French security researcher and expert Robert Baptiste or Elliot Alderson exposed Aarogya Setu, a contact-tracing app, of exposing the health data of 90 million Indian citizens.
On Wednesday, May 6, 2020, Alderson posted on Twitter that a security vulnerability of the app allows hackers to find out the names of the COVID-19 infected, unwell, and ‘those who made a self-assessment in the area of his choice.’
Alderson said anyone can easily see who is sick at the PMO office or the Indian Parliament. The security breach even shows the specific location or houses of the sick, claimed Alderson. His tweet came few hours after the Electronics & IT Minister Ravi Shankar Prasad denied the accusation.
Despite this shocking information, Alderson failed to elaborate on the specific nature of the flaw that allegedly exposed the data of Indian citizens.
The National Informatics Centre (NIC) under the Ministry of Electronics and Information Technology developed the Aarogya Setu app. Despite the security flaw claims of French security expert, NIC denied the existence of a data breach.
Prasad said the app is ‘absolutely robust, safe, and secure’ which means there are no privacy and data security flaw exists. However, the team acknowledges some of the issues raised but ‘refused to accept that they pose a security threat in any way.’
The minister also added, “This is a technological invention of India—Ministry of Electronics and Information Technology, our scientists, NIC, Niti Aayog and some private [entities]—whereby it is a perfectly accountable platform to help in the fight against COVID-19.”
The Aarogyu Setu also made a statement that ‘no personal information of any user has been proven to be at risk by this ethical hacker.’ The app also undergoes continuous testing and upgrading to assure users that their data is safe from any security breach.
Earlier this month, the government of India mandated all public sector and private employees to download and use the Aarogyu Setu app. This came after the government set new guidelines for the extended lockdown beyond May 3, 2020.
Individuals who also cross the Delhi-Gurgaon border are mandated to download the app. This is part of the government’s initiative to elaborate contact tracing, together with testing, to restrict the massive spread of the virus.
Many countries like South Korea and Singapore developed a contact-tracing app to track the spread and progress of the disease.