Going to the World Cup? Leave Your Phone At Home
The World Cup is starting next week — in two days, the opening ceremony will happen — and it seems that protecting the privacy rights of the 1.5 million expected attendees is not a priority for the organizers. I am 🇧🇷 Brazilian and a football enthusiast, and in today’s newsletter, we will discuss some World Cup-related privacy issues.
World Cup attendees will be required to download two apps: Ehteraz, a COVID-19 tracking system, and Hayya, which will allow entrance to stadium grounds, schedule viewing, and free public transportation. Let us take a look at some of the permissions required by these apps:
Ehteraz
Image 1 — Screenshot from the Ehteraz app — Google Play Store
Image 2 — Screenshot from the Ehteraz app — Google Play Store
According to Tom Lysemose Hansen, CTO and co-founder of app security firm Promon: “Ehteraz is able to install an encrypted file which claims to hold a unique ID, QR code, infection status, configuration parameters and proximity data of other devices using the app.”
Interestingly, the data provided by the developers to Google Play Store (screenshot below — image 3 — you can access it here) is very different from the permissions screen I pictured above (image 2):
Image 3 — Screenshot from the Ehteraz app — Google Play Store
Now let us look at the Hayya app, also mandatory for those attending the World Cup this year:
Hayya
Image 4 — Screenshot from Hayya app — Google Play Store
And below is the list of required permissions from this app:
Image 5 — Screenshot from Hayya app — Google Play Store
I am not being naive here — apps such as Instagram or TikTok also request multiple permissions, and we can question if they are necessary or legitimate. My point in this article is that these two apps are mandatory in case you are attending the World Cup, and it is not clear who will have access to this data and how this data will be shared, processed, and used, both nationally and internationally.
As a consequence, privacy and security experts recommend that, if you are attending the World Cup, you should get a burner phone & be careful with the type of photos you are taking so that they are according to Qatar’s morality laws. The French Data Protection Agency (CNIL) told Politico: “Ideally, travel with a blank smartphone… or an old phone that has been reset.”
“It’s not my job to give travel advice, but personally, I would never bring my mobile phone on a visit to Qatar,” said NRK’s head of security Øyvind Vasaasen after a thorough review of the apps.
According to Politico, EU data protection chiefs have advised: “Qatar’s World Cup apps pose a massive privacy risk, so don’t download them.”
As these apps are mandatory to attend the festivities, the CNIL offered a few tips for those traveling to the World Cup:
- install the apps just before departure and delete them when you return;
- limit connection to services requiring authentication to the minimum possible;
- keep your phone with you all the time;
- have a strong password;
- limit system authorizations to those strictly necessary.
Currently, 1.5 million people are expected to attend the World Cup in person, so most people will watch the games remotely.
However, perhaps we are setting a dangerous precedent here: to join World Cup festivities, attendees from all over the world will have to share high amounts of personal data under a different protective framework than they receive in their home countries. There is no choice, it is a default obligation to everyone attending.
As experts foresaw, the higher level of surveillance measures that started during the pandemic (mainly contract tracing and pandemic-related apps) are finding their way to remain as a rule and not as an exception.
To attend the World Cup, you, as a foreigner, will not only have to download a data-aggressive COVID-related app but also an additional app focused on the logistics of the event. Is this what data protection in a post-pandemic world looks like?
I am interested in seeing how these data protection issues will unfold in the next weeks, months, and global events — and what the reaction from the privacy & data protection community will be.
Therefore, starting this Sunday, we will have the World Cup and also a parallel privacy spectacle worth watching.
-
✅ Before you go:
- Did you enjoy this article? Share it with your network so they can subscribe to The Privacy Whisperer.
- For more privacy-related content, check out The Privacy Whisperer Podcast and my Twitter, LinkedIn & YouTube accounts.
- At Implement Privacy, I offer specialized privacy courses to help you advance your career. I invite you to check them out and get in touch if you have any questions.
See you next week. All the best, Luiza Jarovsky
