wordpress blog stats
Connect with us

Hi, what are you looking for?

Aarogya Setu vulnerability gave up users’ precise location data to Google

Aarogya Setu

COVID-19 contact tracing app Aarogya Setu had a vulnerability that released users’ precise location data to Google, the government disclosed on April 26. In its statement, the government said that it patched the vulnerability at 4am that day. The statement said developers were tipped off about the vulnerability by The New York Times. The vulnerability kicked in when users filled out a self-assessment questionnaire to determine their COVID-19 infection risk based on symptoms and contacts. The app leaked users’ location data to Google if they clicked on a YouTube link in a part of the questionnaire. The government did not say how many people took assessment tests so far, saying only that the number was “less than once per user” on average.

Of late, the government has been on the defensive when it comes to the app’s privacy. Before making this vulnerability public, the government pushed a notification to Aarogya Setu users informing them about a privacy policy change. But this only came three days after our report that the policy was changed without notice. However, privacy concerns still linger, as this disclosure underlines.

Professor Subhashis Banerjee of IIT Delhi had said in a discussion about Aarogya Setu’s privacy that the app’s code should have been made public. “Making the source code open should be mandatory,” he said. “When you are making a public application, it has to be eyeballed by many people. Basic ethics and propriety demands that to have happened.”

Advertisement. Scroll to continue reading.

ReadAarogya Setu’s privacy risks and challenges to effectiveness, and how contact tracing can be made better in India

Aarogya Setu crossed 50 million downloads within weeks of being released, with over 71 million total downloads as of date; this multiplies the potential impact of any vulnerability significantly. The government also announced telemedicine and e-passes for being outdoors during the lockdown, and indicated that the app would outlive the pandemic. This raises concerns of scope creep, features in excess of the limited purpose of contact tracing the app was originally said to be intended for. The app also has no sunset clause for the data it is collecting right now, so there is no guarantee that the vast amount of contact tracing data will ever be deleted.

The government as well as the private sector are making Aarogya Setu a key component of opening the country back up from the COVID-19 lockdown. The CISF proposed that commuters should only be allowed to use the Delhi Metro if they have the app installed. Zomato and Urban Company (formerly UrbanClap) both announced that they would now require their agents to have the app installed to be allowed to work.


Read our coverage of Aarogya Setu. 

Advertisement. Scroll to continue reading.
Written By

I cover the digital content ecosystem and telecom for MediaNama.

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.



Due to the scale of regulatory and technical challenges, transparency reporting under the IT Rules has gotten off to a rocky start.


Here are possible reasons why Indians are not generating significant IAP revenues despite our download share crossing 30%.


This article addresses the legal and practical ambiguities in understanding the complex crypto ecosystem in India.


It is widely argued that the PDP Bill report seeks to discard the intermediary status of social media platforms but that may not be...


Looking at the definition of health data, it is difficult to verify whether health IDs are covered by the Bill.

You May Also Like


Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...


135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...


Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...


By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Your email address:*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