By Ujwapal P |
Bengaluru, India, May 6 (efe-epa).- A security researcher, who earlier highlighted vulnerabilities in India’s national identity card project, on Wednesday flagged security issues with a contact-tracing app for coronavirus cases that has been made mandatory for government officials.
However, the developers of the application, Aarogya Setu (bridge to healthcare), dismissed the allegations that the app puts user data at stake highlighted by the ethical hacker, who tweets under the pseudonym Elliot Alderson.
“A security issue has been found in your app. The privacy of 90 million Indians is at stake. Can you contact me in private,” the vigilante hacker said in a tweet, tagging the Aarogya Setu app handle.
He answered in affirmative a question asked by a user if the breach was “intentional and by design”.
The state-run National Informatics Centre, which a part of the Ministry of Electronics and Information Technology of the Indian government, developed the app that was launched by Prime Minister Narendra Modi on Apr. 2 for both Android and iOS-run mobile phones.
The developer in a statement said they had discussed the issues raised by the hacker.
“No personal information of any user has been proven to be at risk by this ethical hacker. We are continuously testing and upgrading our systems. Team Aarogya Setu assures everyone that no data or security breach has been identified,” Aarogya Setu makers said.
Opposition Indian National Congress leader Rahul Gandhi too had flagged issues about the app that has also been made mandatory for people who want to travel home from the places where they are stranded since Mar.25 when the government imposed a strict nationwide lockdown.
Gandhi took to Twitter on Sunday and accused the government of building a sophisticated surveillance system with the app.
“The Aarogya Setu app is a sophisticated surveillance system, outsourced to a (private) operator, with no institutional oversight – raising serious data security & privacy concerns. Technology can help keep us safe. But fear must not be leveraged to track citizens without their consent,” Gandhi said.
The hacker in his tweet seconded Gandhi, saying he “was right”.
The government plans to make mandatory the multi-lingual app that uses Bluetooth technology, algorithms, and artificial intelligence to alert users and instruct them on what measures they should take if they come across a Covid-19 positive patient.
The app, with already over 90 million downloads, uses location data to identify potential hotspots, integrates the e-pass of different states, besides offering health information and telemedicine facilities.
The administration in Noida and Greater Noida, the satellite towns of the national capital New Delhi, has made going out without a phone not having the app a punishable offense.
People coming from outside also need to install the app on their smartphones before they enter the area, the district administration said.
“All those with smartphones who do not have the application can be booked” under a penal code section which attracts a fine of Rs 1,000 or imprisonment up to six months, according to an official order.
Cyber experts and rights activists had already raised an alarm that the app could potentially violate user privacy and could be used as a surveillance tool.
“It collects not just Bluetooth data, it collects GPS data, it collects added location data (…),” Raman Jit Chima of Access Now, a digital rights advocacy group.
Apar Gupta, the executive director of the non-profit Internet Freedom Foundation, told EFE that location-based data had always been considered as sensitive personal data.