Phone numbers and names of people getting COVID-19 tests were left exposed on a Karnataka government website for several months. Anyone with a little programming experience could, in theory, pull these sensitive details off the Karnataka COVID War Room website. This mechanism was disabled earlier this week, after a city-based Twitter user and media outlets highlighted the issue. Additionally, MediaNama has learnt that the website will soon have an OTP-based authentication system to address further privacy concerns (more on this further down).
The website, launched in August this year, was meant to serve as a means for people to access their COVID-19 results easily. People who have undergone a test are given a specimen referral form (SRF) ID. Users have to enter this 13-digit SRF ID, along with a CAPTCHA, and they get the result, along with their names. However, as Twitter user Shashi Kumar found out this week, the site can reveal a lot more with a bit of nudging:
- The SRF ID is the only information needed to check a result. Additionally, SRF IDs are not generated randomly but sequentially, i.e., if your ID is 001, you can add “1” and check the result for patients with SRF IDs 002, 003 and so on. Essentially, the website allows you to access the test results of other people, without any authentication.
- To make things worse, the website code used to run an application programming interface (API) that could fetch additional details of the person, such as their age, gender and contact number. Granted, this data wasn’t readily visible on the website, and users did need some programming knowledge to access the API. However, the API itself was open to the public without any authentication mechanism, according to Kumar. In theory, anyone could write a rudimentary program that fetches details for virtually any number of SRF IDs.
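The two weaknesses above, sequential identifiers and an endpoint that needs nothing but the identifier, combine into the classic enumeration pattern, and one of the cheapest defender-side controls is to watch server logs for a single client walking consecutive IDs. The following Python example is added here for illustration; it is not code from the War Room site, and the log line format and the `/api/result?srf=` path are assumptions made up for the sample.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not real traffic): client IP, timestamp, path.
# The log layout and the endpoint path are assumptions; the page only says SRF IDs
# are 13 digits and issued sequentially.
SAMPLE_LOG = """\
10.0.0.5 2020-11-10T10:00:01 GET /api/result?srf=1234567890001
10.0.0.5 2020-11-10T10:00:02 GET /api/result?srf=1234567890002
10.0.0.5 2020-11-10T10:00:02 GET /api/result?srf=1234567890003
10.0.0.5 2020-11-10T10:00:03 GET /api/result?srf=1234567890004
10.0.0.5 2020-11-10T10:00:03 GET /api/result?srf=1234567890005
10.0.0.9 2020-11-10T10:05:00 GET /api/result?srf=1234567894421
10.0.0.9 2020-11-10T11:40:12 GET /api/result?srf=1234567894421
"""

LINE_RE = re.compile(r"^(\S+) (\S+) GET /api/result\?srf=(\d{13})$")


def parse_lookups(log_text):
    """Return {client: [srf_id, ...]} as integers, in request order."""
    lookups = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            lookups[m.group(1)].append(int(m.group(3)))
    return lookups


def longest_sequential_run(ids):
    """Length of the longest run where each ID equals the previous ID + 1."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def flag_enumerators(log_text, min_run=4):
    """Clients whose lookups contain at least min_run consecutive SRF IDs.

    A citizen re-checking their own result repeats one ID; a script walking
    the ID space produces a long consecutive run, which is the signal here.
    """
    return sorted(client for client, ids in parse_lookups(log_text).items()
                  if longest_sequential_run(ids) >= min_run)
```

Flagging is only a detection aid; the structural fix is to stop accepting the SRF ID alone as proof of entitlement, which is what binding the lookup to a verified phone number (the OTP step discussed later in the article) would do.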
There is no limit to what you can do with this. You can just write a simple Python script and run a loop over SRF IDs and you can have the entire database of all patients with their personal details in less than half an hour.
I tried that, it took me less than five minutes. pic.twitter.com/M7uFAv0UId
— shashi (@devzoy) November 10, 2020
Such data would be a goldmine for telemarketers, who would be able to target people based on their diagnosis. For instance, you test positive, and a few days later you get a call on your phone number asking if you are interested in sanitising your home. Something similar is already being seen in Bengaluru where, according to a Bangalore Mirror report, citizens are getting unsolicited phone calls from businesses trying to sell sanitation and fumigation services, oxygen cylinders and other medical devices. It isn’t clear whether this is because of data leaking from the War Room website or from elsewhere, but the end result in either case is likely the same.
The Karnataka government has since acknowledged this problem. Munish Moudgil, a senior IAS officer who is heading the state’s COVID-19 War Room, told The News Minute that a “tech team” has filed the issue. The API that was exposing the sensitive data has been disabled, tweeted Kumar. He subsequently told MediaNama that the API now needs encoded values of the SRF ID and CAPTCHA to be called, meaning that it cannot be accessed publicly.
Even now, the original functionality of the website remains unchanged. An SRF ID is still enough to get you the person’s first name and their test result. In most cases, only the first name of the person is shown. But in a select few, their full names are shown as well, which would qualify as personally identifiable information (PII).
MediaNama spoke to Munish Moudgil to understand whether the state government has any plans to add a new check, to ensure that people can access only their own tests and not others’. At the outset, he disagreed with the notion that the website was violating citizens’ privacy, and said that there is nothing wrong with it. He said that the present issue has already been fixed.
At the same time, Moudgil admitted that some people do have privacy concerns with the system. We are considering an OTP-based authentication system, but “it will only complicate things”, he said. He explained that making citizens go through an OTP-based check would cause many problems for them.
“See the problem of OTP is: one, the delivery [of the message] is delayed, or in case people have given someone else’s mobile number, who is not with them — they will not be able to access their test result. [The system] is for citizens’ convenience. The more checks we put, the more inconvenience the citizen will feel” — Munish Moudgil, head of Karnataka’s COVID-19 War Room
The senior bureaucrat estimated that these problems will lead to accessibility issues for at least 10-20% of people trying to access their results each day. Within the government, there are 10,000 employees for whom OTPs, pertaining to various applications, get delayed, he added. There is also a cost angle: “Imagine there are one lakh OTPs every day, I will end up spending ₹10,000 every day to send these messages. This is public money that we will have to spend,” he said.
“We will introduce OTP. We will see the response, and then see. We are taking a confirmation from the E-governance department, in writing, that there will be no delay in the delivery of OTP,” added Moudgil.