Norway, Bahrain, and Kuwait are amongst the "most dangerous" for privacy in their deployment of COVID-19 contact tracing apps, as they track their citizens' locations on a live or near real-time basis. These apps adopt an "invasive centralised approach" and pose a "great threat to privacy", according to an Amnesty International study.
The group's research, however, does not include countries in Asia or the US. Conducted by Amnesty's Security Lab, the study assessed contact tracing apps from Europe, the Middle East, and North Africa, and included detailed technical analyses of 11 apps in Algeria, Bahrain, France, Iceland, Israel, Kuwait, Lebanon, Norway, Qatar, Tunisia, and the United Arab Emirates, it said in a statement Tuesday.
It noted that Bahrain's BeAware Bahrain, Kuwait's Shlonik, and Norway's Smittestopp apps stood out as amongst the "most alarming mass surveillance tools" it evaluated. "All three actively carrying out live or near-live tracking of users' locations by frequently uploading GPS coordinates to a central server," it said.
Claudio Guarnieri, who heads the security lab, said: "Bahrain, Kuwait and Norway have run roughshod over people's privacy, with highly invasive surveillance tools that go far beyond what is justified in efforts to tackle COVID-19. Privacy must not be another casualty as governments rush to roll out apps."
Norway, though, just pulled its Smittestopp app, deleting all data collected via the contact tracing app and suspending further use of it. The country's Data Protection Authority had ruled that the app disproportionately intruded on users' privacy.
Guarnieri welcomed the move, saying the lab had shared its findings with Norwegian authorities. "The Norwegian app is deeply intrusive and put people's privacy at risk. It is the right decision to press pause and go back to the drawing board to design an app that puts privacy front and centre," he said. "There are better options available that balance the need to trace the spread of the disease with privacy... This episode should act as a warning to all governments rushing ahead with apps that are invasive and designed in a way that puts human rights at risk. Privacy doesn't need to be a casualty in the rollout of these apps."
He further urged the Bahraini and Kuwaiti governments to follow suit and halt the use of their respective apps, as these were essentially broadcasting the locations of users to a government database in real time. This was neither necessary nor proportionate in the context of a public health response, he noted.
"Technology can play a useful role in contact tracing to contain COVID-19, but privacy must not be another casualty as governments rush to roll out apps," he said.
According to the Amnesty study, the apps from Bahrain, Kuwait, and Norway adopted a centralised system, collecting location data through GPS and uploading this to a central database -- effectively tracking the movements of users in real time. It noted that Qatar's EHTERAZ app had an option to activate live location-tracking of all users or of specific individuals, though this was currently turned off.
The lab added that authorities in these countries could associate such sensitive personal data with an individual, since Qatar, Bahrain, and Kuwait required users to register with a national ID number, while Norway's app was registered with a valid phone number.
In Amnesty's analysis, Qatar's contact tracing app contained a security vulnerability that it said exposed personal details of more than one million people, enabling hackers to access data such as national ID and users' designated quarantine locations. The app has also been mandatory since May 22.
The security vulnerability was fixed, said Amnesty, after it informed the authorities about it at the end of May.
The study also noted that Bahrain's app was linked to a national television show that offered prizes to individuals who stayed at home during Ramadan. Using contact details gathered through the app, phone numbers were randomly selected and called live on air to check if the app users were at home. Those who were at home won a prize. Authorities also published personal data of suspected COVID-19 cases online, including their nationality, age, and travel history.
Amnesty added that Bahrain and Kuwait paired their apps with a Bluetooth bracelet, which was used to ensure the wearer remained in the vicinity of the phone in order to enforce quarantine measures. The Kuwait app also regularly checked the distance between the Bluetooth bracelet and the device, uploading location data every 10 minutes to a central server.
Guarnieri said: "Governments across the world need to press pause on rolling out flawed or excessively intrusive contact tracing apps that fail to protect human rights. If contact tracing apps are to play an effective part in combating COVID-19, people need to have confidence their privacy will be protected."
Asked why its study did not include Asian nations or the US, an Amnesty spokesperson told ZDNet its research was focused on Europe and MENA.
He noted that while the group acknowledged the importance of contact tracing in supporting effective pandemic response, such apps should build in privacy and data protection by design. This meant that any data collected must be the minimum necessary and securely stored, he said.
"All data collection must be restricted to controlling the spread of COVID-19 and should not be used for any other purpose, including law enforcement, national security or immigration control. It must also not be made available to any third party or for commercial use. Any individual's decision to download and use contact tracing apps must also be entirely voluntary."
Amnesty has laid out what it believes to be seven best practices for contact tracing apps, including ensuring consent and transparency, having independent expert oversight, and implementing time limits so that data is deleted as soon as it has served its declared purpose.