Everyone going to Qatar for the World Cup next month will be required to download two apps: Ehteraz, a Covid tracking app, and Hayya, an official World Cup app for booking match tickets and accessing the free Metro.
According to a review by Øyvind Vasaasen, the head of security at Norwegian news outlet NRK, the apps collect a lot of data.
The more problematic app is Ehteraz. It asks for permission to read, delete or alter the content of a phone. It also requires location access, and it can make direct calls and disable your lock screen.
Additionally, it will require access to Bluetooth and WiFi and it can prevent your phone from powering off and override other apps.
Hayya is not as intrusive. Still, it has limitless access to data, requires location access, can view network connections, and can prevent your phone from switching to sleep mode.
Vasaasen said if he were going, he would not take his phone.
He added: “When you download these two apps, you accept the terms stated in the contract, and those terms are very generous. You essentially hand over all the information in your phone. You give the people who control the apps the ability to read and change things, and tweak it. They also get the opportunity to retrieve information from other apps if they have the capacity to do so, and we believe they do.”
The apps provide the government with the opportunity to spy, Vasaasen said, likening using the apps to giving authorities access to your entire house.
NRK asked cybersecurity company Mnemonic to review the apps.
“The consequences for individuals and groups if data from Ehteraz goes astray can be significant,” said Tor Erling Bjørstad of Mnemonic.
“At the same time, they process data, particularly linked to GPS and position, which has a high potential for abuse. In a way, you have to trust the people who develop or own the apps, and it is not a given that you particularly want to trust the authorities in Qatar,” he added.
University of Oslo’s Law Faculty research fellow Naomi Lintvedt reviewed the apps and concluded they are “very intrusive.”
“You cannot consent to parts of the use, just everything. If I understand the apps correctly, there will also be limited options to change permissions there. This means that if you want to go to the WC, you have no choice. This is a mandatory app, with no options,” she said.
She noted that if she were an employer, she would not allow employees to carry their work phones to Qatar.
Asked about her main concerns with the apps, she responded: “They go far too far in terms of what data is recorded and used. They get far too broad of access to change and take over functionality on your mobile phone, which appears to be completely unnecessary. It allows for government surveillance, and since it is Qatar, that has to be considered as well. This increases the risk that data will be used for purposes other than pure infection tracking.”
NRK has submitted its findings to FIFA, the organization that arranges the World Cup.