Aarogya Setu, the Indian Covid-19 tracking app that has garnered more than 100 million downloads since its launch, is facing credibility issues one after another. Just a day after the federal government announced data and knowledge sharing protocols for the app to calm users' security tremors, a hacker now claims to have breached it. A Bangalore-based software engineer, known as Jay, claims to have hacked the app by bypassing the page that asks for personal information about a user, such as age, gender, symptom checker, and travel history. He told Buzzfeed that he, too, had successfully accessed the app without granting the necessary permissions. This is the second time that serious questions about data security and confidentiality have been raised around India's coronavirus tracking app, which has also won praise from the WHO Director-General. , Tedros Adhanom, World Bank and Microsoft founder Bill Gates. The federal government quickly refuted the accusations of a French ethical hacker, Elliot Alderson, who used his social media to contact the app's developers. The Ministry of Electronics and Information Technology (MEIT), the nodal department within the central administration, said it was impossible to hack the Aarogya Setu app, a claim that appears to have been dropped. flat now.
2 days ago, India launched a mobile app "to fight #COVID19". I installed the app and I have 1 hour left, let's see what I can find. https://t.co/KAJ6RjkQMf3 April 2020 The Bangalore hacker said that he had sued Aarogya Setu for opposing the federal government's decision to make it mandatory, especially for air and rail travel. Some regions like NOIDA, adjacent to the national capital of New Delhi, have imposed fines and even threatened arrest for not having the app on their phones. Mobile phone coverage in India currently stands at 1.15 billion out of a population of 1.3 billion, which means that around 15% of its citizens are not part of the cellular network, in addition to a substantial portion among those who own cell phones alone. you can afford basic gadgets and, at best, low-end phones.
some tough questions
Questions about the security and confidentiality of the data arose sporadically as lawyers sought to determine who would have access to the data and whether Aarogya Setu would be asleep once the Covid-19 pandemic subsides in the future. On Monday, the government proposed data and knowledge sharing protocols for the app. The executive decree issued by MEIT establishes guidelines for sharing Aarogya Setu data with government agencies and third parties. The ordinance superseded the app's privacy policy, which legal experts said was the only shield to protect citizens from unauthorized use of their personal data. However, security and legal experts were only partially convinced that the latest ordinance required the support of a personal data protection law that is currently awaiting approval by lawmakers in Parliament. They also said that the protocol was drafted in general terms, which raised concerns.
The real problem is elsewhere
The trust deficit problem is what the federal government is trying to solve, given that less than a tenth of Indian mobile subscribers have downloaded Aarogya Setu. The reason is not difficult to understand, since the crux of the success of the application to contain Covid-19 depends on the acquisition of a critical mass of users as LaComparacion had said a month ago. And it is to this end that the federal government has tried to allay the concerns of legal and security experts with the decree that defines the protocols on who could access the data, for how long and under what circumstances. According to the order signed by IT Secretary Ajay Prakash Sawhney, Aarogya Setu may collect four categories of data: demographic, contact, self-assessment, and location, which together have been referred to as response data. In addition to name, mobile phone number, age, gender, profession, and travel history, the app also tracks who all users have approached, including duration, distance, and geolocation. .
Government presents guarantees
Now, the protocol defines that the developers of the application, the National Center for Informatics, can share personal data with the health departments of central and state administrations, national and national disaster management authorities, other government departments. central and state institutions and public health. The line that legal experts object to because it is loosely formulated is: "when such sharing is strictly necessary to formulate or directly implement an appropriate health response." The protocol keeps things loosely defined, including when and how data can be shared with third parties. He says this could be done "where strictly necessary to formulate or directly implement appropriate health responses." However, there are checks and balances. The protocol states that response data can only be shared in a de-identified form, which means that, with the exception of demographic data, an individual's information is stripped from all information and assigned a randomly generated ID.
But is it enough?
The ministry also urges NIC to document all this shared data and maintain a list of the agencies that have it. Furthermore, it stipulates that no entity can keep shared data beyond 180 days from the day it was collected. It cites the 2005 Disaster Management Act to establish penalties for violating the protocol. And just when it seemed like the federal government might no longer have to twist its arms to increase downloads, comes this report from yet another ethical hacker. The Bangalore-based hacker claimed that he had created his own version of Aarogya Setu and shared it with 15 of his friends and suggested that it did not work well compared to those developed by Apple and Google because they do not store personal data. There may be a lesson that the National Center for Informatics could take in from this episode, but the fact remains that Aarogya Setu can provide valuable data once it reaches a critical mass of downloads, particularly in the red and amber zones.