Qatar coronavirus contact-tracing app 'fixed' to address privacy concerns
"The Ehteraz app’s user privacy and platform security are of the utmost importance. A comprehensive update of the app rolled out on Sunday 24 May with expanded security and privacy features for all users," Qatar's Ministry of Public Health wrote in a statement on Twitter, addressing the issue.
"These updates are part of the continuous work to review and improve the app's security, including issues brought to our attention by third party groups.
"#EHTERAZ is a vital component in our collective fight against COVID-19 and we thank #Qatar's citizens and residents for their cooperation," it added.
Ehteraz, the name of the app, is an Arabic word that means 'caution/safety'. With over 20,000 confirmed cases, Qatar has been hit hard by the coronavirus pandemic, but has managed to keep death rates low with stringent lockdown and testing measures.
Amnesty International had raised concerns, saying it found that the contact-tracing app exposed users’ ID numbers, location and infection status, making the information vulnerable to hackers.
Privacy concerns about the app were raised by citizens after it became compulsory to download and use the app.
Citizens who refuse to download the app risk up to three years in prison.
Last Friday, it became compulsory for people in Qatar to download and use the app, which has been downloaded more than one million times from the Google Play Store.
The app used a colour-coded “QR” system: if red, a user’s health status is “Confirmed” (supposedly diagnosed with Covid-19); if yellow, the user is in “Quarantine”; and if grey, the user is “Suspected”. Green means the user is “Healthy”.
“While the Qatari authorities were quick to fix this issue, it was a huge security weakness and a fundamental flaw in Qatar’s contact-tracing app that malicious attackers could have easily exploited,” said Claudio Guarnieri, Head of Amnesty International’s Security Lab.
“This vulnerability was especially worrying given use of the EHTERAZ app was made mandatory last Friday.”
“This incident should act as a warning to governments around the world rushing out contact-tracing apps that are too often poorly designed and lack privacy safeguards.
“If technology is to play an effective role in tackling the virus, people need to have confidence that contact-tracing apps will protect their privacy and other human rights.”
Amnesty had alerted Qatari authorities to the app’s vulnerability after discovering it on 21 May, and the authorities managed to fix the weakness by 22 May.
Qatar quickly took out the names and location data from the app, and then released an update to the app that adds a new layer of authentication to prevent data harvesting.
Governments around the world are working to develop similar contact-tracing apps in an effort to suppress the Covid-19 pandemic, after China successfully deployed such platforms.
However, they will be keen to strike the right balance between protecting the privacy of their users and achieving public health goals.
Last week, US tech giants Apple and Google said they were offering health authorities around the world their platform for coronavirus contact tracing, a key tool in trying to tame the pandemic.
Under their notifications system, someone exposed to a person who tests positive for COVID-19 will receive an alert on their phone.
In Europe, most countries are leaning toward use of the Apple-Google platform but France and Britain have opted to develop their own systems, currently being tested.
The two US firms said 22 countries had so far asked to use their platform and they expect more to come on board in the coming weeks.
Amid concerns about the security and use of the personal data such tracing apps will generate, Google and Apple laid down several conditions for the use of their technology.
The first is that any app based on it must be voluntary, not gather geolocation data and not be used for commercial purposes.
In addition, only one app per country is allowed, so that there is no competition involved, and it will be up to the individual user to declare whether they have been infected with the virus.
When the crisis has disappeared, the system must be taken down.
(With input from AFP)