World Cup apps pose a data security and privacy nightmare

With mandated spyware downloads to tens of thousands of surveillance cameras equipped with facial-recognition technology, the World Cup in Qatar next month is looking more like a data security and privacy nightmare than a celebration of the beautiful game. Football fans and others visiting Qatar must download two apps: Ehteraz …

  1. JimboSmith

    Yep a burner phone would be best when visiting certain countries. Years ago at a party in the Westminster area where you would expect to find the odd civil servant I was talking to a bloke for a while. I was talking to him because he was a bit more interesting than anyone else I'd met so far. He was working he said for the FCO and couldn't go into more detail about his role because of the Official Secrets Act. He did say his job just involved doing a lot of things you'd find in a non governmental office. I was trying to tease things out of him but he wasn't budging and he flatly denied being in the "Executive Branch". Anyway after a few more drinks I did get out of him a story about where someone had 'lost' their government issue BlackBerry. This was in an unnamed foreign country and had happened at the airport after landing. The strong suggestion was that the local security service had purloined the device. There had been another almost identical situation before and the FCO were now wise to this. If you flew into that country your BlackBerry was a new issue and therefore wouldn't have anything classified on it or I think be provisioned to access anything yet. There were also rules/guidelines for security in that country that were enhanced compared to the normal rules applied elsewhere.

    1. Yet Another Anonymous coward Silver badge

      A government official being careful with government issued phones on an official government visit is one thing.

      But having to follow John le Carré-esque 'Moscow Rules' on a holiday to watch a giant P.E. lesson seems a bit much.

    2. anothercynic Silver badge

      To be honest, that's exactly how I would feel about travelling to the Middle East for something like that...

      1. Yet Another Anonymous coward Silver badge

        But if you want to watch football you need to go to its traditional home in the Arabian desert - that's the price you pay for sport

        1. Joe W Silver badge

          Like reading Shakespeare in the original Klingon version?

          1. gryphon

            I've been reading Star Wars as written by Shakespeare recently.

            Somehow it just fits, especially for C3PO.

    3. Anonymous Coward

      Can't say how I know. But you're making this up

  2. Yet Another Anonymous coward Silver badge

    In other news

    Priti Patel / Suella Braverman / Cthulhu (whoever is home sec by the time this is published) backs UK bid for next world cup

  3. Eclectic Man Silver badge

    Nokia rules!

    My dad's phone is an old Nokia, and totally un-smart, no apps, no touch screen, not even colour. So I'm curious as to what the rules state for someone who does not carry a smartphone. (My dad is not going as he is in his 90s now and a bit unsteady on his feet, so all academic to him.)

    1. A Non e-mouse Silver badge

      Re: Nokia rules!

      The article says you need the apps to gain entry to the events.

      1. Rudy

        Re: Nokia rules!

        The article is wrong, at least as far as the Ehteraz app is concerned. The requirement to have that installed was removed last month (except if you are visiting a healthcare facility).

    2. doublelayer Silver badge

      Re: Nokia rules!

      It sounds like they would not let him into events without the apps to serve as tickets, but he would probably be freer when traveling around the country in general. However, IMEI and IMSI numbers could still be logged and shared, so freer doesn't mean invulnerable.

      1. John Brown (no body) Silver badge

        Re: Nokia rules!

        I suspect from the demand to install the COVID tracking app, that failure to do so will mean refusal of entry at the airport. Next plane out or buy a new smartphone in the airport and install both apps.

  4. Richard149

    App Stores

    Has anyone asked Google and Apple if these apps break any of their store policies?

    1. Paul Crawford Silver badge

      Re: App Stores

      I think you will find money trumps rights & decency most times for big corporations. After all, that is how they got that way...

      1. jmch Silver badge

        Re: App Stores

        "money trumps rights & decency most times for big corporations ..."

        Also for FIFA, which explains why Qatar were awarded this world cup, and Russia the previous one. And since money is the only language they understand, it will only change by large numbers of fans not attending, not watching games on TV, not buying merchandise, boycotting world cup sponsors.

        The last few years I've gradually lost interest in a game where players are disconnected from fans, insane money flows for seemingly no reason, and the level of football on offer is, excepting very rare moments, not so exciting.

