Bahrain, Kuwait and Norway's contact-tracing apps among most privacy-infringing
COVID-19 apps putting privacy and security of hundreds of thousands at risk
U-turn from Norwegian Government yesterday welcomed
‘Privacy must not be another casualty as governments rush to roll out apps’ - Claudio Guarnieri
Bahrain, Kuwait and Norway have rolled out some of the most invasive COVID-19 contact-tracing apps, putting the privacy and security of hundreds of thousands of people at risk, an Amnesty International investigation revealed today.
Amnesty’s Security Lab reviewed contact-tracing apps from various European and Middle Eastern countries, including a detailed technical analysis of 11 apps in Algeria, Bahrain, France, Iceland, Israel, Kuwait, Lebanon, Norway, Qatar, Tunisia and the United Arab Emirates.
Bahrain’s ‘BeAware Bahrain’, Kuwait’s ‘Shlonik’ and Norway’s ‘Smittestopp’ apps stood out as among the most alarming mass surveillance tools, with all three actively allowing live or near-live tracking of users’ locations by frequently uploading GPS coordinates to a central server.
Yesterday, the Norwegian government announced it would halt the use of its Smittestopp app after Amnesty shared its findings with the Norwegian Government and the country’s data protection agency.
Claudio Guarnieri, Head of Amnesty International’s Security Lab, said:
“Bahrain, Kuwait and Norway have run roughshod over people’s privacy, with highly invasive surveillance tools which go far beyond what is justified in efforts to tackle COVID-19.
“The Norwegian app was highly invasive and the decision to go back to the drawing board is the right one. We urge the Bahraini and Kuwaiti governments to also immediately halt the use of such intrusive apps in their current form. They are essentially broadcasting the locations of users to a government database in real time.
“Technology can play a useful role in contact tracing to contain COVID-19, but privacy must not be another casualty as governments rush to roll out apps.
“Governments across the world need to press pause on rolling out flawed or excessively intrusive contact-tracing apps that fail to protect human rights. If contact-tracing apps are to play an effective part in combating COVID-19, people need to have confidence their privacy will be protected.”
Qatar’s ‘EHTERAZ’ app
Qatar’s “EHTERAZ” app is capable of optionally activating live location tracking of all users or of specific individuals (at the time of writing it remains turned off). Authorities in all these countries can easily link this sensitive personal information to an individual, as Qatar, Bahrain and Kuwait require users to register with a national ID number, while Norway requires registration with a valid phone number.
Other apps assessed by the Security Lab - such as Tunisia’s “E7mi” - also follow a centralised model, but instead of recording GPS coordinates they use Bluetooth proximity scanning to monitor contact between users in real time. Qatar’s “EHTERAZ” records and uploads Bluetooth contact between users’ devices, along with the GPS coordinates of the encounter.
Meanwhile, Amnesty identified a major security vulnerability in the Qatari app, showing how it exposed sensitive personal details of more than one million people. This was especially concerning as the app was made mandatory to use on 22 May. The vulnerability was fixed after Amnesty alerted the authorities to the discovery at the end of May. The security flaw would have allowed cyber attackers to access highly sensitive personal information, including the name, national ID, health status and designated confinement location of users.
Bahrain’s BeAware app
Bahrain’s app was linked to a national television show called “Are You at Home?”, which offered prizes to those who stayed at home during Ramadan. Using contact details gathered through the app, every day ten phone numbers were randomly selected and called live on air to check if the app users were at home. Those who were won a prize. Inclusion in the TV programme draw was initially mandatory. The Bahraini authorities have also published online sensitive personal information of suspected COVID-19 cases, including an individual’s health status, nationality, age, gender and travel history.
Both the Bahraini and Kuwaiti apps can pair with a Bluetooth bracelet which is used to ensure the user remains in the vicinity of the phone, in order to enforce quarantine measures. The Kuwait app regularly checks the distance between the Bluetooth bracelet and the device, uploading location data every ten minutes to a central server.
Location data and additional diagnostic information from the Bluetooth bracelet linked to the BeAware Bahrain app are frequently sent to a central server. It is mandatory for all individuals registered for home quarantine to wear the bracelet, and those who do not can face legal penalties.
UK’s NHSX app
The UK’s NHSX contact-tracing app has yet to be rolled out. On 18 May, Amnesty wrote to the Health Secretary Matt Hancock setting out the seven key principles that should inform the UK Government’s decision about any nationwide roll-out of the current choice of COVID-19 contact-tracing app.