The onslaught of COVID-19 earlier this year spun countless governments into a panic, catalyzing the rushed development and deployment of contact tracing apps. Myriad privacy and data security concerns were dismissed as minor considerations in the face of the menace of COVID-19, and in many areas such apps were mandatory, leaving people with no choice to opt out. In the months that have followed, users around the world have paid the price.

“A privacy trash fire”

According to a recent report from Amnesty International, many governments have shown blatant disregard for their citizens’ privacy and data security:

Amnesty’s Security Lab reviewed contact tracing apps from Europe, Middle East and North Africa, including a detailed technical analysis of 11 apps in Algeria, Bahrain, France, Iceland, Israel, Kuwait, Lebanon, Norway, Qatar, Tunisia and United Arab Emirates, some of which ranged from bad to dangerous for human rights. Bahrain’s ‘BeAware Bahrain’, Kuwait’s ‘Shlonik’ and Norway’s ‘Smittestopp’ apps stood out as among the most alarming mass surveillance tools assessed by Amnesty, with all three actively carrying out live or near-live tracking of users’ locations by frequently uploading GPS coordinates to a central server.

Claudio Guarnieri, Head of Amnesty International’s Security Lab called the global implementation of the apps a “privacy trash fire,” expressing extreme concern about the security of users’ data. He remarked:

Bahrain, Kuwait and Norway have run roughshod over people’s privacy, with highly invasive surveillance tools which go far beyond what is justified in efforts to tackle COVID-19.

The chief offenders

After Amnesty International shared its findings with Norweigan government officials, Norway halted the deployment of its contact-tracing app, Smittestop, over privacy concerns.

Guarnieri also urged the governments of Bahrain and Kuwait to press the brakes on their apps until necessary improvements can be made:

They are essentially broadcasting the locations of users to a government database in real time – this is unlikely to be necessary and proportionate in the context of a public health response. Technology can play a useful role in contact tracing to contain COVID-19, but privacy must not be another casualty as governments rush to roll out apps.

Qatar: Exposing “sensitive personal details” of one million people

Qatar’s app and government mandates regarding its usage were also particularly troubling, but were thankfully ameliorated following Amnesty’s discoveries. The report related:

A major security vulnerability was identified in Qatar’s EHTERAZ app, which exposed sensitive personal details of more than one million people. This was especially concerning as the app was made mandatory to use on 22 May. The vulnerability was fixed after Amnesty alerted the authorities to the discovery at the end of May. The security flaw would have allowed cyber attackers to access highly sensitive personal information, including the name, national ID, health status and designated confinement location of users.

How should governments design contact tracing apps?

These are just a few examples of the privacy atrocities taking place around the globe; but one thing is clear: governments can do better. Gurnieri recommends that governments adopt a more decentralized approach that at the very least, lets citizens opt-in to contact tracing apps and doesn’t allow third-party access to user data:

Governments rolling out centralized contact tracing apps with real-time location tracking need to go back to the drawing board. There are better options available that balance the need to trace the spread of the disease without hoovering up sensitive personal information of millions of people.