The coronavirus pandemic has changed the way a lot of us live our lives. Many people are now willing to keep their distance from strangers and wear masks in public, but the kind of freedoms that many contact tracing apps are asking people to give up is a cause for serious concern.
When experts first started talking about using contact tracing apps in order to keep the spread of coronavirus under control, lots of people expressed reservations about just how much such an app might infringe on their privacy. And now that a few countries have already instituted these apps, it would appear that those fears are indeed valid.
Contact tracing apps are normally downloaded onto people’s phones, and when a user comes into contact with a person who tested positive for the virus, they receive a notification informing them of their exposure and advising them to quarantine at home for two weeks.
Authorities will know who does not comply because most of these apps will notify them if a person who is supposed to be quarantining goes outside of a certain perimeter around their home. And leaving the phone at home is not a viable option because these apps are also required to enter businesses like grocery stores.
Many of the countries using these apps are able to link information about people’s whereabouts to their identity because users are required to register for the app using a national ID number or valid phone number in places like Qatar, Kuwait, Bahrain and Norway.
The human rights group Amnesty International recently carried out a study of popular COVID-19 contact tracing apps, and they found some very dangerous security issues.
There were three that stood out for being particularly invasive: the apps used in Bahrain, Norway and Kuwait.
The “Smittestopp” app that was being used in Norway was called out for its live or near-live tracking of people’s locations by uploading their GPS coordinates frequently to a central server.
Amnesty International was so alarmed by how invasive this app was that they contacted Norwegian authorities and encouraged them to make changes. In response, the Norwegian government agreed to stop using the app in its current form in what the group characterized as “a major win for privacy.”
The fact that these apps are so invasive isn’t exactly a surprise, but the BeAware Bahrain app took an unexpected turn when the group discovered it was being used to recruit contestants in the country for a TV game show. On Are You at Home, the program’s host used data collected by the government via the app to randomly call people at home and check if they were following social distancing guidelines. If they passed the test, they received a financial reward.
It turned out that people were giving their consent to appear on the show simply by downloading the app. After the report, the Bahrain government said it would make small changes to its app, including allowing users to opt out of the game show – which, incidentally, continues to run.
Kuwait’s app pairs with a Bluetooth bracelet that is used to make sure users remain in the vicinity of their phones to enforce the quarantine measures. That distance is checked regularly, and people’s location data is uploaded to a central server every 10 minutes.
Meanwhile, Amnesty International also discovered a major security vulnerability in the EHTERAZ app being used in Qatar that exposed more than a million people’s sensitive personal details. It would have enabled hackers to access people’s names, health status, national ID number, and designated confinement locations, and it’s particularly concerning because the country made use of the app mandatory. The flaw was fixed at the end of May after the authorities were alerted by Amnesty International.
No one wants to contract a potentially deadly disease, and it is clear that some governments are exploiting that fact so they can spy on their citizens. No one can even say for sure just how much these apps can actually help stem the spread of the virus, and it’s pretty clear that they could end up doing a lot more harm than good.