Experts have pointed out technical flaws in the Union government’s contact-tracing Aarogya Setu app that allegedly puts the personal data of the almost 90 million Indians who downloaded it, at risk. The app — launched on April 2, 2020 to inform the public about the novel coronavirus disease (COVID-19) pandemic — was said to have a security issue by a French hacker, who goes by the alias Elliot Alderson.

The hacker — taking to social media site Twitter on May 5 — said the privacy of the users who downloaded the app, was at stake and asked the app’s operators to contact him in private.

The private conversation took place around 50 minutes later, after which the hacker disclosed the issue to the Indian computer emergency response team of the Union Ministry of Electronics and Information Technology (MEIT) and the National Informatics Centre (NIC).

The Aarogya Setu app tells a person if she is at risk of contracting COVID-19 by taking a simple test. It needs the user’s global positioning system (GPS) location and requires the smartphone’s Bluetooth function to be switched on, after which it traces people who have come in contact with the user and if they have COVID-19.

An internal file of the app that hosted private information was opened up with just a single command, the hacker had claimed on April 4. He said, on May 5, that this particular issue was fixed by the app’s operators.

The NIC team that developed the Aarogya Setu app released a statement on May 6, to counter the claims made by Alderson. “No personal information of any user has been proven to be at risk” as claimed by the hacker, the statement said, adding that the team continuously tested and upgraded its systems and did not identify any data or security breaches.

Ravi Shankar Prasad, the Union minister of Electronics and Information Technology, said May 6 that Aarogya Setu was an “absolutely robust app in terms of privacy protection and safety, security of data”.

In a detailed article on May 6, however, Alderson explained the problems with the app and claimed to have easily bypassed some of its security restrictions and received information on the following:

• Number of infected people
• Number of unwell people
• Number of people said to be COVID-19 positive, according to the app
• Number of self-assessments made around the user
• Number of people using the app around the user

Alderson also claimed that the information on “who is infected anywhere in India, in the area of their choice” can be discovered with a little more probing.

The hacker also claimed to have found out that about five people who were unwell in the Prime Minister’s Office, an infected person in the Parliament and two unwell individuals in the Indian Army headquarters.

“The funny thing is they (Aarogya Setu) also admit a user can get data for multiple locations. Thanks to triangulation, an attacker can get the health status of someone within a metre’s precision,” said Alderson.

The NIC team’s statement said the fetching of any user’s location on a few occasions was by design and clearly detailed in the privacy policy. This data that can be retrieved from the app using its location-based filtering and was already available to the public, the statement said.

Experts, however, have pointed out major issues with the app’s privacy policy and the user terms of agreement.

The app was closed source, which means the algorithms run by the app cannot be viewed by anyone, said Divij Joshi, an independent lawyer and a Mozilla Foundation Tech Policy Fellow. “It makes it more difficult to uncover and discover vulnerabilities,” Joshi said. “This simply shows it is very easy to obtain personal information from the back end (where data is stored and most of the processing occurs) of the app,” he added.

Alderson, on Twitter, also called for opening up the source code of the app to the public. “When you ask (force) people to install an app, they have the right to know what the app is really doing”, he said, citing examples of countries including Singapore, Israel and Iceland that made the source codes of their contact tracing apps open to the public.

The Union government has made the downloading of the app mandatory for those who want to commute and work during the lockdown, despite reservations from several quarters. Political leaders have expressed reservations over the privacy concerns surrounding the app and questioned the government on the possible creation of a surveillance state through the app.

The implications of making the app mandatory “are that people will be jailed for not having a smartphone,” said Joshi. “Ultimately, it means that the police and executive can routinely abuse their authority and discriminate and target people for any reason. It also means that they are likely planning on using it as a broader digital government-citizen platform,” he added.