        I used to watch world cups religiously, including at insane hours for the ones in US and Brazil. I won't miss this one

        1. Stork

          Re: App Stores

          Same here. Also helped by the sons playing basketball, there’s no bloody 120 minutes game and still no scoring.

          1. IGotOut Silver badge

            Re: App Stores

            Take it to the next level, Volleyball. If a point hasn't been scored in 60 seconds, you'll be watching one hell of a rally.

          2. Fred Daggy Silver badge
            Pint

            Re: App Stores

            Just wait until you watch Test Cricket (unless it's a greentop pitch)!

            Tension and interest doesn't come just from scoring. No sport is interesting when the scores are lopsided and unless there is a "personal interest story", there won't be. Conversely, it's easy to manufacture tension when the scores are close - even between the two worst teams in the competition.

            Icon, because SWMBO will never join me at the cricket and I get a chance to enjoy one or two in moderation. (Cell phones have put an end to any chance of peace and tranquility though)

            1. Stork

              Re: App Stores

              I have watched test cricket, wonderful. Sitting in the sun getting slowly alcohol used…

        2. Yet Another Anonymous coward Silver badge

          Re: App Stores

          Have FIFA said who is going to win? Or are they keeping it as a big reveal for the finale?

          1. that one in the corner Silver badge

            Re: App Stores

            Aren't they even going to wait for the viewers' phone-in votes* to be counted?

            Though I heard that it was actually all filmed weeks ago and the voting was a sham.

            * (calls will cost £2.50 plus your usual network charge)

    2. Henry Wertz 1 Gold badge

      Re: App Stores

      Google (unlike Apple) has a true smartphone, not a phone restricted to apps only via app store. So even if these violate Google Play rules, you'd then be expected to load it from a web link.

      1. IGotOut Silver badge

        Re: App Stores

        By "True" smartphone, you mean one where you can't uninstall preloaded apps / spyware. Aka Google?

        Bring back WinPhones

  5. VoiceOfTruth

    I would like to see the not-so-subtle racism in this article applied elsewhere

    Actually I would not, but fair is fair. Naughty Qatar. But the UK does just as badly

    -> Authoritarian regimes are keen to track who you meet in country, and who you know.

    As though there is one country in the world which does not.

    1. SCP

      Re: I would like to see the not-so-subtle racism in this article applied elsewhere

      I seem to recall there was quite a bit said when UK police tried (or did) use Covid tracking app information, so I am not sure that there is totally one-sided treatment of nations on this sort of topic. Indeed one of the regular topics on The Register is security and numerous states, companies, and general user "stupidity" have been called out.

      In this case Qatar is insisting on use of applications which have a security implication for users; it is a relevant news story, and if the same situation regarding apps had arisen with the World Cup being held in the US I am confident The Register would have covered it equally as well without fear or favour - it is not as though the TSA gets a free pass on this site.

    2. Stork

      Re: I would like to see the not-so-subtle racism in this article applied elsewhere

      Last I visited the UK I was not required to have anything installed on my phone. In fact, there was no requirement I brought a phone at all.

      1. Anonymous Coward

        Re: I would like to see the not-so-subtle racism in this article applied elsewhere

        There WILL be a requirement to bring a certain device (to UK or anywhere else), though I don't think I'll live long enough to see it happen.

      2. mikepren

        Re: I would like to see the not-so-subtle racism in this article applied elsewhere

        But but But your insta stories..

    3. that one in the corner Silver badge

      You keep using that word, I do not think it means what you think it does

      Racism?

      I just re-read the article and didn't spot a single reference to any characteristic of any individual at all. Did you perhaps misread "Qatar snoops" as "Qatari snoops"?

      No, wait, spotted it: you think that "regime" is an ethnicity and all the members of that group are being labelled as authoritarian!

    4. tekHedd

      No defense

      "As though there is one country in the world which does not."

      Yup, they're down to "but he did it too!" because they have no defense. Everyone from the execs to lowly sockpuppets will be repeating the same whaddabout-ism from now until it's over because...it's all they've got.

  6. DS999 Silver badge

    How is it going to get your contacts, location, etc.

    If you don't give the app permission to do so? That's been necessary on iPhone forever, and I thought Android had added similar stuff a few revs ago? Does the app refuse to operate if it can't grab your contact list? Seems to me they could rely on collecting that info only on those rocking obsolete Androids. Given how much a visit for the World Cup costs, I doubt any of them is carrying a phone that old!

