Article | May 14, 2020

COVID-19 tracing apps must not interfere with human rights

Speaking over rousing music in a slick promotional video, Yossi Abadi struck a would-be inspirational tone: “It is in times of crisis and difficulty that friendships are measured.” Abadi is the CEO of Tenlot Group, the multinational company which operates the Guatemalan lottery. In conjunction with Guatemala’s president, Alejandro Giammattei, he was announcing the launch of Alerta Guate, a new app designed to help the Central American country combat coronavirus.

Alerta Guate was developed by an American company and funded by Tenlot. Now, Abadi’s company – part of a conglomerate based in London and Tel Aviv – was “donating” the app to the Guatemalan government. Making the rounds of local television stations, Abadi valued the contribution at $10 million. But new research by Global Witness suggests that Tenlot’s donation may not have been as charitable as it seems.

THE CORONAVIRUS ARMS RACE

Governments and citizens around the world are desperate for safe ways to ease the lockdown conditions that COVID-19 has required. Technology firms have developed apps and other software that offer potential solutions through contact tracing, symptom tracking and even quarantine management. But, without proper safeguards in place, some of these apps may pave the way for authoritarian governments to violate civil rights and harm marginalised populations. 

This isn’t a new phenomenon – before the COVID-19 crisis the world watched these risks play out in the mass surveillance app used by police in Xinjiang in China to monitor and control millions of Uighurs and other Muslim groups. But this particular moment in time gives governments a seemingly legitimate reason to collect information that they could then seek to use beyond the current crisis to monitor and repress communities.

Alerta Guate is a new COVID-19 app that illustrates the risks. Launched on 24 March, the app was billed as an emergency alerts service, providing users with critical information from the government. While it fulfils that brief, analysis by Global Witness of the Android version of the app shows that it also sends the user’s exact location back to its developer, In-telligent LLC, at regular intervals, even when it’s closed.

In-telligent’s privacy policy loosely defines how data may be shared with third parties, such as when the company “reasonably believe[s] it is necessary to protect ... [the] safety of In-telligent, our users or others.” It also suggests that In-telligent plans to use the data gathered through its apps to facilitate targeted advertising, effectively using the COVID-19 crisis as an opportunity for marketing. Tenlot has already used the app to advertise its scratchcards. Critics suggest that there is a real risk that personal data such as location may be shared with the government.

In response to Global Witness’ request for comment, In-telligent’s CEO Allan Sutherland said that the company does not share the data from the app with the Guatemalan government or Tenlot and that the information it collects is “proprietary to In-telligent and kept ... strictly confidential.” Abadi also denies that his company or the Guatemalan government has access to any data collected through the app.

Alerta Guate was removed from both the iOS and the Android app stores in mid-April, apparently after bloggers in Guatemala and overseas picked up on some of the app’s potential privacy issues, but versions of the app already installed on users’ phones likely continue to function. Less than a week after its launch, Guatemalan TV reported that Alerta Guate had been downloaded more than 100,000 times. 

MISSION CREEP?

As tech firms scramble to produce software that will help governments to relax lockdown measures, human rights groups and privacy campaigners have flagged the risk of mission creep. Endorsements from President Giammattei suggest that Alerta Guate could have a broader set of applications in future, beyond helping to fight the current pandemic. The president has said explicitly that he hopes the app will evolve to cover “security issues” but hasn’t elaborated further.

Guatemalan President-elect Giammattei visits Tenlot’s offices in Tel Aviv, December 2019

President-elect Giammattei visits Tenlot’s offices in Tel Aviv, December 2019. Yossi Abadi/Facebook

Tenlot, which funded the app, appears to have a close relationship with Giammattei, who was pictured (above) visiting the company’s offices in Israel as president-elect in December last year. The app’s permissive privacy policy – which allows its developer to retain personal information for a decade – also raises red flags about what the data it collects could be used for in future. Over the past two months there have been three versions of In-telligent’s privacy policy, raising concerns that the policy might change regularly in future. Responding to the launch of Alerta Guate, Guatemala’s human rights ombudsman urged the government to restrict the app’s use to the current crisis period, describing it as “extremely risky for the health of democracy and civil liberties”.

