– It's not my job to give travel advice, but personally I would never bring my mobile phone on a visit to Qatar.
That's what NRK's head of security Øyvind Vasaasen says after a thorough review of the apps.
Everyone travelling to Qatar during the football World Cup will be asked to download two apps called Ehteraz and Hayya.
Briefly, Ehteraz is an covid-19 tracking app, while Hayya is an official World Cup app used to keep track of match tickets and to access the free Metro in Qatar.
In particular, the covid-19 app Ehteraz asks for access to several rights on your mobile., like access to read, delete or change all content on the phone, as well as access to connect to WiFi and Bluetooth, override other apps and prevent the phone from switching off to sleep mode.
The Ehteraz app, which everyone over 18 coming to Qatar must download, also gets a number of other accesses such as an overview of your exact location, the ability to make direct calls via your phone and the ability to disable your screen lock.
The Hayya app does not ask for as much, but also has a number of critical aspects. Among other things, the app asks for access to share your personal information with almost no restrictions. In addition, the Hayya app provides access to determine the phone's exact location, prevent the device from going into sleep mode, and view the phone's network connections.
– They can simply change the contents of your entire phone and have full control over the information that is there, is the conclusion of NRK's security manager.
It has come to NRK’s attention that since Vasaasens comments were based on the privacy statement of the app, this fact was not sufficiently emphasized. The head of security made statements on the legal framework of the app, not its technical capacities.
As part of the media house's preparations for the Qatar WC, he has reviewed these apps.
Vasaasen is downright frightened by what NRK's security review has uncovered.
– When you download these two apps, you accept the terms stated in the contract, and those terms are very generous. You essentially hand over all the information in your phone. You give the people who control the apps the ability to read and change things, and tweak it. They also get the opportunity to retrieve information from other apps if they have the capacity to do so, and we believe they do.
– You're giving them the opportunity
The security chief explains that it is essentially like the authorities getting full access to your house.
– You're saying that it is perfectly fine for the authorities to enter your home. They get a key, and they can get in. You don't know what they're doing there. They say they might not make use of the chance, but you're giving them the opportunity. And you would never do that, Vasaasen points out.
NRK has asked Bouvet and Mnemonic, two independent IT security companies, to review the apps and give us their conclusions.
– Can do quite a lot of bad things
The Ehteraz app in particular receives criticism, and it is compared to the first Smittestopp (Stop Infection) app in Norway.
– It was, after all, a privacy scandal. If someone has slightly more evil intentions than the Institute of Public Health, then you can do quite a lot of bad things with the information that the app collects in the first place, says Martin Gravåk at the Bouvet company.
– He explains that the app tracks where you go, and the mobile phones that are near you. In this way, they can cross-link the information and find out who you are meeting and talking to.
– If you're hunting the opposition, gays, or others you don't like, an app like this will make it much easier for you," Gravåk states.
The Mnemonic company also compares the Ehteraz app with the first version of Smittestopp.
– The consequences for individuals and groups if data from Ehteraz goes astray can be significant," says Tor Erling Bjørstad of Mnemonic to NRK.
He has downloaded the apps and analysed what is in the application packages, and does not think the apps are hair-raising compared to "normal apps" that most people use.
– At the same time, they process data, particularly linked to GPS and position, which has a high potential for abuse. In a way, you have to trust the people who develop or own the apps, and it is not a given that you particularly want to trust the authorities in Qatar.
However, his technical analysis found no signs that they can actually change things that are stored locally on the mobile device, but nevertheless warns that the reason may be that it has not yet been implemented.
NRK has submitted the findings about the apps' security holes to FIFA. They tell us that they do not wish to comment on the matter.
– Increases the risk
Naomi Lintvedt, research fellow at the Faculty of Law at the University of Oslo, has reviewed the apps at the request of NRK.
She agrees with NRK's head of security that there is much that is problematic, and describes the apps as «very intrusive».
– You cannot consent to parts of the use, just everything. If I understand the apps correctly, there will also be limited options to change permissions there. This means that if you want to go to the WC, you have no choice. This is a mandatory app, with no options," she points out.
Lintvedt says bluntly that if she were an employer, she would not allow employees to take their work mobile phone to Qatar.
Even as a private person, she would have been very sceptical about using her own phone in the World Cup host country.
– What is the main criticism against these apps, as you see it?
– They go far too far in terms of what data is recorded and used. They get far too broad of access to change and take over functionality on your mobile phone, which appears to be completely unnecessary. It allows for government surveillance, and since it is Qatar, that has to be considered as well. This increases the risk that data will be used for purposes other than pure infection tracking, she believes.