The Centre on Wednesday said there is no security or data breach in the Aarogya Setu mobile application, which is being promoted as an important tool by the Narendra Modi government in the fight against the coronavirus outbreak, primarily for contact tracing. This came after an ethical hacker who goes by the name Elliot Alderson, who previously had exposed flaws with the Aadhaar app, warned that the “privacy of 90 million Indians is at stake”.
In a series of tweets on Tuesday, the cyber security expert said Congress leader Rahul Gandhi was right after he pointed out that the Aarogya Setu app was a “sophisticated surveillance system” with security and privacy concerns.
Union Information Technology Minister Ravi Shankar Prasad rejected the charges by the Opposition, saying the Aarogya Setu is “absolutely robust, safe and secure in terms of privacy protection and data security”.
“This is a technological invention of India, Ministry of Electronics and Information Technology, our scientists, NIC [National Informatics Centre] Niti Aayog and some private [entities], whereby it is a perfectly accountable platform to help in the fight against Covid-19,” Prasad told PTI.
“A security issue has been found in your app,” Alderson tweeted. “The privacy of 90 million Indians is at stake. Can you contact me in private? Regards. PS: Rahul Gandhi was right.”
Less than an hour later, the French hacker acknowledged that the Indian Computer Emergency Response Team and the National Informatics Centre had contacted him about the matter.
In a statement, the government said no personal information of any user has been proven to be at risk by Alderson. “We are continuously testing and upgrading our systems,” it added. “Team Aarogya Setu assures everyone that no data or security breach has been identified.”
The Centre also thanked the cyber security expert for engaging with them. “We encourage any users who identify a vulnerability to inform us immediately,” it said.
However, the hacker in response to this tweeted: “Basically, you said ‘nothing to see here’. We will see. I will come back to you tomorrow.”
Alderson also warned the government that unless the breaches were fixed, he would make the flaws public. “To be super clear: I’m waiting a fix from their side before disclosing publicly the issue,” he tweeted. “Putting the medical data of 90 million Indians is not an option. I have a very limited patience, so after a reasonable deadline, I will disclose it, fixed or not.”
The Union minister said the app is a very robust invention of technology and many other countries are using similar apps to fight coronavirus. “The second most important point is that the data is limited,” he added. “Routine data remains for 30 days and in the event you are infected, then [for] 45 to 60 days. Then automatically it will vanish.”
He added there is always an option to uninstall the app so he did not understand what the issue was all about.
The Aarogya Setu app is meant to alert users if they have come in contact with a coronavirus patient, and what measures they need to take in case that happens. But cybersecurity experts worry that it could violate its users’ privacy and be a surveillance tool in the hands of the government.
Prime Minister Narendra Modi has also repeatedly urged the citizens to download the app, which was launched early in April. Several government agencies have also been spreading awareness about Aarogya Setu through different social media and other channels.
Last month, the Centre had made the app mandatory for all public and private sector employees. It also directed local authorities to ensure that people in Covid-19 containment zones have signed up for the app. Police in multiples places such as Noida have also said it is mandatory for residents to have the app on their phones.
The number of coronavirus cases in India rose to 49,391 on Wednesday morning and the country recorded 1,694 fatalities, according to the figures from the health ministry.