📢 NEW: In the last month @amnesty Security Lab analyzed many #COVID19 contact-tracing apps. We found apps from Kuwait, Bahrain and Norway among the most problematic, although privacy and security issues are common. THREAD 👇
amnesty.org/en/latest/news…
Kuwait #Shlonik, Bahrain #BeAwareBahrain and Norway #Smittestopp all conduct GPS tracking of their users. After they are installed, latitude and longitude are recorded and later uploaded to their central servers at different frequencies: from every few minutes to every hour. 😬
Both the apps from Kuwait and Norway also conduct Bluetooth contact tracing, and both also automatically upload records of contact to a central server allowing live monitoring of people's "contacts".
Weirdly, Kuwait's #Shlonik, instead of reading device identifiers off of nearby BLE services, WRITES its own identifier to nearby devices along with its current GPS coordinates. Kinda like leaving a signature on a guestbook 🤔
Most apps we've looked at, including those from Norway and Kuwait, exchange over Bluetooth a static identifier that is never rotated and is assigned to the user upon registration. Obviously, this could potentially be used by others to track users.
Most apps require some form of identification upon registration. For example, the apps from Bahrain, Kuwait, and Qatar all require a phone number and a national ID number. Norway requires just a phone number. Very few actually provide some form of anonymity. 😬
The apps from Bahrain and Kuwait also support pairing with Bluetooth bracelets, to track those who are supposed to be in quarantine. The apps continuously look for the bracelet, and if they don't remain in the proximity of the phone, authorities are alerted.
Bahrain's #BeAware app seems to also share data with a national TV show called "Are you at home?". During the show, app users are randomly selected and called up to make sure they are respecting lockdown measures. If they are at home, they win prizes. 🤯
bbc.com/news/av/world-…
Qatar's #EHTERAZ app is problematic. It is mandatory, millions use it, and weeks ago we found a glaring privacy issue that would allow an attacker to get names, location, health status and more of all users. Authorities fixed the issue after our alert.
#EHTERAZ also does centralized Bluetooth contact tracing similarly to the apps from Kuwait and Norway. In addition, it is capable of turning on GPS tracking for everyone or for specific individuals at any time.
Many apps embed analytics frameworks and additional data is therefore shared with commercial third parties. In the case of Kuwait's #Shlonik, for example, GPS coordinates of its users are also shared with @onesignal.
The Ministry of Health of Bahrain also publishes an accurate list of COVID19 cases on their website, including age, nationality, travel history and context around the infection. 😬
moh.gov.bh/COVID19/Contac…
There are many flavors of contact tracing apps. Many follow a centralized architecture. Some upload data very frequently, others only upon request of health authorities or self-report by the users. You can find technical notes from our analyses here:
github.com/amnestytech/co…
All in all, concerns over necessity and proportionality of the invasion of people's right to privacy can be found across the board. While the efficacy of these measures is still highly debated, privacy-preserving models are already available and should be explored first.
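The two design points raised in this thread, static Bluetooth identifiers that let anyone who logs them link a user across places, and centralized upload of contact records versus a privacy-preserving alternative, can be illustrated with a small simulation. The code below is an added example written for this page; it is not code from Amnesty's technical notes or from any of the apps discussed. It assumes a hypothetical scheme in which each phone derives rotating ephemeral identifiers from a per-day secret key with HMAC-SHA256, rotates them every 15 minutes, and performs exposure matching locally after downloading the daily keys of users who reported positive. The parameters, function names and the observation lists are constructed for the example.

```python
import hashlib
import hmac
from collections import defaultdict

# Assumed parameters (not from the thread): one secret key per day,
# and a fresh broadcast identifier every EPOCH_MINUTES.
EPOCH_MINUTES = 15
EPOCHS_PER_DAY = 24 * 60 // EPOCH_MINUTES


def ephemeral_ids(daily_key: bytes, day: int) -> list:
    """Derive the rotating identifiers a device broadcasts during one day.

    Each identifier is the first 16 bytes of HMAC-SHA256(daily_key, "day:epoch").
    Without the daily key, the identifiers of different epochs cannot be linked
    to each other, which is what prevents third parties from tracking a user.
    """
    return [
        hmac.new(daily_key, f"{day}:{epoch}".encode(), hashlib.sha256).digest()[:16]
        for epoch in range(EPOCHS_PER_DAY)
    ]


def linkable_identifiers(sightings) -> int:
    """Count identifiers observed at more than one location.

    `sightings` is a list of (location, identifier) pairs as a passive observer
    would log them. A static identifier that never rotates shows up at every
    place its owner visits; a rotating identifier is seen at one place only.
    """
    places = defaultdict(set)
    for location, ident in sightings:
        places[ident].add(location)
    return sum(1 for seen_at in places.values() if len(seen_at) > 1)


def decentralized_match(my_observations, published_daily_keys) -> list:
    """Exposure matching done on the phone, not on a central server.

    `my_observations` holds (day, identifier) pairs this phone recorded locally.
    `published_daily_keys` holds (day, daily_key) pairs released by users who
    reported positive. The phone re-derives their identifiers and intersects;
    its own contact history never leaves the device.
    """
    reported = set()
    for day, key in published_daily_keys:
        reported.update(ephemeral_ids(key, day))
    return [(day, ident) for day, ident in my_observations if ident in reported]


def demo() -> dict:
    """Constructed scenario contrasting a static identifier with a rotating one."""
    # Static identifier assigned at registration and never rotated.
    static_sightings = [("cafe", b"user-42"), ("gym", b"user-42"), ("office", b"user-42")]

    # Rotating identifiers: a different value is broadcast in each 15-minute epoch.
    alice_key = hashlib.sha256(b"constructed daily key for alice").digest()
    alice_ids = ephemeral_ids(alice_key, day=100)
    rotating_sightings = [("cafe", alice_ids[32]), ("gym", alice_ids[40]), ("office", alice_ids[60])]

    # Bob's phone saw Alice once and an unrelated device once.
    bob_observations = [(100, alice_ids[40]), (100, b"\x00" * 16)]
    # Alice later reports positive and publishes her daily key.
    matches = decentralized_match(bob_observations, [(100, alice_key)])

    return {
        "static_linkable": linkable_identifiers(static_sightings),
        "rotating_linkable": linkable_identifiers(rotating_sightings),
        "exposures_found": len(matches),
    }


if __name__ == "__main__":
    print(demo())
```

In `demo()` the static identifier is linked across all three locations by a passive observer, while the rotating identifiers cannot be linked without the daily key, yet Bob's phone still learns of its single exposure to Alice once her key is published. The trade-off this shows is the one the thread points at: the matching step needs no central record of who met whom.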
One more funny anecdote from COVID19 apps: the Egyptian app plays audio recordings of Egyptian celebrities reminding people to wash their hands and stay home, at random times, startling some of its users. 😬😂