Amnesty International Investigation Identifies the World’s Most Privacy-Invasive Contact Tracing Apps
Aside from relatively minor technical issues, the lone obstacle to a global rollout of Covid-19 contact tracing apps has been privacy concerns. These apps would unquestionably be a potent tool in reducing the impact of the pandemic, but they also have the potential to be a potent entrenched tool for any government inclined to implement a surveillance state.
Each country continues to grapple with implementing its own approach to contact tracing apps, even as the pandemic moves into the fourth month since drastic lockdowns in Italy prompted a wave of global panic. Some have decidedly higher concern for privacy and human rights than others, as a recent Amnesty International investigation reveals. The report finds serious issues of this nature among a collection of contact tracing apps from 11 countries, with some going so far as to track user GPS locations in real time.
The world’s worst contact tracing apps
Conducted by Amnesty International’s Security Lab, the investigation was geographically limited to Europe, the Middle East and North Africa. The countries examined ran the political gamut from representative democracies (France, Israel) to mixed and absolute monarchies (Qatar, United Arab Emirates). One might assume the latter to be less concerned about privacy and human rights issues, but the picture that the report paints is more complex than that. It’s true that Bahrain is among the most concerning of the current crop of contact tracing apps, but so is Norway. And Kuwait, which is widely regarded as one of the most democratic countries in the Middle East, has an app that is flagged as being more problematic than those of Qatar and UAE.
Amnesty identified Bahrain’s ‘BeAware Bahrain’, Kuwait’s ‘Shlonik’ and Norway’s ‘Smittestopp’ contact tracing apps as the most dangerous of the bunch, primarily because they all make use of real-time (or near-real-time) tracking of user GPS location data. In each case this data is fed to a central server controlled by the government. “Bahrain, Kuwait and Norway have run roughshod over people’s privacy, with highly invasive surveillance tools which go far beyond what is justified in efforts to tackle COVID-19,” said Claudio Guarnieri, Head of Amnesty International’s Security Lab. The report notes that Qatar’s “EHTERAZ” app also has this ability as an option, but it has yet to be activated; the app is presently using Bluetooth contacts instead.
Paul Bischoff, privacy advocate with Comparitech, points out that GPS is not optimal from either a privacy or efficacy standpoint: “GPS tracking is not the most effective or safe way to go about contact tracing because it is not accurate enough in most cases to determine whether two people came within a close enough distance to spread disease. GPS data is also difficult to anonymize, impacting the privacy of data subjects. That’s why more privacy-conscious contact tracing apps opt for Bluetooth, which is better for checking proximity.
Bahrain, Qatar and Kuwait take the additional step of requiring users to tie the app to a national ID number. For those that have received a quarantine order, the Bahrain and Kuwait contact tracing apps also incorporate the option to require a Bluetooth-based “handcuff” bracelet that the user must wear in order to ensure that they do not stray too far from their phone.
In Norway, Smittestopp users are required to register with a valid phone number. Norway is the only country thus far to respond to the Amnesty study, halting the use of its contact tracing app while it re-evaluates security and privacy measures.
Security issues in contact tracing apps
The report also unearthed security flaws in at least one of the contact tracing apps. Qatar’s app contained a vulnerability related to its use of QR codes that potentially exposed the sensitive personal information of over a million users. The app uses QR codes to track users and assign a color code depending on their current diagnosis status. These codes could be retrieved by simply providing any citizen’s national ID number, and it was possible to scrape the database for every possible national ID combination. Not only did this create the possibility of viewing the status of others and even fraudulently using or altering their codes, it made an array of personal information accessible: quarantine location addresses, medical facilities accessed, and full names in both English and Arabic.
And though it is not a cybersecurity feature, the Bahrain government has been publishing sensitive personal information of those diagnosed with Covid-19 online through its public-facing website.
This report follows a mid-May revelation that the source code of the planned UK contact tracing app was riddled with potential security flaws, something that has contributed to ongoing delays in its rollout. Data security issues have surfaced in other areas, such as India and North Dakota.
Even among the apps that received relatively high marks from Amnesty, there are some questions about the potential for security breaches. For example, France’s app requires that data from Covid-19 cases be fed to a centralized server. There is no transparency in this system, making it very difficult to determine if the data could be de-anonymized in some way.
Can contact tracing apps be improved?
Apple and Google have presented a neutral alternative to centralized contact tracing apps that mostly neutralize the possibility of government abuse of the data collected, but also raise the possibility of abuse by Apple and Google.
Amnesty has proposed a seven-point plan for the development of independent contact tracing apps to tackle the spread of Covid-19. This proposal includes elements such as anonymity, data minimization and strict time limits for data retention.
All of this relies on countries prioritizing effective contact tracing over surveillance, however. Chris Hauk, consumer privacy champion with Pixel Privacy, observes that some of the privacy invasion may be by design: “Amnesty International’s investigation uncovers the unfortunate fact that many governments have absolutely no respect for the privacy of their citizens. These countries have chosen to exploit the COVID-19 pandemic, seeing it as an opportunity to increase the tracking and surveillance of their citizens. These apps go far beyond what is required to perform COVID-19 contact tracing, violating the privacy of all users. This sadly discourages users from installing contact tracing apps on their devices, limiting the effectiveness of such apps.”