Coronavirus: Qatar tracing app flaw 'exposed one million people's details'
Serious security vulnerabilities in Qatar’s mandatory coronavirus contact tracing app have exposed the personal details of a million people, Amnesty International said on Tuesday.
The flaw must act as a wake-up call for governments rolling out Covid-19 apps to ensure privacy safeguards are central to the technology, the rights group added.
An investigation by Amnesty’s Security Lab discovered the critical weakness in the configuration of Qatar’s contact tracing app Ehteraz, meaning "precaution".
Now fixed, the vulnerability would have allowed cyber attackers to access highly sensitive personal information, including the name, national ID, health status and location data of more than one million users, Amnesty said.
Last Friday, it became compulsory to download and use the app, which has been downloaded more than one million times from the Google Play Store alone.
People who do not use the app could face up to three years in prison and a fine of 200,000 Qatari riyals ($55,000).
The UK-based organisation alerted the Qatari authorities to the vulnerability shortly after making the discovery on Thursday.
The authorities acted swiftly to fix the weakness by the end of Friday, Amnesty said.
'Warning to governments'
“While the Qatari authorities were quick to fix this issue, it was a huge security weakness and a fundamental flaw in Qatar’s contact tracing app that malicious attackers could have easily exploited,” said Claudio Guarnieri, head of Security Lab.
“This vulnerability was especially worrying given use of the Ehteraz app was made mandatory last Friday.”
Guarnieri warned “governments around the world” are “rushing out contact tracing apps that are too often poorly designed and lack privacy safeguards”.
“If technology is to play an effective role in tackling the virus, people need to have confidence that contact tracing apps will protect their privacy and other human rights,” he said.
Almost 44,000 of Qatar's 2.75 million people have tested positive for the respiratory disease, 1.6 percent of the population, and 23 people have died.
Security forces manned checkpoints across Qatar on Sunday to ensure use of the app, local media reported, alongside checking for use of masks.
According to Amnesty, more than 45 countries have rolled out, or plan to roll out, Covid-19 contact tracing apps.
The organisation said it was concerned that governments around the world, including Australia, France, Italy, the Netherlands and the UK, are rushing to embrace digital tools which undermine privacy, have not yet been proved to be effective, and could put individuals’ security at risk.
Ehteraz was developed by Qatar’s interior ministry and uses GPS and Bluetooth technology to track Covid-19 cases.
The app's simple interface displays coloured bar codes containing the user's ID number - green for healthy, red for COVID-19 positive and yellow for quarantined cases.
Grey indicates suspected cases or those who have come into contact with infected individuals.
The app, like many being introduced, remains highly problematic due to its lack of privacy safeguards.
Sensitive personal information continues to be uploaded to a central database and the authorities can enable real-time location tracking of users at any time.
“The Qatari authorities must reverse the decision to make use of the app mandatory, and all governments must ensure contact tracing apps remain entirely voluntary and in line with human rights,” said Guarnieri.
Justin Martin, a journalism professor based in Qatar, warned authorities in a tweet not to "erode" trust by enforcing "an app with such alarming permissions".
Amnesty said that while it recognised the efforts and actions taken by the government of Qatar to contain the spread of the Covid-19 pandemic and the measures introduced to date, such as access to free healthcare, all measures must be in line with human rights standards.
The app's vulnerabilities were uncovered as part of a wider global analysis of contact tracing apps, aimed at assessing their human rights compliance, the organisation said.