Qatar Forces Its Citizens To Install An Invasive Coronavirus-Tracking App

20/05/2020

A tracking app has a legitimate reason to access the user's location, and a coronavirus-tracking app also needs access to Bluetooth. But what if the app asks for much more than that, and installing it is forced by the government?

Qatar is making it mandatory for all of its citizens and residents to install and turn on its coronavirus tracking app when leaving the house, or face a hefty QR200,000 (about $55,000) fine, or even a possible three-year jail term.

“All citizens and residents are obligated to install the Ehteraz app on smartphones when leaving the house for any reason,” wrote state-run news agency Qatar News Agency (QNA) in a tweet. “This decision is effective from Friday, 22 May, 2020 until further notice.”

The move is part of larger lockdown measures, which include limiting the number of people going out of the house, restricting the number of people inside vehicles to two (and a maximum of three in certain cases), and closing all non-essential shops.

Ehteraz was only introduced back in April, designed to notify people if they’ve been in close contact with anyone exposed to COVID-19. Although installing the app was initially optional, the government has changed its approach.

People have criticized Ehteraz for its extremely invasive permission requirements. Its Google Play download page lists the following permissions:

Location

  • Approximate location (network-based).
  • Precise location (GPS and network-based).

Phone

  • Directly call phone numbers.
  • Read phone status and identity.

Photos/Media/Files

  • Read the contents of your USB storage.
  • Modify or delete the contents of your USB storage.

Storage

  • Read the contents of your USB storage.
  • Modify or delete the contents of your USB storage.

Device ID & call information

  • Read phone status and identity.

Other

  • Receive data from Internet.
  • View network connections.
  • Pair with Bluetooth devices.
  • Access Bluetooth settings.
  • Disable your screen lock.
  • Full network access.
  • Run at startup.
  • Draw over other apps.
  • Prevent device from sleeping.

The app's Google Play page describes it as follows:

"EHTERAZ is your trusted smart application to follow up on the latest updates of COVID-19 Coronavirus in Qatar. EHTERAZ has been designed and developed in the Ministry of Interior to support all categories of the Qatari community to spread the health awareness tips and techniques as well as the protection methods that are necessary to halt the outbreak of Coronavirus. This smart tool is also meant to give a hand to those people that are responsible for their families in their endeavors to protect their love ones, and to support healthcare and related entities in order to protect the safety of individuals and that of the Qatari community from this pandemic virus at large."

“Why this app wants [sic] to access my photos and media and phone,” complained one Android user on Google Play. “I am accepting the location only. Its [sic] not working unless I will accept everything and this is not logic [sic] for me. So I will not use it unless it will be respecting my privacy.”

"When downloading this app my phone crashed! I couldn’t get it back on for awhile it was like a virus or Trojan intercepted," said an iOS user. "Once back on it took a long time to upload my settings again. Also, they asked for access to my pictures, my contacts, Bluetooth & my location.

"There are glitches in this app I had to delete it as it destroyed my phone."

“Storage permission required to check the rooted or jailbreaken [sic] device for your security,” Qatar’s Ministry of Interior says, responding to concerns over privacy. “Bluetooth and Location required for your security to identify the person near to you is quarantined or infected.”

Despite the government’s reassurance, users have every right to be cautious about the app’s intrusive permission requirements.

Concerned citizens and residents say that the app could be used to track everyone's movements, making it a tool for social control as well as a capable surveillance tool.

But because the government has made the app mandatory, Qatar's citizens and residents have little choice but to accept it on their phones, or risk a hefty fine and imprisonment.

A man wearing a face mask checks his phone in Qatar, where residents and citizens have been required by law to install Ehteraz, a coronavirus contact tracing app. (Credit: KARIM JAAFAR AFP)

About a week later, it was discovered that the Ehteraz app had a serious security hole.

Amnesty’s Security Labs found a critical vulnerability in the software, which would have allowed hackers to obtain lots of highly sensitive personal information, including the name, national ID, health status, and location data of more than 1 million users.

The issue arose because the Ehteraz app requested a QR code from a central server by providing a user’s national ID. Since no authentication was required, anyone could have requested a QR code for any Ehteraz user. This would have made it possible for hackers to generate all possible ID combinations and retrieve all user data.

Fortunately, the issue has since been patched. Amnesty reported it to the Qatari government on May 21, and the authorities responded swiftly by releasing a fix the next day, May 22.
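The flaw described above is a lookup keyed only by an identifier the caller supplies. The sketch below is an added example, not code from Ehteraz or from Amnesty's report: it puts that pattern beside one possible hardened form and adds a simple server-side check for enumeration. The function names, the HMAC-based token scheme, and the sample records are assumptions made for illustration; how the real fix works is not described in the article.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample records; the IDs and fields are made up.
USERS = {
    "ID-0001": {"name": "User A", "health_status": "green"},
    "ID-0002": {"name": "User B", "health_status": "yellow"},
}
SERVER_KEY = secrets.token_bytes(32)  # hypothetical per-deployment secret

def issue_token(national_id: str) -> str:
    """Credential bound to one ID, handed out at enrolment after the user
    has proven ownership of that ID (the enrolment step is out of scope)."""
    return hmac.new(SERVER_KEY, national_id.encode(), hashlib.sha256).hexdigest()

def get_qr_vulnerable(national_id: str):
    """Pattern from the article: the ID alone selects the record."""
    record = USERS.get(national_id)
    return (200, record) if record else (404, None)

def get_qr_hardened(national_id: str, token: Optional[str]):
    """Require a credential bound to the requested ID before any lookup."""
    if not token:
        return (401, None)
    expected = issue_token(national_id)
    if not hmac.compare_digest(expected.encode(), token.encode()):
        return (403, None)
    record = USERS.get(national_id)
    # Unknown IDs get the same 403, so responses do not reveal which IDs exist.
    return (200, record) if record else (403, None)

def flag_enumeration(requests, max_distinct=3):
    """Detection: a client asking for many different IDs is not a normal user.
    `requests` is an iterable of (client, national_id) pairs from access logs."""
    seen = {}
    for client, national_id in requests:
        seen.setdefault(client, set()).add(national_id)
    return sorted(c for c, ids in seen.items() if len(ids) > max_distinct)
```
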

“While the Qatari authorities were quick to fix this issue, it was a huge security weakness and a fundamental flaw in Qatar’s contact tracing app that malicious attackers could have easily exploited,” said head of Amnesty’s Security Labs, Claudio Guarnieri. “This vulnerability was especially worrying given use of the Ehteraz app was made mandatory last Friday.”

“This incident should act as a warning to governments around the world rushing out contact tracing apps that are too often poorly designed and lack privacy safeguards,” added Guarnieri.

“If technology is to play an effective role in tackling the virus, people need to have confidence that contact tracing apps will protect their privacy and other human rights.”