

View Poll Results: Have you / are you going to install the Aarogya Setu app?
Yes, I already have or I will shortly 293 49.00%
No, I do not plan to 305 51.00%
Voters: 598
Old 9th May 2020, 23:54   #181
Senior - BHPian
 
Join Date: Apr 2006
Location: Bridgewater USA
Posts: 1,150
Thanked: 472 Times
Re: The Aarogya Setu App : Yes or No?

Voted No. Having witnessed all the data leaks, I currently don’t see any need for it and I too don’t want to share needless data with the government of India.
trammway is offline   (2) Thanks
Old 10th May 2020, 02:19   #182
Senior - BHPian
 
Join Date: Oct 2008
Location: Bangalore/Goa
Posts: 1,300
Thanked: 2,067 Times
Re: The Aarogya Setu App : Yes or No?

Quote:
Originally Posted by dailydriver View Post
A marketing guy once told me how, since people are accustomed to oiling their hair, unless twin packed with shampoo sachets, conditioners won't really find ready buyers in India.

The following Government of Karnataka circular, innocuously listing the steps for re-entry to the state from anywhere else in the country, adds a very simple, mandatory condition(er) [marked in red].

Attachment 2003835

Long live freedom of choice!
What happens to people without a smartphone?

Cheers,

Jay
JayPrashanth is online now   (2) Thanks
Old 10th May 2020, 02:33   #183
BANNED
 
Join Date: May 2020
Location: Srinagar
Posts: 19
Thanked: 20 Times
Re: The Aarogya Setu App : Yes or No?

Well, there are various Govt depts who have made it mandatory for their employees to use this app. In that case I would suggest to register via the phone number which is not registered with your bank accounts. I have heard this app is easily hackable, hence to be on safer side.

Last edited by khan_sultan : 10th May 2020 at 06:58. Reason: No SMS language please. Please type in proper English
aamirbhat is offline   (5) Thanks
Old 10th May 2020, 08:03   #184
Team-BHP Support
 
Join Date: Dec 2004
Location: MH-12
Posts: 8,439
Thanked: 13,947 Times
Re: The Aarogya Setu App : Yes or No?

After my previous post (The Aarogya Setu App : Yes or No?) on this topic when I had no opinion on installing this app, I did a lot of reading up and examined all potential exploits advertised by many security experts. I am convinced that low severity vulnerabilities are all that exist for the app. I haven't seen anything that can potentially take over data of 90 million Indians who have the app installed.

Moreover, a lot of hysteria seems to be surrounding any government initiative. I do have app, perimeter, physical and web security assessment as one of my core competencies for my job function. While I am no longer involved with direct security engagements on a tactical level, I am a key stakeholder for security assessment and decision making from a leadership standpoint. I don't see any harm in installing the app.

Here's an interesting individual's perspective I truly believe in:

1) https://blog.swaroopsy.com/2020/05/0...haar-security/

2) https://blog.swaroopsy.com/2020/05/0...ry-of-success/

If someone tells you that their commercial app is fully vulnerability free and cannot be exploited for low sev bugs, they are outright lying. It is common to have vulnerabilities, what is important is routine cadence for handling these with a pre-determined SLA for resolving them. I believe most security best practices are followed.
moralfibre is offline   (9) Thanks
Old 10th May 2020, 09:00   #185
BHPian
 
Join Date: May 2008
Location: Bangalore
Posts: 225
Thanked: 333 Times
Re: The Aarogya Setu App : Yes or No?

I must say I am a bit disappointed with many of the arguments in support of this app. Everyone in support always seems to have similar arguments, i.e.,
  • Every App has problems
  • The govt has the best intention
  • This will be a big step in the right direction to beat this virus.

