Aarogya Setu app responds to hacker Elliot Alderson's privacy concerns; says no data at risk

Contact tracing app, Aarogya Setu on Wednesday responded to ethical hacker Elliot Alderson's concerns over data leak. It said that no personal data of any user is at risk and said that they discussed the concerns with the hacker.

It all started with Elliot Alderson tweeting that security flaws have been found in the COVID-19 contact tracing app. "The privacy of 90 million Indians is at stake. Can you contact me in private?," it tweeted to Aarogya Setu app. It also said that Rahul Gandhi was right about privacy concerns.

Hi @SetuAarogya,

A security issue has been found in your app. The privacy of 90 million Indians is at stake. Can you contact me in private?

Regards,

PS: @RahulGandhi was right

- Elliot Alderson (@fs0c131y) May 5, 2020

Alderson said that 49 minutes after the tweet, Computer Emergency Response Team, Ministry of Electronics & Information Technology and NIC contacted him to discuss the privacy flaws.

Aarogya Setu app soon took to social media to respond to Elliot Alderson's alerts. It said that the app pulls up a user's location by design and it is not a flaw. It said that the user's location is stored on the server in a secure, encrypted and anonymised manner.

Also read: Coronavirus Lockdown India Live Updates: Cases near 50,000; death toll-1,694, states open liquor, wine shops

They also discussed that a user can get the COVID-19 stats displayed on Home Screen by changing the radius and latitude-longitude using a script. Aarogya Setu responded and said that "the radius parameters are fixed and can only take one of the five values: 500 meters, 1km, 2km, 5km and 10km." It added that all this information is already available publicly and does not compromise user data.

Statement from Team #AarogyaSetu on data security of the App. pic.twitter.com/JS9ow82Hom

- Aarogya Setu (@SetuAarogya) May 5, 2020

On receiving the response, Elliot Alderson said that the app basically says that there is "nothing to see here". "We will see. I will come back to you tomorrow," he wrote. He also followed up the tweet in a few hours and asked the app, "Do you know what triangulation is Aarogya Setu?"

Do you know what triangulation is @SetuAarogya?

- Elliot Alderson (@fs0c131y) May 5, 2020

Aarogya Setu is a contact-tracing app developed by NIC under the Ministry of Electronics and Information Technology and is endorsed by the government. It has been pushed across government and private employees and even in COVID-19 evacuation procedures.

Also read: BT BUZZ: MHA order to make Aarogya Setu mandatory weak on legal ground

Also read: Coronavirus crisis: Despite privacy concerns, govt may make Aarogya Setu App mandatory

Also read: Coronavirus outbreak: Aarogya Setu app made mandatory for employees in India; check how to register