- Aarogya Setu in a statement said that a bug exposed some user data to YouTube.
- The app said that the bug was minor and did not reveal the identity of users to YouTube.
- The bug was fixed on April 26 after reports of it came out in the media.
Aarogya Setu, the contact-tracing app which is the talk of the town and has gotten over 75 million downloads, recently exposed some users' data, including location data, to YouTube. The security bug came to light when the New York Times wrote about it. It has now been fixed, Aarogya Setu noted in a statement.
The app potentially exposed location data, including longitude and latitude, of a user in certain usage conditions. "Recently, Team Aarogya Setu was made aware that if a user performed a very specific set of actions, YouTube could access the anonymised latitude and longitude of the user," the statement by Aarogya Setu noted.
But it said that only the location data was revealed. No other data, and particularly no data that could have revealed the identity of a user, was leaked to YouTube.
"When a user filled a self-assessment in the app, and then immediately scrolled down to the YouTube iframe, a referral header containing latitude-longitude information with no other personal identifier was visible to Google," noted the app.
The statement said that the Aarogya Setu team identified the source of the vulnerability and fixed it at 4 AM on April 26.
Aarogya Setu has become one of the key tools for the government in its efforts to curb coronavirus infections in the country through contact-tracing. The government is making a lot of effort to popularise the app and has repeatedly asked Indians to download it on their phones. But there are privacy concerns as well, around the usage of the app.
Unlike the contact-tracing apps that many other countries are using, the Aarogya Setu app captures both Bluetooth and location data. Many other such apps, including the ones based on Google and Apple's contact tracing technology, only use Bluetooth.
At the same time, there are reports that the government plans to use the Aarogya Setu app as an access control app through its e-pass feature, which is supposed to be rolled out soon. The e-pass feature is likely to grade people into Green, Orange and Red categories, with people with the Green e-pass getting access to all public areas, while people in Red and Orange will be asked to go in self-quarantine.
Recently, there was a report that the app will be used by Central Industrial Security Force (CISF) and Delhi Metro to screen people who wish to use the service once lockdown is lifted. Also, recently Zomato and Urban Company made the app mandatory for their delivery and service executives.
Microsoft co-founder Bill Gates has lauded the Indian government for utilising technology in the fight for COVID-19. "I'm glad (Indian) government is fully utilising its exceptional digital capabilities in its COVID-19 response and has launched the Aarogya Setu digital app for coronavirus tracking, contact tracing, and to connect people to health services," the Microsoft co-founder said in a letter. If you remember, Bill Gates is also a fan of India's Aadhaar project and has praised it, although many experts believe Aadhaar too has privacy implications.