Amnesty names and shames countries with most invasive contact tracing apps
Written by James Orme Tue 16 Jun 2020
Amnesty says Bahrain, Kuwait and Norway contact tracing apps “most dangerous” for privacy
A security review of Covid-19 contact tracing around the world has singled out Bahrain, Kuwait and Norway for rolling out the most invasive tracking applications.
Amnesty International’s Security Lab analysed contact tracing apps from Europe, the Middle East and North Africa, although it stopped short of looking at apps from Asia.
As part of this review, 11 apps from Algeria, Bahrain, France, Iceland, Israel, Kuwait, Lebanon, Norway, Qatar, Tunisia and the United Arab Emirates received a detailed technical analysis. The UK’s attempt was not given heavy treatment (although there are doubts that the application will even be fully rolled out).
Amnesty described Bahrain’s ‘BeAware Bahrain’, Kuwait’s ‘Shlonik’ and Norway’s ‘Smittestopp’ apps as “the most alarming surveillance tools” out of the 11 the organisation analysed in detail.
“Bahrain, Kuwait and Norway have run roughshod over people’s privacy, with highly invasive surveillance tools which go far beyond what is justified in efforts to tackle COVID-19,” said Claudio Guarnieri, head of Amnesty International’s Security Lab.
The Norwegian government decided to pause using its contact tracing app hours before Amnesty published the research after the organisation shared its findings with the country’s data protection agency on 2 June. Meanwhile, the Bahrain and Kuwait applications are still live, with Amnesty calling on the governments to “immediately halt” their use.
Amnesty’s main metric here was the degree to which these apps tracked user locations live or near-live and uploaded the coordinates to a central server, an approach it argued was “unlikely” to be a necessary and proportionate response to the pandemic.
Privacy advocates and lawmakers have repeatedly called for such information to be stored in a decentralised fashion, in other words on user devices themselves, to prevent mass surveillance and reduce the risk of a data breach. Many also claim contact tracing can be performed effectively without GPS tracking, arguing Bluetooth proximity scanning, which monitors contact between users, is sufficient.
Different countries have adopted none or some of these approaches. Tunisia’s “E7mi” app, for instance, only tracks Bluetooth contact but follows a centralised model, while Qatar’s centralised “EHTERAZ” app records both Bluetooth contact and the location of the encounter.
Meanwhile, applications rolled out by France, Iceland and the United Arab Emirates store contact data centrally, but users are not obliged to upload the information.
Amnesty’s security team also revealed it discovered a vulnerability in Qatar’s app that exposed the details of more than one million people and which could have allowed hackers to access individuals’ names, national IDs, health statuses and locations. The organisation alerted the authorities to the flaw and it has since been fixed.
It’s not just the applications themselves that Amnesty criticised. Alarmingly, the organisation revealed Bahraini authorities published the personal information of suspected Covid-19 cases online. This information included the individual’s health status, nationality, age, gender and travel history.
What’s the solution? Amnesty called for countries to revisit contact tracing applications and ensure they build in privacy and data protection by design. This involves only collecting the minimum amount of necessary data, storing that data securely, anonymising it, and preventing its commercialisation by third parties. Using the apps must also be voluntary, Amnesty added.
“Governments rolling out centralized contact tracing apps with real-time location tracking need to go back to the drawing board. There are better options available that balance the need to trace the spread of the disease without hoovering up sensitive personal information of millions of people,” said Guarnieri.