Germany says no to Qatari World Cup Spyware, er, apps • The Register

Qatari government World Cup apps collect more personal information than necessary, according to Germany’s data protection authority, which warned football fans this week not to install the two apps unless absolutely necessary. Also: consider using a burner phone.

The two apps are Ehteraz, a Covid-19 tracker from the Qatar Ministry of Health, and Hayya from the government’s Supreme Committee for Delivery & Legacy, which monitors the Cup on-site, allowing ticket holders entry to the stadiums and access to free subway and Bus enables transportation services.

Norway’s data protection regulator, meanwhile, said this week it was “concerned about the extensive access the apps require” and warned that Qatari authorities are likely using the apps to monitor users’ location, in addition to sniffing through personal data.

And France’s Junior Minister for Digital Jean-Noël Barrot tweeted a similar warning directing travelers to the CNIL’s checklist for protecting mobile devices when travelling:

In France, thanks to the RGPD, toutes les applications doivent garantir les droits fondamentaux des persons et la protection de leurs données. Ce n’est pas le cas au Qatar. supporter #Qatar2022 : Suivez les recommendations de vigilance de la @CNIL.

— Jean-Noël Barrot (@jnbarrot) November 15, 2022

According to the BfDI, “the data processing of both apps probably goes far beyond the descriptions of the data protection notices and processing purposes in the app stores.”

The government warning, released this week, says one of the apps is collecting data on users’ phone calls.

“The other app is actively preventing the device it’s installed on from going to sleep,” the warning said. “Of course, it is also obvious that the data used by the apps not only remain locally on the device, but are also transferred to a central server.”

German authorities are advising travelers to only install the apps if it’s “absolutely necessary” and suggest using a separate device such as a burner phone for the two apps. “After using the apps, the operating system and all content on the phone used should be completely wiped.”

Security researchers and state cybersecurity agencies have sounded the alarm over both apps, which essentially give Qatari authorities control over users’ devices, exposing personal pictures, files and contact lists, and even allowing moderators remote access to phones.

Qatar’s Ehteraz contact-tracing system was under scrutiny even before its use at the World Cup, as it allows remote access to users’ pictures and videos and the ability to make unsolicited calls.

Additionally, Ehteraz requires location services to always be on in the background and gives the app the ability to read and write to the file system.

It is unclear whether Ehteraz has yet to enter Qatar.

Ehteraz is no longer mandatory when entering Qatar, according to Norway’s data protection authority – but travelers who need to visit a health facility in the country will need to download the app. “The Embassy of Norway in Abu Dhabi (United Arab Emirates), which is accredited alongside Qatar, informed us that the mandatory pre-registration in this app was lifted at the beginning of November 2022,” the agency’s statement reads.

Local media reports also say the government has lifted Ehteraz requirements for commercial activities – like attending football matches in giant stadiums – via a tweet.

However, the Qatar government website does not publish any official notices about the apps, and government officials have not immediately responded The registry‘s requests.

The registry has also reached out to the developers of both apps and has not received any replies.

According to FIFA, Hayya is mandatory. “The Hayaa card is essentially a visa and is required to enter the country,” a spokesman said The registry ®.