On May 22nd, Qatar made mandatory the use of their COVID-19 contact tracing app #EHTERAZ, with severe penalties for those found without it. We found glaring privacy issues that left exposed personal data of more than a million users. A thread 👇.
https://www.amnesty.org/en/latest/news/2020/05/qatar-covid19-contact-tracing-app-security-flaw/
#EHTERAZ fetches a colored QR code from the central server by only providing the national ID # supplied by the user at registration. The QR code contained details such as the English and Arabic name, the GPS coords of a designated confinement location, and more. 👇
Qatari national ID numbers are 11 digits with a consistent format. The first digit indicates whether the user was born before or after 2000, the next 2 are the year of birth, the next 3 are the M49 country code of the user's nationality, followed by a sequential counter. 👇
Because the server did not enforce any authentication or rate limiting, it was possible to retrieve the QR code of any EHTERAZ user through the API, learning their personal details and (supposedly) home location, as well as their health status as indicated by the color. 👇
Because of the severe privacy implications for hundreds of thousands, if not millions, of users, we immediately alerted the Qatari authorities who promptly mitigated the exposure of data, and on Sunday released an update to the app. 👇
In addition, #EHTERAZ performs Bluetooth-based contact tracing by broadcasting some identifiers and a UUID indicating the health status of the nearby user. When a contact is established, identifiers, a timestamp, and GPS coordinates of the encounter are uploaded to the server. 👇
#EHTERAZ is also capable of enabling GPS location tracking of all users, or of specific ones, depending on configuration values "EnableGeoTracing" and "EnablePersonalGeoTracing" retrieved from the server. However, the global location tracking is turned off at the moment. 👇
This is a cautionary example of how centralizing data on COVID-19 contact tracing apps could go wrong. Additionally, excessive tracking of users of these apps remains worrisome. These apps must remain voluntary, and ensure people's human rights are protected. 👇
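A worked illustration of the access-control failure the thread describes, added here by the editor; it is not code from Amnesty's Security Lab, from the EHTERAZ app, or from the Qatari server. It models the QR-fetch endpoint twice: the vulnerable shape (any national ID returns that user's record, no caller check, no rate limit) next to a hardened shape that requires an authenticated session, rate-limits per session, validates the 11-digit format, and refuses to serve any record other than the caller's own. The `RECORDS` table, the sample IDs, the `Session` class, the `RateLimiter` and the response dictionaries are all constructed for the example; only the ID layout (century flag, two-digit year, three-digit M49 code, counter) follows the thread's description.

```python
"""Model of the EHTERAZ QR endpoint: vulnerable and hardened variants (editor's example)."""
import time
from collections import defaultdict, deque

# Constructed sample records keyed by national ID. Names, statuses and
# coordinates are made up; 634 is the M49 code for Qatar.
RECORDS = {
    "28563400001": {"name_en": "Sample One", "status": "green", "home": (25.28, 51.53)},
    "29063400002": {"name_en": "Sample Two", "status": "grey", "home": (25.30, 51.50)},
}


def parse_national_id(national_id):
    """Split an ID into the fields the thread describes; reject anything that
    is not exactly 11 digits before it ever reaches a lookup."""
    if not isinstance(national_id, str) or len(national_id) != 11 or not national_id.isdigit():
        raise ValueError("national ID must be exactly 11 digits")
    return {
        "century_flag": national_id[0],     # born before/after 2000 (meaning of each digit not given)
        "birth_year": national_id[1:3],     # two-digit year of birth
        "country_m49": national_id[3:6],    # M49 code of nationality
        "counter": national_id[6:],         # sequential counter
    }


def fetch_qr_vulnerable(national_id):
    """Mirrors the behaviour reported in the thread: whoever supplies an ID
    gets that user's record. Nothing ties the request to a caller."""
    rec = RECORDS.get(national_id)
    return None if rec is None else dict(rec)


class RateLimiter:
    """Sliding-window limiter: at most `max_requests` per `window` seconds per key.
    `now` can be injected so the behaviour is deterministic in tests."""

    def __init__(self, max_requests, window, clock=time.monotonic):
        self.max_requests = max_requests
        self.window = window
        self.clock = clock
        self.hits = defaultdict(deque)

    def allow(self, key, now=None):
        now = self.clock() if now is None else now
        q = self.hits[key]
        while q and q[0] <= now - self.window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True


class Session:
    """An authenticated caller; the server, not the client, binds the ID."""

    def __init__(self, national_id):
        self.national_id = national_id


def fetch_qr_hardened(session, national_id, limiter, now=None):
    """Hardened variant. Order matters: unauthenticated callers are rejected
    before they can consume limiter budget, the limiter runs before any
    parsing or lookup, and ownership is checked before the record is read."""
    if session is None:
        return {"error": "unauthenticated"}            # HTTP 401 analogue
    if not limiter.allow(session.national_id, now):
        return {"error": "rate_limited"}               # HTTP 429 analogue
    try:
        parse_national_id(national_id)
    except ValueError:
        return {"error": "bad_request"}                # HTTP 400 analogue
    if national_id != session.national_id:
        return {"error": "forbidden"}                  # HTTP 403: the IDOR is closed here
    rec = RECORDS.get(national_id)
    return dict(rec) if rec is not None else {"error": "not_found"}


if __name__ == "__main__":
    limiter = RateLimiter(max_requests=3, window=60)
    me = Session("28563400001")
    print(fetch_qr_vulnerable("29063400002"))                 # anyone can read another user's record
    print(fetch_qr_hardened(me, "29063400002", limiter))      # {'error': 'forbidden'}
    print(fetch_qr_hardened(me, "28563400001", limiter))      # the caller's own record
```

The ownership check is the decisive control: even with rate limiting in place, an endpoint that returns any record for any ID is still an exposure, only a slower one. Rate limiting is defence in depth against a leaked or shared session, and the format check keeps malformed input from reaching the data store.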