Aarogya Setu, India’s own contact tracing app built for keeping a check on people who may have been infected with Coronavirus, has been in the limelight ever since it was announced by the Indian government on April 2. With the app being scrutinized over the immense amount of personal data it collects, its privacy features and government access, we might just be seeing the tip of the iceberg that is Aarogya Setu.
French security researcher Robert Baptiste, who goes by the pseudonym Elliot Alderson (a character from the TV show Mr. Robot) on the Internet, has warned the Indian government of security lapses in the contact tracing app. In a blog post, Baptiste details the security and privacy flaw he discovered in Aarogya Setu as he navigated around the app and used the various features it offers.
Contact tracing apps have seen a rise in various countries owing to the ongoing health crisis. Aarogya Setu uses your phone’s Bluetooth and GPS to generate a social graph in order to ascertain whether you have been near a COVID-19 positive person. The flaw in the app is that any malicious attacker can access a person’s information from anywhere, including details about their self-assessment test, and can even change their location and search radius to gather more Coronavirus-related information from different regions.
In a statement to Wired, Robert said, “The developers of this app didn’t think that someone malicious would be able to intercept its requests and modify them to get information on a specific area. With [location] triangulation, you can very closely see who is sick and who is not sick. They honestly didn’t consider this use of the app.”
The National Informatics Centre, which developed Aarogya Setu, was quick to issue a public statement denouncing the findings by Alderson. The Indian government says that Aarogya Setu does fetch a user’s location by design, but the information is stored in a secure and encrypted manner on the server. As for the triangulation vulnerability, the developers categorically denied that the location radius can be changed to any arbitrary value, something that Alderson did as part of his analysis. The government acknowledges that a user can change their latitude and longitude to gather data from multiple locations, but it dismissed Alderson’s claims, describing this as an in-built feature of the app.
“All this information [COVID-19 statistics] is already public for all locations and hence does not compromise on any personal or sensitive data,” the statement reads.
Triangulation and trilateration are two techniques that can be used to determine the location of Coronavirus positive people in a targeted area from Aarogya Setu. The attacker can create a boundary around a particular area by using either of these techniques to determine the number of infected people with much more precision.
Aarogya Setu allows users to check the number of people performing self-assessment tests in their area. Alderson found that the user’s location (latitude and longitude) is sent to the servers, which respond with statistics on the number of infected people, unwell persons, users declared “Bluetooth positive”, self-assessment tests performed and the total number of Aarogya Setu users nearby.
This led to the discovery of the privacy issue that lets anyone in the world check who’s infected in India around a particular location. Alderson, who lives somewhere in France, was able to find out the number of infected or unwell people in the Prime Minister’s Office, Ministry of Defence, the Indian Parliament and the Indian Army Headquarters. This information allows hackers to perform a triangulation attack that can provide them with precise information about the status of Aarogya Setu users in a particular area.
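One server-side way to blunt the triangulation described above, shown as an added example that is not code from the app, the researcher or the original article. The radius allowlist, grid cell sizes, minimum count and sample coordinates are all assumptions constructed for illustration.

```python
import math

# Assumed policy values for illustration; none come from the app or the article.
CELL_DEG = {500: 0.005, 1000: 0.01, 5000: 0.05}  # allowed radius (m) -> grid cell size (degrees)
MIN_COUNT = 5  # counts below this threshold are reported as 0

# Constructed sample data: six flagged users in one cell, one isolated user in the next.
SAMPLE = [
    (10.121, 20.451), (10.122, 20.452), (10.123, 20.453),
    (10.124, 20.454), (10.125, 20.455), (10.126, 20.456),
    (10.135, 20.455),
]


def cell_of(lat, lon, size):
    """Snap a coordinate to the index of the fixed grid cell that contains it."""
    return (math.floor(lat / size), math.floor(lon / size))


def area_count(records, lat, lon, radius_m):
    """Return the flagged-user count for the caller's grid cell.

    The client-supplied point is never used as a circle centre. It only
    selects a fixed cell, so shifting the query by a few metres returns the
    same answer, and neighbouring answers cover disjoint areas that cannot
    be subtracted from each other to isolate a small region.
    """
    if radius_m not in CELL_DEG:
        raise ValueError("radius not in server allowlist")
    if not (-90 <= lat <= 90 and -180 <= lon <= 180):
        raise ValueError("coordinates out of range")
    size = CELL_DEG[radius_m]
    target = cell_of(lat, lon, size)
    n = sum(1 for rlat, rlon in records if cell_of(rlat, rlon, size) == target)
    # Suppress small counts so a single household is never singled out.
    return n if n >= MIN_COUNT else 0


if __name__ == "__main__":
    print(area_count(SAMPLE, 10.1211, 20.4512, 1000))  # query near one corner of the cell
    print(area_count(SAMPLE, 10.1289, 20.4588, 1000))  # query near the opposite corner
    print(area_count(SAMPLE, 10.135, 20.455, 1000))    # cell holding a single flagged user
```
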
Notwithstanding its security and privacy lapses, the Indian government is determined to make its citizens install the app on their Android and iOS smartphones (there’s a feature phone version incoming as well), and in cities like Noida and Greater Noida, not having the app on your phone can result in criminal prosecution under Section 188 of the Indian Penal Code by local authorities.
India doesn’t yet have data protection laws and rules in place to check something like a privacy violation; however, the Constitution grants the right to privacy as a fundamental right. The Personal Data Protection Bill that safeguards citizens’ private data is currently under review by a Parliament committee. Once passed, the bill has a provision for setting up a Data Protection Authority as the central point of contact for ensuring the safety of personal data of users. Taking this into account, the Internet Freedom Foundation has already challenged the order under Section 144 for mandatory imposition of Aarogya Setu in Noida and Greater Noida.
Aarogya Setu collects extensive personal data such as name, age, gender, profession, countries visited in the past 30 days and smoking habits (if at all). Sharing a user’s private data with the government isn’t currently based upon the consent of the citizen, as the government has already directed states and companies to ensure their employees install the app on their smartphones.
Having said all of that, the issue at hand cannot be resolved by installing just an app on your smartphone when more than half of Indian citizens use a feature phone. The concept of data privacy in India is a pretty distant thought as you can easily get any person to install an app on their smartphones these days. And when you make it as mandatory and involuntary as Aarogya Setu, the general consensus overlooks the security lapses.
As for the privacy issues, people need to first understand what data privacy means in the larger scheme of things and how their data can be misused by people who may not seem very different from them. Until that happens and the Data Protection Bill is passed to monitor the privacy and security of the Indian citizens, they need to take precautions while giving away their personal data to anyone.