FIFA World Cup apps have privacy experts on edge


Joy for football fans, a nightmare for their data security. The FIFA World Cup in Qatar starts in less than a week, and privacy experts are calling out the event organizers for planning to snoop on the participants’ devices.

Qatar is already losing the PR battle prior to World Cup. It has to do with the country’s anti-LGBTQ policies, the deaths of thousands of migrants who built venues for the tournament, and, of course, the suspicious circumstances under which Qatar was chosen to host the event.

There’s more to come. Privacy and data security experts are raising the alarm over two official apps required to attend the World Cup festivities.

ADVERTISEMENT

The first one, Ehteraz, is a COVID-19 tracking system, while Hayya is an app that allows – or not – fans entrance to stadiums, schedule viewing, and free public transportation.

Bruce Schneier, American computer security professional, Harvard Kennedy School lecturer and board member of the nonprofit Electronic Frontier Foundation, recently wrote that “everyone visiting Qatar for the World Cup needs to install spyware on their phone.”

How come? Well, Ehteraz, which is used in Qatar already, asks users to allow remote access to pictures and videos, make unprompted calls, and read or modify device data.

Meanwhile, Hayya's permissions include full network access and unrestricted access to personal data. It also prevents the device from going into sleep mode and views the phone’s network connections. Both track users’ locations.

“It’s not my job to give travel advice, but personally, I would never bring my mobile phone on a visit to Qatar,” Øyvind Vasaasen, the head of security at the Norwegian Broadcasting Corporation (NRK), said.

“When you download these two apps, you accept the terms stated in the contract, and those terms are very generous. You essentially hand over all the information in your phone. You give the people who control the apps the ability to read and change things, and tweak it. They also get the opportunity to retrieve information from other apps if they have the capacity to do so, and we believe they do.”

Even though it’s not actually clear how mandatory these apps will be for attendees. But France’s influential data protection authority CNIL advised football fans traveling to Qatar to bring blank smartphones – or old devices that had been reset.

ADVERTISEMENT

Alternatively, CNIL recommends to install the Qatari apps only just before the departure and delete them as soon as fans return from the country. Using a strong password is also strongly advised. Finally, it’s always possible to use burner phones.

Supporters of the national teams, who will arrive in Qatar, will also be monitored extensively by CCTV cameras armed with facial recognition technology. Fifteen thousand cameras are installed across eight stadiums where matches will be held.

Digital Shadows, a cybersecurity company, recently published a report by its Photon Research Team. It said that cyber threat actors were highly interested in Qatar World Cup – for example, they impersonate official World Cup websites and mobile apps using malicious domains.