- As more countries roll out contact tracing apps to notify citizens when they have come into contact with someone who has tested positive for COVID-19, concerns are emerging about how this data could be used.
- Human rights organization Amnesty International called out the apps from Bahrain, Norway, and Kuwait for not anonymizing end-user data.
Amnesty International is issuing a warning that some of the new COVID-19 contact tracing apps may not just be an invasion of privacy but potentially put lives at risk. Contact tracing – the process of finding and notifying people who have interacted with an infected person so they can be tested and quarantine – is vital to allowing businesses, educational institutions, and governments to resume operations that are closer to normal even as the virus continues to spread.
A number of governments are rolling out contact tracing apps that use data collected from individuals’ phones to alert registered users if they come in close proximity to someone who tested positive for the COVID-19 virus. Amnesty International security researchers evaluated 11 new apps deployed by countries in North Africa, the Middle East, and Europe and found troubling issues with some of the apps, which the human rights organization described as running the gamut from bad to dangerous because they can be used for mass surveillance. Amnesty International called out apps from Bahrain, Kuwait, and Norway as being particularly egregious. Amnesty International said that all of the apps effectively surveilled users’ locations in real time or near-real time, transmitting GPS coordinates to a central database without masking the user’s identity.
Claudio Guarnieri, head of Amnesty International’s Security Lab, said through the apps, the countries “run roughshod over people’s privacy, with highly invasive surveillance tools which go beyond what is justified to tackle COVID-19.”
In response to the criticism, the Norwegian government said it would stop using the app. Norway is looking to develop a new, less invasive app.
Amnesty International pressed Bahrain and Kuwait to follow Norway’s lead and stop using the apps. The NGO also cited issues with apps from other countries including Qatar. Qatar’s EHTERAZ app can collect the live location of all users or particular individuals, though that function is not currently activated. A security vulnerability in the Qatar app that could have leaked personal identifying information (PII) details for one million people was previously identified and fixed.
The human rights organization noted that the Bahrain app had a television connection. During Ramadan, the show offered prizes to people who were in their houses. Ten phone numbers stored in the app’s database were chosen at random and dialed during the show to verify if the users were at home.
With many countries easing COVID-19 stay-at-home restrictions and reopening shuttered businesses, contact tracing is considered a key element in the next stage of the fight against the virus. However, a number of countries struggled to develop their own contact tracing apps, with privacy and politics not mixing well.
A cross-section of vendors, including Microsoft and a coalition spearheaded by Apple and Google, is rolling out contact tracing apps that use data collected from individuals’ phones to alert registered users if they have come in close proximity to someone who tested positive for the COVID-19 virus. Vendors say the data can be anonymized. The way the Google/Apple platform works is that it stores the encrypted data of phones that were within one meter of one another for more than 15 minutes. If that user reports a positive COVID-19 test, the app can alert the other phones that were in close proximity.