No security breach in Aarogya Setu, says Centre after ethical hacker raises privacy concerns

New Delhi: Aarogya Setu, the COVID-19 tracking mobile application developed by the National Informatics Centre, involves no security breach, the central government clarified on Wednesday.

The government was replying to the queries of an ethical hacker after he raised concerns about a potential security issue in the app.

The app is the government's mobile application for contact tracing and disseminating medical advisories to users in order to contain the spread of COVID-19.

On Tuesday, a French hacker and cyber security expert Elliot Alderson had claimed that "a security issue has been found" in the app and that "privacy of 90 million Indians is at stake". Congress leader Rahul Gandhi had earlier shared his misgivings about the data security of the application.

Dismissing the claims, the government said "no personal information of any user has been proven to be at risk by this ethical hacker".

"We are continuously testing and upgrading our systems. Team Aarogya Setu assures everyone that no data or security breach has been identified," the government said through the app's Twitter handle.

The tweet gave point-by-point clarification on the red flags raised by the hacker.

Statement from Team #AarogyaSetu on data security of the App. pic.twitter.com/JS9ow82Hom
— Aarogya Setu (@SetuAarogya) May 5, 2020

"We discussed with the hacker and were made aware of the following... the app fetches user location on a few occasions," it said, but added that this was by design and is clearly detailed in the privacy policy.

The app fetches users' location and stores on the server in a secure, encrypted, anonymised manner - at the time of registration, at the time of self assessment, when users submit their contact tracing data voluntary through the app or when it fetches the contact tracing data of users after they have turned COVID-19 positive, it said.

On another issue that users can get COVID-19 stats displayed on the home screen by changing the radius and latitude-longitude using a script, Aarogya Setu said that all this information is already public for all locations and hence does not compromise on any personal or sensitive data.

"We thank the ethical hacker on engaging with us. We encourage any users who identify a vulnerability to inform us immediately...," it said.

Responding to Aarogya Setu's clarification, Alderson tweeted, "I will come back to you tomorrow".

(With PTI inputs.)

The comments posted here/below/in the given space are not on behalf of Onmanorama. The person posting the comment will be in sole ownership of its responsibility. According to the central government's IT rules, obscene or offensive statement made against a person, religion, community or nation is a punishable offense, and legal action would be taken against people who indulge in such activities.