COVID-19 contact tracing app Aarogya Setu had a vulnerability that released users’ precise location data to Google, the government disclosed on April 26. In its statement, the government said that it patched the vulnerability at 4am that day. The statement said developers were tipped off about the vulnerability by The New York Times. The vulnerability kicked in when users filled out a self-assessment questionnaire to determine their COVID-19 infection risk based on symptoms and contacts. The app leaked users’ location data to Google if they clicked on a YouTube link in a part of the questionnaire. The government did not say how many people took assessment tests so far, saying only that the number was “less than once per user” on average.

Of late, the government has been on the defensive when it comes to the app’s privacy. Before making this vulnerability public, the government pushed a notification to Aarogya Setu users informing them about a privacy policy change. But this only came three days after our report that the policy was changed without notice. However, privacy concerns still linger, as this disclosure underlines.

Professor Subhashis Banerjee of IIT Delhi had said in a discussion about Aarogya Setu’s privacy that the app’s code should have been made public. “Making the source code open should be mandatory,” he said. “When you are making a public application, it has to be eyeballed by many people. Basic ethics and propriety demands that to have happened.”

ReadAarogya Setu’s privacy risks and challenges to effectiveness, and how contact tracing can be made better in India

Aarogya Setu crossed 50 million downloads within weeks of being released, with over 71 million total downloads as of date; this multiplies the potential impact of any vulnerability significantly. The government also announced telemedicine and e-passes for being outdoors during the lockdown, and indicated that the app would outlive the pandemic. This raises concerns of scope creep, features in excess of the limited purpose of contact tracing the app was originally said to be intended for. The app also has no sunset clause for the data it is collecting right now, so there is no guarantee that the vast amount of contact tracing data will ever be deleted.

The government as well as the private sector are making Aarogya Setu a key component of opening the country back up from the COVID-19 lockdown. The CISF proposed that commuters should only be allowed to use the Delhi Metro if they have the app installed. Zomato and Urban Company (formerly UrbanClap) both announced that they would now require their agents to have the app installed to be allowed to work.

*

Read our coverage of Aarogya Setu.