Qatar: 'huge' security weakness in COVID-19 contact-tracing app

Amnesty’s Security Lab alerts authorities to serious privacy flaws in mandatory EHTERAZ app

People who do not use app can face up to three years in jail

Privacy concerns remain over UK’s intended contact-tracing app

‘People need to have confidence that contact-tracing apps will protect their privacy and other human rights’ - Claudio Guarnieri

Serious security vulnerabilities in Qatar’s mandatory coronavirus contact-tracing app, uncovered by Amnesty International, must act as a wake-up call to other governments to ensure privacy safeguards are central to the roll-out of similar apps. 

A recent investigation by Amnesty’s Security Lab discovered significant weakness in the configuration of Qatar’s EHTERAZ contact-tracing app, which has been developed by the Ministry of Interior using GPS and Bluetooth technology to track COVID-19 cases. 

Now fixed, the vulnerability would have allowed cyber attackers to access highly sensitive personal information, including the name, national ID, health status and location data of more than one million users. 

Last Friday, it became compulsory for people in Qatar to download and use the app, which has been downloaded more than one million times from the Google Play Store alone. People who do not use the app can face up to three years in prison. The app uses a colour-coded “QR” system - if red, a user’s health is “Confirmed” (supposedly having been diagnosed with COVID-19); if yellow, the user is “In Quarantine”; if grey, the user is “Suspected”; and if green the user is “Healthy”. 

However, before the authorities took action to address the vulnerability, the QR code included sensitive personal information such as names (in English and Arabic), the location of confinement and of treatment. Amnesty was able to access sensitive personal information - including names, health status and GPS coordinates of a user’s designated confinement location - as the app’s central server did not have security measures to protect such data. 

While Amnesty acknowledges efforts made by the government of Qatar to contain the spread of the COVID-19 pandemic - including access to free healthcare - all measures must be in line with human rights standards. 

Claudio Guarnieri, Head of Amnesty International’s Security Lab, said:

“While the Qatari authorities were quick to fix this issue, it was a huge security weakness and a fundamental flaw in Qatar’s contact-tracing app that malicious attackers could have easily exploited. 

“This vulnerability was especially worrying given use of the EHTERAZ app was made mandatory last Friday. 

“This incident should act as a warning to governments around the world rushing out contact-tracing apps that are too often poorly designed and lack privacy safeguards.

“If technology is to play an effective role in tackling the virus, people need to have confidence that contact-tracing apps will protect their privacy and other human rights.

“The Qatari authorities must reverse the decision to make use of the app mandatory, and all governments must ensure contact-tracing apps remain entirely voluntary and in line with human rights.”

How the security alert unfolded

Amnesty alerted the Qatari authorities to the app’s vulnerability shortly after making the discovery on 21 May, with the authorities acting to fix the weakness by the end of 22 May. 

When alerted to the privacy failings, the Qatari authorities stripped out names and location data. Then, on Sunday, the authorities released an update to the app that adds a new layer of authentication to prevent data harvesting. While these changes appear to fix the issue, Amnesty has been unable to fully verify whether they have. 

Even now, Qatar’s app, like many being introduced, remains highly problematic due to its lack of privacy safeguards. Sensitive personal information continues to be uploaded to a central database and the authorities can enable real-time location tracking of users at any time.

UK among countries seeking to use similar apps

The UK is also in the process of introducing a contact-tracing app for coronavirus based on a controversial central database model, something Amnesty has questioned on human rights grounds. 

The UK and Qatar are among more than 45 countries currently using - or intending to use - COVID-19 contact-tracing apps. Vulnerabilities in Qatar’s app were uncovered as part of Amnesty’s global analysis of such apps aimed at assessing their human rights compliance. 

Contact tracing is an important component of effective pandemic response, and contact-tracing apps have the potential to support this objective. However, in order to be consistent with human rights obligations, these apps must incorporate privacy and data protection by design, meaning any data collected must be the minimum amount necessary and securely stored. Data collection must be restricted to controlling the spread of COVID-19 and should not be used for any other purpose - including law-enforcement, national security or immigration control. It should not be made available to any third party or for commercial use. Any individual decision to download and use contact-tracing apps must be entirely voluntary.