COVID-19 contact-tracing apps in MENA: a privacy nightmare

At the outbreak of the COVID-19 global pandemic, a number of countries in the MENA region turned to technology to help track and prevent the spread of the virus, using apps, drones, and even robots to monitor the movement of citizens under quarantine. Now, as countries are looking to slowly return to life and lift lockdown measures, more are jumping on the bandwagon, including developing their own contact-tracing apps, as seen most recently in Morocco and Tunisia.

While contact-tracing apps have potential to help limit the spread of the virus and ongoing transmission, without adequate legal protections and privacy safeguards in place, these apps can open the path for authoritarian governments to violate human rights and harm marginalized populations. 

We took a look at five countries that deployed contact-tracing apps to highlight the privacy concerns they raise.

Tunisia

On May 19, the Ministry of Health, in partnership with Wizzlabs, a startup specialized in digital marketing tools for foreign companies, launched a contact-tracing mobile phone app called E7mi that gained tens of thousands of users in three weeks. Downloading the app is voluntary, but if downloading rates remain low, it is possible it will become mandatory for people in public spaces.

The app uses Bluetooth signals and GPS location data to detect and alert users who may have had contact with others infected with the virus. It also collects personal information such as the phone numbers of users, which is required for registration.

The Ministry stated that it has consulted the Independent Authority on Data Protection (INPDP), and the latter confirmed that the app complies with Tunisia’s data protection law of 2004, but there are concerns related to the law. It is outdated and does not account for technologies developed since it was written. Additionally, in 2017, Tunisia ratified the Council of Europe’s Convention for the Protection of Individuals with regard to the processing of personal data. Moreover, last year, the country officially signed the protocol amending the convention, meaning that it has committed to reforming the law to align with international standards. But this has not happened yet. A bill introduced in 2018 to make changes is evidently no longer a priority for the Tunisian Parliament. 

Furthermore, the app has other flaws related to data protection. It has neither a sunset clause to determine when it will be removed from phones and app stores, nor an indication of a limit for the use of data once the app is no longer necessary. This is an important issue given that the country has not reported any new local cases — apart from cases among incoming passengers from affected areas and countries — since early May. 

Qatar

The government of Qatar rolled out a contact-tracing app called EHTERAZ, developed by the Ministry of Interior. The app uses GPS and Bluetooth technology to track COVID-19 cases. Despite the government’s assurance that the app is “completely confidential” and accessible only to health professionals, a recent investigation by Amnesty Tech’s Security Lab found a critical vulnerability that would allow malicious actors to access sensitive personal information, such as names, national ID number, health status, and location data, for more than a million users in the country.

While the government moved quickly to fix the security flaw, according to Amnesty’s investigation, the information continues to be stored in a central database, making it vulnerable to unlawful access. Centralized databases of personal information can serve as “honeypots” that attract cyber attackers and malicious actors. Perhaps even more worrisome, the government is able to turn on real-time location tracking of users via the app. 

The app is also compulsory for all users in Qatar. Those who don’t comply face a disproportionate penalty of up to three years in prison and a fine of approximately 55,000 USD (200,000 Qatari Riyal).

Bahrain

The government of Bahrain requires self-isolating individuals and people arriving in the country to download the BeAware app, which is paired with a wristband to notify the government if they leave their dwelling. Therefore, their phones track their movements and collect location data. Those who don’t comply with these instructions would be subject to harsh and inappropriate penalties, including facing imprisonment for no less than three months, a fine ranging from 1,000–10,000 Bahraini Dinar (approximately 1,000–26,000 USD), or both penalties.

The Ministry of Health may also require all self-isolating individuals to take random selfies showing their face and bracelet to prove that they did not break their quarantine. While government authorities claim that use of the contact-tracing app is to contain the spread of the virus, in effect they are using it to restrict the movement of their citizens. With the rapid increase of confirmed cases in the country to date, the efficacy of the app to help fight COVID-19 is questionable.

