Amnesty Int'l examines human rights violations by surveillance apps

The report shows that some of the apps pose a real risk of human rights violations.

SECURITY SURVEILLANCE monitors. Privacy advocates argue that even if the official transfer of data does not identify individuals, anyone who wants to abuse the information to invade an individual’s privacy can do so with ease (photo credit: KAI PFAFFENBACH/REUTERS)
SECURITY SURVEILLANCE monitors. Privacy advocates argue that even if the official transfer of data does not identify individuals, anyone who wants to abuse the information to invade an individual’s privacy can do so with ease
An Amnesty International report released Tuesday morning examined apps from 11 countries across the world designed for the surveillance of people who were infected with the novel coronavirus, as well as people who came in contact with them, and the human rights violations these apps cause.
The organization analyzed 11 surveillance apps in Norway, France, Iceland, Algeria, Bahrain, Kuwait, Lebanon, Qatar, Tunisia, United Arab Emirates – and also Israel. Of these apps, the ones from Kuwait, Bahrain and Norway are the most blatant violators of human rights.
The Israeli technology being tested is the Health Ministry's "Shield" app, according to Walla, which the report found to be "too centralized and invasive."
Among the 11 countries mentioned, the applications of three were particularly prominent: Bahrain, Kuwait and Norway. The apps are "BeAware Bahrain," "Shlonik" and "Smittestopp," which according to Amnesty expose serious problems with their tracking tools that violate human rights. This is because the three apps track users' location by uploading live, or almost live, waypoints to a central server.
"Bahrain, Kuwait and Norway have trampled the privacy of their citizens through the use of highly invasive surveillance tools that go far beyond what is needed to cope with the spread of the coronavirus," said Amnesty International's Information Security Lab researcher Claudio Guarneri.
The Norwegian government announced yesterday that it will suspend the use of an adhesion surveillance app. The announcement came after the organization shared the Norwegian authorities and the National Data Security Agency with the findings earlier this month, and after Amnesty representatives met with the development manager of the Norwegian "Smittestopp" application last week.
"The Norwegian app was extremely invasive and the decision to stop using it and go back to the design stages is a right decision," Amnesty said. "We urge Bahrain and Kuwait governments to also immediately stop the use of these intrusive applications in their current form. Simply, they are transmitting users' location to a real-time government database."
According to Amnesty, "Such activity is unreasonable and unjustified or disproportionate in the context of public health. While technology can help us detect infections and outbreaks, users' privacy on the altar of public health should not be sacrificed, and governments should be cautious when rushing to launch surveillance applications."
According to Amnesty's report, the tracking apps are divided into three types. The first type does not allow digital contact tracking, but allows users to document and test their symptoms of choice, such as in Lebanon in Vietnam.
The second type uses a less invasive Bluetooth contact tracking model, developed by Google and Apple. In this model, the data is stored on users' phones and not on a central database. Countries operating such a model are Austria, Germany, Ireland and Switzerland. According to Amnesty, apps from this model raise less concern in terms of user privacy.
The third type, and more serious in terms of human rights, are centralized apps – those that record data collected through the cellphone's Bluetooth sensor or GPS, or both. According to the report, the data goes to a centralized government establishment, where in some cases the state requires citizens to respond and use the app.
The report shows that through the coronavirus surveillance apps in Bahrain, Kuwait and Norway, authorities can link this sensitive personal data to the identity of every person in the country. However, Qatar, Bahrain and Kuwait require users to sign up for the service using their official IDs, as opposed to Norway, where registration is done using only an active phone number.
In the Qatar EHTERAZ app, Amnesty has identified a serious security breach that exposes personal and sensitive data to more than one million people. This is when residents are required to use the app by law. Amnesty said the security breach was fixed after the organization warned of its existence in late May. "If not fixed, cyberattacks could have been implemented that would have enabled access to highly personal and sensitive information, including names, identification numbers, medical statuses and data on isolation and traffic restrictions of users," the organization said.
According to Amnesty's report, surveillance apps in countries such as France, Iceland and the UAE have also used a centralized model, but data on contact between devices is only raised if residents choose to report themselves as symptomatic, or at the request of health authorities. According to the organization, uploading data based on free choice and user consent to some extent reduces the risk of mass surveillance, since the data is not automatically uploaded. However, Amnesty warns that the centralized model of France's coronavirus tracking app, combined with the lack of transparency when it comes to how data is stored in the system, raises concerns about the issue of user data anonymity.
Despite Amnesty International's focus on Europe, the Middle East and North Africa, research by other organizations indicates that there are digital apps and platforms in other regions of the world, such as China, Ethiopia and Guatemala. According to these organizations, the applications used by the authorities in these countries are at risk of serious human rights violations.
"Monitoring and exposure of humans is an important component of an effective and comprehensive response to the outbreak, and surveillance apps can indeed help stop the coronavirus. However, in order not to come at the expense of human rights, these apps must embed data and privacy protections in the early stages of planning," Amnesty stated.
"This means that only the minimum amount of data necessary is collected and then stored securely. Data collection must be restricted solely to control of the spread of the virus, and none of the information should be used for any other purpose – including law enforcement, state security or immigration oversight."
“Governments rolling out centralized contact tracing apps with real-time location tracking need to go back to the drawing board,” Guarnieri said.
“There are better options available that balance the need to trace the spread of the disease without hoovering up sensitive personal information of millions of people.”