Robert Baptiste, a French cybersecurity analyst who goes by the pseudonym ‘Elliot Alderson’ on Twitter, on Wednesday said he could access details of Corona-infected persons through the government-mandated Aarogya Setu app.
It was possible for a remote attacker to know “who is infected, unwell, make a self-assessment in the area of his (attacker’s) choice”, Baptiste wrote on Twitter.
Even with the latest version of the Covid-19 contact tracing app, Baptiste said he was able to see “if someone was sick at the PMO office or the Indian Parliament”.
Baptiste claimed that he could access details of positive cases at a location of his choice. However, he did not present any proof in this regard; he also put up a detailed article about the alleged security flaws.
Baptiste, the same French ethical hacker, has earlier been in the news for consistently pointing out security flaws in India’s Aadhaar system.
Following his claim, the makers of Aarogya Setu had issued a statement in response, dismissing Baptiste’s earlier claims.
An earlier statement issued by the makers of the app said it was possible for a user to get data for different places by changing the latitude/longitude, which is anyway available data.
The makers, however, insisted that bulk collection of this data was not possible as “the API call is behind a Web Application Firewall”.
The official statement released by Aarogya Setu said “no personal information of any user has been proven to be at risk by the French ethical hacker”.
This application is currently getting a lot of attention in India. In Noida, a person who does not have the app installed on their phone can be imprisoned for up to 6 months or fined up to Rs 1000.
There has been a massive debate on the use of contact tracing apps by governments. Eivor Oborn, Professor of Healthcare Management at Warwick Business School, UK, told media: “I think a real breach is made if the professionals are forced to use the app and then are not allowed to discontinue the monitoring after the threshold of the pandemic is over; this to me is a greater concern.”
He added that in a democratic country like India, citizens should have transparency regarding what, when and how the data is being used.
“I think it is good for the governments concerned to tangibly show benefits that accrue from data use,” Prof Oborn stressed.
Independent experts and privacy rights groups, including the Internet Freedom Foundation, have been advocating that the source code of the contact tracing app should be made public.
“India is the only democracy which has made the use of contact tracing app mandatory, so steps should be taken to make the codebase of the app open source, and users should be given the option to delete their data, even from the servers,” Prasanth Sugathan, legal director of Software Freedom Law Center, said.
After the BJP-led Indian government made the app, developed by a private party, mandatory, Rahul Gandhi, leader of India’s principal opposition party, also criticised security lapses in the Aarogya Setu app.
In response to the growing pressure, the government’s chief scientific advisor, Prof K VijayRaghavan, has said that the source code of the app will be made public very soon.