy of 90 million Indians is at stake. Can you contact me in private?”.

‘Rahul is right’

He went on to add that former Congress president Rahul Gandhi, who has termed the app “a sophisticated surveillance system”, was right.

In response to the issues raised by Mr. Baptiste, the team of Aarogya Setu, in a statement, said no personal information of any user had been proven to be at risk. “...we were alerted by an ethical hacker of a potential security issue of Aarogya Setu…No personal information of any user has been proven to be at risk by this ethical hacker. We are continuously testing and upgrading our systems. Team Aarogya Setu assures everyone that no data or security breach has been identified,” the statement said.


Following this statement, Mr. Baptiste tweeted that he was able to “...know who is infected, unwell, made a self assessment in the area of his choice. Basically, I was able to see if someone was sick at the PMO office or the Indian parliament. I was able to see if someone was sick in a specific house if I wanted… This is the issue.”

He further called for the application’s source code to be made open source. “...When you ask (force) people to install an app, they have the right to know what the app is really doing. If you love your country @SetuAarogya, publish the source code,” he tweeted, adding that countries such as Singapore, Israel and Iceland had done so.


According to the Aarogya Setu statement, Mr. Baptiste had pointed out that the application fetched the user’s location on a few occasions. Aarogya Setu responded, “This is by design and is clearly detailed in the privacy policy.”

It noted that the application fetched a user’s location and stored it on a server in a secure, encrypted and anonymised manner “1) at the time of registration, 2) at the time of self-assessment, and 3) when the user submits his or her contact tracing data voluntarily through the app or when we fetch the contact tracing data after the person turns COVID-19 positive.”

Further, the French hacker had said that a user can get the COVID-19 stats displayed on the home screen by changing the radius and latitude-longitude using a script.

The Aarogya Setu statement said, “The radius parameters are fixed and can only take one of the five values -- 500 metres, 1 km, 2 km, 5 km and 10 km. These values are standard parameters, posted with HTTP headers. Any other value as part of the ‘distance’ HTTP header gets defaulted to 1 km.”


It added that a user can change the latitude/longitude to get the data for multiple locations. “The API call though is behind a Web Application Firewall, and hence bulk calls are not possible. Getting data for multiple latitude longitude this way is no different than asking several people of their location’s COVID-19 statistics. All this information is already public for all locations and hence does not compromise on any personal or sensitive data.”
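The two controls the statement describes, a fixed allow-list for the ‘distance’ header that falls back to 1 km and a per-client request limit of the kind a Web Application Firewall applies to discourage bulk calls, can be illustrated server-side. The following is an added example written for this article, not Aarogya Setu’s own code; the request shape, the coordinate check and the rate-limit thresholds (20 requests per 60 seconds) are assumptions, and the sample traffic is constructed.

```python
"""Added illustration (not Aarogya Setu's code) of a fixed allow-list for a
'distance' header that defaults to 1 km, plus a per-client request limit that
stands in for the WAF rule said to block bulk calls. Thresholds are assumed."""
from collections import defaultdict, deque

ALLOWED_DISTANCES_M = {500, 1000, 2000, 5000, 10000}  # the five values quoted in the statement
DEFAULT_DISTANCE_M = 1000


def normalise_distance(header_value):
    """Map the 'distance' header to one of the five allowed radii.
    Anything unparsable or off-list falls back to 1 km, as the statement describes."""
    try:
        value = int(str(header_value).strip())
    except (TypeError, ValueError):
        return DEFAULT_DISTANCE_M
    return value if value in ALLOWED_DISTANCES_M else DEFAULT_DISTANCE_M


def valid_coordinates(lat, lon):
    """Reject coordinates outside the WGS84 range (assumed check, not from the page)."""
    try:
        lat, lon = float(lat), float(lon)
    except (TypeError, ValueError):
        return False
    return -90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0


class SlidingWindowLimiter:
    """Per-client limit: at most `limit` requests in any `window_s` seconds.
    Stand-in for a WAF rate rule; the real thresholds are not published."""

    def __init__(self, limit, window_s):
        self.limit = limit
        self.window_s = window_s
        self.hits = defaultdict(deque)  # client id -> timestamps inside the window

    def allow(self, client_id, now):
        q = self.hits[client_id]
        while q and now - q[0] >= self.window_s:  # drop timestamps that aged out
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def handle_stats_request(req, limiter):
    """Decide how to answer one request; returns (status, radius in metres or None).
    The limiter is consulted first so that malformed requests still spend budget."""
    if not limiter.allow(req["client"], req["t"]):
        return ("429 rate limited", None)
    if not valid_coordinates(req.get("lat"), req.get("lon")):
        return ("400 bad coordinates", None)
    return ("200 ok", normalise_distance(req.get("distance")))


# Constructed sample traffic: client A behaves normally, client B scripts a sweep
# of latitudes, which is the bulk-call pattern the WAF is meant to stop.
SAMPLE_REQUESTS = [
    {"client": "A", "t": 0.0, "lat": "28.61", "lon": "77.20", "distance": "5000"},
    {"client": "A", "t": 1.0, "lat": "28.61", "lon": "77.20", "distance": "3000"},  # off-list -> 1 km
    {"client": "B", "t": 0.0, "lat": "91.0", "lon": "77.20", "distance": "500"},    # out of range
] + [
    {"client": "B", "t": 0.1 * i, "lat": str(28.0 + 0.01 * i), "lon": "77.20", "distance": "500"}
    for i in range(1, 30)
]


def run_sample():
    """Run the constructed traffic through one limiter and return the decisions."""
    limiter = SlidingWindowLimiter(limit=20, window_s=60.0)
    return [handle_stats_request(r, limiter) for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for req, decision in zip(SAMPLE_REQUESTS, run_sample()):
        print(req["client"], req["t"], decision)
```

In the sample, client A’s off-list radius of 3000 is silently replaced by 1 km, client B’s out-of-range latitude is rejected, and once B has spent its 20-request budget the remaining sweep requests are refused. The point of consulting the limiter before validation is that a client probing with malformed input cannot probe for free.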

— raising serious data security & privacy concerns. Technology can help keep us safe; but fear must not be leveraged to track citizens without their consent.”


Mr. Baptiste sent out a tweet, saying: “Rahul Gandhi tweeted about the Aarogya app. I guess I’m forced to look at it now.” He claimed that the Indian Computer Emergency Response Team (CERT-In) and the National Informatics Centre (NIC) got in touch with him 49 minutes after his initial tweet.
