Qatar. European authorities warn of spyware risk in World Cup apps

Politics - December 12, 2022

The human rights game was the first game lost. Indeed, the ongoing World Cup in Qatar has been at the centre of fierce international criticism long before it began a few days ago.

The 22nd edition of the World Cup, awarded about a decade ago in Doha, has seen in recent years an investment of hundreds of billions of dollars to build stadiums and other futuristic infrastructures suitable for hosting the sporting event of planetary scope. Billions of dollars and thousands of deaths at work, according to estimates from qualified sources such as Amnesty, The Guardian and Hrw.

More than 6,500 (more than 15,000 according to other statistics) migrant workers have lost their lives working in the Emirate’s construction sites between 2010 and 2021, in the face of the zero protection clauses for personnel employed in various capacities, required by FIFA in assigning the venue for the football kermesse. 

Heatstroke and extremely exploitative conditions were the causes of the deaths of foreign workers who, in a great many cases, were the protagonists of completely anonymous tragedies. They were victims of a system of exploitation and repression, often left without a name or a face because of the very tenuous ties they had in the Arab country. Here, we must remember that, among others, there is a ban on forming trade unions.

The accusations do not end there. International organisations have been pointing the finger for years at the repressive laws on freedom of the press and freedom of expression, the arrests and unfair trials for those who dared to criticise the Emir’s regime; freedom of association and demonstration are equally hindered; discrimination by law or practice against women and the criminalisation of homosexuals.

Conservatives condemn the Kafala system and Qatar’s support for the Muslim Brotherhood in Europe.

Qatar, in the current context of Russian aggression against Ukraine, plays an important role as an energy supplier for Europe. However, the ECR European Conservatives and Reformists condemned the Kafala system, an institute of Islamic law that regulates the contractual employment conditions of migrant workers in Qatar. In a statement ECR Group calls for ‘independent and credible investigations into the deaths and injuries that occurred during the construction of the World Cup infrastructure and for those responsible to be held accountable. “We call on the country to respect the human rights of all those living in or visiting the state, including freedom of religion. We also express reservations about Qatar’s lavish funding of the Muslim Brotherhood, particularly in Europe.”

To the list of accusations we have written about so far, we have added the alert of some European authorities responsible for guarding the right to privacy of EU citizens.

The warning about the risk of privacy violations in World Cup apps

In Germany, the apps ‘Ehteraz’ and ‘Hayya’ have come under the magnifying glass of the BFDI – Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit, the Federal Data Protection Authority. According to the German privacy watchdogs, these apps, which officially are supposed to help European and non-European citizens travelling to Qatar to manage health practices and enjoy the best experience, go much further than the descriptions of the data protection notices and processing purposes in the app stores indicate.

To get an idea, let us consider that one of these apps not only collects user data normally required for the smooth operation of the service, but also seems to capture data on phone calls made and numbers called. In this regard, the BFDI not only advised German users against installing the apps, but also alerted the Federal Office for Information Security and the Federal Office for Foreign Affairs to data protection problems associated with the use of the apps.

A similar warning from the Norwegian regulator, which warned its citizens heading to Qatar for the World Cup that any operation carried out with their mobile phone, should one of these apps be installed, could be subject to surveillance by the Emirate.

France also took to the field to sound the privacy alarm for fans. The French authority, the CNIL – Commission Nationale de l’Informatique et des Libertés – has warned of risks to personal data security, advising citizens heading to Qatar to install the apps only shortly before their trip and to uninstall them immediately for their return. The French fear is that photos and videos on fans’ mobile phones could also be at risk.

Politico.eu, which first covered the issue at European level, recalls France’s strong ties with Qatar, but publishes a position of the French government that is entirely in line with the CNIL. The newspaper quotes Minister Jean-Noël Barrot, who recalled that his country has a precise General Data Protection Regulation. This regulation stipulates that all applications must guarantee the fundamental rights of individuals and the protection of their data. “This is not the case in Qatar,” he concluded.

The spyware hypothesis, yet another tile on the World Cup in Doha. Europe’s problems with information security.

The issue of privacy risks in Qatar, raised by the European authorities, is, in a very peculiar way, in the wake of a long series of problems that the EU is facing in terms of security of the information of its citizens, as well as of its institutions. Problems that come from foreign state actors, but not only from those.

The European Parliament’s Commission of Inquiry called ‘PEGA’ was set up in March to investigate alleged violations or maladministration in the application of EU law in relation to the use of Pegasus and equivalent spyware surveillance software. This Commission made it clear that also within the EU the issue of the relationship between the use of spyware to ensure national security and the balance with the principles of the GDPR urgently needs to be addressed.

And the hypothesis is that spyware could also be mentioned in the case of Qatar. Spyware is ‘malicious’ software that can be used by hackers or more simply by malicious experts trained to use it to spy on users in order to gain access to personal information, banking data or online activities. One version of this type of computer programme is known as a keylogger and is able to read the keys typed on a keyboard and reconstruct what is being typed. Perhaps, while you think you are holding a conversation protected from encryption, as is supposed to happen on some popular instant messaging apps.

Malicious software developed with the highest technological standards is absolutely within the reach of all governments. There is both a ‘legal’ market for these tools and a black market, depending on the nature and particular needs of the actors interested in acquiring it.

Even an app can hide spyware or emulate some of its functions, a few lines of code disguised as utilities being enough to fool unsuspecting users. The Google and Apple stores are probably not exempt. It is a well-known fact that the app access portals of the Android and IOS worlds have already allowed millions of users to download dozens of apps containing adware with the function of spying and simultaneously displaying unwanted advertisements with links to malicious sites. For the security of personal data, there is still much work to be done in Europe and abroad.