Bahrain, Kuwait and Norway have rolled out some of the most invasive COVID-19 contact tracing apps around the world, putting the privacy and security of hundreds of thousands of people at risk, an Amnesty International investigation reveals.

Amnesty’s Security Lab reviewed contact tracing apps from Europe, Middle East and North Africa, including a detailed technical analysis of 11 apps in Algeria, Bahrain, France, Iceland, Israel, Kuwait, Lebanon, Norway, Qatar, Tunisia and United Arab Emirates, some of which ranged from bad to dangerous for human rights, says Amnesty.

 Bahrain’s ‘BeAware Bahrain’, Kuwait’s ‘Shlonik’ and Norway’s ‘Smittestopp’ apps stood out as among the most alarming mass surveillance tools assessed by Amnesty, with all three actively carrying out live or near-live tracking of users’ locations by frequently uploading GPS coordinates to a central server.

“Bahrain, Kuwait and Norway have run roughshod over people’s privacy, with highly invasive surveillance tools which go far beyond what is justified in efforts to tackle COVID-19,” said Claudio Guarnieri, Head of Amnesty International’s Security Lab.

“The Norwegian app was highly invasive and the decision to go back to the drawing board is the right one. We urge the Bahraini and Kuwaiti governments to also immediately halt the use of such intrusive apps in their current form. They are essentially broadcasting the locations of users to a government database in real time – this is unlikely to be necessary and proportionate in the context of a public health response. Technology can play a useful role in contact tracing to contain COVID-19, but privacy must not be another casualty as governments rush to roll out apps," notes Guarnieri.

Authorities in all these countries can easily link this sensitive personal information to an individual, says Amnesty, as Qatar, Bahrain and Kuwait require users to register with a national ID number, while Norway requires registration with a valid phone number.

Chris Hazelton, Director of Security Solutions at Lookout, a San Francisco, Calif.-based provider of mobile phishing solutions, notes, “Google and Apple are providing the ability to track when users come into contact with others using only Bluetooth, which does not show where users are located, only that their device was near another device, identifying risk of exposure if one of those users has tested positive for COVID-19."

Many contact tracing app developers are using or adding additional tracking capabilities that depend on location data, he adds. "Using GPS, cellular, and Wi-Fi positioning data to show where a user has traveled, and in some cases reporting whenever a device changes location."

It is these location capabilities that create privacy issues as they allow government agencies to collect additional information about users, where they are located, where they go, and other information that can be gleaned or inferred from a detailed history of a user's location, Hazelton explains. "Some of these apps go further in gaining access to the address book, camera, or even microphone. While apps requesting access to data on the device and sensors may be used to provide helpful services like - sharing the app with friends, or helping users document their movements more easily, it is these capabilities that can also inadvertently disclose more information to agencies about a user than the user would like or be aware of," Hazelton says.