India acknowledges, but brushes aside, features-not-bugs in Aarogya Setu virus contact-tracing app

Late-night notifications come as opposition labels app 'surveillance system with no oversight'


The Indian government has acknowledged "potential security issues" in the Aarogya Setu contact-tracing app which its opposition labels as a "surveillance system with no oversight", but says the code issues are not that big a deal.

A late-night tweet from the team that developed and oversees the app said it was "alerted by an ethical hacker of a potential security issue".

The first feature called out is accessing location data – which is explained away as being a feature, not a bug. The second seems more serious and is described as allowing a user to "get the COVID-19 stats displayed on Home Screen by changing the radius and latitude-longitude using a script".

The app team's response is that the API that makes this possible is firewalled and that the data produced is both limited and already public.

"Getting data for multiple latitude longitude this way is no different than asking several people of their location's COVID-19 statistics," the notification says.

police

India makes contact-tracing app compulsory in viral hot zones despite most local phones not being smart

READ MORE

Unlike other nations' contact-tracing apps, Aarogya Setu is not open source or known to be based on other open-source efforts. India's government has pushed it aggressively and even made it compulsory – although one Reg reader ordered to install the app was able to brush off authorities' insistence because his phone couldn't access Indian app stores.

So why bother to rebut two minor issues with the app? Perhaps because India's opposition National Congress Party has heavily criticised Aarogya Setu. Here's MP Raul Gandhi – who leads the largest opposition party – in action:

Business is also bristling at being made responsible for ensuring the app's mass adoption by staff, while the Indian Software Freedom Law Center analysed the app and found numerous concerns, among them a liability clause that it says "exempts the Government from liability in the event of 'any unauthorised access to the [user's] information or modification thereof'".

"This means that there is no liability for the Government even if the personal information of users are leaked," the center's lawyers argue.

And here's the full not-a-bug report from the Aarogya Setu team.

Also in India ...

Also in India, and also announced by tweet, Wipro will turn over one of its vacant campuses to local health authorities for use as a hospital. The Pune buildings will be converted to a 450-bed facility before reverting back to become a Wipro office in a year. ®


Biting the hand that feeds IT © 1998–2020