top of page

Euro authorities warn World Cup fans over Qatari applications

European privacy experts have warned fans travelling to the FIFA World Cup in Qatar that their personal data could be at risk through the download of two mobile applications known as the official World Cup app “Hayya” and the Covid-tracking app “Ehteraz”.

Sources are reporting that both applications will be required by fans either entering the stadiums or if medical attention is required whilst in the country.

Since Qatar was announced as host for the competition there has been substantial controversy surrounding the tournament, which kicked off on Sunday, November 20.

The factors of note include human rights issues, the environmental impact of hosting the tournament, alleged corruption within FIFA, a supposedly weak Qatari soccer culture and strict laws against same-sex relationships.

Now, experts have warned that applications developed for the event, Hayaa and Ehteraz, are a form of spyware which pose privacy and security concerns as they could provide the Qatari authorities access to user’s data as well as the power to read, delete or change content and make direct calls.

Additionally, Neil Jones, director of cybersecurity evangelism at Egnyte, argued that the data collected by the applications could also be a treasure trove for would-be cyber-criminals.

“If you plan to travel to the event, I will strongly recommend the purchase of a burner phone, if the privacy-limiting capabilities cannot be disabled,” Jones remarked.

Other European regulators also have misgivings about the Qatari applications. The German foreign ministry, the federal office for information security and the commissioner for data protection and freedom of information are analysing both applications, a spokesperson for the commissioner told POLITICO.

The two applications of note will be required by fans to access the stadiums (Hayaa) and if visiting healthcare facilities (Ehteraz) so they may be partly unavoidable.

Consequently, the general advice is to use either a device that has been factory reset, or a new phone, both of which can be disposed of or reset on leaving the country.

It is also strongly advised to only allow the absolute minimum permissions on all applications, such as location settings and disabling permissions to make calls on behalf of the user in applications.



Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).



The contents of blog posts on this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of East Midlands Cyber Resilience Centre (EMCRC) is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. EMCRC provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us by email.


EMCRC does not accept any responsibility for any loss which may arise from reliance on information or materials published on this blog. EMCRC is not responsible for the content of external internet sites that link to this site or which are linked from it.

bottom of page