For a legitimate purpose, a tracking app should at least be able to access the user's location, and in the case of coronavirus tracking apps, it also needs Bluetooth access. But what if the app asks for much more than that, and installing it is mandated by the government?
Qatar is making it mandatory for all of its citizens and residents to install and turn on its coronavirus tracking app when leaving the house, or face a hefty fine of QR200,000 (about $55,000), or even up to three years in jail.
“All citizens and residents are obligated to install the Ehteraz app on smartphones when leaving the house for any reason,” wrote state-run news agency Qatar News Agency (QNA) in a tweet. “This decision is effective from Friday, 22 May, 2020 until further notice.”
The move is part of larger lockdown measures, which include limiting the number of people going out of the house, restricting the number of people inside a vehicle to two (and a maximum of three in certain cases), and closing all non-essential shops.
Ehteraz was only introduced back in April, designed to notify people if they’ve been in close contact with anyone exposed to COVID-19. Although installing the app was initially optional, the government has changed its approach.
First:
1- All citizens and residents are obligated to install the EHTERAZ app on smartphones when leaving the house for any reason.
2- This decision is effective from Friday 22/5/2020 until further notice. #QNA— Qatar News Agency (@QNAEnglish) May 18, 2020
People have criticized Ehteraz for its extremely invasive permission requirements. On its Google Play download page, the app can be seen to request the following permissions:
Location
- Approximate location (network-based).
- Precise location (GPS and network-based).
Phone
- Directly call phone numbers.
- Read phone status and identity.
Photos/Media/Files
- Read the contents of your USB storage.
- Modify or delete the contents of your USB storage.
Storage
- Read the contents of your USB storage.
- Modify or delete the contents of your USB storage.
Device ID & call information
- Read phone status and identity.
Other
- Receive data from Internet.
- View network connections.
- Pair with Bluetooth devices.
- Access Bluetooth settings.
- Disable your screen lock.
- Full network access.
- Run at startup.
- Draw over other apps.
- Prevent device from sleeping.
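To make the permission list above concrete, here is an added example (not code from the Ehteraz app or from Qatar's Ministry of Interior) that audits the `uses-permission` entries in an Android manifest against a baseline of what a Bluetooth and GPS based exposure-notification app can justify. The manifest is constructed to mirror the Play Store list quoted above, mapped to the Android permission names those descriptions correspond to; the baseline is the editor's assumption, not an official list.

```python
"""Audit an Android manifest's declared permissions against a contact-tracing baseline.
Added example. SAMPLE_MANIFEST is constructed, not the real Ehteraz manifest; EXPECTED
is an assumed baseline for a Bluetooth/GPS exposure-notification app."""
import xml.etree.ElementTree as ET
from typing import Dict, Set

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Assumed baseline: what proximity tracing plus push notifications plausibly needs.
EXPECTED: Set[str] = {
    "android.permission.ACCESS_COARSE_LOCATION",   # "Approximate location"
    "android.permission.ACCESS_FINE_LOCATION",     # "Precise location"
    "android.permission.BLUETOOTH",                # "Pair with Bluetooth devices"
    "android.permission.BLUETOOTH_ADMIN",          # "Access Bluetooth settings"
    "android.permission.INTERNET",                 # "Full network access"
    "android.permission.ACCESS_NETWORK_STATE",     # "View network connections"
    "android.permission.RECEIVE_BOOT_COMPLETED",   # "Run at startup"
    "android.permission.WAKE_LOCK",                # "Prevent device from sleeping"
    "com.google.android.c2dm.permission.RECEIVE",  # "Receive data from Internet"
}

# Permissions that reach data or control well beyond what tracing requires.
HIGH_RISK: Dict[str, str] = {
    "android.permission.READ_PHONE_STATE": "device identity (IMEI/serial, phone number)",
    "android.permission.CALL_PHONE": "place calls without user confirmation",
    "android.permission.READ_EXTERNAL_STORAGE": "read all shared files and photos",
    "android.permission.WRITE_EXTERNAL_STORAGE": "modify or delete shared files",
    "android.permission.DISABLE_KEYGUARD": "disable the screen lock",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw over other apps (overlay)",
}

# Constructed manifest reflecting the Play Store permission list in the article.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.tracing.app">
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="com.google.android.c2dm.permission.RECEIVE"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.BLUETOOTH"/>
  <uses-permission android:name="android.permission.BLUETOOTH_ADMIN"/>
  <uses-permission android:name="android.permission.DISABLE_KEYGUARD"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
</manifest>
"""


def declared_permissions(manifest_xml: str) -> Set[str]:
    """Return every android:name on a <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}


def audit(manifest_xml: str) -> Dict[str, object]:
    """Split declared permissions into expected, unexpected and high-risk buckets."""
    perms = declared_permissions(manifest_xml)
    return {
        "expected": sorted(perms & EXPECTED),
        "unexpected": sorted(perms - EXPECTED),
        "high_risk": {p: HIGH_RISK[p] for p in sorted(perms) if p in HIGH_RISK},
    }


if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST)
    print("Expected   :", ", ".join(report["expected"]))
    print("Unexpected :", ", ".join(report["unexpected"]))
    for perm, why in report["high_risk"].items():
        print("HIGH RISK  : %s -> %s" % (perm, why))
```

Against the constructed manifest the audit reports six permissions outside the baseline, all of them high risk: the storage, phone and call permissions that reviewers complained about, plus keyguard disabling and overlays, which a tracing app has no obvious use for. The same script can be pointed at a manifest pulled from any APK with `apktool` or `aapt dump xmltree`.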
Reviews on its Google Play page echo the same concerns:
“Why this app wants [sic] to access my photos and media and phone,” complained one Android user on Google Play. “I am accepting the location only. Its [sic] not working unless I will accept everything and this is not logic [sic] for me. So I will not use it unless it will be respecting my privacy.”
"When downloading this app my phone crashed! I couldn't get it back on for a while, it was like a virus or Trojan intercepted," said an iOS user. "Once back on it took a long time to upload my settings again. Also, they asked for access to my pictures, my contacts, Bluetooth & my location.
"There are glitches in this app I had to delete it as it destroyed my phone."
“Storage permission required to check the rooted or jailbreaken [sic] device for your security,” Qatar’s Ministry of Interior says, responding to concerns over privacy. “Bluetooth and Location required for your security to identify the person near to you is quarantined or infected.”
Despite the government’s reassurance, users have every right to be cautious about the app’s intrusive permission requirements.
Concerned citizens and residents say that the app can be used to track everyone's movements, making it a tool for social control as well as a capable surveillance tool.
But because of the mandatory rule the government has imposed, Qatar's citizens and residents have little to no choice but to accept the app on their phones, or risk a hefty fine and imprisonment.
About a week later, it was discovered that the Ehteraz app had a serious security hole.
Amnesty's Security Labs found a critical vulnerability in the software, which would have allowed attackers to obtain highly sensitive personal information, including the name, national ID, health status, and location data of more than 1 million users.
The issue stemmed from the way the Ehteraz app requested a QR code from a central server: it simply supplied the user's national ID. Since the request required no authentication, anyone could request the QR code for any Ehteraz user. This would have made it possible for attackers to enumerate all possible ID combinations and retrieve every user's data.
Fortunately, the issue has since been patched. Amnesty informed the Qatari government of the issue on May 21, and the authorities responded swiftly, releasing a fix the next day, May 22.
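The flaw described above is an unauthenticated lookup keyed by an identifier the client chooses. The added example below (not Ehteraz's code, endpoints or data; every record and log line is constructed) models that design beside a hardened one in which the server takes the subject's identity from an authenticated session and ignores any client-supplied ID, and finishes with the log check a defender would run to spot enumeration: a single client requesting codes for many distinct IDs. The login step assumes some prior out-of-band verification (modelled as an `otp_ok` flag).

```python
"""Vulnerable vs hardened QR-code issuance, plus a log check for ID enumeration.
Added example. Models the flaw the article describes: a central server that handed
out any user's QR code on the strength of a caller-supplied national ID with no
authentication. Nothing here is Ehteraz's real code; all data is constructed."""
import secrets
from collections import defaultdict
from typing import Dict, Iterable, Optional, Set

# Constructed user records keyed by (fake) national ID.
USERS: Dict[str, Dict[str, str]] = {
    "10000001": {"name": "User A", "status": "green"},
    "10000002": {"name": "User B", "status": "red"},
}


def qr_payload(national_id: str, record: Dict[str, str]) -> str:
    """What ends up encoded in the QR code (simplified for the example)."""
    return "%s|%s|%s" % (national_id, record["name"], record["status"])


# --- Vulnerable design: the client names the subject and the server believes it ---
def issue_qr_vulnerable(national_id: str) -> Optional[str]:
    """No authentication: any caller who can guess an ID gets that user's record."""
    record = USERS.get(national_id)
    return qr_payload(national_id, record) if record else None


# --- Hardened design: identity comes from an authenticated session, not the request ---
SESSIONS: Dict[str, str] = {}  # session token -> national ID, bound at login


def login(national_id: str, otp_ok: bool) -> Optional[str]:
    """Bind a random bearer token to an ID after verification (otp_ok is assumed).
    Unknown ID and failed OTP return the same result, so the login step itself
    does not confirm whether an ID is enrolled."""
    if not otp_ok or national_id not in USERS:
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = national_id
    return token


def issue_qr_hardened(session_token: str, requested_id: Optional[str] = None) -> Optional[str]:
    """The subject is whoever owns the session; a client-supplied ID is only accepted
    if it matches, so a caller can never obtain another user's code."""
    subject = SESSIONS.get(session_token)
    if subject is None:
        return None  # unauthenticated
    if requested_id is not None and requested_id != subject:
        return None  # refuse cross-user lookup
    return qr_payload(subject, USERS[subject])


# --- Detection: enumeration shows up as one client asking for many distinct IDs ---
# Constructed access-log lines: "time client_ip path".
LOG_LINES = [
    "12:00:01 198.51.100.7 /qr?id=10000001",
    "12:00:01 198.51.100.7 /qr?id=10000002",
    "12:00:02 198.51.100.7 /qr?id=10000003",
    "12:00:02 198.51.100.7 /qr?id=10000004",
    "12:00:05 203.0.113.9 /qr?id=10000002",
    "12:00:09 203.0.113.9 /qr?id=10000002",
]


def enumeration_suspects(lines: Iterable[str], threshold: int = 3) -> Set[str]:
    """Return clients that requested at least `threshold` distinct IDs.
    A legitimate client only ever asks for its own ID, so the distinct count
    per client is a far better signal than raw request volume."""
    ids_by_client: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        _, client, path = line.split(" ", 2)
        if "id=" in path:
            ids_by_client[client].add(path.split("id=", 1)[1])
    return {c for c, ids in ids_by_client.items() if len(ids) >= threshold}


if __name__ == "__main__":
    print("vulnerable, no auth, arbitrary ID :", issue_qr_vulnerable("10000002"))
    tok = login("10000001", otp_ok=True)
    print("hardened, own code                :", issue_qr_hardened(tok))
    print("hardened, someone else's ID       :", issue_qr_hardened(tok, "10000002"))
    print("enumeration suspects              :", enumeration_suspects(LOG_LINES))
```

The hardened variant closes the hole by design rather than by obscurity: there is no request shape in which the caller picks the subject, so there is nothing to enumerate. The log check is the compensating control for the window before a fix ships; per-client rate limiting on the endpoint would cap how far an enumeration could get in that window.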
“While the Qatari authorities were quick to fix this issue, it was a huge security weakness and a fundamental flaw in Qatar’s contact tracing app that malicious attackers could have easily exploited,” said head of Amnesty's Security Labs, Claudio Guarnieri. “This vulnerability was especially worrying given use of the Ehteraz app was made mandatory last Friday.”
“This incident should act as a warning to governments around the world rushing out contact tracing apps that are too often poorly designed and lack privacy safeguards,” added Guarnieri.
“If technology is to play an effective role in tackling the virus, people need to have confidence that contact tracing apps will protect their privacy and other human rights.”