Qatar’s contact tracing app put over one million people’s info at risk

Authorities have fixed the flaw in the mandatory app.

Valery Sharifulin via Getty Images

Contact tracing apps have the potential to slow the spread of COVID-19. But without proper security safeguards, some fear they could put users’ data and sensitive info at risk. Until now, that threat has been theoretical. Today, Amnesty International reports that a flaw in Qatar’s contact tracing app put the personal information of more than one million people at risk.

The flaw, now fixed, made info like names, national IDs, health status and location data vulnerable to cyberattacks. Amnesty’s Security Lab discovered the flaw on May 21st and says authorities fixed it on May 22nd. The vulnerability had to do with QR codes that included sensitive info. The update stripped some of that data from the QR codes and added a new layer of authentication to prevent foul play.

Qatar’s app, called EHTERAZ, uses GPS and Bluetooth to track COVID-19 cases, and last week, authorities made it mandatory. According to Amnesty, people who don’t use the app could face up to three years in prison and a fine of QR 200,000 (about $55,000).

“This incident should act as a warning to governments around the world rushing out contact tracing apps that are too often poorly designed and lack privacy safeguards. If technology is to play an effective role in tackling the virus, people need to have confidence that contact tracing apps will protect their privacy and other human rights," said Claudio Guarnieri, head of Amnesty International’s Security Lab.

For contact tracing apps like EHTERAZ to work, they need widespread adoption -- Amnesty says mandating the apps is not the right approach. Security blunders like this one could discourage people from using the apps and undermine efforts to slow the spread of the virus.

Qatar’s misstep may encourage more countries to adopt the Apple-Google model. The “decentralized” API stores sensitive info in users’ phones, rather than a centralized server. It uses Bluetooth to exchange keys and it doesn’t gather location data. While the Apple-Google API can’t identify users, the apps that use the API may be able to. So security and privacy policies should be examined on an app-by-app basis. Hopefully incidents like this will remain rare.