An Amnesty International study of 11 Covid-19 contact tracing apps from Europe, the Middle East and North Africa found identified apps from Bahrain, Kuwait and Norway as the most dangerous to users' privacy.
In a news release published on Tuesday, the human rights organization's Security Lab said Bahrain’s ‘BeAware Bahrain’, Kuwait’s ‘Shlonik’ and Norway’s ‘Smittestopp’ apps essentially act as mass surveillance tools by conducting live or near-live tracking of users’ locations via regular uploads of a device's GPS coordinates to a central server. Bluetooth-based proximity scanning is considered a more preferred method of tracking for privacy reasons, the release explains.
Qatar's "EHTERAZ" contact tracing app, the use of which the country made mandatory last May, also has an option to track all or specific users with a GPS-based tracking feature, but this feature has so far remained off, the release noted. Amnesty International warned that authorities in these countries can "easily link" sensitive location information to an individual, because "Qatar, Bahrain and Kuwait require users to register with a national ID number, while Norway requires registration with a valid phone number."
Additionally, Amnesty reported that EHTERAZ was found to contain a security bug that could have exposed the personal details of users. This bug was fixed after Amnesty privately disclosed the issue.
A day before the Amnesty report going live, Norway's government on Monday announced it would stop using the Smittestopp contract tracing app. The announcement reportedly came just weeks after Amnesty International privately disclosed its findings on June 2 and after organization officials met with Smittestopp's head of development on June 10.
“The Norwegian app was highly invasive and the decision to go back to the drawing board is the right one," said Claudio Guarnieri, head of Amnesty International’s Security Lab, in the news release. "We urge the Bahraini and Kuwaiti governments to also immediately halt the use of such intrusive apps in their current form. They are essentially broadcasting the locations of users to a government database in real time -- this is unlikely to be necessary and proportionate in the context of a public health response. Technology can play a useful role in contact tracing to contain COVID-19, but privacy must not be another casualty as governments rush to roll out apps."
The other studied apps operate in Algeria, France, Iceland, Israel, Lebanon, Tunisia and the United Arab Emirates.
In some cases, malicious actors have weaponized and distributed their own unofficial, malicious versions of Covid-19 tracing apps in order to infect device users with malware, or they have used to promise of a tracing app or other helpful pandemic tools as a phishing lure of subject line.
With that in mind, McAfee on Thursday published a COVID-19 threat dashboard that displays the number and classifications of coronavirus-themed threats perpetrated by bad actors , plus which countries and sectors are being targeted the most.
As of June 18, 4 p.m. Eastern Time, there were 573,299 total malicious detections related to Covid-19 since Jan. 1, 2020, according to McAfee's data. Additionally, Spain has had the most malicious detections (167,016), followed by the U.S. (115,405) and Germany (50,088).
The top three verticals with the largest shares of malicious detections are finance (45.2 percent), transportation (9.9) and industrial (9.4).