ICO fails to protect World Cup fans

Last week, several news outlets reported that Qatar’s World Cup apps pose serious privacy and security risks. Visitors to Qatar are required to download two apps: Ehteraz, a COVID-19 tracking application, and Hayya, which allows fans entry into the football stadiums and access to transportation services.

In particular, Ehteraz can read and write to a phone’s file system, allow remote access to users’ pictures and videos, and requires location services to be turned on.

Qatari authorities can use this unchecked access to visitors’ phones to track their every movement and phone and social media contacts as well as call history, even after people leave the country.

In an interview with The Register, data security expert Tom Hansen explained that:

“After accepting the terms of these apps, moderators will have complete control of users’ devices. . . All personal content, the ability to edit it, share it, extract it as well as data from other apps on your device is in their hands. Moderators will even have the power to unlock users’ devices remotely.”

Data authorities across Germany, France, and Norway were quick to voice grave concern and warned European football fans to use a burner phone and avoid downloading the invasive apps if possible.

The UK’s ICO (Information Commissioner’s Office), however, has not released official guidance and told reporters that its office is “aware of the reports” and considering “the potential impact.”

In a World Cup marred by scandals around FIFA’s corruption and the abhorrent human rights record of the host country, the risk of harm posed by invasive surveillance apps is severe. UK football fans traveling to the World Cup are entering a country where homosexuality is illegal and where Qatari women must obtain permission from male guardians to exercise basic rights like traveling or marrying a partner. Fans cannot count on FIFA to support them as the organisation has done little to push back against the demands of Qatari authorities. Most recently, several European countries dropped plans to wear “OneLove” armbands in support of diversity and inclusion due to FIFA pressure.

Especially when contrasted with the swift action of other European data protection authorities, the ICO’s failure to provide guidance to UK football fans about Qatar’s World Cup apps is a blatant lapse of its duty. UK fans traveling to Qatar, particularly those who are part of the LGBTQ community or other vulnerable groups, would do well to heed the advice of other data authorities and experts, an overview of which can be found here.