Aarogya Setu app on privacy issue: Read full statement here

Aarogya Setu makers released a statement earlier today reiterating that the app keeps user data safe and secure.

Aarogya Setu has so far amassed 90 million users ever since its launch in late March.

India's Covid-19 contact tracing app Aarogya Setu released a statement today responding to the claims of French hacker Robert Baptiste of a privacy issue in the app. While the hacker did not disclose the details of the app's vulnerability, the Aarogya Setu developers issued a statement saying that user data is safe and secure.

Here's the full statement from the Aarogya Setu makers.

Earlier today, we were alerted by an ethical hacker of a potential security issue of Aarogya Setu. We discussed with the hacker and were made aware of the following:

1. The App fetches user location on a few occasions.

Response: This is by design and is clearly detailed in the privacy policy. Reproducing the same for everyone's benefit. We fetch a user's location and store on the server in a secure, encrypted, anonymised manner:

- At the time of registration

- At the time of self-assessment

- When a user submits their contact tracing data voluntarily through the App or when we fetch the contact tracing data of a user after they have turned COVID-19 positive

2. User can get the COVID-19 stats displayed on Home Screen by changing the radius and latitude-longitude using a script

Response: The radius parameters are fixed and can only take one of the five values: 500 metres, 1km, 2km, 5km and 10km. These values are standard parameters, posted with HTTP headers. Any other value as part of the "distance" HTTP header gets defaulted to 1km.

The user can change the latitude / longitude to get the data for multiple locations. The API call though is behind a Web Application Firewall, and hence bulk calls are not possible. Getting data for multiple latitude longitude this way is no different than asking several people of their location's COVID-19 statistics. All this information is already public for all locations and hence does not compromise on any personal or sensitive data.

No personal information of any user has been proven to be at risk by this ethical hacker. We are continuously testing and upgrading our systems. Team Aarogya Setu assures everyone that no data or security breach has been identified.

We thank this ethical hacker on engaging with us. We encourage any users who identify a vulnerability to inform us immediately at support.aarogyasetu@gov.in. Your continued support will help us keep the App even more secure.