https://saudigazette.com.sa/uploads/images/2020/05/27/1571203.jpg
The app permissions listed include “access precise location only in foreground,” “directly call phone numbers,” “read phone status and identity,” modify or delete the contents of your shared storage,” and “read the contents of your shared storage.” — Courtesy photo

Qatar's coronavirus app prompts questions of privacy breach

Lauren Holtmeier

DUBAI — Qatar’s new coronavirus contact tracing app was unveiled with a security risk that allowed for the data of more than 1 million users to be potentially harvested and requests a slew of odd and seemingly unnecessary app permissions.

Following rare backlash, officials were forced to offer reassurance and concessions, revising the app.

The app permissions listed include “access precise location only in foreground,” “directly call phone numbers,” “read phone status and identity,” modify or delete the contents of your shared storage,” and “read the contents of your shared storage.”

Contact tracing apps, including Qatar’s, use Bluetooth radio signals to “ping” nearby devices, which can be contacted subsequently if a user they have been near develops symptoms or tests positive, but the resultant unprecedented access to users’ location data has prompted fears about state surveillance.

Now updated, the app is mandatory for Qatari citizens and residents as the government tries to suppress the spread of coronavirus in the country. The country today reported 1,740 new coronavirus cases, and cases are still on the rise in the country. Almost 44,000 of Qatar’s 2.75 million people have tested positive for the respiratory disease — 1.6 percent of the population — and 23 people have died.

A new version of the software was released for Apple and Android on Sunday, promising “minor bug fixes,” but without indicating that the invasive aspects had been removed.

“The vulnerability (in the app) would have allowed cyber attackers to access highly sensitive personal information, including the name, national ID, health status and location data of more than one million users,” an Amnesty International report on the app read.

“There are two key concerns... with the app,” said Human Rights Watch researcher Hiba Zayadin.

It “is highly invasive, with a range of permissions allowing the government access to things that are not needed for the purpose of contact tracing, permissions that are unnecessary and present a concerning invasion of privacy.”

But also “many migrant workers in the country don’t have compatible phones that would allow them to download the app and comply.”

The app has so far been downloaded more than 1 million times, and those who do not use the app can face up to three years in prison.

The app relies on a color-coded QR system to alert Qataris of their health, but Amnesty reported that before authorities addressed the security issue, the QR code included personal information.

“Amnesty was able to access sensitive personal information — including names, health status and GPS coordinates of a user’s designated confinement location — as the app’s central server did not have security measures to protect such data,” the report read.

The government fixed the security flaw and added an extra layer of protection, but the watchdog group said it still had concerns about the app and its lack of privacy safeguards.

“Even now, Qatar’s app, like many being introduced, remains highly problematic due to its lack of privacy safeguards. Sensitive personal information continues to be uploaded to a central database and the authorities can enable real-time location tracking of users at any time,” the organization said.

Qatar is one of 45 countries currently using or planning to introduce contact tracing apps that are designed to help identify how coronavirus spreads, according to Amnesty.

“Contact tracing is an important component of effective pandemic response, and contact-tracing apps have the potential to support this objective. However, in order to be consistent with human rights obligations, these apps must incorporate privacy and data protection by design, meaning any data collected must be the minimum amount necessary and securely stored,” Amnesty said. — Al Arabiya English