WC apps pose a data security and privacy nightmare • The Register
With spyware downloads imposed on tens of thousands of surveillance cameras equipped with facial recognition technology, next month’s World Cup in Qatar looks more like a data security and privacy nightmare than a celebration of the beautiful game.
Football fans and others visiting Qatar must download two apps: Ehteraz, a Covid-19 tracker, and Hayya, which gives ticket holders access to the stadiums and access to free metro and bus transport services.
Qatar’s Ehteraz contact tracing scheme was under scrutiny even before its World Cup use because it allows remote access to users’ photos and videos, and can make unsolicited calls.
In addition, Ehteraz requires background location services to always be on, giving the app the ability to read and write to the file system.
“Ehteraz is capable of installing an encrypted file that claims to have a unique ID, QR code, infection status, configuration parameters and proximity data for other devices using the app,” Tom Lysemose Hansen, CTO and co-founder of app security firm Promon told The register. “Essentially, it is clear that the app is taking data from the end user for more reasons than what is expressed by the given consent button.”
After reviewing the two apps, France’s data protection agency CNIL suggested bringing a burner phone to keep your information safe from prying eyes — and ears. And Norway’s security chief gave similar advice, saying to NRK:
“I would never bring my cell phone on a visit to Qatar.”
In addition, around 15,000 cameras using facial recognition will monitor the event and participants, ostensibly to keep footballers and fans safe. But given the country’s dismal human rights record, it’s probably not a bad idea to approach this surveillance with a healthy dose of skepticism.
When asked about security issues related to the two apps, a spokesperson for the German data protection agency BfDI told The register it is working with the German Foreign Ministry and the German Federal Office for Information Security to investigate Etheraz and Hayya.
In addition, the UK Information Commissioner’s Office is “aware of media reports about this case and we will consider the potential impact on the privacy rights of UK citizens,” a spokesperson said The register, and refers travelers to the agency’s page for data rights. “If anyone is concerned about how their data has been handled, they can make a complaint to the ICO.”
The spokesman declined to comment on the use of burner phones.
The bottom line, according to Hansen, is that by downloading these apps, which are required to visit Qatar and attend the World Cup, users are forced to “hand over all sensitive IP on a silver platter upon arrival.”
“After accepting the terms of these apps, moderators will have full control over users’ devices,” he continued. “All personal content, the ability to edit it, share it, extract it as well as data from other apps on your device is in their hands. Moderators will even have the power to remotely unlock users’ devices.”
And what will government snoops do with this unrestrained access? Authoritarian regimes are keen to track who you meet in the country and who you know.
“With this in mind, they will most likely use these apps to scrape all your contacts, check your call and SMS history, track your location through GPS and device radio interface (bluetooth and wifi) and probably raid your social media contacts,” said Hansen, noting that this also puts friends and acquaintances at risk.
Additionally, once you agree to the terms and conditions, the apps can continue to spy on you and your contacts even after you leave Qatar. The only real solution is to get a burner phone, Hansen added, repeating the authorities’ warning.
Even with a new SIM card, don’t import any settings or contacts, or log into your social media accounts, he said. Otherwise, expect to be tracked by Qatar, and possibly other countries’ snobbery. “Your phone’s unique IMEI number and SIM identifier will be tracked by mobile networks in that country and likely shared with other autocratic regimes, meaning they can continue to track you, in those countries, even after you uninstall the app.”
We have asked the app makers and the authorities for their views. No words yet. ®