Aarogya Setu app : Hacked or Not !? - Tech of Today


Saturday, May 16, 2020

Aarogya Setu app : Hacked or Not !?

The Aarogya Setu app, which recently registered 100 million users in the country, became one of the most popular apps in India just 41 days after launch.
While the coronavirus contact tracing app has gained popularity, it also has its share of issues, which the Indian Government has dismissed. However, a new report has emerged suggesting that the app is hackable, raising more questions about the security of Aarogya Setu.



Aarogya Setu : Hacked or Not

India has made it mandatory for government and private sector employees to download it. But users and experts in India and around the world say the app raises huge data security concerns.

Aarogya Setu stores location data and requires constant access to the phone's Bluetooth which, experts say, makes it invasive from a security and privacy viewpoint.
"Aarogya Setu retains the flexibility to do just that, or to ensure compliance of legal orders and so on," says the Internet Freedom Foundation, a digital rights and liberties advocacy group in Delhi.
The app builders, however, insist that at no point does it reveal a user's identity.
"Your data is not going to be used for any other purpose. No third party has access to it," Mr Singh of MyGov said.

The big issue with the app is that it tracks location, which globally has been deemed unnecessary, says Nikhil Pahwa, editor of internet watchdog Medianama.
"Any app that tracks who you have been in contact with and your location at all times is a clear violation of privacy."
He is also worried by the Bluetooth function on the app.
"If I'm on the third floor and you are on the fourth floor, it will show that we have met, even though we are on different floors, given that Bluetooth travels through walls. This shows 'false positives' or incorrect data."

To register, users have to give their name, gender, travel history, telephone number and location.
"People can fill the form incorrectly and the government cannot verify it, so the efficacy of the data is questionable," Mr Pahwa told the BBC.

According to a BuzzFeed report, an Indian software engineer hacked the app to bypass the registration page, and even stopped the app from gathering data through GPS and Bluetooth.
The report also mentioned a comment on Reddit suggesting a phone wallpaper as a simple workaround for not downloading the app.

"The privacy conscious are likely to do this. Those who don't want to be forced to give their data to the government will look for and find workarounds. It could be by using a modified app or a screenshot, people will find ways," Mr Pahwa says.
But Mr Singh argues that "if one is staying home and not meeting anyone, it would not matter whether they have the app, or deleted it or switched the Bluetooth off or lied on self-assessment".


Earlier in the day, the Aarogya Setu team issued a statement saying that an ethical hacker had alerted them to a potential security issue in Aarogya Setu and that they had discussed the matter with him.

Elliot Alderson (@fs0c131y) had claimed that on Tuesday, five people had felt unwell at the PMO office, two at the Indian Army Headquarters, one person was infected at the Indian parliament, and three at the Home Office. Alderson claimed that on Tuesday, a cyber-attacker could know who is infected, who is unwell, and who made a self-assessment in the area of his choice. "Basically, I was able to see if someone was sick at the PMO office or the Indian parliament. I was able to see if someone was sick in a specific house if .
Check out his detailed blog post on the exploits and how he did it here.



