
Qatar World Cup apps prompt digital privacy warnings from regulators

European regulators have voiced serious concerns over the permissions required by apps Ehteraz and Hayya

Two apps described as 'mandatory' for attending the Qatar World Cup have been the subject of privacy complaints by multiple European data regulators, amidst claims they collect sensitive data outside of their remit.

‘Ehteraz’ and ‘Hayya’ are both apps released by Qatar’s Ministry of Interior and its Supreme Committee for Delivery & Legacy, respectively. The former is listed on Google Play as a contact tracing app for the tournament, while the latter is listed as a portal through which to book tickets, manage accommodation, and enter stadiums, but experts have argued that the permissions required by both apps go far beyond these basic functions.

In a statement, Germany’s BfDI (The Federal Commissioner for Data Protection and Freedom of Information) urged football fans looking to download the app only to do so if “absolutely necessary”.

The regulator also suggested that users should put the apps on a spare phone that contains no other personal data or contact information, and wipe the phone's storage and operating system after use.

It alleged that the permissions and data processing of both apps go beyond what is described on their app store listings, that one of the apps tracks the number of phone calls made, and that data used by the apps is “transmitted to a central server” in addition to remaining on the device.

Datatilsynet, Norway's data protection authority, likewise stated that it does not know “what these apps actually do,” but that Ehteraz is required for seeking any medical treatment whilst in Qatar.

It recommended not giving the Hayya app permission to use device location and urged all businesses planning to send employees to the Qatar World Cup to carry out proper risk assessments.

“We are alarmed by the extensive access the apps require. There is a real possibility that visitors to Qatar, and especially vulnerable groups, will be monitored by the Qatari authorities.”

Google Play notes that Hayya’s security practices do not include data encryption, and the developer has neglected to provide a way for users to delete their data. The official FIFA guidance on Hayya explains that a Hayya card is “required to access the stadium on match day”.

The UK government's travel advice for Qatar states that visitors will not be required to register with Ehteraz prior to arrival, but that Hayya is a mandatory ID required not only for entering stadiums during the event, but also for entering Qatar in general.

“We are aware of media reports on this matter and we will consider the potential impact on the privacy rights of UK citizens,” an ICO spokesperson told IT Pro.

“If anyone is concerned about how their data has been handled, they can make a complaint to the ICO. We’d also always advise travellers who may be heading to Qatar to refer to our Your Data Matters page to ensure they are aware of their data rights.”

The ICO declined to comment on the suggestion of using spare phones for app use.

Apps released for the promotion of, or to interface directly with, sports events have a history of security concerns. At the start of 2022, a ‘devastating flaw’ was discovered in China’s Beijing Olympics app that allowed threat actors to circumvent encryption intended to protect users’ files and voice recordings. 

The MY2022 app, the use of which was mandatory for both international and domestic visitors to the games, was also found to transmit some metadata without any SSL encryption and lacked transparency over the extent to which it shared user medical data with third-party organisations. 

In response, the Federal Bureau of Investigation (FBI) urged athletes to use temporary phones throughout the Beijing Winter Olympics, and advised participants and spectators not to download apps required to attend the event for fear of personal data theft, tracking, or malware.
