French ethical hacker Elliot Alderson, who sparked off a fierce debate on security issues related to Aarogya Setu earlier this month, said that the Indian government must convince people of the app's efficacy rather than force them to use it.
In an interview with Firstpost, Alderson, a cybersecurity expert, responded to several assertions made by the Union government about Aarogya Setu, which is being widely promoted as a contact-tracing app that helps combat COVID-19.
The Press Information Bureau has said that the app was developed as a 'public-private partnership', and according to media reports, several individual volunteers have worked on it, including former Google India executive Lalitesh Katragadda and MakeMyTrip founder Deep Kalra.
'Publishing source code important to gain trust'
Alderson said the Union government should follow the example of several other countries and make the app open source, which would enable it to be scrutinised for security flaws by independent coders and researchers.
He said, "To potentially be useful, a contact-tracing app needs to be downloaded and used by a lot of people. To ensure adoption of the app on a large scale among the population, you need to gain their trust. Publishing the source code is one way to get this trust."
In an interview with Hindustan Times, MyGov's CEO Abhishek Singh said the app had not been made open source because its code was still being changed as the developers gained new insights.
Singh said that unless the app is stable, releasing its source code may not help as there would always be someone raising false alarms.
Alderson cited the examples of countries that have made their apps open source in a tweet and urged the Indian government to do the same.
Another concern raised by Singh was that making the app open source may lead to its misuse by non-State actors.
Responding to this concern, Alderson told Firstpost, "This fear is totally illegitimate. A lot of countries made their apps open source and nothing bad happened. Making the source code of an app public is something that has been done for years and is quite a standard practice."
Another point of contention between the government and privacy activists is whether the app ensures anonymity. The Economic Times quoted a senior government official as saying that all data is anonymised, and after an anonymous device ID is created "all future interactions" happen with the anonymised device ID.
Alderson doesn't agree. He said, "Once you are declared infected with COVID-19, your GPS data of the past few weeks is sent to the Indian government. This system is absolutely not anonymous. So, this app is a surveillance system to track people infected with COVID-19."
In a blog post on Medium on 6 May, Alderson showed that it was possible to modify the location the app uses, which could enable a user to find out how many people were unwell or infected in an area without being physically present there.
On the basis of the data obtained, he was able to show that five people felt unwell at the Prime Minister's Office (PMO), two people felt unwell at the army headquarters and one person was infected at Parliament.
In the blog post, entitled "Aarogya Setu: The story of a failure", Alderson also showed that it was possible to modify the radius of the app to a figure that is not normally available to users, although the government denied the claim.
Alderson also said that in an earlier version of the app, it was possible for an attacker to open any internal file, including the local database of an area.
However, he said that in the subsequent version, this issue was 'fixed silently' by the developers. Commenting on this, Alderson said, "I sent them my report and they fixed the issues I flagged. That is the most important thing."
'Forcing people to install app not good'
The Union home ministry, in its latest guidelines on the coronavirus lockdown, no longer makes it mandatory for office-goers to install the Aarogya Setu app. The new guidelines dated 17 May state that employers should ensure that the app is downloaded by all employees having compatible mobile phones "on best effort basis."
The earlier guidelines, dated 1 May, stated, "Use of Aarogya Setu shall be mandatory for all employees, private and public. It shall be the responsibility of the head of the respective organisations to ensure 100 percent coverage of this app among the employees."
Commenting on this, Alderson said, "This is a step in the right direction. Forcing people to install an app is never a good thing. You can legally force them to install an app but you cannot force them to use it. Instead of forcing people, the Indian government should spend its energy on convincing people that this app is really useful (if this is what it believes)."
However, now that air and rail travel have been partially restored, it has been made mandatory for people planning to travel by flight or rail to install the Aarogya Setu app. Some private companies, such as Zomato and Xiaomi, have also made it mandatory for employees to download the app.
In Gautam Budh Nagar district, which includes Noida, Greater Noida and Dadri, local authorities made it mandatory for people to install the app in a 3 May order. However, the order was reversed on 20 May after some residents submitted a representation to the Additional Deputy Commissioner (Law and Order) challenging the directive's legal basis.