Can You Trust Your COVID-19 App?


U.S. -- ILLUSTRATION -- In this photo illustration, the logos of coronavirus tracking applications (Healthlynked Covid-19, Covid Symptom Tracker, Apple Covid-19, Covid-19 tracker) are seen displayed on a smartphone on April 10, 2020, in Arlington, Virginia.
Qatari Ministry of Interior

“EHTERAZ is your trusted smart application to follow up on the latest updates of COVID-19 Coronavirus in Qatar.”

Misleading

EHTERAZ is a COVID-19 contact-tracing app developed by Qatar’s Ministry of Interior. In May, the government made installation mandatory at risk of up to three years in prison and a $55,000 fine.

The app allows the Qatari authorities to keep track of coronavirus infections using GPS and Bluetooth technologies. It also provides people with COVID-19 safety information and situational updates.

EHTERAZ requires users to register with their national personal identification number and has more than 1 million downloads on Google Play alone.

The developers describe the app as: “[Y]our trusted smart application to follow up on the latest updates of COVID-19 Coronavirus in Qatar.”

The claim is misleading, as are similar claims about apps in some other countries.

In a June 16 report, the Amnesty International Security Lab listed EHTERAZ among the contact-tracing apps that are “most dangerous for privacy” used by governments in the pandemic.

An earlier AI Security Lab study criticized the app for a “huge security weakness” and failure to protect personal data collected by the app and housed on a central computer server.

“Amnesty International’s Security Lab was able to access sensitive information, including people’s name, health status and the GPS coordinates of a user’s designated confinement location, as the central server did not have security measures in place to protect this data,” AI said in its May 26 report.

Amnesty said the Qatari authorities quickly fixed the issue after it notified them of the problem. Qatar’s Ministry of Interior described EHTERAZ’s latest update on June 24 as “[m]inor bug fixes and enhancement.” But Amnesty said that still fell short.

The fixes did not eliminate the options that allow for possible mass surveillance, Amnesty said. “The app is capable of optionally activating live location tracking of all users or of specific individuals,” the lab reported, while noting that the feature was turned off for now.

The American Civil Liberties Union (ACLU) has said coronavirus tracing apps, whether designed by governments or private enterprises like Google and Apple, should meet five “minimal” safeguards: consent, limitations on use, minimal data collection, data destruction when finished, transparency about what’s being collected and how the collected data is being stored and used, and termination once the pandemic passes.

In addition to the Amnesty investigations, the Massachusetts Institute of Technology created a database of 25 COVID-19 contact tracing apps used by governments. MIT said its COVID Tracing Tracker is intended “to capture details of every significant automated contact tracing effort around the world.”

MIT reported that nearly all coronavirus tracing apps in its database breach either one or all of the ACLU safeguard policies. The AI Security Lab identified dozens of governments that use COVID-19 tracing apps with “highly invasive surveillance” capabilities.

China uses technology to “tighten” the government’s “grip on citizens,” an AI report on Chinese tracing apps concluded.

Amnesty faulted Bahrain and Norway for use of centralized tracking in their apps, saying the countries are running “roughshod over people’s privacy, with highly invasive surveillance tools which go far beyond what is justified in efforts to tackle COVID-19.”

Norway paused its contact-tracing app, called Smittestopp, after consultations with Amnesty International. In mid-June, after the country’s Data Protection Agency raised concerns that it was constantly uploading users’ data without their consent, Norwegian health authorities deleted data and halted uploads. According to a report by TechCrunch, the app had been downloaded 1.6 million times and was in use by 14 percent of Norwegians older than 16.

In a statement, Norway’s health minister, Camilla Stoltenberg, defended the app: “With this, we weaken an important part of our preparedness for increased spread of infection, because we lose time in developing and testing the app. At the same time, we have a reduced ability to fight the spread of infection that is ongoing.”

As for other countries:

  • Iran claims its popular coronavirus app Mask is a safe tool to protect people from being infected. The app, however, has been banned from Google Play for “collecting more data than its rules allowed.”
  • Turkey requires citizens to download the Hayat Eve Sığar app developed by its health ministry. The app does not inform users that the data they upload is being shared with the police.
  • Bahrain’s government promises to safeguard personal data collected by its COVID-19 app, BeAware. There is no indication Bahrain has responded to Amnesty listing the app as among those “most invasive” and “dangerous for privacy.”

Amnesty said countries such as France, Iceland and United Arab Emirates let users choose whether or not to upload personal data and explain how their data will be stored and used.

IT security firms report that COVID-19-related cyberattacks are “global and increasing,” with malicious cyber actors seeing the pandemic as an opportunity for mass hacking.

“We’ve seen significant rises in COVID19-related ransomware specifically since February, with some reporting indicating as much as a 900 percent rise in ransomware targeting the financial sector in particular,” AJ Nash, senior director of cyber intelligence strategy at the U.S.-based private cybersecurity firm Anomali, told Polygraph.info.

A recent report by Anomali identified 12 fake Android contact-tracing apps – identical to the government-required apps but equipped with malware that steals personal data.