But everyone seems to forget the 2 main tenets
  • The government forcing people to install the app without any independent third party security audit. All we are getting is bits and pieces of information (mainly from the so called "voluntary developers" and their networks touting the design and privacy aspects of the app). No one is forcing anyone to install a commercial app in your phone. It is your choice to install it. If someone points out a security vulnerability in a widely used commercial app, what will be your first action? Most likely you are going to uninstall it immediately. Can you uninstall the "setu" app if the govt says you cannot move around without it? (And for people who say that is not the case, wait for a few more weeks. The govt will make it mandatory for everyone if you want to even move around and will empower police to fine you and even arrest you if you do not have it.) The question is always about choice.
  • The efficacy of the app is very very questionable. It is based on a self assessment. One case where it fails miserably is the people who are completely asymptomatic (which a large number of people who have this virus are). Someone who is asymptomatic will always mark themselves as healthy and people who came into contact with them will still get the virus. This app gives a false sense of security as I have seen many people with "green" in the app (especially the older vulnerable people) thinking that they are safe. I have quite a few senior citizens in our community who have installed this app and think that it will solve all safety issues related to the virus. They trust the govt blindly and think the govt has their best interests (which is exactly the opposite of the interests of any govt. Any govt in India only cares for its best interests and not the best interests of its citizens).
The only proven way to beat this virus or at least control it is test, test and more tests, aggressive contact tracing (not using tech) , isolation and quarantine. The central and state govts have pretty much failed in these in the 6 weeks they had during lockdown and now are looking for flawed solutions and forcing it upon hapless citizens.

If the govt wants to make it mandatory for everyone with a smartphone to install this app, ask them to do these 3 basic things
  1. Open source the code
  2. Have independent third party security researchers analyse the app
  3. Promise that the app will be sunset once the pandemic is under control and all data will be deleted and the scope of the app will not be increased beyond contact tracing.
I personally do not expect the govt to do any of these things as transparency and accountability have never been part of any Indian govt agenda. Only wielding of power and beating up people who question them are the things they do well. There will be a day the people who are in support today will wonder what the heck they were thinking and by that time you would have given up all your liberties and freedom. Martin Niemöller and his quote "First they came.." is truly eternal.

Last edited by etrast75 : 10th May 2020 at 09:28. Reason: Fixed spelling mistakes
etrast75 is offline   (19) Thanks
Old 10th May 2020, 09:30   #186
Team-BHP Support
 
Join Date: Feb 2010
Location: S'pore/Thrissur
Posts: 7,249
Thanked: 12,318 Times
Re: The Aarogya Setu App : Yes or No?

Quote:
Originally Posted by skumare View Post
My employer mandated the app to be installed in (personal) phones before resuming work at office, citing similar apps being used in other countries. No mention about people who uses a feature phone. Not sure how long this is required.
Authorities asking is one thing, but the employer mandating? You should ask which other country has mandated this and the purpose.
vb-saan is offline   (3) Thanks
Old 10th May 2020, 09:35   #187
BHPian
 
Join Date: May 2008
Location: Bangalore
Posts: 225
Thanked: 333 Times
Re: The Aarogya Setu App : Yes or No?

Quote:
Originally Posted by vb-san View Post
Authorities asking is one thing, but the employer mandating? You should ask which other country has mandated this and the purpose.
Employers are mandating because the govt says that all private employees have to install it if they need to come to office. I am the director of a company and I have no choice but to tell my employees who want to come to office (we have not opened office yet) to install it or continue working from home. If they do not, guess who is liable.. Me, as a director.. Since WFH is anyway working out for us, I am thinking if we should just continue till this mandatory thing goes away (hopefully).
The more we work from Home, the more we are realising that it is a viable model and I am already thinking about cancelling our office expansion plans.
etrast75 is offline   (11) Thanks
Old 10th May 2020, 13:16   #188
Senior - BHPian
 
Join Date: Nov 2007
Location: Trivandrum
Posts: 1,278
Thanked: 4,082 Times
Re: The Aarogya Setu App : Yes or No?

NITI Aayog Program Director said the app was tested by IIT Madras and a reputed third party tech firm and its beta version was sourced out to ethical hackers for testing.

He claims whatever data the ethical hacker says to have exposed are in public domain.

