Vulnerability in Qatar's COVID-19 app put its users' private information at risk

According to an Amnesty International investigation, personal information, including names, national ID numbers, health status and location data, could have been exposed.
By Laura Lovett
03:54 pm

The government of Qatar’s mandatory COVID-19-tracing app has come into question after an Amnesty International investigation exposed a weakness in its configuration that could have left it open to cyberattacks.

Once the vulnerability was flagged, authorities in Qatar updated and fixed the issue within a day, according to Amnesty International. However, if there had been an attack, it was possible that app users' personal information, including their name, national ID number, health status and location data, could have been exposed, the nonprofit explained.

The app, dubbed EHTERAZ, was designed by Qatar’s Ministry of Interior to help track the spread of the virus in the country. The app includes a bar code that reflects each individual’s health status – ranging from healthy to confirmed infected. The app was developed to employ both GPS and Bluetooth tracking. 

Use of the app is not optional for Qatari residents. Those not downloading the app can face up to three years in prison or a fine of QR200,000 ($55,000), according to the Amnesty International release. 

WHY IT MATTERS 

Coronavirus-tracing apps have cropped up as one possible avenue to help curb the spread of the virus and track where it's heading next. The World Health Organization says that contact tracing is important because it helps identify individuals that are at risk of becoming infected and could then go on to spread the disease.

While public health organizations and governments have been looking to employ the tech, it’s no secret that tracing apps have caused some concern. 

“Contact tracing apps collect and combine two highly sensitive categories of information: location and health status,” Ryan Calo, a professor of law at the University of Washington, and Kinsa CEO Inder Singh, said during a U.S. Senate committee hearing on big data and privacy protections. “It seems fair to wonder whether these apps, developed by small teams, will be able to keep such sensitive information private and secure. To the extent digital contact tracing – or any private, technology-driven response to the pandemic – involves the sharing of healthcare data with private parties, there is also the specter of inadequate transparency or consent.”

More recently, news has been emerging that the tracing efforts could be used for more than just COVID-19-related illness in the future. In Hangzhou, China, officials are proposing to make a health-tracking system permanent, according to CNBC. As part of the proposal citizens would get a score based on their medical records and lifestyle choices, like exercising or smoking. 

THE LARGER TREND 

We’ve seen a surge in contact-tracing apps across the world, from India to France and beyond. In early April, Apple and Google announced that they were teaming up on a project to introduce health-data-sharing and COVID-19-contact-tracing technologies to the lion's share of the smartphone market. In the longer term, the two companies have committed to building a Bluetooth-based contact-tracing functionality into their underlying operating systems.

Many countries are opting for Bluetooth-based tracing rather than a GPS-based tracing tool for privacy reasons. Bluetooth-based apps exchange signals between phones to detect other participating users in close proximity, instead of tracking locations.

For example, in March, Singapore launched its Bluetooth-enabled app called TraceTogether, to help support and supplement current contact-tracing efforts in the nation-state in an effort to reduce the spread of COVID-19.
