Amnesty International alerts on contact tracing applications

Amnesty International alerts on contact tracing applications Cybersecurity

In terms of privacy, contact tracing applications from Norway, Bahrain and Kuwait are the most dangerous, since they track the location of their users in almost real time. These apps take a “centralized invasive approach” and pose a “great privacy threat,” according to an Amnesty International study.

Invasive surveillance tools

However, the group’s research does not include the countries of Asia or the United States. Conducted by Amnesty’s Security Lab, the study assesses contact tracing applications in Europe, the Middle East and North Africa. It includes detailed technical analyzes of 11 applications in Algeria, Bahrain, France, Iceland, Israel, Kuwait, Lebanon, Norway, Qatar, Tunisia and the United Arab Emirates, according to a press release published this Tuesday.

The study distinguishes the applications “BeAware” in Bahrain, “Shlonik” in Kuwait and “Smittestopp” in Norway as the “most alarming mass surveillance tools” ever evaluated by the laboratory. “These three applications make it possible to locate users in real or almost real time, by frequently downloading the GPS coordinates to a central server,” he explains.

“Bahrain, Kuwait and Norway have paid little attention to people’s privacy, with highly invasive surveillance tools that go far beyond what is warranted in efforts to combat Covid-19. Privacy should not be another victim as governments rush to deploy applications, ”said Claudio Guarnieri, who heads the security lab.

Norway suspends application

Norway, however, has just withdrawn its application, Smittestopp. The country has deleted all data collected via the contact search application and is suspending its use. The country’s data protection authority had ruled that the application disproportionately violated the privacy of users.

Claudio Guarnieri welcomed the decision, saying that the laboratory had reported its findings to the Norwegian authorities. “The Norwegian app is very intrusive and endangers people’s privacy. It’s the right decision to hit pause and go back to square one to design an app that puts privacy first, ”he says. “There are better options for balancing the need to track the spread of the disease and the protection of privacy … This episode should serve as a warning to all governments rushing into application development invasive and designed to endanger human rights. Privacy does not have to be a victim in the deployment of these applications. “

He further urged the governments of Bahrain and Kuwait to follow this example, and to suspend the use of their respective applications, since they essentially broadcast the locations of users to a government database in real time. “It is neither necessary nor proportionate in the context of a response to the public health problem,” he notes. “Technology can play a useful role in finding contacts to contain the Covid-19, but privacy should not be another victim as governments rush to deploy applications.”

Security breach

Amnesty study finds apps in Bahrain, Kuwait and Norway have adopted a centralized system, collecting location data via GPS and uploading it to a central database – tracking user movements in real time. The Qatar EHTERAZ application enabled real-time tracking of the location of all users or of certain people, but this option is currently disabled.

The laboratory adds that the authorities of these countries could associate this sensitive personal data with an individual, since Qatar, Bahrain and Kuwait required that users register with a national identification number. The Norway application was registered with a valid phone number.

According to Amnesty analysis, the Qatar contact search application contains a security breach that exposes the personal data of more than a million people, allowing hackers to access data such as identity and the quarantine sites designated by the users. The application has also been made mandatory since May 22. “The security vulnerability has been corrected,” said Amnesty, after informing the authorities in late May.

A population closely monitored

The study also notes that the Bahrain app is linked to a national TV show that offered prizes to people who stayed at home during Ramadan. Using the coordinates collected through the application, telephone numbers were chosen at random and called live on the air to check if the users of the application were at home. Those who were at home received an award. Authorities have also posted personal data from suspected Covid-19 cases online, including their nationality, age and travel history.

Amnesty adds that Bahrain and Kuwait have paired their applications with a bluetooth bracelet, which is used to ensure that the wearer stays close to the phone in order to apply quarantine measures. In Kuwait, the app also regularly checks the distance between the bracelet and the phone, by downloading location data every 10 minutes to a central server.

“Governments around the world must take a break from deploying their contact tracing applications when they are faulty or excessively intrusive, and dangerous to human rights. In order for them to play an effective role in the fight against Covid-19, their users must have confidence and know that their privacy will be protected, ”warns Claudio Guarnieri.

Supervise data collection and guarantee privacy

Amnesty spokesperson contacted by ZDNet says the organization recognizes the importance of this technology to support an effective response to the pandemic, but such applications should integrate privacy and data protection as soon as they are released. design. This means that any data collected must be the minimum necessary, and must be stored securely, he said.

“Any data collection must be limited to controlling the spread of Covid-19 and must not be used for any other purpose, including by law enforcement, for national security or immigration control . The data must also not be made available to third parties or used for commercial purposes. The download and use of contact tracing applications must be entirely voluntary. “

Amnesty has published its “best practices” regarding contact tracing applications. They include in particular the guarantee of consent and transparency, monitoring by independent experts and setting deadlines – so that the data are deleted as soon as the stated objective is achieved.



Rate article