Experts find flaws in India’s COVID-19 contact tracing app

Previously, we took a detailed look at the Australian contact tracing app to reveal its various imperfections.

Today, we will be looking at the Indian approach, Aarogya Setu, which, as experts have found, also contains several flaws.

The app connects to the web and retrieves the location data of its 90 million users so that the user can check how many people in their vicinity have tested positive for COVID-19.

The Indian government claims that it has always made a full disclosure of this feature, which is considered a massive privacy protection flaw.

Examining Aarogya Setu’s privacy policy reveals that the app continuously collects your location data and stores it on the device.

If you test positive for COVID-19 or self-declare the infection based on the symptoms you are experiencing, then your digital ID is uploaded to the centralised server.

Such location tracking, despite its good intentions, is a practice that is frowned upon (and banned) by Apple and Google.

Although it could be used to pinpoint infection hotspots and better predict a possible outbreak, privacy advocates have warned about the disastrous outcome of this data ever being leaked.

Baptiste Robert, a security researcher based in France, said that anyone can view the concentration of infected individuals in a range spanning anywhere from 500 metres to 10 kilometres.

Once again, the government responded that it has addressed the issue by preventing the scripts from initiating requests in bulk.

The government also argues that COVID-19 statistics are already public by nature.

In India, all government and private sector employees are asked to install the app, and in 35 days, it has amassed 90 million users.

The local authority of Noida city said that residents who refuse to install the app can be fined or imprisoned.