On June 16, Amnesty International released a report by its Security Lab after testing eleven contact-tracing apps intended to assist governments in finding COVID-19 infections. Three countries stood out as having produced “alarming mass surveillance tools”: Bahrain, Kuwait, and Norway all used methods that the NGO considers “dangerous for human rights.”
“Bahrain, Kuwait and Norway have run roughshod over people’s privacy, with highly invasive surveillance tools which go far beyond what is justified in efforts to tackle COVID-19,” the head of Amnesty’s Security Lab stated. “Privacy must not be another casualty as governments rush to roll out apps.”
Norway stops app
Out of the three countries, one has already halted the use of its app. The Norwegian government made the decision hours after Amnesty International published the report. “The Norwegian app was highly invasive and the decision to go back to the drawing board is the right one,” Amnesty stated on their website.
The Norwegian app, Smittestopp, had not yet seen wide implementation but the invasive nature of the app’s design had prompted Norwegian data agency Datatilsynet to issue a warning. The agency said it would no longer allow Norway’s Institute of Public Health to access data generated by the app.
Camilla Stoltenberg, director of Norway’s public health institute, disputed the privacy claims and warned that the contact tracing app was needed in order to halt the local spread of coronavirus. “The pandemic is not over,” Stoltenberg stressed. The director’s concerns did not stop the government from halting the app and removing the data of its 600,000 users.
The central issue with the Norwegian app is similar to those regarding Bahrain and Kuwait’s apps, as well as those of apps in development for the governments of France and the UK. The apps feature a constant stream of data reported on users and uploaded to a national database, allowing the government to know where its citizens are at all times.
A similar issue arose with Qatar’s contact-tracing app, which similarly captured and shared GPS data. Outside sources could have accessed this data as a security vulnerability had the potential to expose the information to over one million Qataris. Qatari officials say they have since fixed the issue.
The Bahraini and Kuwaiti apps both record GPS data into a centralized database instead of using a method based on Bluetooth, which would only activate when the user is in close proximity with an infected person. But Bluetooth is far from a flawless technology, prompting countries like France and the UK to opt for a similar method to that of Bahrain and Kuwait.
Amnesty International fears that governments could misuse the wealth of data recorded by the apps. Bahrain attempted to provide a positive incentive to stay home by using its app’s data to produce “Are You Home?” The national television show would offer families prizes for staying home during Ramadan, verified using data from the BeAware Bahrain contact-tracing app.
While the show’s idea to provide positive incentives for COVID-19 adherence is commendable, the use of a public health database for such entertainment is not. Allowing anyone but the most qualified public health experts to access the recorded data highlights the potential for abuse.
Bahrain also published online data that revealed much about the demographics and personal details of people infected by COVID-19.
The Kuwaiti app used similarly centrally recorded data with vulnerabilities for potential abuse. The Kuwaiti app even used proximity reports between phones and Bluetooth bracelets to ensure people carried their phones with them.
After Norway’s quick response to Amnesty International’s analysis, the question remains as to what action Bahrain and Kuwait will take to prevent misuse of their contact-tracing apps.