Saudi Arabia

Saudi authorities have also turned to technology in response to the pandemic. The Ministry of Health launched the app Teetamman, which collects health data for those who are in quarantine or self-isolation. People can use it to assess their health condition, speak to medical staff, and seek their advice. Recently, the app was made compulsory for those who are returning from abroad, and individuals are forced to wear a bracelet paired with the phone app via Bluetooth. The user must wear the bracelet at all times during the quarantine period, not change any of its settings, and keep the phone switched on 24/7 and within 10 meters of the bracelet. Any attempt to remove or damage the bracelet or change any of these settings is punishable by up to two years in prison, a fine of 53,268 USD (200,000 Saudi Riyal), or both. Just like the measures taken in Bahrain, these measures are disproportionate for the intended purpose, and they interfere with people’s right to freedom of movement.

Morocco

On June 1, the government of Morocco launched its contact-tracing app Wiqaytna developed by the Ministry of Interior. The voluntary Bluetooth-based app was downloaded more than a million times in less than a week according to the Ministry of Health. Earlier in April, civil society in Morocco objected to deployment of the app over allegations that it uses Israeli surveillance technology. The Moroccan data protection authority (“CNDP”) responded, issuing a statement that the contact-tracing app complies with Law No. 09-08 on the Protection of Individuals with Regard to Processing of Personal Data and that only authorized persons have access to the data.  

Unfortunately, Law No. 09-08 does not provide sufficient protection for people’s personal data and some of its articles are open to broad interpretation. For instance, the law carves out from protections “personal data collected and processed in the interest of national defense, the internal or external security of the state and the prevention or repression of crime.” Article 4 of the law also does not require authorities to get a person’s consent for processing their personal data if it’s used for the broad mission of protecting the public interest.

Our warning: technology can turn a public health crisis into a human rights crisis

When governments consider use of COVID-19 tracing apps for fighting the pandemic, they must start with the facts. There is no evidence that the use of such technology is effective in containing the spread of the disease. According to the World Health Organization’s interim guide on the use of COVID-19 contact-tracing apps, “this technology cannot capture all the situations in which a user may acquire COVID-19, and it cannot replace traditional person-to-person public health contact tracing, testing, or outreach which is usually done over the phone or face to face.”

In countries with a record of targeted and mass surveillance, attempts to trace the virus can quickly turn into surveillance of people, especially in the absence of robust laws, safeguards, and independent oversight. The fact that in some cases, the Ministry of Interior is involved in developing and deploying these apps, as in Qatar and Morocco, is a telling sign that the objective for use may be to control the population rather than solely to implement a public health measure.

Notably, in many countries in the region, data protection laws do not exist, or if they do, they were drafted before the digital era and therefore do not address today’s data-processing risks, such as cyber attacks or identity thefts.  

Furthermore, the lack of transparency and access to information in some countries makes it difficult to exercise oversight and accountability for the use of such technologies, or to ensure the data collected and processed are secure and accessed only by public health professionals, and will be deleted according to a clear and fixed timeframe. In politically repressive contexts, citizens do not have access to remedy or venue for redress if the government violates their privacy and misuses their data.

What can we do to stop the nightmare? Suspend use of contact-tracing apps in MENA

To assist governments and technology developers in adhering to human rights standards, we developed a list of dos and don’ts for contact-tracing apps. Those who develop or deploy these apps can follow these guidelines to limit their interference with human rights, especially the right to privacy. 

In the COVID-19 pandemic, people’s health and lives are at stake. The top priority is to take evidence-based steps to control the transmission of the virus; however, this work should go hand-in-hand with ensuring that any technology-based solutions do not deepen the harm of the pandemic by needlessly violating human rights.

Given the lack of sufficient legal and policy safeguards for privacy and data protection in countries across the MENA region, we call on governments in the region to suspend the deployment of contact-tracing apps and focus on evidence-based methods for fighting COVID-19. They must also engage in urgent reform of the law to better protect people’s privacy and other fundamental rights. In many cases, contact-tracing apps leave the door wide open for privacy invasions, mass surveillance, and misuse or abuse of personal data. When apps are not necessary, are not fit-for-purpose, are not designed to protect privacy, and pose a threat to privacy that is disproportionate for the purpose, governments should not use them.

Rather than rushing to haphazard technological solutions that lack evidence for efficacy, governments in the MENA region should seek in the pandemic an opportunity to increase transparency and build trust among their citizens, including through demonstrating respect for their privacy and other fundamental rights.