Security experts and regulators are warning World Cup participants not to download Qatar’s World Cup apps for visitors over serious privacy concerns.
The latest warning comes from Germany’s federal data protection agency, which said in a statement that the two apps they want visitors to download go much further than the app’s privacy notices indicate.
Of the two apps – Ehteraz and Hayya – one collects data about phone calls, while the other prevents the device on which it is installed from going to sleep. The data collected by the apps does not remain locally on the device, but is also sent to a central server.
The Norwegian Data Protection Agency went further, describing the Ehteraz app as an “infection tracking app” that can retrieve personal information from users’ phones. The agency notes that it doesn’t know what these apps actually do or what users’ personal information is used for.
German and Norwegian authorities recommend participants not to download the apps or bring a second burner phone to install the apps on if asked by Qatari authorities to install the apps upon arrival in the country.
Security experts agree with the advice, and Darren Guccione, chief executive officer and co-founder of cybersecurity software company Keeper Security Inc., told SiliconANGLE, “You wouldn’t give a stranger the keys to your house, but phone apps can unknowingly collect detailed, personally identifiable information about those who use them.”
“It’s of particular concern when a state collects unauthorized information through an app or, worse, remotely accesses a device,” Guccione said. “Users should exercise extreme caution when downloading an app and use a secondary phone instead of their primary phone when traveling.”
Joseph Carson, chief security scientist and consulting chief information security officer at privileged access management solutions provider Delinea Inc., noted that cybercrime targeting unsuspecting fans and supporters at events like the World Cup is on the rise.
“Many fake, deceptive websites, apps, or emails that appear official are loaded with a plethora of scams,” Carson explained. “These scams can result in victims’ login credentials, passwords, and credit card information being stolen and their computer or smartphone infected with malicious software or even ransomware. These can trick the unknowing victim into spreading malware to family and friends, losing confidential data, or having significant financial repercussions.”