The Indian government on Wednesday said no personal information of any user has been proven to be put at risk by the Aarogya Setu app, which has been launched to contain COVID-19, after a famous French hacker claimed there were certain security issues.
The government, in a statement, said the app only uses information for administrating COVID-19-related health interventions and not for any other purposes, adding that it never reveals anyone's personal identity to anyone else.
“Upon signing up, every user is assigned a unique randomised anonymous device ID. All communication between two devices and between device and server id done using the device ID, no personal information is used for any communication,” the statement read.
Clarifying the hacker’s claim that the app had fetched user locations on a few occasions, the government stated that it fetches the user location and stores them on the server in a “secure, encrypted, anonymised manner".
“The app stores an encrypted signature when you come in proximity with other registered devices. This interaction information is not pushed to the server unless you turn COVID-19 positive. While all unique interaction stored is only for 30 days while the data on the server is deleted in 45 days for non-risk users and 60 days from the data of cure for COVID-19 positive patients,” it stated.
The government has also stated that user data location is used, in case a person has tested positive, only to map places they visited in the last 14 days for sanitisation and the testing of people to prevent the further spread of the disease.
“We have been continuously testing and upgrading our system and team Aarogya Setu assures that no data or security breach has been identified,” the statement read.
Following the statement, the hacker responded saying that he will reveal more details later.
Basically, you said "nothing to see here"— Elliot Alderson (@fs0c131y) May 5, 2020
We will see.
I will come back to you tomorrow. https://t.co/QWm0XVgi3B
“A security issue has been found in your app. The privacy of 90 million Indians is at stake,” he previously tweeted.
The government of India had launched the contact-tracing app Aarogya Setu earlier in April. The app has been made compulsory for all government and private sector enterprises across the country while everyone in the containment zone will also have to download it.