Qatar: Contact tracing app security flaw exposed sensitive personal details of more than one million

Serious security vulnerabilities in Qatar’s mandatory contact tracing app, uncovered by Amnesty International, must act as a wake-up call for governments rolling-out COVID-19 apps to ensure privacy safeguards are central to the technology.

An investigation by Amnesty’s Security Lab discovered the critical weakness in the configuration of Qatar’s EHTERAZ contact tracing app. Now fixed, the vulnerability would have allowed cyber attackers to access highly sensitive personal information, including the name, national ID, health status and location data of more than one million users.

While the Qatari authorities were quick to fix this issue, it was a huge security weakness and a fundamental flaw in Qatar’s contact tracing app that malicious attackers could have easily exploited.

Amnesty alerted the Qatari authorities to the vulnerability shortly after making the discovery on Thursday 21 May. The authorities acted swiftly to fix the weakness by the end of Friday 22 May.

“While the Qatari authorities were quick to fix this issue, it was a huge security weakness and a fundamental flaw in Qatar’s contact tracing app that malicious attackers could have easily exploited. This vulnerability was especially worrying given use of the EHTERAZ app was made mandatory last Friday,” said Claudio Guarnieri, Head of Amnesty International’s Security Lab.

“This incident should act as a warning to governments around the world rushing out contact tracing apps that are too often poorly designed and lack privacy safeguards. If technology is to play an effective role in tackling the virus, people need to have confidence that contact tracing apps will protect their privacy and other human rights.”

Currently more than 45 countries have, or plan to, rollout COVID-19 contact tracing apps. Amnesty International is concerned that governments around the world, including Australia, France, Italy, the Netherlands and the UK, are rushing to embrace digital tools which undermine privacy, have not yet been proved to be effective, and could put individuals’ security at risk.

EHTERAZ was developed by Qatar’s Ministry of Interior and uses GPS and Bluetooth technology to track COVID-19 cases. The app, like many being introduced, remains highly problematic due to its lack of privacy safeguards. Sensitive personal information continues to be uploaded to a central database and the authorities can enable real-time location tracking of users at any time.

All governments must ensure contact tracing apps remain entirely voluntary and in line with human rights.

Last Friday, it became compulsory to download and use the app, which has been downloaded more than one million times from the Google Play Store alone. People who do not use the app could face up to three years in prison and a fine of QR200,000 (approx. US$55,000).

“The Qatari authorities must reverse the decision to make use of the app mandatory, and all governments must ensure contact tracing apps remain entirely voluntary and in line with human rights,” said Claudio Guarnieri.

Amnesty International’s Security Lab was able to access sensitive information, including people’s name, health status and the GPS coordinates of a user’s designated confinement location, as the central server did not have security measures in place to protect this data.

While Amnesty International recognizes the efforts and actions taken by the government of Qatar to contain the spread of the COVID-19 pandemic and the measures introduced to date, such as access to free healthcare, all measures must be in line with human rights standards.

The vulnerabilities were uncovered as part of a wider global analysis of contact tracing apps, aimed at assessing their human rights compliance.

Contact tracing is an important component of effective pandemic response, and contact tracing apps have the potential to support this objective. However, in order to be consistent with human rights obligations, these apps must build in privacy and data protection by design, meaning any data collected must be the minimum amount necessary, and securely stored. All data collection must be restricted to controlling the spread of COVID-19 and should not be used for any other purpose – including law-enforcement, national security or immigration control. It must also not be made available to any third party or for commercial use. Any individual decision to download and use contact tracing apps must be entirely voluntary.

 

Source: Amnesty International