    The claim that it will continue to spy on you forever is even more spurious. If you delete the app as your flight back home takes off, how is it going to do that - unless it has a built in 0 day persistent rootkit (i.e. the holy grail of exploits which is worth millions of dollars and used only for very targeted attacks to prevent its discovery that will render it worthless)

    While the built in persistent rootkit is theoretically possible, the PR and diplomatic blowback when that was inevitably discovered (perhaps before the World Cup was even over) would greatly outweigh whatever intelligence they were able to collect. Since those with actual secrets worth stealing would use a burner phone to run the app so all it could get is their whereabouts at a given time (and that assumes they don't "accidentally" swap burner phones with someone else who has a similar model just for the heck of it)

    1. doublelayer Silver badge

      Re: How is it going to get your contacts, location, etc.

      "Does the app refuse to operate if it can't grab your contact list?"

      That'd be an easy way to do it. Anyone who installs this in the first place is willing to accept dodgy software in return for getting into the events, so how many will cheerfully install and activate the app but balk when it demands access and won't work without it? They might not even know about that until they install it in preparation, having already paid for their Qatari lodging and whatever tickets you need to attend.

      You're correct about it continuing to spy on you, although I'll point out that you wouldn't need a full rootkit unless the user did a factory reset of their device and a lower-level exploit that doesn't change the system partition would withstand an app uninstall. I don't think they will use either, though. Still, they will be able to collect a significant amount of information while it's running, so even without a beachhead on the device, there's information about you which can be used to drive further attacks if they're motivated to do so. If I scrape your device's common storage and any data I can get by making the user accept permission requests, that's useful in targeting users later or selling to interested parties. I'm not really sure what Qatar would actually do with it, but it's not likely to be good.

      1. Wellyboot Silver badge

        Re: How is it going to get your contacts, location, etc.

        >>>not really sure what Qatar would actually do with it<<<

        When sharing data with other friendly intelligence agencies this data becomes far more valuable, if you regularly meet a number of people of a certain persuasion* in country A (all fine and dandy) then anyone you meet in country B (where that persuasion isn't) may well be added to the list of people to investigate especially if you're often out and about on your own away from the other fans between games.

        This is the point that many people don't get about data, one + one does indeed equal three, correlations can be made and inferences deduced by combining all the data on hand, you are not being tracked in isolation. All surrounding circumstances are also being recorded and computers are very good at trawling through a billion data points repeatedly and building representations. Multiplayer shooter games are a very good illustration, all the players' computers are tracking all the other players' game data and providing a rapidly updated view just from in-game location coordinates and a few other identifiers.

        *of any kind they don't like, merely being in some regions for a while will interest many agencies.

    2. Anonymous Coward

      Re: How is it going to get your contacts, location, etc.

      The Android National Trust app goes completely ga-ga if you try to block it from accessing location services. It's OK if you allow location services but then switch off GPS, but it should still be trying to use coarse location... but it was easier to just delete the app (it's a LARGE app) and use a browser.

      (I generally know roughly where I am and roughly where I'm going and only turn on GPS when necessary)

  7. Anonymous Coward

    I'm dying of surprise right now.

    The world's favorite sport is also its most corrupt. What about the combination of that and Qatar was going to produce anything else? Until there is house cleaning at FIFA and Bladder is back in the ground with a stake in his heart, we should expect this kind of thing. Same for the IOC. I'm surprised the football fans keep rolling over for this stuff, considering the ultras have overthrown bigger governments and have a penchant for taking out their frustrations by burning things.

    1. This post has been deleted by its author

    2. jmch Silver badge

      Re: I'm dying of surprise right now.

      Blatter has been out of FIFA for a while. What really shows the deep corruption there is that even after it was obvious that awarding the cup to Qatar was a hugely corrupt process, with police raids and prosecutions in US and Switzerland, the award was not rescinded.

      World cup is FIFA's cash cow that rakes in billions. FIFA officials distribute these to national associations, trading money for votes. And the majority of FIFA's 200+ members are in countries where corruption is rampant, so each local association distribution of money is also corrupt. There are only a handful of countries where the clubs / FA are so rich that they won't be influenced by FIFA's money. Given the inbuilt incentives, none of this is going to change any time soon

      1. wolfetone Silver badge

        Re: I'm dying of surprise right now.

