wordpress blog stats
Connect with us

Hi, what are you looking for?

Aarogya Setu vulnerability gave up users’ precise location data to Google

Aarogya Setu

COVID-19 contact tracing app Aarogya Setu had a vulnerability that released users’ precise location data to Google, the government disclosed on April 26. In its statement, the government said that it patched the vulnerability at 4am that day. The statement said developers were tipped off about the vulnerability by The New York Times. The vulnerability kicked in when users filled out a self-assessment questionnaire to determine their COVID-19 infection risk based on symptoms and contacts. The app leaked users’ location data to Google if they clicked on a YouTube link in a part of the questionnaire. The government did not say how many people took assessment tests so far, saying only that the number was “less than once per user” on average.

Of late, the government has been on the defensive when it comes to the app’s privacy. Before making this vulnerability public, the government pushed a notification to Aarogya Setu users informing them about a privacy policy change. But this only came three days after our report that the policy was changed without notice. However, privacy concerns still linger, as this disclosure underlines.

Professor Subhashis Banerjee of IIT Delhi had said in a discussion about Aarogya Setu’s privacy that the app’s code should have been made public. “Making the source code open should be mandatory,” he said. “When you are making a public application, it has to be eyeballed by many people. Basic ethics and propriety demands that to have happened.”

ReadAarogya Setu’s privacy risks and challenges to effectiveness, and how contact tracing can be made better in India

Aarogya Setu crossed 50 million downloads within weeks of being released, with over 71 million total downloads as of date; this multiplies the potential impact of any vulnerability significantly. The government also announced telemedicine and e-passes for being outdoors during the lockdown, and indicated that the app would outlive the pandemic. This raises concerns of scope creep, features in excess of the limited purpose of contact tracing the app was originally said to be intended for. The app also has no sunset clause for the data it is collecting right now, so there is no guarantee that the vast amount of contact tracing data will ever be deleted.

The government as well as the private sector are making Aarogya Setu a key component of opening the country back up from the COVID-19 lockdown. The CISF proposed that commuters should only be allowed to use the Delhi Metro if they have the app installed. Zomato and Urban Company (formerly UrbanClap) both announced that they would now require their agents to have the app installed to be allowed to work.


Read our coverage of Aarogya Setu. 

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like


Google has closed its deal to acquire fitness wearables company Fitbit, even as probes by competition regulators in the United States and Australia are...


WhatsApp has reiterated in a blog post on Tuesday that the service is end-to-end encrypted and neither it or Facebook can see messages. It...


Links to private WhatsApp group chats have been indexed on Google search results, the Indian Express reported. The exposure was surfaced by security researcher...


The chipmaker Intel has now launched a facial recognition solution, which the company says will work with smart locks, access control, point-of-sale devices, ATMs...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2018 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to Daily Newsletter

    © 2008-2018 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