Aarogya Setu, India’s Covid-19 tracing app which garnered more than 100 million downloads since its launch, is facing credibility issues one after another. Barely a day after the federal government announced data and knowledge sharing protocols for the app to assuage security jitters of users, a hacker now claims he has breached it.
A software engineer from Bangalore, who goes by the name of Jay, claims to have hacked into the app by bypassing the page requesting personal information of a user such as age, gender, symptom checker and travel history. He told Buzzfeed that he had also managed to access the app without giving necessary permissions.
This is the second time that serious questions around data security and privacy have been raised around India’s coronavirus tracking app, which also received its share of accolades from the likes of the WHO director-general Tedros Adhanom, the World Bank and Microsoft founder Bill Gates.
The federal government had swiftly refuted allegations from French ethical hacker Elliot Alderson, who had used his social media handles to reach out to the developers of the app. The ministry of electronics and information technology (MEIT), the nodal department within the central administration, had affirmed then that it was impossible to hack the Aarogya Setu app, a claim that appears to have fallen flat now.
2 days ago, India launched a mobile app “to fight against the #COVID19” I installed the app and I have 1 hour in front of me, let’s see what I can find. https://t.co/KAJ6RjkQMf April 3, 2020
The hacker from Bangalore said he went after the Aarogya Setu because he opposed the federal government’s move to make it mandatory, more specifically for air and train travel. Some regions like NOIDA, adjacent to the national capital of New Delhi, have imposed fines and even threatened arrest for not having the app on the phone.
India’s mobile phone coverage currently stands at 1.15 billion out of a population of 1.3 billion, which means that about 15% of its citizens are not part of the cellular network, not to mention that a substantial chunk among those owning cell phones can only afford basic devices and at best low-end feature phones.
Some tough questions
Questions around data security and privacy came up sporadically as lawyers sought to know who would have access to the data and whether Aarogya Setu would be put to sleep once the Covid-19 pandemic eases out in the future. On Monday, the government came up with data and knowledge-sharing protocols for the app.
However, legal and security experts were only partially convinced, saying that the latest order needed the backing of a personal data protection law, which is currently awaiting approval of lawmakers in Parliament. They also claimed that the protocol was loosely worded, which raised some concerns.
The real issue is elsewhere
The problem of trust deficit is what the federal government is out to solve, given that less than a tenth of India’s mobile subscribers have downloaded the Aarogya Setu. The reason is not tough to fathom, for the crux of the app’s success in containing Covid-19 depends on it acquiring a critical mass of users, as TechRadar had said a month ago.
And it is towards this end that the federal government has attempted to assuage the concerns of legal and security experts with the executive order that defines protocols on who could access the data, for how long and under what circumstances.
As per the order signed by IT secretary Ajay Prakash Sawhney, Aarogya Setu can collect four categories of data (demographic, contact, self-assessment and location), which together have been called response data. Besides the name, mobile number, age, gender, profession and travel history, the app also tracks whom users came into close proximity with, including the duration, distance and geolocation.
Government brings in safeguards
Now, the protocol defines that the developer of the app, the National Informatics Centre, can share personal data with departments of health of central and state administrations, the national and state-level disaster management authorities, other ministries of the central and state governments, and public health institutions.
The line that legal experts are objecting to as loosely worded is this: “Where such sharing is strictly necessary to directly formulate or implement an appropriate health response.”
The protocol keeps things loosely defined even in the case of when and how the data could be shared with third parties. It says this could be done “when strictly necessary to directly formulate or implement appropriate health responses.”
There are some checks and balances though. The protocol says the response data can be shared only in de-identified form, meaning that except for demographic data, it gets stripped of all information of an individual and is assigned a randomly generated ID.
But, is that enough?
The department also exhorts the NIC to document all such data shared and maintain a list of agencies who have it in their possession. Additionally, it stipulates that no entity can retain the shared data beyond 180 days from the day it was collected. It quotes from the Disaster Management Act of 2005 to establish penalties in case of any violation of the protocol.
And just when it appeared as though the federal administration would no longer need to twist arms to increase the downloads, comes this report of another ethical hacker. The Bangalore-based hacker claimed that he created his own version of Aarogya Setu and shared it with 15 of his friends, and suggested that it performed poorly compared to the ones being developed by Apple and Google, as these do not store personal data.
Maybe there is a lesson that the National Informatics Centre could imbibe from this episode, because the fact remains that Aarogya Setu can provide valuable data once it reaches a critical mass of downloads, especially in the red and amber zones.