Amnesty identifies most privacy-invasive Covid-19 contact-tracing apps

Bahrain, Kuwait and Norway have rolled out some of the most invasive Covid-19 contact-tracing apps, putting the privacy and security of hundreds of thousands of people at risk, an Amnesty International investigation has revealed.

The human rights group found the apps were “highly invasive mass surveillance tools”, which infringed users’ rights to privacy by collecting personal data beyond the needs for monitoring the spread of the coronavirus.

“Bahrain, Kuwait and Norway have run roughshod over people’s privacy, with highly invasive surveillance tools which go far beyond what is justified in efforts to tackle Covid-19,” said Claudio Guarnieri, head of Amnesty International’s Security Lab (ASL).

The Security Lab investigated the contact-tracing apps over the course of a month, including those from countries across Europe, the Middle East and North Africa. The focus was on apps used by Algeria, Bahrain, France, Iceland, Israel, Kuwait, Lebanon, Norway, Qatar, Tunisia and United Arab Emirates.

Bahrain’s ‘BeAware Bahrain’, Kuwait’s ‘Shlonik’ and Norway’s ‘Smittestopp’ apps automatically upload users’ location data onto a central database, putting people’s privacy at risk, Rasha Abdul Rahim, deputy director of Amnesty Tech told Computer Weekly.

“What we are asking governments to do is to not automatically rush towards the most intrusive means or the most intrusive model for contact-tracing apps,” he said.

Norway’s privacy regulator, Datatilsynet, has given Norway’s public health department until 23 June to cease all data collection and storage after determining that the app is infringing the privacy of citizens.   

“Governments need to press pause on rolling out flawed or excessively intrusive contact-tracing apps that fail to protect human rights. If contract-tracing apps are to play an effective part in combating Covid-19, people need to have confidence their privacy will be protected”

ASL discovered a serious security flaw in May in Qatar’s “EHTERAZ” app which exposed the data of millions of people, including sensitive personal information such as their name, health status and location.

The human rights group said that some countries, including France, Iceland and the UAE, had created apps that collect data on the population without invading privacy.

These only upload sensitive information if an individual voluntarily decides to report themselves as symptomatic, or if they are requested to do so by the health authorities.

“This means there is still significant transparency about how data is being stored,” said Rahim.

Claudio Guarnieri, head of ASL, said: “Governments across the world need to press pause on rolling out flawed or excessively intrusive contact-tracing apps that fail to protect human rights. If contract-tracing apps are to play an effective part in combating Covid-19, people need to have confidence their privacy will be protected.”

Amnesty is hoping to meet and discuss Kuwait’s Shlonik app following an approach by the country’s government.