Qatar’s contact tracing app put over one million people’s info at risk

DOHA, QATAR - DECEMBER 11, 2017: A Muslim man talks on the phone at Villaggio Mall. Photo: Valery Sharifulin/TASS via Getty Images

Contact tracing apps have the potential to slow the spread of COVID-19. But without proper security safeguards, some fear they could put users’ data and sensitive info at risk. Until now, that threat has been theoretical. Today, Amnesty International reports that a flaw in Qatar’s contact tracing app put the personal information of more than one million people at risk.

The flaw, now fixed, left information such as names, national IDs, health status and location data exposed to attackers. Amnesty’s Security Lab discovered the flaw on May 21st and says authorities fixed it on May 22nd. The vulnerability had to do with QR codes that included sensitive info. The update stripped some of that data from the QR codes and added a new layer of authentication to prevent misuse.
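As an added illustration of the two designs the article contrasts (this is constructed example code, not EHTERAZ’s real QR format or the fix Qatar deployed): the weak design puts the sensitive fields inside the QR payload itself, so anyone who scans or photographs the code can read them; the hardened design puts only an opaque random token in the code, keeps the record server-side, and releases it only to an authenticated verifier. The record fields, the token/tag layout and the server-side key are all assumptions made for the example.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample record; the field names are assumptions for this example.
SENSITIVE_RECORD = {
    "name": "Example Person",
    "national_id": "00000000000",
    "health_status": "green",
}


def insecure_qr_payload(record):
    """Weak design: the QR code carries the sensitive fields in the clear.
    Scanning the code is enough to read every field."""
    return json.dumps(record, sort_keys=True)


# Hardened design (server side). Key and record store exist only on the server.
SERVER_KEY = secrets.token_bytes(32)
RECORDS = {}  # opaque token -> record


def issue_token(record):
    """Store the record server-side and put only an opaque token plus a MAC
    over it in the QR payload. Nothing sensitive is encoded in the code."""
    token = secrets.token_hex(16)
    RECORDS[token] = record
    tag = hmac.new(SERVER_KEY, token.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"token": token, "tag": tag})


def resolve(payload, verifier_authenticated):
    """Turn a scanned payload back into a record. Requires an authenticated
    verifier (the added authentication layer) and a valid tag, so a forged or
    altered token is rejected before any lookup."""
    if not verifier_authenticated:
        return None
    data = json.loads(payload)
    expected = hmac.new(SERVER_KEY, data["token"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, data["tag"]):
        return None
    return RECORDS.get(data["token"])


def fields_exposed_by_scanning(payload):
    """What a bare scan reveals: the set of keys present in the QR payload."""
    return set(json.loads(payload))


if __name__ == "__main__":
    weak = insecure_qr_payload(SENSITIVE_RECORD)
    hardened = issue_token(SENSITIVE_RECORD)
    print("weak QR exposes:", sorted(fields_exposed_by_scanning(weak)))
    print("hardened QR exposes:", sorted(fields_exposed_by_scanning(hardened)))
    print("unauthenticated resolve:", resolve(hardened, False))
    print("authenticated resolve:", resolve(hardened, True))
```

The point of the comparison is that the QR code is an untrusted channel: whatever is encoded in it should be treated as public, so the code should carry a reference to data rather than the data itself.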

Qatar’s app, called EHTERAZ, uses GPS and Bluetooth to track COVID-19 cases, and last week, authorities made it mandatory. According to Amnesty, people who don’t use the app could face up to three years in prison and a fine of QR 200,000 (about $55,000).

“This incident should act as a warning to governments around the world rushing out contact tracing apps that are too often poorly designed and lack privacy safeguards. If technology is to play an effective role in tackling the virus, people need to have confidence that contact tracing apps will protect their privacy and other human rights,” said Claudio Guarnieri, head of Amnesty International’s Security Lab.

For contact tracing apps like EHTERAZ to work, they need widespread adoption — Amnesty says mandating the apps is not the right approach. Security blunders like this one could discourage people from using the apps and undermine efforts to slow the spread of the virus.

Qatar’s misstep may encourage more countries to adopt the Apple-Google model. The “decentralized” API stores sensitive info on users’ phones rather than on a centralized server. It uses Bluetooth to exchange keys and it doesn’t gather location data. While the Apple-Google API can’t identify users, the apps that use the API may be able to, so security and privacy policies should be examined on an app-by-app basis. Hopefully incidents like this will remain rare.
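To make the “decentralized” idea concrete, here is a simplified simulation added to this article; it is not the Apple-Google API or any real app’s code, and the key sizes, interval count and derivation are assumptions chosen for the example. Each phone keeps a random daily key, broadcasts short-lived identifiers derived from it over Bluetooth, and records the identifiers it hears. Nothing about a user’s identity or location is exchanged, and matching happens on the device: when a user tests positive, only their daily key is published, and every other phone rederives the identifiers locally and checks them against what it saw.

```python
import hashlib
import hmac
import secrets

INTERVALS_PER_DAY = 144  # assumption: one rolling identifier per 10 minutes


def new_daily_key():
    """Random per-device, per-day secret; it never leaves the phone unless
    the user tests positive and chooses to publish it."""
    return secrets.token_bytes(16)


def rolling_id(daily_key, interval):
    """Short-lived identifier broadcast over Bluetooth. Derived from the daily
    key, so observers cannot link successive identifiers to one person."""
    return hmac.new(daily_key, interval.to_bytes(4, "big"), hashlib.sha256).digest()[:16]


class Phone:
    def __init__(self):
        self.daily_key = new_daily_key()
        self.seen = set()  # identifiers heard nearby; stored only on this device

    def broadcast(self, interval):
        return rolling_id(self.daily_key, interval)

    def observe(self, rid):
        self.seen.add(rid)

    def check_exposure(self, published_keys):
        """Local matching: rederive every identifier a positive user would have
        broadcast and see whether this phone ever heard one of them."""
        for key in published_keys:
            for interval in range(INTERVALS_PER_DAY):
                if rolling_id(key, interval) in self.seen:
                    return True
        return False


def simulate():
    """Constructed scenario: Alice and Bob are near each other for three
    intervals, Carol is elsewhere. Bob later tests positive."""
    alice, bob, carol = Phone(), Phone(), Phone()
    for interval in (10, 11, 12):
        alice.observe(bob.broadcast(interval))
        bob.observe(alice.broadcast(interval))
    published = [bob.daily_key]  # the only thing that leaves Bob's phone
    return alice.check_exposure(published), carol.check_exposure(published)


if __name__ == "__main__":
    alice_exposed, carol_exposed = simulate()
    print("Alice exposed:", alice_exposed)  # True
    print("Carol exposed:", carol_exposed)  # False
```

Note what the server never learns in this design: who was near whom, where anyone was, or which phones matched. That is the property the article attributes to the decentralized model, and it is also why the app built on top of such an API still matters; the app can add identifying data of its own around the exchange, which is why the article recommends app-by-app review.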
