A week after Congress MP Rahul Gandhi alleged that the ‘Aarogya Setu’ app is a threat to privacy and dubbed it a "sophisticated surveillance system", a Madhya Pradesh government’s mobile-based application, ‘Sarthak’, designed and developed to keep track of COVID-19 patients, has exposed the personal details of thousands of individuals.
The app leaked data, including real-time location and personal details, of around 5,500 individuals before it was pulled down on Sunday, 10 May, after a French computer programmer highlighted the breach in a tweet.
Sharing the screenshot of the application, the French hacker, who goes by the name ‘Elliot Alderson’ on Twitter, exposed the breach on social media.
He Tweeted, “In India, the state of Madhya Pradesh created a COVID-19 dashboard with: Name of quarantined people, their device ID and name, operating system version, app version code, the GPS coordinates of their current and office location.”
‘Sarthak’ and ‘Aarogya Setu’: Drawing Parallels
The Union government had, in an advisory on 8 April 2020, said that those affected by COVID-19 or under quarantine should not be identified publicly. The hacker also exposed a breach in the ‘Arogya Setu’ app and backed Congress leader Gandhi’s claim that 'it is a surveillance system.'
Replying to the tweet after realising the fault, the official Twitter handle of Madhya Pradesh Agency for Promotion of Information Technology (MAP-IT), which has developed the app, said, “We have taken cognisance of this issue and it is being examined in detail. Till then, the dashboard has been brought down. Thank you.”
Both the applications, ‘Sarthak’ and ‘Aarogya Setu’, were designed to help users to identify whether they are at risk of COVID-19 and provides people with important information, including ways to avoid the novel coronavirus and its symptoms.
The ‘Sarthak’ application has additional features and it contains the names of people who are meant to be quarantined, information about the type of phone they use and their last known location – at times as accurate as within 5 metres – and was available for download on the government’s website.
Nand Kumaram, the Chief Executive Officer (CEO) of MAP-IT, confirmed the same.
“The application has some personal information of the patients which should not have been there. Hence, we are going to remove it and (are) making it more secure.”Nand Kumaram, CEO, MAP-IT
MAP-IT is a part of Madhya Pradesh government’s Department of Science and Technology.
“Sarthak app is to help us in COVID-19 management and to keep track of patients. The information stored in the app is confidential and is not meant to be public. Nevertheless, we are trying to verify if names being made public on the portal are real ones or as stored in the app,” Kumaram added.
While commenting on the issue, MP-based public health expert SR Azad demanded an inquiry in the matter.
“The information of patients are for analysis and follow-up, not to stigmatise people and create terror among them. There should be a detailed inquiry and action should be taken against officials responsible.”SR Azad, MP-based public health expert
(Kashif Kakvi is a Bhopal-based freelance journalist. He can be reached @KashifKakvi.)
(At The Quint, we question everything. Play an active role in shaping our journalism by becoming a member today.)