World Cup apps pose a data security and privacy nightmare • The Register


With mandated spyware downloads to tens of thousands of surveillance cameras equipped with facial-recognition technology, the World Cup in Qatar next month is looking more like a data security and privacy nightmare than a celebration of the beautiful game.

Football fans and others visiting Qatar must download two apps: Ehteraz, a Covid-19 tracker, and Hayya, which allows ticket holders entry into the stadiums and access to free metro and bus transportation services.

Qatar's Ehteraz contact tracking scheme came under scrutiny even before its World Cup use because it allows remote access to users' pictures and videos, and can make unprompted calls.

Additionally, Ehteraz requires background location services to always be on and it gives the app the ability to read and write to the file system.



"Ehteraz is able to install an encrypted file which claims to hold a unique ID, QR code, infection status, configuration parameters and proximity data of other devices using the app," Tom Lysemose Hansen, CTO and co-founder of app security firm Promon told The Register. "Essentially, it is clear that the app is taking data from the end user for more reasons than are expressed by the given consent button."

After reviewing the two apps, France's data protection agency CNIL suggested bringing a burner phone to keep your information safe from prying eyes — and ears. And Norway's head of security offered similar advice, telling the Norwegian Broadcasting Company:

"I would never bring my mobile phone on a visit to Qatar."

Additionally, some 15,000 cameras using facial recognition will monitor the event and attendees, ostensibly to keep footballers and fans safe. But considering the country's dismal human rights' record, it's probably not a bad idea to approach this surveillance with a healthy dose of skepticism.

When asked about security concerns related to the two apps, a spokesperson for Germany's data protection agency BfDI told The Register it is working with the the German Foreign Ministry and the German Federal Office for Information Security to investigate Etheraz and Hayya.

Additionally, the UK Information Commissioner's Office is "aware of media reports on this matter and we will consider the potential impact on the privacy rights of UK citizens," a spokesperson told The Register, referring travelers to the agency's data rights page. "If anyone is concerned about how their data has been handled, they can make a complaint to the ICO."

The spokesperson declined to comment on the use of burner phones.

Papa John's sued for 'wiretap' spying on website mouse clicks, keystrokes
TikTok accused of covert plot to track specific US citizens' every move
Booting up: Footballers kick off GDPR case for 'misuse' of their performance data
Is it any surprise that 'permacrisis' is the word of the year?
The bottom line, according to Hansen, is that by downloading these apps, which are required to visit Qatar and attend the World Cup, users are forced to "hand over all sensitive IP on a silver platter upon arrival."

"After accepting the terms of these apps, moderators will have complete control of users' devices," he continued. "All personal content, the ability to edit it, share it, extract it as well as data from other apps on your device is in their hands. Moderators will even have the power to unlock users' devices remotely."

And what will state snoops do with this unfettered access? Authoritarian regimes are keen to track who you meet in country, and who you know.

"With this in mind, they'll most likely be using these apps to scrape all your contacts, check your call and SMS history, track your location through GPS and device radio interfaces (bluetooth and wifi) and probably pillage your social media contacts," Hansen said, noting this also puts friends and acquaintances at risk.

Plus, once you accept the terms and conditions, the apps can continue spying on you and your contacts even after you leave Qatar. The only real solution is to get a burner phone, Hansen added, echoing government officials' warning.

Even with a new SIM, don't import any settings or contacts, or log in to your social media accounts, he said. Otherwise, expect to be tracked by Qatar, and possibly other countries' snoops. "The phone's unique IMEI number and SIM's identifier will be tracked by mobile networks in that country and probably shared with other autocratic regimes which means they can continue to track you, in those countries, even after you uninstall the app."

We've asked the app makers and the government for their views. No word yet. ®