Experts Cite Privacy Risks From Two Qatari Apps Required for FIFA World Cup Visitors
Cybersecurity professional Bruce Schneier: “Everyone visiting Qatar for the World Cup needs to install spyware on their phone.”
Security heads of a Norwegian government-owned media company have sounded an alert about a couple of apps that people visiting Qatar to attend the upcoming FIFA World Cup will be obligated to download on their phones.
Øyvind Vasaasen, the head of security at Norsk Rikskringkasting AS (NRK) or the Norwegian Broadcasting Corporation, discovered that people visiting Qatar to attend the FIFA World Cup, which would kick off in November instead of May, would be required to download and install two apps on their devices: Ehteraz and Hayya.
Ehteraz is a Covid-19 tracking app required for everyone over 18 years of age. Hayya enables visitors to keep track of the footballing event’s schedule and access Qatar’s metro transit system for free. “It’s not my job to give travel advice, but personally, I would never bring my mobile phone on a visit to Qatar,” Vasaasen said.
“When you download these two apps, you accept the terms stated in the contract, and those terms are very generous. You essentially hand over all the information in your phone. You give the people who control the apps the ability to read and change things, and tweak it. They also get the opportunity to retrieve information from other apps if they have the capacity to do so, and we believe they do.”
Vasaasen’s strong opinions are based on the access permissions (listed below) associated with the two apps. Both apps are available on the Apple App Store and Google Play Store.
|
Permissions |
Apps |
|
|---|---|---|
| Hayya | ||
| Read or modify (delete/change) all content on the device | Y |
N |
|
Share unrestricted personal information |
N | Y |
| Access to connect to WiFi | Y |
N |
|
Access to connect to Bluetooth |
Y | N |
| Full network access | N |
Y |
|
Override other apps |
Y | N |
| Prevent the device to enter sleep mode or from switching off | Y |
Y |
|
Overview of the exact device location |
Y | Y |
| Make direct calls from the phone | Y |
N |
|
Disable the phone screen lock |
Y | N |
|
GPS access |
Y | Y |
| Force device reboot | Y |
N |
| Control vibration | Y |
Y |
See More: Meta Lists 400 Credential-Stealing Mobile Apps That Compromised 1M Facebook Users
He’s joined by Bruce Schneier, American computer security professional, Harvard Kennedy School lecturer and board member of the nonprofit Electronic Frontier Foundation. “Everyone visiting Qatar for the World Cup needs to install spyware on their phone,” Schneier wrote.
It is unclear whether downloading Ehteraz and Hayya is mandatory or not. However, just the basic app permissions were enough for Tor Erling Bjørstad of managed detection and response provider Mnemonic, Martin Gravåk of IT services and consulting company Bouvet, and Naomi Lintvedt, a research fellow at the Faculty of Law at the University of Oslo, to express deep concern. Lintvedt told NRK:
“You cannot consent to parts of the use, just everything. If I understand the apps correctly, there will also be limited options to change permissions there. This means that if you want to go to the WC, you have no choice. This is a mandatory app with no options.”
Qatar has previously earned scrutiny for its human rights track record, including the preparation for this event. The middle-eastern country, located in the Arabian Peninsula, also has strict regulations (though some have been relaxed for the FIFA World Cup), failure to abide by which can earn violators up to three months of jail time and a $2,750 (QAR 10,000) fine.
Qatari authorities expect modest clothing that covers shoulders and knees, no public smoking or drinking (fair enough), adherence to stringent LGBT policies and unmarried heterosexual couples, etc.
“They can cross-link the information and find out who you are meeting and talking to. If you’re hunting the opposition, gays, or others you don’t like, an app like this will make it much easier for you,” Gravåk told NRK.
Bjørstad also mentioned the apps aren’t all that alarming but added, “They process data, particularly linked to GPS and position, which has a high potential for abuse. In a way, you have to trust the people who develop or own the apps, and it is not a given that you particularly want to trust the authorities in Qatar.”
“I know people who visited Saudi Arabia when that country had a similarly sketchy app requirement. Some of them just didn’t bother downloading the apps, and were never asked about it at the border,” Schneier added.
Let us know if you enjoyed reading this news on LinkedIn, Twitter, or Facebook. We would love to hear from you!
Image source: Shutterstock
MORE ON PRIVACY
