The Indian government’s mandatory mobile application has led to heated debates in the country, with opposition leaders calling it “a sophisticated surveillance system”, and the mandate “nothing but negative reinforcements”.

The government’s National Informatics Centre, however, describes the application, Aarogya Setu, as one for contact tracing and dissemination of medical advisories to contain the spread of COVID-19.

Since announcing the extended lockdown beyond May 3, the government has approved new guidelines that have made the app a requirement. The guidelines make it mandatory for all private and public sector employees, with the organization’s heads, responsible for ensuring it.

The app is now also mandatory for people living in containment zones, and those crossing borders with Delhi (Gurugram and Noida). It currently has a 90-million user base.

“All those with smartphones who do not have the application can be booked under Section 188 of the IPC. After that, a judicial magistrate will either decide if the person will be tried, fined, or left with a warning,” Akhilesh Kumar, the deputy commissioner of police of the Noida region, said in a press conference.

The mandate has led to comparing this with the earlier ask of the government to bring the National Population Register, which had led to huge debates and protests across India in December.

Globally, countries are coming out with COVID-19 applications. Singapore, Italy, and South Korea have released apps, but in these countries, the onus of installing the apps lies with the user and not the government.

“Aarogya Setu was meant to be voluntary, [but] has now been made mandatory. We cannot allow our armed forces and the entire country to be made to download something that compromises data security. There should be legal and technical safeguards to decentralize these apps,” Pawan Khera, the spokesperson of the main opposition Indian National Congress party, told Anadolu Agency.

Security issues

India does not have any law on data protection currently and this open-source application will thus place 90 million users at risk.

“I did a quick scan, and I can see that the app gets 7.4 level vulnerability in the CVSS [Common Vulnerability Scoring System] scoring, which is very bad. It is prone to a middle attack, meaning people can intercept the traffic and leverage it. It has three medium level vulnerabilities — use of unencrypted protocols, bad SQL queries, and clear text database — which means anyone can see data with right accesses,” a senior risk analyst in India told Anadolu Agency, on condition of anonymity.

The analyst noted that the app does not follow the EU’s data privacy laws. Any European person in India who downloads the app can sue the government for breaching the regulations and thus can apply penalties.

In a series of tweets, Robert Baptiste, a French cyber security expert, pointed out that the app has gaps.

“A security issue has been found in your app. The privacy of 90 million Indians is at stake,” tweeted Robert, who goes by the name Elliot Anderson on social media. He even mentioned opposition leader Rahul Gandhi’s words “correct in calling the app a surveillance system”.

Earlier, Baptiste had also pointed out some gaps in Aadhaar numbers, a unique 12-digit code mandatory number issued to Indian citizens. He had revealed that a government-run gas company had leaked 6.7 million of those numbers carrying private information.

Meanwhile, the Aarogya Setu Team under the Information and Broadcasting Ministry, issued a release, saying: “No personal information of any user has been proven to be at risk by this ethical hacker. We are continuously testing and upgrading our systems. Team Aarogya Setu assures everyone that no data or security breach has been identified.”

Copyright 2022 Anadolu Agency. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.