        I think it's worth pointing out that Gianni Infantino (translates to Johnny Man Baby or something like that) who is the new head of FIFA, has a lovely apartment in Qatar which he has since moved into. Not on a temporary basis, permanently.

    3. Anonymous Coward

      Re: I'm dying of surprise right now.

      “Most corrupt.”

      I think the International Olympic Committee might disagree.

      But they’d be happy to come second if you bung them some cash…

  8. Anonymous Coward

    I think in most countries the port of entry police have the right to take anybody's phone and copy its contents. Certainly in the US that is true. Moreover, unless you have "international roaming", which is hugely expensive, if you want local internet connectivity you have to purchase some local SIM contract which usually requires installing some app which doesn't care at all about your privacy, quite the opposite.

    1. Sandtitz Silver badge

      "if you want local internet connectivity you have to purchase some local SIM contract which usually requires installing some app"

      Examples? Never heard of such app requirements tied to a SIM.

    2. UCAP Silver badge

      International roaming cost me precisely nothing when I went overseas last summer.

  9. Anonymous Coward

    Don't go barmy

    I wouldn't at all be surprised to find some people getting drunk and doing stupid things - urinating in public, mooning, slobbering on or hugging friends/strangers, getting in fights even with the Qatari police, and then beginning an expensive journey through the Qatari legal system that could last for years. I know that in some Arab countries raped women and minors have been jailed for corrupting morals. It's no joke.

    Going for business, staid historic archeological tourism, etc. ? - sure, if you're prepared to behave on their terms.

    But this is crazy and foolish.

    1. Anonymous Coward

      Re: Don't go barmy

      "I know that in some Arab countries raped women and minors have been jailed for corrupting morals"

      This is a consequence of an honour-shame society. If a woman or girl becomes pregnant due to rape, they have dishonoured their family by being party to extramarital sex and presenting clear evidence to society.

      Meanwhile, if the rapist is careful and the only witness is the rape victim, they aren't guilty of any dishonour.

  10. chivo243 Silver badge
    Trollface

    The Marx Solution

    "Additionally, some 15,000 cameras using facial recognition will monitor the event"

    Gimme a Groucho nose and mustache! Shave my beard for the trip... Wait, I hate football. I won't be going...

  11. g7rpo

    Just buy the cheapest smart phone you can get

    Put a sim in it, install the apps and turn it off until you land, upon leaving bin the phone and snap the sim, annoying but based on the cost of going out there to watch any matches it would be negligible

    1. JimBob01

      Re: Just buy the cheapest smart phone you can get

      Was thinking the same thing.

      The rules seem to say you have to have the apps, not that they have to be on every phone you possess. Given how many people seem happy to live with (at least) 2 phones, is having another just for FIFA and Qatar such a big deal?

    2. Richard Tobin

      Re: Just buy the cheapest smart phone you can get

      Presumably to install the app you need to have connected the phone to your Google or Apple account, so you'd better have disposable versions of them too.

  12. Dan 55 Silver badge

    There is also the COP27 app.

    The useless Google Play info says both that there is third party data collection and that no data is collected, and no mention of e.g. passport info is made.

  13. James O'Shea Silver badge

    If I were going

    Which I'm not, I'd take my recently replaced iPhone SE. I would:

    1. erase it completely and then install the latest OS version which would work on it, making certain to NOT turn on my AppleID. This means a nice fresh new set of non-data in Photos, Contacts, Music, etc. They can snoop to their heart's content, there ain't nothing there for them.

    2. insert a temp SIM. Lots of options available.

    3. as it's not worth anything as a trade-in, erase it again and just leave it in the airport on my way out.

    I might/might not take my new iPhone, the one which replaced the SE, powered off, at the bottom of my bag. It would also be erased, and the SIM would be removed and replaced with another temp SIM. If the authorities detected it, something which would make the level of surveillance quite clear, it would be erased again as soon as I got to the hotel, and the real SIM would not go near it. And as soon as I got home I'd report a hardware problem and have it replaced under the warranty. My actual data would never be exposed.

    But I wouldn't set foot in Qatar in the first place, so all this is moot.

  14. Anonymous Coward

    I’m down with the apps, the snooping and the cameras

    However, I can’t stand soccer, so I won’t be going….

