Until last Friday, there was a data leak in the app that residents of Qatar must use to help prevent the spread of the coronavirus. Amnesty International reports this on the basis of its own research.
In the app, it is possible to request a QR code by entering a Qatari national ID number (the equivalent of the Dutch BSN). The QR code contains personal medical information. The Amnesty research lab discovered that, without additional authentication, it was possible to enter arbitrary ID numbers, which follow a fixed format, and thus request private data.
This allowed researchers to access individuals' names, to see whether someone was infected, and to see where they were in isolation and the hospital where they were being treated.
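The class of flaw described above, shown next to one way to close it. This is an added sketch, not code from the app or from Amnesty's research: the function names, the token scheme, the ID values and the records are all constructed, and the article does not say what the actual fix was.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; the IDs, names and fields are invented.
RECORDS = {
    "29000000001": {"name": "Sample Person A", "status": "infected",
                    "location": "Sample Hospital"},
    "29000000002": {"name": "Sample Person B", "status": "healthy",
                    "location": None},
}

# Hypothetical per-deployment secret, held only by the server.
SERVER_KEY = secrets.token_bytes(32)


def qr_payload_unauthenticated(national_id):
    """Flawed pattern: the ID number alone selects the record.

    Because IDs follow a fixed format, anyone can ask for any person's data.
    """
    return RECORDS.get(national_id)


def issue_token(national_id):
    """Token bound to one ID. Assumed to be handed out only after the user
    has proven ownership of that ID at enrolment (not modelled here)."""
    return hmac.new(SERVER_KEY, national_id.encode(), hashlib.sha256).hexdigest()


def qr_payload_authenticated(national_id, token):
    """Hardened pattern: the caller must present the token for this exact ID."""
    if not isinstance(national_id, str) or not isinstance(token, str):
        return None
    expected = issue_token(national_id)
    # Constant-time comparison; bytes on both sides so odd input cannot raise.
    if not hmac.compare_digest(expected.encode(), token.encode()):
        return None  # same answer for a bad token and an unknown ID
    return RECORDS.get(national_id)


if __name__ == "__main__":
    own = issue_token("29000000001")
    print(qr_payload_unauthenticated("29000000002"))     # record leaks
    print(qr_payload_authenticated("29000000002", own))  # None
    print(qr_payload_authenticated("29000000001", own))  # caller's own record
```

Returning the same result for a wrong token and a non-existent ID keeps the endpoint from confirming which ID numbers are registered.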
Warning to governments
The Dutch app works differently from Qatar's, but according to Amnesty, this incident should serve as a warning to all governments not to build an app too hastily. In a press statement, the organization writes that it is concerned about the speed with which apps are being developed, and it mentions the Netherlands by name.
Where Qatar uses a central database and works with GPS locations in addition to Bluetooth, the intention for the Dutch app is that the data remain in the app and that only Bluetooth is used.
Amnesty International reported the leak to the Qatari authorities on Thursday last week. A day later it was no longer possible to request names and location data, according to the organization. An extra security layer was added last Sunday, although Amnesty cannot say whether it meets standards.
The human rights organization is “grateful” for the speed at which the problem was solved, but points out that it was a major problem. “The weakness is especially worrying, as the app has been mandatory since last Friday,” said Amnesty’s Claudio Guarnieri.
The app in Qatar has been downloaded over a million times from the Google Play Store. Those who do not use the app can receive up to three years' imprisonment and a fine equivalent to 50,000 euros.