Aarogya Setu is an open-source COVID–19 “contact tracing, syndromic mapping, and self-assessment” mobile app, developed under the Ministry of Electronics and Information Technology (MeitY). The app reached more than 100 million installs in the first 40 days.
What is the security level of the data of millions of Indians, collected through the Aarogya Setu app? The data could be vulnerable to threats from combative state and non-state players and pose a national security challenge, according to cybersecurity experts and former intelligence officials. This is the result of issues in India’s security capabilities and cyber privacy practices. The Government of India rejected these concerns, stating that the encryption standards have satisfactory security against data or network breaches.
Aarogya Setu is a contact tracing app to trace close contact between people so that they can be identified in the event any of them is infected with Covid-19. “National databases in general are a huge cause of concern. Sometimes, leaks don’t even appear on the dark web. They are simply scooped away for doing passive profiling of citizens of adversarial countries,” said Pukhraj Singh, a cybersecurity intelligence expert, who was involved in the detection of the breach at the Kudankulam Nuclear Power Plant last year.
The worries voiced by Singh are also endorsed by two former intelligence officers who have held senior positions in the National Intelligence Grid (Natgrid) and the National Technical Research Organisation (NTRO) – two of India’s main agencies tasked with digital intelligence gathering. Since its launch in early April, Aarogya Setu has had at least 120 million sign-ups, according to government officials. The process requires users to declare their mobile numbers, name, gender, age, and whether they belong to a set of high-risk professions, such as law enforcement or health care. This is sensitive information that jeopardizes the privacy and security of an individual.
Cybercriminals use such data to determine points of information about an individual, which they use to bypass identity checks for crimes such as bank account theft. There is another risk factor associated with the Aarogya Setu app – fake applications that look like Aarogya Setu but are actually spying tools. These have been spread using the same techniques like phishing, often through messaging applications or via links sent over WhatsApp. While this might not expose the entire database, it could compromise individuals who are successfully targeted.
Data minimization refers to the principle of collecting only the basic information required for a tool’s purpose. In Aarogya Setu’s case, privacy activists say the collection of location records and tracing profession details, and demographic data does not follow this principle. This makes it a major security threat.