Earlier today, the hacker had tweeted saying he has found security concerns on the app, adding that Congress leader Rahul Gandhi was right about calling it a surveillance tool. While Baptiste didn’t confirm what issues he had found, he said the Indian Computer Emergency Response Team (CERT-In) and the National Informatics Centre (NIC) had been in touch with him about the findings.

Based on the government’s response, it seems Baptiste had raised concerns about how the app logs user data. In its response, the Aarogya Setu team said that this is in accordance with the app’s privacy policy and is already explained there. The app collects the user’s location information at the time of registration, self assessment and when a user submits their contact tracing data voluntarily through the app or if the government fetches their data once a user has been found to be Covid-19 positive.

According to the app’s privacy policy, it collects a user’s location data, name, phone number, age, sex, profession and countries visited in the last 30 days. These are stored in a server in an encrypted manner and with a unique digital id, which the app calls a DiD. The app shares this DiD between phones of users who have the app, when it sees them come within Bluetooth range of each other. While the DiDs are stored on users phones after an exposure event, it’s not visible to the users of said phones.

It’s worth noting that the app also collects the user’s location continuously in 15 minute intervals and uploads this data to the government’s server if a person tests positive for Covid-19, or if their self-assessments are yellow/orange. The privacy policy, however, states that the location data isn’t uploaded to the server as long as self assessment tests are in green.

Baptiste’s second concern seems to have been about the app allowing users to display Covid-19 stats by using automated scripts. Users can get this data by changing the latitude and longitude locations data the app is getting from their phone. This can be done using GPS spoofing programs, and would reveal the stats for a location to everyone.

However, the government argues that such data is public already and running a script on the app is no different from asking people about the situation at their location. The team said that radius parameters are defaulted to 500 metres, 1km, 2km, 5km and 10km, and any other parameter will default back to 1km. This means people cannot set custom locations to pinpoint a certain colony, or place as they want.

In response to the government’s statement, Baptiste sent out a tweet saying he will “come back” tomorrow. “Basically you said ‘nothing to see here’. We will see,” he said in his tweet….