Bahrain, Kuwait and Norway Contact Tracing Apps Among Most Dangerous for Privacy

June 18, 2020

Bahrain, Kuwait and Norway have rolled out some of the most invasive COVID-19 contact tracing apps around the world, putting the privacy and security of hundreds of thousands of people at risk, an Amnesty International investigation reveals.

Amnesty’s Security Lab reviewed contact tracing apps from Europe, Middle East and North Africa, including a detailed technical analysis of 11 apps in Algeria, Bahrain, France, Iceland, Israel, Kuwait, Lebanon, Norway, Qatar, Tunisia and United Arab Emirates, some of which ranged from bad to dangerous for human rights, says Amnesty.

Bahrain’s ‘BeAware Bahrain’, Kuwait’s ‘Shlonik’ and Norway’s ‘Smittestopp’ apps stood out as among the most alarming mass surveillance tools assessed by Amnesty, with all three actively carrying out live or near-live tracking of users’ locations by frequently uploading GPS coordinates to a central server.

“Bahrain, Kuwait and Norway have run roughshod over people’s privacy, with highly invasive surveillance tools which go far beyond what is justified in efforts to tackle COVID-19,” said Claudio Guarnieri, Head of Amnesty International’s Security Lab.

“The Norwegian app was highly invasive and the decision to go back to the drawing board is the right one. We urge the Bahraini and Kuwaiti governments to also immediately halt the use of such intrusive apps in their current form. They are essentially broadcasting the locations of users to a government database in real time – this is unlikely to be necessary and proportionate in the context of a public health response. Technology can play a useful role in contact tracing to contain COVID-19, but privacy must not be another casualty as governments rush to roll out apps," notes Guarnieri.

Authorities in all these countries can easily link this sensitive personal information to an individual, says Amnesty, as Qatar, Bahrain and Kuwait require users to register with a national ID number, while Norway requires registration with a valid phone number.

Chris Hazelton, Director of Security Solutions at Lookout, a San Francisco, Calif.-based provider of mobile phishing solutions, notes, “Google and Apple are providing the ability to track when users come into contact with others using only Bluetooth, which does not show where users are located, only that their device was near another device, identifying risk of exposure if one of those users has tested positive for COVID-19."

Many contact tracing app developers are using or adding additional tracking capabilities that depend on location data, he adds. "Using GPS, cellular, and Wi-Fi positioning data to show where a user has traveled, and in some cases reporting whenever a device changes location."

It is these location capabilities that create privacy issues as they allow government agencies to collect additional information about users, where they are located, where they go, and other information that can be gleaned or inferred from a detailed history of a user's location, Hazelton explains. "Some of these apps go further in gaining access to the address book, camera, or even microphone. While apps requesting access to data on the device and sensors may be used to provide helpful services like - sharing the app with friends, or helping users document their movements more easily, it is these capabilities that can also inadvertently disclose more information to agencies about a user than the user would like or be aware of," Hazelton says.

You must login or register in order to post a comment.

ON DEMAND: DevSecOps creates an environment of shared responsibility for security, where AppSec and development teams become more collaborative. With the right training and tools, developers can become more hands-on with security and, with that upskilling, stand out among their peers... however, they need the security specialists on-side, factoring them into securing code from the start and championing this mindset across the company.

ON DEMAND: The insider threat—consisting of scores of different types of crimes and incidents—is a scourge even during the best of times. But the chaos, instability and desperation that characterize crises also catalyze both intentional and unwitting insider attacks. Learn how your workers, contractors, volunteers and partners are exploiting the dislocation caused by today's climate of Coronavirus, unemployment, disinformation and social unrest.

Security Magazine

2020 September

This month in Security magazine, we bring you our 2020 Most Influential People in Security annual report, where we highlight 22 industry leaders, their path to security, careers, goals and guidance for future security professionals. Industry experts discuss the evolution of ransomware, houses of worship security, cybersecurity standards, security careers in investigations and the unifying power of security. Diane Ritchey, past Editor-in-Chief, says goodbye and thank you to our readers.

View More Create Account

Bahrain, Kuwait and Norway Contact Tracing Apps Among Most Dangerous for Privacy

Related Articles

Report Abusive Comment