World Cup apps from the Qatari government collect more personal information than they need to, according to Germany’s data protection agency, which this week warned football fans to only install the two apps “if it is absolutely necessary.” Also: consider using a burner phone.
The two apps are Ehteraz, a Covid-19 tracker from the Qatari Ministry of Public Health, and Hayya from the government’s Supreme Committee for Delivery & Legacy overseeing the Cup locally, which allows ticket holders entry into the stadiums and access to free metro and bus transportation services.
Norway’s data protection agency, meanwhile, this week said it was “alarmed by the extensive access the apps require” and warned that Qatari authorities likely use the apps to monitor users’ location, in addition to snooping through personal data.
And France’s Junior Minister for Digital Jean-Noël Barrot tweeted a similar warning, pointing travelers to the CNIL’s checklist on how to protect mobile devices while traveling:
In France, thanks to the GDPR, all applications must guarantee individuals’ fundamental rights and the protection of their data. This is not the case in Qatar. #Qatar2022 fans: follow the vigilance recommendations from the @CNIL. https://t.co/NmhJMjrgvU
— Jean-Noël Barrot (@jnbarrot) November 15, 2022
According to Germany’s BfDI, “the data processing of both apps probably goes much further than the descriptions of the data protection notices and processing purposes in the app stores indicate.”
The government’s warning, posted this week, says one of the apps collects data on users’ phone calls.
“The other app actively prevents the device on which it is installed from going into sleep mode,” the alert continues. “It is also obvious that the data used by the apps not only remain locally on the device, but are also transmitted to a central server.”
The German authorities advise travelers to only install the apps if “absolutely necessary,” and suggest using a separate device, such as a burner phone, for the two apps. “After using the apps, the operating system and all content on the phone used should be completely deleted.”
Security researchers and government cybersecurity authorities have sounded the alarm on both apps, which essentially give Qatari authorities control of users’ devices, exposing personal images, files, and contact lists, and even allowing moderators to remotely access phones.
Qatar’s Ehteraz contact tracking scheme came under scrutiny even before its World Cup use because it allows remote access to users’ pictures and videos, and can make unprompted calls.
Additionally, Ehteraz requires background location services to always be on and it gives the app the ability to read and write to the file system.
It’s unclear if Ehteraz is still required to enter Qatar.
According to Norway’s data protection agency, Ehteraz is no longer mandatory upon entering Qatar — but travelers who need to visit a healthcare facility in the country will be required to download the app. “The Norwegian embassy in Abu Dhabi (United Arab Emirates), which is side-accredited to Qatar, has informed us that mandatory pre-registration in this app was lifted at the beginning of November 2022,” according to the agency’s notice.
Local media reports also say the government lifted the Ehteraz requirements on commercial activities — such as attending football matches in massive stadiums — via a tweet.
The Qatar government website, however, doesn’t post any official guidance on the apps, and government officials did not immediately respond to The Register’s inquiries.
The Register also reached out to both apps’ developers and has not received any responses.
According to FIFA, Hayya is mandatory. “The Hayya card is essentially a visa and is required to enter the country,” a spokesperson told The Register.