Among many news snippets these days, there is one news item that evokes doubts about security risks in using bluetooth enabled applications, and the responses of the various Government departments are strange, to say the least. Saw this on https://www.ndtv.com/india-news/aarogya-setu-app-developed-by-government-clarifies-after-row-with-rti-body-2317106
Most of us in India are aware about the Aarogya Setu app that is a Contact Tracing App during the Covid Pandemic virus and was highly recommended by the Government of India to be downloaded by all citizens. It has also been lauded by the WHO as a good initiative by India.
A notice has been served by the Central Information Commission (CIC) on the Government stating that “evasive answers” were given by the Government and its various ministries / departments National Informatics Centre (NIC) and Information Technology ministry regarding who developed the Aarogya Setu app.
I did download the app once on my phone and uninstalled it, when it became evident to keep Bluetooth settings “on” as mandatory on during its use, which I disliked, simply because it would expose my phone to potential hacking by unrecognised devices. If you switch on the Bluetooth settings to “non-discoverable” it defeats the very purpose of the Aarogya Setu app. I also was concerned whether the settings would drain the phone battery. This is because while your phone is “awake” and not in sleep mode, it will continuously be “searching” for pairable devices.
Leaving your Bluetooth on all the time can be dangerous, and hackers are exploiting the technology to access private information, spread malicious software and more. Although manufacturers are constantly trying to improve security and provide firmware update, they may be a step behind the hackers.
“Bluebugging” and “bluejacking” are techniques used by hackers to use someone else’s phone to make calls or send text messages to other nearby Bluetooth devices, who can then misuse the “contact” information for malicious purposes.
The Government has come out with a clarification that there was a public-private partnership for the development and that since April 2, 2020, public press releases and social media posts were made and the names of all those associated with the app and source code was made available in the public domain.
Several questions come to my mind regarding data privacy issues, who stores the data collected from millions of users, whether due process was followed by Government in appointing private developers and what were the commercial terms agreed upon.
But it is strange that when it is claimed that everything is in public domain, why the RTI (Right to Information) queries have not been answered properly by the various departments and each one washing their hands off the app?
It is really surprising that amnesia has set in and nobody knows who were the private developers involved in the public-private partnership, who created this app in record time of 21 days.