That the app and the personal data it collects could be put to different uses beyond the crisis is of particular concern in Guatemala. In 2018, the Nuestro Diaro newspaper published evidence that suggested that the Guatemalan government under Giammattei’s predecessors had waged a large-scale cyber-surveillance operation against “businessmen, politicians, journalists, diplomats and social leaders”. The campaign was allegedly conducted using technology including NSO Group’s Pegasus hacking software, its acquisition facilitated by a former arms dealer and veteran of the Israeli special forces.

In a country where levels of government impunity are high and attacks against human rights defenders are on the rise, there is a heightened risk that surveillance infrastructure can be used in ways that violate human rights. According to Global Witness data from 2018, 16 environmental activists were killed in the country that year, making it one of the most dangerous places on earth for land and environmental defenders.

Giammattei was elected in 2019 and took office in January. He takes a highly militaristic approach to governing and promised to bring back the death penalty throughout his presidential campaign. He was previously charged with extrajudicial killings while running the country’s prisons; the charge was later dropped due to lack of evidence but local civil society organisations remain concerned.

THE COMPANIES BEHIND ALERTA GUATE

Alerta Guate was developed by In-telligent LLC, a software firm registered in Chicago. It makes off-the-shelf emergency alert software which has been customised for use in a number of other countries around the world. Responding to questions posed by Global Witness, In-telligent’s CEO said that it had started working with Tenlot in March 2019 and intended to produce alert apps for a number of Tenlot’s “government customers”, of which Alerta Guate is the first. In-telligent also stated that the location data will only be used to target advertising.
Alerta Guate screenshot

Screenshot of Alerta Guate, 29 April 2020

Ad banners for Tenlot’s scratch cards were clearly visible on the Android version of the app Global Witness analysed, raising questions about Tenlot’s motives for bankrolling the project. According to In-telligent’s privacy policy, data may be shared with third-party advertisers, raising the possibility that Tenlot may receive information about the app’s users. In his response to Global Witness, In-telligent CEO Allan Sutherland strongly denied that any data is shared with them.

Tenlot’s connections to two cyber-surveillance and defence firms, Cytrox and Inpedio, raise further concerns about its potential access to personal data. Tenlot’s sister company, Elenilto Group, is a global investment corporation. They are both owned by the Israeli billionaire Jacob Engel, and Tenlot CEO Yossi Abadi serves on Elenilto’s global management team. In 2017 Elenilto took a stake in Cytrox and Inpedio via its Atooro Fund. Cytrox and Inpedio sell cyber-intelligence services to governments. Elenilto still retains a stake in Inpedio, but has since sold its equity in Cytrox.

The COVID-19 outbreak is a new commercial opportunity for cyber-surveillance companies. A recent Reuters report highlights the risk that pandemic response technology can serve as a means for such firms to win contracts for more controversial forms of government surveillance. This is illustrated by the example of Intellexa, an alliance of spyware firms which includes Cytrox, and now markets “pandemic solutions” for governments. Intellexa’s CEO has expressed the desire to “upgrade” governments to his company’s espionage and security technology in future. Tenlot’s proximity to cyber-intelligence firms raises similar questions about how government connections acquired through the provision of pandemic response technology might be used to sell other forms of surveillance.

Tenlot did not respond to requests to comment from Global Witness. In-telligent’s CEO strongly denied that the company shares information with the Guatemalan government and said that Tenlot was “making a very generous donation to the people of Guatemala” by paying for the development and maintenance of Alerta Guate.

Given the potential for governments to misuse technical infrastructure rolled out for fighting pandemics, a much higher level of scrutiny should be applied to the firms developing these applications, particularly where these companies are connected – directly or indirectly – to the business of providing intelligence to governments in normal times. Any data collected needs to be kept to the minimum needed, and there should be limits on how long the data can be used to help counter the risk of mission creep.

HOW WE INVESTIGATED THE APP

Global Witness downloaded the Android version of the Alerta Guate app and installed it on an emulator – a virtual Android phone running on a laptop, with its location set to a section of a main road in Guatemala City. Information being sent in and out of the phone via the internet could then be monitored using forensic cyber-security software.

When started for the first time, the app asked the user’s permission to access their location. Once this was granted, it would regularly send this location back to a server controlled by the app’s developers, even when the app was closed or the phone was rebooted. Analysis of network traffic showed that in the course of an hour the virtual phone sent out its exact location five times.

Each time the phone’s location was sent, the response from the server showed that it was linked directly to a user account in a centralised database. For Global Witness’s test user, this only included an email address, but fields for the user’s name, age, gender, postal code and language were also present.