Official FIFA World Cup Apps Raise Privacy Concerns

Posted on Dec 5, 2022 by Kristi Hansen

As the 2022 Football World Cup kicks into high gear, privacy experts have raised the alarm over the two apps required to attend the World Cup festivities — the official World Cup app Hayya and Covid-tracking app Ehteraz. 

Ehteraz is a Covid-19 tracking app, while Hayya is the official World Cup app used to grant access to stadiums and the free Metro in Qatar.

After analyzing the apps’ access permissions, French data protection authority CNIL found the apps place fans’ privacy and data security at risk.

According to CNIL, the apps’ permissions provide the Qatari authorities with the ability to read and edit content, and even make direct calls from visiting football fans’ phones. 

The General Prognosis Isn’t Good

Other European regulators and privacy experts have echoed these concerns. After all, Qatar’s heavy-handed digital monitoring is no secret.

“It’s not my job to give travel advice, but personally, I would never bring my mobile phone on a visit to Qatar,” Øyvind Vasaasen, head of security at the Norwegian Broadcasting Corporation (NRK), wrote.

“They go far too far in terms of what data is recorded and used,” says Naomi Lintvedt, research fellow at the Faculty of Law at the University of Oslo, who has also reviewed the apps. “They get far too broad of access to change and take over functionality on your mobile phone, which appears to be completely unnecessary.” 

Downloading the two apps on your device gives Qatari officials the ability to:

  • Get your exact location, as well as the location of any phones near you.
  • Extract your personal data from the device, as well as information from other apps on your device.
  • Make phone calls.
  • Unlock your screen.
  • Prevent your device from going into sleep mode.
  • View your network connections.
  • Retrieve anything on your phone.
  • Change the entire contents of your phone.
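To check which of these capabilities an Android app actually requests, you can list the permissions declared in its decoded AndroidManifest.xml. The following is an added example, not code from CNIL or the app vendors; the manifest and package name are constructed, and the grouping of permissions under this article's capability list is an assumption.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."

# Assumed grouping of standard Android permissions under the capabilities
# listed above; it does not state what Hayya or Ehteraz actually declare.
CAPABILITIES = {
    "exact location, nearby devices": {"ACCESS_FINE_LOCATION", "BLUETOOTH_SCAN"},
    "personal data, other apps": {"READ_CONTACTS", "READ_CALL_LOG", "READ_SMS",
                                  "QUERY_ALL_PACKAGES"},
    "make phone calls": {"CALL_PHONE"},
    "unlock screen": {"DISABLE_KEYGUARD"},
    "prevent sleep": {"WAKE_LOCK"},
    "view network connections": {"ACCESS_NETWORK_STATE", "ACCESS_WIFI_STATE"},
    "read or change stored files": {"READ_EXTERNAL_STORAGE",
                                    "WRITE_EXTERNAL_STORAGE"},
}

# Constructed manifest for a hypothetical app, not taken from a real APK.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.eventpass">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.DISABLE_KEYGUARD"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission-sdk-23 android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
</manifest>"""

def declared_permissions(manifest_xml):
    """Return every permission name the manifest requests."""
    root = ET.fromstring(manifest_xml)
    requests = root.findall("uses-permission") + root.findall("uses-permission-sdk-23")
    return {el.get(ANDROID_NS + "name") for el in requests} - {None}

def audit(manifest_xml):
    """Map each capability to the platform permissions that enable it."""
    platform = {p[len(PREFIX):] for p in declared_permissions(manifest_xml)
                if p.startswith(PREFIX)}
    return {cap: sorted(wanted & platform)
            for cap, wanted in CAPABILITIES.items() if wanted & platform}

if __name__ == "__main__":
    for cap, perms in audit(SAMPLE_MANIFEST).items():
        print(f"{cap}: {', '.join(perms)}")
```

A declared permission shows what an app is able to ask the operating system for, not what it does with the access once granted.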

“Essentially, it is clear that the app is taking data from the end user for more reasons than are expressed by the given consent button,” Tom Lysemose Hansen, CTO and co-founder of app security firm Promon, told The Register.

Hansen adds, “… they’ll most likely be using these apps to scrape all your contacts, check your call and SMS history, track your location through GPS and device radio interfaces (bluetooth and wifi) and probably pillage your social media contacts.” 

Protect Yourself from Qatari Surveillance

The CNIL made some suggestions to help fans protect themselves from the Qatar World Cup apps’ snooping. These include using a blank burner phone for the duration of the visit, and deleting the apps as soon as you return home. 

“Special care should be taken with photos, videos, or digital works that could place you in difficulty with respect to the legislation of the country visited,” the CNIL spokesperson added.

Apart from online surveillance, some 15,000 cameras are monitoring the crowds using facial recognition. While the organizers say the cameras are to keep footballers and fans safe, Qatar’s dismal privacy and human rights record suggests this surveillance may have other objectives as well.

Football fans in Qatar face other online threats as well. A recent report by cybersecurity firm Digital Shadows claims cybercriminals are also sure to try to cash in on the Qatar World Cup. Tactics may include using malicious domains impersonating official World Cup websites and apps to phish for data. That’s why it’s best to always check the URL you’re opening to see if it looks right.

Stay Safe at the 2022 World Cup 

It remains unclear what the Qatar authorities plan to do with all the permissions their apps ask for. All requests for official comment have so far gone ignored. 

The bottom line? If you’re in Qatar for the World Cup, you need to take measures to protect yourself from spying and other online risks.

The only way to limit this invasion of privacy if you’re attending the 2022 FIFA World Cup is to use a burner phone, never offer more information than absolutely necessary, opt out of data collection whenever possible, and practice good cyber hygiene overall.

You can use Private Internet Access to encrypt your traffic and hide your IP, but it will not help against apps that have been given such broad permissions. 


Is there a 2022 World Cup app?

The two apps you need to attend the World Cup festivities in Qatar are the official World Cup app Hayya and Covid-tracking app Ehteraz. Be warned, however, as both were flagged by privacy experts as possible spyware for the local authorities.

Are the 2022 FIFA World Cup apps unsafe?

Not if you trust the Qatari authorities with the keys to your digital life. Both apps have raised concerns among privacy experts due to the extensive permissions they require, including tracking your location, making calls on your behalf, and deleting photos and videos. 

It’s not clear how the local authorities plan to use all the permissions fans give them when downloading the apps. But if you’re in Qatar for the World Cup, you need to try to reduce your exposure and protect yourself from spying and other online risks.

Sidestep state surveillance with PIA VPN. While we can’t protect you from in-app tracking, we’ll encrypt your traffic so it’s unreadable even if it falls into the wrong hands. Get PIA VPN and stay safe online.

Can You Avoid In-app Tracking on Your Smartphone?

No. Once you’ve signed in, it’s impossible to stop smartphone apps from collecting your data.

You can, however, limit what they get by:
1. Using a throwaway email and a “burner phone” not linked to any other accounts.
2. Never offering more information than absolutely necessary.
3. Opting out of data collection in the privacy and security settings.
4. Checking the app’s Privacy Policy to get an idea of who they might be working with.

Finally, use Private Internet Access. While a VPN can’t prevent apps from tracking you once you log into their service, it does encrypt your traffic between apps and on other services. This goes a long way to shield you from tracking and surveillance.

Does PIA Protect You From Data Collection?

No, not from in-app data collection, but a VPN like PIA does shield all the other data leaving your device. This renders your data useless to hackers and trackers and keeps you safe on public Wi-Fi.

If you’re in Qatar for the FIFA World Cup, it’s a good idea to always connect to PIA VPN before you use public Wi-Fi, as the local authorities could be eavesdropping on your connection. 

Our automatic Wi-Fi protection feature switches on the second you enter a free Wi-Fi zone, so you don’t have to do a thing. 

Try PIA risk-free with our 30-day money-back guarantee, and if our VPN doesn’t make your World Cup that much safer, get a full refund.