Contact Tracing Apps
|Contact Tracing Apps|
|Short Title||Contact Tracing Apps Based on Real Time Location Tracking|
|Solove Harm||Surveillance, Aggregation, Insecurity, Identification, Disclosure, Increased Accessibility|
|Information||Location, Identifying, Contact, Behavioral, Medical and Health|
|Threat Actors||Bahrain government, Kuwait government, Norway government, Qatar government|
|Affected||Bahrain residents, Kuwait residents, Qatar residents, Norway residents|
|High Risk Groups||Medical Patient|
Bahrain’s, Kuwait’s and Norway’s contact tracing apps considered to be the most dangerous in terms of privacy, primarily because they all use of near-real-time GPS tracking of user GPS location data.
In Spring and Summer 2020 countries all over the world make efforts to roll out contact tracing app programs to fight the pandemic of COVID19.
Amnesty International’s Security Lab investigated such apps from 11 countries, limiting their research to Europe, the Middle East and North Africa.
They identified Bahrain’s ‘BeAware Bahrain’, Kuwait’s ‘Shlonik’ and Norway’s ‘Smittestopp’ contact tracing apps as the most dangerous in terms of privacy, primarily because they all use real-time or near-real-time GPS tracking of user GPS location data to keep constant tabs on the locations of people Surveillance and identified them individually, e.g. via a registered phone number. Identification
This data is then fed to a central server controlled by the government. Aggregation
Bahrain, Qatar and Kuwait take the additional step of requiring users to tie the app to a national ID number, which is also an example of Aggregation and Identification.
Norweigian Data Protection Authority had ordered the contact tracing app to be suspended by June 23, 2020 due to concerns about potential General Data Protection Regulation (GDPR) personal data collection violations.
The country has announced that it is suspending the operation of its contact tracing app and will re-evaluate its function before re-activating it.
However, health authority has advised Norwegian citizens to leave the app on their phones for the time being. Given the knowledge imbalance, such advises coming from a Health Authority in a time of pandemic can be interpreted as Interrogation.
The report also shows insecurities in at least one of the contact tracing apps. Qatar’s app contained a vulnerability related to its use of QR codes that potentially exposed the sensitive personal information of over a million users.
The app uses QR codes to track users and assign a color code depending on their current diagnosis status. These codes could be retrieved by simply providing any citizen’s national ID number, and it was possible to scrape the database for every possible national ID combination. This create the possibility of viewing the status of others and fraudulently using or altering their codes, and also made an array of personal information accessible: quarantine location addresses, medical facilities accessed, and full names in both English and Arabic. Disclosure Increased Accessibility
Laws and Regulations
General Data Protection Regulation (GDPR)