Tracking Apps Mandated by Qatari Government for World Cup Attendees Raise Privacy Concerns

The FIFA World Cup is set to begin in Qatar, and European data regulators are issuing a warning for those planning to attend: the tracking apps that the country is pushing on visitors are vacuuming up much more data than they appear to. Privacy concerns extend to Qatari authorities potentially accessing photos and videos, as well as logging the phone numbers that users call.

There are two tracking apps that visitors are being steered to: Hayya, which replaces the physical card version of the permit needed to enter the country for the event, and Ehteraz, a Covid-19 tracking app that will be required for visits to health care facilities. The data protection commissioner of Germany and France’s lead privacy regulator CNIL are both warning that these apps collect much more data from user phones than their privacy notices indicate.

Tracking apps not easily avoided, may be spying on users

The Hayya card is a special permit issued by Qatar for foreign attendees of the World Cup. A physical Hayya card was available by mail for some time, but the deadline has long since passed; FIFA fans are now being steered to the digital Hayya app instead. A physical card can still be picked up once in Qatar, but at this point those without one will need to use the app to enter the country at minimum.

The Hayya app has some other elements meant to woo visitors: it provides free rides on public transit in the country on game days, and stores a digital version of the ticket needed to enter the event venue. But the price appears to be giving Qatari authorities the ability to rifle through your phone. Germany’s data protection authority says that the app is collecting information on phone numbers that the user calls, as well as location information, and that its data is being transmitted back to a central server. The French authorities are warning that photos and videos may be accessed by either of the tracking apps, and that vulnerable groups may be actively monitored. CNIL also noted that the apps do not meet General Data Protection Regulation (GDPR) requirements.

The Ehteraz app also locks phones out of sleep mode, something that certain Covid-19 tracking apps have been known to do. It also requests more privacy-sensitive permissions than the Hayya app does: access to read, modify and delete all data on the phone, as well as the ability to override other apps and automatically connect to WiFi or Bluetooth. It also tracks precise location data.

German authorities suggest that visitors obtain a burner phone to install these apps on if they need to use them while visiting, while French authorities suggest that users only install them right before arriving and delete them as soon as they leave. Privacy concerns extend beyond the period of app installation, however, as copious identifying data could be extracted during that period for future use by Qatar or its intelligence partners.

Richard Bird, CSO at Traceable AI, believes that the only real winning move is for those that have privacy concerns to simply stay home and watch the game on TV: “With all the noise about the apps being promoted in Qatar for the World Cup, no one in cybersecurity should be feigning shock that these applications are rife with tracking and monitoring capabilities. Personal freedoms aren’t respected or treated the same way everywhere in the world and if you feel threatened or concerned about the Qatari stance on allowing these types of apps to be used, then frankly, don’t go to the World Cup. I’m not suggesting that what Qatar is doing is appropriate, I’m just saying we should stop suggesting that technology freedoms supersede situational awareness. The situation in Qatar is that privacy for citizens and visitors alike, are not a concern of the government or the state-sponsored corporations in that region.”

“For tourists traveling to Qatar, the answer to maintaining your privacy and security really boils down to one of two options. The first? Stay at home and watch the World Cup in your living room or local bar or pub. The second? As every CISO that operates across a global footprint knows, you take a burner phone to Qatar, or China, or Russia. If you balk at the idea of having to pay extra for security and privacy, then it is doubtful that security or privacy are really that important to you at a personal level. In many nations, privacy and security come at a premium cost. Expecting those nations to act differently simply because we expect technology rights and privileges to be respected is naïve,” added Bird.

Privacy concerns fueled by level of app access, Qatar government history

The tracking apps merely give the Qatari authorities the ability to do these things, with no “smoking gun” indication that they actually plan to do them. However, the privacy concerns are grounded in the government’s general history. Human Rights Watch and similar groups have accused the government of arbitrarily detaining LGBT people, in some cases unlawfully searching their phones or beating them while in custody. The country has a “morality police” force similar to the ones found in Iran and Saudi Arabia and has been known to force LGBT people to sign pledges agreeing to cease “immoral” behavior.

The country also has a checkered history with foreign laborers, particularly those brought in to set up the World Cup. Since winning the bid for the games in 2010, the country has imported tens of thousands of migrant workers to build stadiums, expansions to roads and public transit systems, and some 100 new hotels. At least 6,500 have died thus far, and 37 have died at World Cup stadium construction sites, with heatstroke from high temperatures and long shifts often implicated as the cause. Amnesty International has accused some of the construction companies of housing laborers in squalid conditions resembling homeless shelters, forcing employees to pay huge “recruitment fees” to be allowed to work, and confiscating passports to prevent them from leaving.

Google and Apple have not commented publicly on the tracking apps or the associated privacy concerns, though both apps are available through the official app stores of both companies.

Mark Lambert, Vice President of Products at ArmorCode, notes that this is another reminder that an app being present on an “official” app store is not an automatic guarantee of its safety: “Consumers expect that they are protected with ‘official apps’ but the app store providers are not able to keep up with the volume and pace of apps being published to their marketplaces.”

Joseph Carson, chief security scientist and Advisory CISO at Delinea, advises visitors to also be wary of rampant hacking attempts during this period: “During all major events, such as the upcoming World Cup in Qatar, we always see a major increase in cybercrime targeting unsuspecting fans and followers. Many fake, fraudulent websites, apps or emails that appear official will come loaded with an abundance of scams.”

“Today, many scams are so good that they are almost impossible to detect. During the World Cup, I would advise people to avoid clicking on suspicious emails or website links, downloading suspicious apps, use the latest web browsers, and do not enter credentials, passwords or credit card information into these websites,” advised Carson.

The World Cup is expected to bring about a million and a half visitors to Qatar, as it runs for nearly a month from November 20 to December 18.