Read his interview here:
https://timesofindia.indiatimes.com/...w/75650510.cms
deathwalkr is offline   (1) Thanks
Old 10th May 2020, 13:59   #189
Distinguished - BHPian
 
Join Date: Apr 2010
Location: New Delhi
Posts: 5,139
Thanked: 8,119 Times
Re: The Aarogya Setu App : Yes or No?

Quote:
Originally Posted by deathwalkr View Post
NITI Aayog Program Director said the app was tested by IIT Madras and a reputed third party tech firm and its beta version was sourced out to ethical hackers for testing.

He claims whatever data the ethical hacker says to have exposed are in public domain.

Read his interview here:
https://timesofindia.indiatimes.com/...w/75650510.cms
There's a lot of claims and counters, but where's the validation of those? Alderson, on the other hand, posted code to show what he was talking about. For starters, me thinks, NITI Aayog should make the report of IITM and the tech firm public, or at least name it(?).
mayankk is offline   (5) Thanks
Old 10th May 2020, 17:39   #190
BHPian
 
Join Date: May 2008
Location: Bangalore
Posts: 225
Thanked: 333 Times
Re: The Aarogya Setu App : Yes or No?

The Madhya Pradesh govt has exposed the private details of every single person who has been quarantined including name, their mobile phone, OS version, their current coordinates and the office location through their government portal.
Please tell me how this would have been possible without installing the "Aarogya Setu" app.

Search for geoportal.mp.gov.in in Google. The cherry on top is that the page is not even SSL secured. (Not that it matters, but it goes to show how much the govt knows about security and privacy.)
Still want to argue that the govt has no other motive and will not misuse your data from the app?

Update:

On reading more, it looks like MP govt has another app called Sarthak which Covid-19 cases are forced to download into their phones. But the concerns are the same. Here is a govt entity forcing an app on to people with no legal backing and then exposing their data to the whole wide world without their express consent.

Last edited by etrast75 : 10th May 2020 at 17:58. Reason: fixed spelling mistakes.
etrast75 is offline   (7) Thanks
Old 10th May 2020, 18:09   #191
BHPian
 
Join Date: Mar 2012
Location: KA03
Posts: 809
Thanked: 2,850 Times
Re: The Aarogya Setu App : Yes or No?

It's not the app, it's the government, silly!

Security and the technical aspects of the app are just one aspect of the app. What do you do if someone enters the government as an employee of this department, copies all the data and gives it to the "enemy" and quits? Isn't this what happened to banks? You have numerous checks before you can withdraw money from your bank and the bank has a good lock and security. But what if the bank manager approves a huge loan, transfers the money and then the beneficiary of the loan defaults?

Sorry, "trust me" isn't good enough for me.

I would like an app where no one has any access to the data at any time. Just as one user is walled off from the other users, so should the developers, the ISP, the government, and any others, in fact, consider every single party an adversary of the other. None has any special rights, consider it a zero trust situation. I don't know if this is even possible. Blockchain is somewhat like this, but I don't think it lends itself to solving such problems.
mvadg is offline   (5) Thanks
Old 10th May 2020, 20:52   #192
Senior - BHPian
 
Join Date: Feb 2017
Location: Cynical City
Posts: 1,213
Thanked: 6,365 Times
Re: The Aarogya Setu App : Yes or No?

The Indian Express reports that the Aarogya Setu app might actually be on to something good.

Quote:
...a test analysis conducted between April 13 and April 20 had identified 130 hotspot predictions, each of which was declared a real hotspot by the Ministry within 3-17 days.

These potential hotspots of 6-9 km area each were determined by using the previous two-week location history of the over 12,500 COVID-19 patients on the app as well as self-assessment information
Quote:
More than 23 per cent of the 85,000 individuals deemed to be the highest risk by the application have turned out to be COVID-19 positive after the information was sent to ICMR.
Quote:
THE HEALTH Ministry is passing on to states a list of over 600 potential hotspots at the sub-post office-level that were identified in an analysis conducted by developers of the Aarogya Setu app — none of these locations had been deemed as hotspots earlier.