  15. Anonymous Coward

    Sorry to trouble you, folks, but

    this is the future. You'd better get used to it. Each and every government, democracy or no democracy, needs to know everything about you, for your own good of course (safety and security, fast and efficient delivery of public services, eliminating insurance and financial fraud, reducing pollution, utilities consumption etc.).

    What a wonderful world!

    1. Gene Cash Silver badge

      Re: Sorry to trouble you, folks, but

      Rather amusing for an Anonymous Coward to be posting this...

    2. tekHedd

      #sarcasm

      See, back when El Reg was a UK publication, people would have recognized this as sarcasm. In these enlightened times, no one uses sarcasm any more, so many people fail to recognize it when it occurs.

  16. jlturriff

    Fans who don't use smart phones etc. need not try to attend?

    I guess that if I don't have a smart phone or tablet I won't be able to get into Qatar at all, then. (Granted, few fans will be likely to have that lifestyle, but still...)

    1. Anonymous Coward

      Re: Fans who don't use smart phones etc. need not try to attend?

      No smart phone or tablet?

      No problem sir.

      We will assign you a 24/7 “guide”. He will accompany you everywhere and observe your every action.

      Ask us about our generous payment plan.

      Enjoy.

  17. Potemkine! Silver badge

    I'm not interested in that so-called sport named 'Football' ("beautiful sport"? Pffff!). Enabling hosting such a competition in such a country is just a proof the rulers are rotten and corrupt.

    If NK was rich enough, the next WC would be there.

    == Bring us Dabbsy back! ==

  18. Anonymous Coward

    There is no need for Ehteraz or Vaccination documents

    Hi everyone,

    Just to give a heads up, there is no need to install either application starting November 1st as per https://www.qatarliving.com/forum/news/no-obligation-showing-ehteraz-qatar-november-1 and other local news sites/papers. I have some agreements with this article as a Government employee, a resident and national here as I am a cybersecurity novice who is very much concerned about my own privacy.

    However, I just want to inform everyone if your local airline does not permit you (this was communicated to most commercial airlines as well) then you can send the Ministry of Interior or Foreign affairs a tweet and they can handle it with the airline. I don't work in either, but they usually take these actions as fast as possible and help non-residents that are coming for the FWC. As I mentioned I have a lot of dislike for the application and some of the research done within this article is great work that I have done myself as well during the start of the pandemic where I was really critical of the application.

    Although I dislike the pandemic application Ehteraz, it had warned me when in many locations of infected people such as my university Campus/classroom which had an infected person which the university hid away and didn't tell the students as not to cause panic. The people who received the notification immediately took action to leave campus that day and most of the people who usually turned it off/forced the application to stop did not receive that notification had gotten COVID due to the fact the university kept quiet/refused to take action (which were fined heavily later by the Government). I do wish people to tell their families to be very careful COVID and other Viruses wise when visiting a World Cup, I haven't had COVID nor do I wish it on anyone and my co-worker had recently caught a different Virus which she didn't disclose as well as the privacy of mobile phones by having a burner phone to visit any country (I do it myself because I dislike how Google summarizes my trips even when I disable maps off).

    1. Anonymous Coward

      Re: There is no need for Ehteraz or Vaccination documents

      It's a very interesting post. But it's not a compliment, you know ;)

  19. Anonymous Coward

    don't import any settings or contacts, or log in to your social media accounts

    Does it mean that you wouldn't be ALLOWED to use local comms (roaming, mobile, data), UNLESS your handset has those two apps installed, in other words, the authorities (well, via telecom operators) would block any such 'unapproved' devices from operating? Otherwise, if this advice applies only to 'infected' handsets, it's damn obvious that's compromised completely, every aspect of it. I mean, if I wanted not to be tracked, I'd keep the infected phone off all the time, and ideally in some tinfoil box ;) and only turned it on to enter the stadium (or a go-go club, etc.), and use my 'real' phone for the usual activities. Not that I'd ever want to go to such a toxic country in the first place, for any reason.

  20. bigtimehustler

    If you have a Samsung phone, just install the apps into the secure folder instead of the main phone. It will only have access to what else is in your secure folder. Just make sure when anyone is going to check, you already have the app open and don't go searching into the secure folder in front of them.
