Qatar is turning to technology to help contain the coronavirus.
Although the country has only seen 23 confirmed deaths to date, its infection rate remains stubbornly high, with more than 40,000 people infected amid a population of roughly 2.8 million.
The new Ehteraz app is seen by government officials as the latest salvo in its attempts to curb the transmission of the virus.
Starting late last week, citizens and residents have been required to have the Ehteraz contact-tracing app installed on mobile devices when leaving their homes, allowing the government to track if the user has been in touch with an infected person.
Not having the app installed could lead to a maximum fine of $55,000 or three years in prison.
But the announcement, days before the Eid al-Fitr holiday, led users to raise privacy concerns as the app requires access to files on the phone and permanent use of its GPS and Bluetooth for location tracking.
In response, a government spokesperson told Al Jazeera that user data would be safe and accessible only to health professionals.
The government has asserted that other agencies, such as law enforcement, cannot access personal data on the app, and any data collected would be deleted after two months.
“We confirm that all user data on Ehteraz app is completely confidential and is only accessible to relevant, specialised teams when necessary,” Qatar’s Director of the Public Health Department Dr Mohamed bin Hamad Al Thani said.
Amnesty International reported on Tuesday that they uncovered security vulnerabilities in the Ehteraz app, which have since been fixed after the rights group alerted the Qatari authorities.
The Ehteraz app’s user privacy and platform security are of the utmost importance. A comprehensive update of the app rolled out on Sunday 24 May with expanded security and privacy features for all users.
— وزارة الصحة العامة (@MOPHQatar) May 26, 2020
Despite these assurances, the World Health Organization (WHO) and several independent studies have called the use of apps into doubt, with the WHO saying there is “only anecdotal evidence” they are effective, adding they should not replace manual contact tracing.
MIT Technology Review’s Tate Ryan-Mosley, who has created a database of government-backed COVID-19 apps, told Al Jazeera the idea of contact tracing is old, but that digital tracing, which started to gain traction during the Ebola outbreak, has not proven to be effective yet.
“What we’re seeing now is a type of tech solutionism, meaning that these new technologies are seen as a panacea to all issues,” Ryan-Mosley told Al Jazeera.
Another reason privacy experts call such apps into question is because they say the technology used is simply not that effective.
“These and other technologies like Bluetooth can be combined for better accuracy, but there’s no guarantee that a given phone can be located with six-foot precision at a given time,” the Electronic Frontier Foundation (EFF), one of the world’s leading digital rights and privacy organisations, told Al Jazeera.
Even the creator of Bluetooth, the technology considered most useful for such apps, said recently that there are several downsides to using the technology, calling it “not accurate” enough.
However, the government of Qatar has told local media: “The application enables the competent authorities to track the areas where this person was present since downloading the application until the moment of infection and thus all people or a large percentage of the people who mix with them can be known as long they are using the same application.”
Eva Blum-Dumontet, senior researcher at privacy organisation Privacy International, questioned why Ehteraz needs a phone number and personal identification number to work, while others countries put out apps that do not need that type of personal information.
“Any app that requires a personal ID number, especially when it is stored in a centralised database, is at risk of outside people getting access to these databases,” Blum-Dumontet said, also referring to Singapore’s app, which uses a similar database system containing contact information.
“ID numbers are often almost like biometric data, and you can’t change them easily. So if it’s out there after a leak or a hack, for example, consequences are a lot bigger,” she added.
A better way to do this, the EFF and others say, is using so-called “decentralised anonymised systems”, which collect the least amount of personal information, that is then only stored on the device and not in a central database.
MIT’s Ryan-Mosley added that making any app mandatory might not actually work.
“There’s research done that if a government makes something compulsory, like an app, for instance, the likelihood of people putting their trust in it is less,” she said, adding: “If people don’t trust them, they are going to be looking for workarounds, not using these apps in good faith.”
However, Qatari officials maintain that there is no reason for the public to distrust the app.
“Ehteraz will never undermine the privacy of the users, and the stored information will not be kept beyond two months before being deleted forever,” Dr Mohammed bin Hamad Al Thani said.