French ethical hacker Elliot Alderson, who sparked a fierce debate over security issues in Aarogya Setu earlier this month, said the Indian government should convince people of the app's usefulness instead of forcing them to use it.
In an interview with Firstpost, Alderson, a cybersecurity expert, responded to several statements made by the Union government about Aarogya Setu, which is being widely promoted as a contact tracing application that helps combat COVID-19.
The press office stated that the app was developed as a 'public-private partnership', and according to media reports several individual volunteers worked on it, including former Google India executive Lalitesh Katragadda and MakeMyTrip founder Deep Kalra.
"Publishing important source code to gain confidence"
Alderson said the Union government must follow the example of several other countries and make the application open source, which would allow it to be examined for security holes by independent coders and researchers.
He said: “To be potentially useful, a contact tracing application needs to be downloaded and used by many people. To ensure large-scale adoption of the application among the population, you need to earn their trust. Publishing the source code is one way to gain that confidence.”
In an interview with Hindustan Times, the CEO of MyGov, Abhishek Singh, said that the application had not been made open source because the code was still changing, as the developers kept receiving new ideas.
Singh said that unless the application is stable, releasing its source code may not help, as there would always be someone raising false alarms.
However, several countries have developed similar applications to facilitate contact tracing and have made them open source, Israel, Singapore and the United Kingdom being prominent examples.
Alderson noted these examples in a tweet and urged the Indian government to do the same.
Another concern raised by Singh was that making the application open source could lead to its misuse by non-state actors.
Responding to that concern, Alderson told Firstpost, “This fear is totally illegitimate. Many countries have created their open source applications and nothing bad has happened. Making an application's source code public is something that has been done for years and is quite standard practice.”
Another point of contention between the government and privacy activists is whether the app guarantees anonymity. The Economic Times quoted a senior government official as saying that all data is anonymized and that, after an anonymous device ID is created, "all future interactions" happen with the anonymous device ID.
Alderson does not agree. He said: “After you are declared infected with COVID-19, your GPS data from the past few weeks will be sent to the Indian government. This system is not absolutely anonymous. Therefore, this application is a surveillance system to track people infected with COVID-19.”
In a blog post on Medium on May 6, Alderson showed that it is possible to modify the location the application reports, which makes it possible to find out how many people are sick or infected in an area without being physically present there.
Based on the data obtained, he was able to show that five people were feeling unwell at the Prime Minister's Office (PMO), two people were feeling unwell at the army headquarters and one person was infected in Parliament.
In the blog post entitled "Aarogya Setu: The story of a failure", Alderson also showed that it was possible to modify the radius of the application to a figure that is not normally available to users, although the government denied the claim.
Alderson also said that in an earlier version of the application, it was possible for an attacker to open any internal file, including the app's local database.
However, he said that in the subsequent version this problem was "silently fixed" by the developers. Commenting on this, Alderson said: “I sent them my report and they solved the problems I flagged. That is the most important thing.”
"Forcing people to install an app is no good"
The Union home ministry, in its latest lockdown guidelines, does not make it mandatory for office-goers to install the Aarogya Setu app. The new guidelines, dated May 17, state that employers must ensure that the application is downloaded by all employees with compatible mobile phones "with the best possible effort".
The previous guidelines, from May 1, stated that “the use of Aarogya Setu will be mandatory for all employees, private and public. It will be the responsibility of the head of the respective organizations to guarantee 100% coverage of this application among employees.”
Commenting on this, Alderson said: “This is a step in the right direction. Forcing people to install an app is never a good thing. You can legally force them to install an application, but you cannot force them to use it. Instead of forcing people, the Indian government should spend its energy convincing people that this app is really useful (if that’s what it believes).”
However, after air and rail travel was partially restored, installing the Aarogya Setu app was made mandatory for people planning to travel by plane or train. In addition, some private companies such as Zomato and Xiaomi made it mandatory for employees to download the app.
In the Gautam Budh Nagar district, which includes Noida, Greater Noida and Dadri, local authorities made it mandatory for people to install the app in a May 3 order. However, the order was reversed on May 20, after some residents sent a representation to the additional deputy commissioner (law and order) contesting the legal basis of the directive.