“Jio,” the Mumbai-based telecommunications company, has exposed the core database of its Coronavirus symptom checker app. The database was left open on the Internet, without a password. This means that practically anyone could have accessed the database, which contained millions of logs and records generated by the users of the app. Jio has created and promoted the symptom checker app to help people determine their chances of having been infected and to seek medical help if needed. Being the largest operator in India, millions of people opted to use Jio’s app on their mobile phones without giving it much thought.
Anurag Sen discovered the exposed database on May 1, 2020, and after some back-and-forth communication that also involved TechCrunch, the leaky system was taken offline. Although the response was almost immediate, the period of exposure and the number of people who managed to access the database remain unknown. The oldest records date back to April 17, so if the misconfiguration was present from the very first setup, the period of exposure would be about two weeks. If that is the case, what kind of information was exposed? Unfortunately, it was quite revealing information about the users of the app.
The database contained symptom records, specific answers to the built-in quiz questions, people the users may have contacted in the previous days, and their precise geographic location. The latter is only available for users who allowed the app to access their device’s location data, and a large percentage of the userbase did. TechCrunch tested random samples of this data and managed to locate the homes of specific users by using the latitude and longitude information found in the database. Jio has decided not to comment any further on what happened, and so far, they haven’t made any effort to inform those who have had their sensitive information exposed online.
This is another example of the privacy risks that arise from the use of data-logging apps, especially those that don’t have robust data anonymization, masking, and encryption systems in place. Interestingly, these apps are used voluntarily, and they draw on people’s fear to collect data meant to help protect society from the spread of the Coronavirus. Even if this was the sole purpose behind the development of these apps, the privacy risks remain grave. If you think that you may have been infected with COVID-19, don’t use an app to figure it out. Instead, call your doctor and describe your symptoms, and they will guide you on what to do next.