Contact tracing apps have the potential to slow the spread of COVID-19. But without proper security safeguards, some fear they could put users’ data and sensitive info at risk. Until now, that threat has been theoretical. Today, Amnesty International reports that a flaw in Qatar’s contact tracing app put the personal information of more than one million people at risk.
The flaw, now fixed, made info like names, national IDs, health status and location data vulnerable to cyberattacks. Amnesty’s Security Lab discovered the flaw on May 21st and says authorities fixed it on May 22nd. The vulnerability had to do with QR codes that included sensitive info. The update stripped some of that data from the QR codes and added a new layer of authentication to prevent foul play.
Qatar’s app, called EHTERAZ, uses GPS and Bluetooth to track COVID-19 cases, and last week, authorities made it mandatory. According to Amnesty, people who don’t use the app could face up to three years in prison and a fine of QR 200,000 (about $55,000).
“This incident should act as a warning to governments around the world rushing out contact tracing apps that are too often poorly designed and lack privacy safeguards. If technology is to play an effective role in tackling the virus, people need to have confidence that contact tracing apps will protect their privacy and other human rights,” said Claudio Guarnieri, head of Amnesty International’s Security Lab.