A recent ethical hack into its coronavirus contact-tracing app has brought back bitter memories for the government of India.

In what unfolded like a potboiler on social media, French ethical hacker Robert Baptiste, who goes by the name Elliot Alderson on Twitter, revealed on May 6 that the app, Aarogya Setu, had serious security flaws. According to Baptiste, this vulnerability can expose a user’s health status and pinpoint his or her location.

The government denied these red flags and termed them “amateurish hacks,” but its record of keeping its systems and apps safe has not been promising.

The fact that this particular app has no sunset clause has led experts to question its hidden surveillance motives. “With Aarogya Setu, the reliance on location data as a way to contact trace raises questions on the centralisation of data and manipulation of the app’s feature,” Kanishk Karan, research associate at think-tank Atlantic Council’s Digital Forensic Research Lab, told Quartz.

Add to this the fact that its source code is not open to independent security audits, and the red flags multiply. “The Indian government and its agencies often use commercial app developers or IT service providers who show them some monkey dance tricks,” said Prashant Mali, advocate and president of Mumbai-based Cyber Law Consulting. “For Aarogya Setu, the government should make the source code open source, promote mass awareness in vernacular languages, and remove the trust deficit.”

A chequered history

From the Unique Identification Authority of India number, Aadhaar, to a nuclear plant in Tamil Nadu, white-hat hacks and cyber security experts have often exposed critical vulnerabilities in the tech the Indian government uses.

  • Aadhaar, 2018: In a series of tweets, Baptiste picked apart UIDAI’s claims. Among other things, the hacker claimed it was a breeze to find personal details, including addresses and bank account numbers, of Indian citizens via Aadhaar. The controversy peaked in July 2018 when RS Sharma, chairman of the Telecom Regulatory Authority of India, dared hackers to prove there were security flaws and released his own Aadhaar number in the public domain. Hackers promptly deposited Re 1 into his bank account using this information, proving their point.
  • State Bank of India, 2019: In February that year, India’s largest bank stored customer data on a Mumbai-based server but failed to secure it with a password, according to TechCrunch. This data, which was discovered by a security researcher, left transaction details sent over the bank’s SMS service open for anyone with coding skills to access.
  • Kudankulam Nuclear Power Plant, 2019: The IT server of this facility in Tamil Nadu was the target of a malware attack in November that year. The attackers tried to gather information on browsing history and data on the computers connected to the server. Though the central system that operates the plant was left untouched, the episode came dangerously close to spying on India’s nuclear capabilities.

The privacy framework

What exacerbates the threats is the fact that the government has no clear legislation on privacy and no plans to set up an agency to monitor data protection. This is despite India’s Supreme Court, in August 2017, upholding the right to privacy as a fundamental one.

This landmark judgment led to the formation of the Justice BN Srikrishna committee, which was to draft a law on privacy. While it did recommend a data protection Bill, there’s been no legislation yet.

Cyber security advocate Mali believes such a law will settle most issues. “The best thing is to quickly bring the impending personal data protection bill, which would lay down the legal framework of privacy to which vendors can adhere and citizens can take recourse, too,” he said. “Even after 72 years [since Independence], a country, its citizens, and its government doesn’t have or know about right to privacy. And when the Supreme Court suddenly granted one without clear guidelines or awareness on how to implement this, there has been chaos,” he added.

The panel’s other suggestion of data localisation even led to a backlash from technology companies.

Eyes on you

The lack of personal data protection regulation also gives the government powers of surveillance. The Information Technology Act, 2000, for instance, allows widespread communications interceptions by the government in the event of a security or national threat.

Given these powers of the state, the worry is that Aarogya Setu could become a citizen-surveillance tool. For experts, this is made worse because the app is now mandatory for several sections of civil society. For instance, government employees going back to work after the lockdown need to have the app installed. Several private companies and residential colonies, too, have made the app mandatory for their staff and visitors.

A recent submission to the Indian government from the Internet Freedom Foundation, a digital advocacy and rights organisation, highlights this issue with the contact-tracing app as one that threatens civil liberties.

“We assert that the reasoning and demands that require a greater focus on healthcare and labour rights during this time are the preferred constitutional obligation and goal as opposed to the mandatory installation of a smartphone application,” said its letter on May 2.

Worse, non-compliance invites a criminal penalty, threatening not only the livelihoods but also the liberty of workers across India. “This marks a dramatic shift from a model of ‘encouragement’ and trust to one of coercion and compulsion, which we urge your offices to kindly reconsider,” it read.

This article first appeared on Quartz.