The team discovered that they have the analytical ability to say that some regions could be stronger locations of positive people. Once they saw that plausibility, they immediately conveyed it to the Health Ministry. And that is now constantly being done.
Quote:
The idea now is that the ability to predict a potential hotspot must be translated into preventing that hotspot from happening... to stop that prediction from happening by your intervention. That’s what they will be doing now
The men behind the app
Quote:
Apart from government entities, a team of industry volunteers from companies like MakeMyTrip, Indihood and 1Mg, and academics at IIT Madras and IISc Bangalore, are involved in its operations.
Who gets to see the data analysis
Quote:
The dashboard is made available securely by Aarogya Setu to central health ministry, state health departments, district collectors, district chief medical officers and district surveillance officers.
Minimum requirements
Quote:
Wherever people have been able to download and keep their Bluetooth and GPS active, the predictions work. If people have not done this, then you can’t help it.
dailydriver is online now   (1) Thanks
Old 10th May 2020, 21:42   #193
BHPian
 
Join Date: Jan 2016
Location: Vormir
Posts: 93
Thanked: 348 Times
Re: The Aarogya Setu App : Yes or No?

Quote:
Originally Posted by etrast75 View Post
The Madhya Pradesh govt has exposed the private details of every single person who has been quarantined including name, their mobile phone, OS version, their current coordinates and the office location through their government portal.
Please tell me how this would have been possible without installing the "Aarogya Setu" app.

Search for geoportal.mp.gov.in in Google.
.
.
.

Update:

On reading more, it looks like MP govt has another app called Sarthak which Covid-19 cases are forced to download into their phones. But the concerns are the same. Here is a govt entity forcing an app on to people with no legal backing and then exposing their data to the whole wide world without their express consent.
I tried searching for this data but didn't find it in the search initially. But a look at Twitter provided an explanation where it went:


It seems the same guy who found vulnerabilities in the Aarogya Setu app tweeted about it which probably triggered the authorities to remove the data:
In India, the state of Madhya Pradesh created a #Covid19 dashboard with... - Elliot Alderson @fs0c131y

But as they say, "the internet never forgets" and you can find traces of this "beneficent" endeavor:
Quarantined Monitoring System | Based on Sarthak - Wayback Machine



Another member posted details about the SOP that is to be followed for people returning to Karnataka.

One point in the footnote is quite noteworthy and I quote:
"4. All passengers/returnees should download Arogya Setu, Quarantine Watch and Apthamitra Apps on their mobile phones irrespective of category"

So there's two more apps that you probably need to have. It's interesting to see the app permissions that are needed by the Quarantine Watch app.

We might get to know where our forum members live pretty soon.

Food for thought.
theMandarin is offline   (2) Thanks
Old 10th May 2020, 21:50   #194
Team-BHP Support
 
Join Date: Dec 2004
Location: MH-12
Posts: 8,439
Thanked: 13,947 Times
Re: The Aarogya Setu App : Yes or No?

Couldn't resist spotting this:

The Aarogya Setu App : Yes or No?-splitpoll.png

We are equally divided in our opinion
moralfibre is offline   (1) Thanks
Old 10th May 2020, 23:45   #195
Senior - BHPian
 
Join Date: Jul 2009
Location: Calcutta
Posts: 4,668
Thanked: 6,213 Times
Re: The Aarogya Setu App : Yes or No?

Quote:
Originally Posted by moralfibre View Post

We are equally divided in our opinion
And my vote would have tipped it over!

I didn't vote because the choices do not cover real scenarios.
On my own, as things stand now, I wouldn't touch it with multiple bargepoles.
But I have to function in the current environment in India, so I know at some point I will have to download and activate it. It is being shoved down our throats, much like Aadhar.
If our concerns were properly met (and that will start another long thread - what does properly mean), I would use it. Perhaps not enthusiastically, but philosophically. Rather than kicking and screaming. As needed for the current environment.

Sutripta
Sutripta is offline   (5) Thanks