- The Data of millions of Indians, collected through the Aarogya Setu app, could be vulnerable to threats from adversarial state and non-state actors and pose a national security challenge, according to cybersecurity experts and former intelligence officials.
- Indian government officials reject these concerns, saying their encryption standards have adequate protection against data or network breaches.
How does the app work?
- Since its launch in early April, Aarogya Setu has had at least 106 million sign-ups and the process requires users to declare their mobile numbers, name, gender, age, and whether they belong to a set of high-risk professions, such as law enforcement or health care.
- The application then routinely asks people to “self-assess” their health by answering questions such as whether they have any of the symptoms associated with Covid-19 or if they have a history of diabetes, hypertension or obesity – factors that make people more susceptible to the disease.
Government’s Use of Aarogya Setu App
- Aarogya Setu is meant to trace close contact between people so that they can be reached in the event any of them is infected with Covid-19.
- According to government officials, at least 110 million people have signed up on it, and while a rule making it mandatory for office-goers to install it was partially relaxed recently, with just the condition that air passengers must install it if they are taking a flight.
- Government officials has said that their data encryption standards have adequate protection against breaches.
Concerns of Threat:
- National databases in general are a huge cause of concern, as sometimes the leaks don’t even appear on the dark web. They are simply scooped away for doing passive profiling of citizens of adversarial countries.
- The threat is particularly serious due to the nature of information involved.
- The users of Aarogya Setu part with information that can directly identify them, where they have been, and what health conditions they suffer from, making it a target for common cyber criminals who can offer these up on the dark web for a price, as well as state-backed hackers for espionage.
- Cyber criminals are known to use such data to determine multiple point of information about an individual, which can then be used to bypass identity checks for crimes such as bank account theft.
How does Data breach happen?
Fundamentally, data breaches can happen in two ways:
- The most common method is deceiving someone into divulging sensitive information or giving a hacker privileged access – a tactic commonly known as a phishing attack.
- The other is code-based attacks on computer networks, which usually make use of flaws in software, or what are known as exploits.
Till now, as of 23rd May, officials have not detected such an attempt on health data in India.
- There is a 3rd risk factor associated with the Aarogya Setu push – modified or impostor applications that look like Aarogya Setu but are spying tools.
- These have been spread using the same techniques as phishing, often through messaging applications or via links sent over WhatsApp.
- While this might not expose the entire database, it could compromise individuals who are successfully targeted.
-Source: Hindustan Times