Who would have thought that an app that’s supposed to curb the spread of the pandemic by tracking your behavior would be bad for privacy, right? You only need to look at the worldwide state of contact tracing apps to see that things aren’t too rosy.
Click the link above, and you’ll find apps from over 50 countries, rated by ProPrivacy according to several different factors:
- What technology they work with – Bluetooth (least intrusive), GPS or telecom location data, QR codes, hybrids that use two or more options
- Data collection and storage practices – apps that collect any data and transfer it to an external database aren’t considered private
- Data access privileges – even apps that let health officials access your data had at least one point detracted from the total score
- The privacy framework apps are built on (if any) – Bluetooth contact tracing apps, in particular, are divided between centralization and decentralization. In other words, whether the minimal data gathered by Bluetooth-based apps should be sent to a central system for alert purposes.
All this data is adequate for research purposes, but it doesn’t drive home just how ridiculous things can get. As such, we’ve gathered a few stories that will make you think twice before using a contact tracing app. Well, at least the kind that collects location data and other private details about you.
Here are four major cases that aren’t immediately obvious like, say, China color-coding its citizens’ access privileges in public places.
NHS Scraps App Due to Security Flaws
Governments have rushed out their own contact tracing apps as more of an impulse than a calculated move. The same applies to the official NHS app or at least the version that was rolled out in May. Initially, the NHS rejected building the app on the framework suggested by Apple and Google.
So what did the NHS accomplish on their own? The result was an app plagued by security flaws, such as:
- A registration process that would allow hackers to prevent authentic Covid-19 exposure notifications and create fake ones as well
- Storing data on handsets in an unencrypted format (i.e., not masked). The police could potentially use this data for surveillance purposes (e.g., seeing when two or more people have met)
Privacy concerns aside, the app wasn’t even successful at tracking proximity to other devices. Later, the project was abandoned and – ironically – redesigned using Google and Apple’s Bluetooth-based technology. The new app debuted on the App Store and Google Play Store on September 23.
Over One Million Records Exposed in Qatar
The second example of an app that wasn’t thoroughly checked before launch comes from Qatar. EHTERAZ, which was made mandatory on May 22, was investigated by Amnesty International and found to have serious problems with the way it handled its color-coded QR system.
Investigators found that the QR codes sent to the central server contained sensitive data about app users, including:
- Full names
- Health status
- GPS data from treatment and confinement locations
None of this information was properly secured in transit, something malicious actors could have easily exploited. Luckily, the vulnerability was fixed before anyone’s personal data was illegally accessed.
Bahrain Uses Contact Tracing App in Game Show
No, you didn’t read that wrong.
Users of Bahrain’s “BeAware” app were automatically signed up for a game show called “Are You At Home?” The game show’s title is pretty self-explanatory. App users had the chance to win 1,000 Bahraini dinars (around $2650) if they were found at home during Ramadan, in compliance with lockdown rules.
This decision was thought of as an incentive for the population actually to download and use the app. Bahrain’s Information & eGovernment Authority (iGA) later added an opt-out feature for those who did not want to participate. Now, the iGA website mentions that:
“[…] the software makes available only phone numbers without revealing any other details of individuals such as their names and locations.”
However, the recording seen in the BBC article above shows the game show host saying:
“[…] from the phone number, we are able to know where [the user’s] house is because [they are] registered in the BeAware app.”
Whatever the reality is, Amnesty’s investigation of Bahrain, Kuwait, Norway, and other countries’ contact tracing apps didn’t yield positive results. These three, in particular, carried out virtually live location tracking of their users. Only Norway has suspended its digital contact tracing in response to Amnesty’s findings.
Revealing Intimate Details in South Korea
When it comes to contact tracing apps, South Korea is one of the few success stories out there. The country managed to pull through so far without resorting to lockdowns, thanks to the work of its Immediate Response Teams and the data gathered from digital contact tracing. Of course, this data was combined with traditional contact tracing methods, as well as:
- CCTV footage
- Credit card data
- Travel and location data
The South Korean “safety guidance texts” include relatively vague information about new patients: gender, age range, and a case number. This doesn’t say much about a person. Still, the texts also include the names of the shops, restaurants, and other public venues they visited before being tested.
Now, the government and health officials having access to your personal data is one thing. Exposing that data to everyone around you is another deal entirely. Well, Covid-19 alerts in South Korea managed to reveal a lot about infected peoples’ lives, including:
- Whether they had an affair
- A possible attempt at insurance fraud (later denied by the patient after the press tracked her down)
- Supposed sexual promiscuity, which attracted online scrutiny. Health authorities later revealed that the patient had eaten at a restaurant in a neighborhood known for prostitution
- The sexual preference, identities, and even workplace of frequenters of Korean “gay clubs”, who were linked to a new wave of Covid-19 in May 2020
Obviously, the “detective work” in these revelations was done by online communities and reporters. However, the fact that so much could be discovered with minimal details shows the dangers of location and personal data-driven contact tracing.