Image credit: Valery Sharifulin via Getty Images

Qatar’s contact tracing app put over one million people’s info at risk

Authorities have fixed the flaw in the mandatory app.
DOHA, QATAR - DECEMBER 11, 2017: A Muslim man talks on the phone at Villaggio Mall. Valery Sharifulin/TASS (Photo by Valery Sharifulin\TASS via Getty Images)
Contact tracing apps have the potential to slow the spread of COVID-19. But without proper security safeguards, some fear they could put users’ data and sensitive info at risk. Until now, that threat has been theoretical. Today, Amnesty International reports that a flaw in Qatar’s contact tracing app put the personal information of more than one million people at risk.

The flaw, now fixed, made info like names, national IDs, health status and location data vulnerable to cyberattacks. Amnesty’s Security Lab discovered the flaw on May 21st and says authorities fixed it on May 22nd. The vulnerability had to do with QR codes that included sensitive info. The update stripped some of that data from the QR codes and added a new layer of authentication to prevent foul play.

Qatar’s app, called EHTERAZ, uses GPS and Bluetooth to track COVID-19 cases, and last week, authorities made it mandatory. According to Amnesty, people who don’t use the app could face up to three years in prison and a fine of QR 200,000 (about $55,000).

“This incident should act as a warning to governments around the world rushing out contact tracing apps that are too often poorly designed and lack privacy safeguards. If technology is to play an effective role in tackling the virus, people need to have confidence that contact tracing apps will protect their privacy and other human rights,” said Claudio Guarnieri, head of Amnesty International’s Security Lab.

For contact tracing apps like EHTERAZ to work, they need widespread adoption, yet Amnesty says mandating the apps is not the right approach. Security blunders like this one could discourage people from using the apps and undermine efforts to slow the spread of the virus.

Qatar’s misstep may encourage more countries to adopt the Apple-Google model. The “decentralized” API stores sensitive info on users’ phones rather than on a centralized server. It uses Bluetooth to exchange keys, and it doesn’t gather location data. While the Apple-Google API itself can’t identify users, the apps built on top of it may be able to, so security and privacy policies should be examined on an app-by-app basis. Hopefully incidents like this will remain rare.
