Qatar World Cup apps prompt digital privacy warnings from regulators
European regulators have voiced serious concerns over the permissions required by apps Ehteraz and Hayya


Two apps described as 'mandatory' for attending the Qatar World Cup have been the subject of privacy complaints by multiple European data regulators, amidst claims they collect sensitive data outside of their remit.
‘Ehteraz’ and ‘Hayya’ are both apps released by Qatar’s Ministry of Interior and its Supreme Committee for Delivery & Legacy, respectively. The former is listed on Google Play as a contact tracing app for the tournament, while the latter is listed as a portal through which to book tickets, manage accommodation, and enter stadiums, but experts have argued that the permissions required by both apps go far beyond these basic functions.
In a statement, Germany’s BfDI (The Federal Commissioner for Data Protection and Freedom of Information) urged football fans looking to download the app only to do so if “absolutely necessary”.
The regulator also suggested that users should put the apps on a spare phone that contains no other personal data or contact information, and wipe the phone's storage and operating system after use.
It alleged that the permissions and data processing of both apps go beyond that described on their app store listings, that one of the apps tracks the number of phone calls made, and that data used by the apps is “transmitted to a central server” in addition to remaining on the device.
Datatilsynet, Norway's data protection authority, likewise stated that it does not know “what these apps actually do,” but that Ehteraz is required for seeking any medical treatment whilst in Qatar.
It recommended not giving the Hayya app permission to use device location and urged all businesses planning to send employees to the Qatar World Cup to carry out proper risk assessments.
“We are alarmed by the extensive access the apps require. There is a real possibility that visitors to Qatar, and especially vulnerable groups, will be monitored by the Qatari authorities.”
Google Play notes that Hayya’s security practices do not include data encryption, and the developer has neglected to provide a way for users to delete their data. The official FIFA guidance on Hayya explains that a Hayya card is “required to access the stadium on match day”.
The UK government's travel advice for Qatar states that visitors will not be required to register with Ehteraz prior to arrival, but that Hayya is a mandatory ID required not only for entering stadiums during the event, but also for entering Qatar in general.
“We are aware of media reports on this matter and we will consider the potential impact on the privacy rights of UK citizens,” an ICO spokesperson told IT Pro.
“If anyone is concerned about how their data has been handled, they can make a complaint to the ICO. We’d also always advise travellers who may be heading to Qatar to refer to our Your Data Matters page to ensure they are aware of their data rights.”
The ICO declined to comment on the suggestion of using spare phones for app use.
Apps released for the promotion of, or to interface directly with, sports events have a history of security concerns. At the start of 2022, a ‘devastating flaw’ was discovered in China’s Beijing Olympics app that allowed threat actors to circumvent encryption intended to protect users’ files and voice recordings.
The MY2022 app, the use of which was mandatory for both international and domestic visitors to the games, was also found to transmit some metadata without any SSL encryption and lacked transparency over the extent to which it shared user medical data with third-party organisations.
In response, the Federal Bureau of Investigation (FBI) urged athletes to use temporary phones throughout the Beijing Winter Olympics, and advised participants and spectators not to download apps required to attend the event for fear of personal data theft, tracking, or malware.

Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.
In his free time, Rory enjoys photography, video editing, and good science fiction. After graduating from the University of Kent with a BA in English and American Literature, Rory undertook an MA in Eighteenth-Century Studies at King’s College London. He joined ITPro in 2022 as a graduate, following four years in student journalism. You can contact Rory at rory.bathgate@futurenet.com or on LinkedIn.