How secure is the medical history of 90 million Indians, asks French ethical hacker
French ethical hacker who goes by the pseudonym Eliot Alderson has raised a red flag on the Arogya Setu app, tweeting “Rahul Gandhi was right”, but the Arogya Setu team claims all’s well
A fascinating exchange on Twitter between well-known ethical hacker Eliot Alderson (a pseudonym) and the Arogya Setu team in India has put a fresh question mark on the contact tracing and reporting app made mandatory in India. 90 million Indians have already downloaded the app, which Congress MP and past president Rahul Gandhi had said was a sophisticated surveillance tool.
The exchange began on Tuesday with Alderson addressing @SetuArogya on Twitter. “Hi, a security issue has been found in your app. The privacy of 90 million Indians is at stake. Can you contact me in private? Regards, PS: @RahulGandhi was right.”
A couple of hours later, he tweeted again, “49 minutes after this tweet, @IndianCERT and @NICMeity contacted me. Issue has been disclosed to them…to be super clear: - I'm waiting a fix from their side before disclosing publicly the issue. Putting the medical data of 90 million Indians is not an option. - I have a very limited patience, so after a reasonable deadline, I will disclose it, fixed or not.”
A Twitter user in India asked, “Do you believe it is intentional and by design?” The cryptic answer from Alderson was in the affirmative: “Yes.”
Some Indians were outraged at the suggestion that Indians’ data were compromised. One of them tweeted back to Alderson, “Arogya Setu team has clarified in no time. No fix is required. App bug fix & security updates are common & releases every month. Setu is the need of the hour. Not luxury. Obsession to prove something wrong for political reason is unethical.”
Indeed, the Arogya Setu team issued a statement and posted it on Twitter, acknowledging that they had been contacted by the ethical hacker and saying that nothing was really amiss. This is the statement they posted:
The statement elicited another cryptic response from Alderson, who tweeted, “Basically, you said "nothing to see here" We will see. I will come back to you tomorrow.”
Even as we wait to see what Alderson reveals about the app, he has already spoken of the medical history of 90 million Indians, disclosed voluntarily by those who downloaded the app, which will be invaluable not only to medical researchers but also to big pharma companies and multinational corporations.
Since the app is also expected to be downloaded by defence personnel, a security dimension has crept in.
Meanwhile, the BBC, in a report on Tuesday, raised more questions about mobile contact-tracing apps and quoted experts saying that such apps are “imprecise”. The BBC report made the following points:
- Digital contact tracing will be vulnerable to all forms of fraud and abuse - from people using multiple devices, false reports of infection, to denial-of-service attacks by adversarial actors.
- The smartphone software is meant to alert users when someone they were recently near becomes infected. The Ada Lovelace Institute says there is "an absence of evidence" that such tools are practical, accurate or technically capable. Others say the initiative must be backed up by an army of human checkers.
- American Civil Liberties Union: We have spoken to engineers and executives at a number of the largest US companies that hold location data on Americans' movements and locations and they said their data is not suitable for determining who was in contact with whom.
Some phones detect signals from up to 30m (98ft) away without being able to determine the distance. Interference can also prevent two phones noticing each other when within 2m. Thus many matches would be missed, others recorded by mistake.
The BBC report can be read here:
Published: 06 May 2020, 11:17 AM