India acknowledges, but brushes aside, features-not-bugs in Aarogya Setu virus contact-tracing app

Late-night notifications come as opposition labels app ‘surveillance system with no oversight’

The Indian government has acknowledged “potential security issues” in the Aarogya Setu contact-tracing app which its opposition labels as a “surveillance system with no oversight”, but says the code issues are not that big a deal.

A late-night tweet from the team that developed and oversees the app said it was “alerted by an ethical hacker of a potential security issue”.

The first issue called out is the app’s access to location data, which the team explains away as a feature, not a bug. The second seems more serious and is described as allowing a user to “get the COVID-19 stats displayed on Home Screen by changing the radius and latitude-longitude using a script”.

The app team’s response is that the API that makes this possible is firewalled and that the data produced is both limited and already public.

“Getting data for multiple latitude longitude this way is no different than asking several people of their location’s COVID-19 statistics,” the notification says.
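The rebuttal above treats a count for an arbitrary circle as equivalent to asking a person about their area. The following simulation, added here and not code from the original article or from the Aarogya Setu project, shows why a practitioner would not accept that equivalence: it models an aggregate-count endpoint over a few constructed case positions, the kind of grid-walking script the tweet describes, and the differencing step that shrinks the radius around a cell until a "public" count becomes an individual location. A hardened variant then enforces a minimum radius and suppresses small counts. Every function name, constant and coordinate is an assumption for illustration; nothing here is the app's real API.

```python
import math

# Constructed sample positions (lat, lon) of reported cases. Entirely made up
# for this illustration; this is a stand-alone model, not the app's data.
CASES = [(28.6139, 77.2090), (28.6200, 77.2150), (19.0760, 72.8777)]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def count_within(lat, lon, radius_km, cases=CASES):
    """Weak endpoint (hypothetical): any caller may pick any centre and radius."""
    return sum(1 for clat, clon in cases if haversine_km(lat, lon, clat, clon) <= radius_km)


def sweep(lat0, lon0, lat1, lon1, radius_km, step_deg, endpoint=count_within):
    """The kind of script the article describes: walk a lat/lon grid, query a
    count per cell, and keep the cells that report anything non-zero."""
    n_lat = int(round((lat1 - lat0) / step_deg)) + 1
    n_lon = int(round((lon1 - lon0) / step_deg)) + 1
    hits = {}
    for i in range(n_lat):
        for j in range(n_lon):
            lat = round(lat0 + i * step_deg, 6)
            lon = round(lon0 + j * step_deg, 6)
            n = endpoint(lat, lon, radius_km)
            if n:
                hits[(lat, lon)] = n
    return hits


def localise(lat, lon, endpoint=count_within, start_km=1.0, shrink=0.5, floor_km=0.01):
    """Differencing step: around a cell that reports at least one case, halve
    the radius until the count drops to zero (or the floor is reached). The
    last radius that still returned a count bounds the case's distance from
    the centre. Returns that radius in km, or None if nothing was found."""
    r = start_km
    last = None
    while r >= floor_km and endpoint(lat, lon, r) >= 1:
        last = r
        r *= shrink
    return last


# Hardened variant (hypothetical policy values): a floor on the query radius
# and suppression of counts below a threshold, applied server-side so that a
# scripted caller cannot resolve a cell down to one person.
MIN_RADIUS_KM = 1.0
MIN_COUNT = 5


def count_within_hardened(lat, lon, radius_km, cases=CASES):
    """Same query with the two floors enforced; returns None when suppressed."""
    if radius_km < MIN_RADIUS_KM:
        raise ValueError("radius below minimum")
    n = count_within(lat, lon, radius_km, cases)
    return n if n >= MIN_COUNT else None


if __name__ == "__main__":
    cells = sweep(28.60, 77.20, 28.63, 77.22, 0.4, 0.005)
    for (lat, lon), n in cells.items():
        print(f"cell ({lat}, {lon}) count={n} within {localise(lat, lon)} km")
    print("hardened:", count_within_hardened(28.6139, 77.2090, 1.0))
```

The floors only raise the cost of the sweep; they do not remove it. A real deployment would pair them with per-client rate limiting and logging of query patterns, since a caller who can issue thousands of overlapping circles can still difference two large circles against each other unless the suppression threshold is applied to the difference as well as to each answer.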

Unlike other nations’ contact-tracing apps, Aarogya Setu is not open source or known to be based on other open-source efforts. India’s government has pushed it aggressively and even made it compulsory – although one Reg reader ordered to install the app was able to brush off authorities’ insistence because his phone couldn’t access Indian app stores.

So why bother to rebut two minor issues with the app? Perhaps because India’s opposition Indian National Congress has heavily criticised Aarogya Setu.

Business is also bristling at being made responsible for ensuring the app’s mass adoption by staff, while the Software Freedom Law Center, India analysed the app and found numerous concerns, among them a liability clause that it says “exempts the Government from liability in the event of ‘any unauthorised access to the [user’s] information or modification thereof’”.

“This means that there is no liability for the Government even if the personal information of users is leaked,” the center’s lawyers argue.

Source: theregister.co.uk