Mandatory App, Opaque Policies: The Policy Void that Threatens the Privacy of Qatar World Cup Attendees [REPORT]

For the 2022 FIFA World Cup in Qatar, a plethora of technologies are being deployed, including smart city tech, drones, facial recognition, and a mandatory digital registration system known as Hayya (“let’s go” in Arabic). To access the tournament, spectators are required to obtain a Hayya card using the mandatory Hayya application. The Hayya system was launched by the organizers of this year’s tournament, the Supreme Committee for Delivery and Legacy (SC). It provides fans with an entry permit into Qatar, entry into stadiums, fan events and amenities such as free transport and a free SIM card with Qatari operator Ooredoo. Fans cannot access any of the stadiums without signing up for a Hayya card. This kind of surge in technology use, especially technology that cannot be opted out of, raises questions as to how spectators’ rights related to privacy and data will be protected.

This research report is part of Red Card on Digital Rights, a campaign launched by SMEX and Ranking Digital Rights (RDR) to raise awareness about digital rights during this year’s World Cup, which takes place from November 20 to December 18.

We used the RDR methodology to assess the policies and practices of the Hayya App and Portal to help those attending and the wider public better understand how user information is handled and protected in the system. The methodology benchmarks companies in the Information and Communication Technology (ICT) sector using a group of indicators that set high but achievable standards for corporate transparency and policies that align with internationally recognized human rights standards.

Our analysis explores remedies for privacy-related grievances, access to and notification of changes to privacy policies, user information collection, sharing, inference, and retention, targeted advertising and tracking, handling of government surveillance, and security. In all areas, Hayya’s policies had shortcomings and lacked transparency, which can pose risks to fans’ rights to privacy.

Our findings 

We found that the mechanism provided to users to address their privacy concerns is deficient, as it does not seem to cover the full range of possible privacy harms (such as targeted advertising and profiling harms) that may emanate from Hayya’s practices and policies.

The SC lacks transparency about its collection, inference, sharing, and retention of Hayya users’ information, falling short of RDR standards. It is transparent about which user information it collects and how, but does not list all the types of user information it infers and shares, nor its purposes for doing so. Its policy of user information retention is opaque and it is unclear for how long information of Hayya App and Portal users is retained. Finally, users lack control over their information and are only able to access their information in some cases. 

The SC provides only limited information about its targeted advertising and tracking practices, despite clearly engaging in them. It permits advertisers to engage in the problematic practice of targeting specific individuals by using their email addresses. Targeted advertising is only off by default “where required by law,” and it is not clear if the committee respects user-generated signals not to be tracked.

The SC’s process for responding to government demands for user information of its Hayya App and Portal users is unclear, offering only vague statements that it may disclose information to comply with legal obligations inside and outside Qatar. 

Spectators attending the World Cup are in the dark about what measures and policies the SC has in place to protect their information on the Hayya App and Portal. The committee does not disclose whether or not it monitors and limits employee access to user information or if it conducts security audits. It is not transparent about its policy for handling data breaches, nor does it disclose tools (such as advanced authentication methods) for users to secure their information.

Our recommendations

    • Strengthen remedy and grievance mechanisms. The SC should provide Hayya users with robust grievance and remedy mechanisms that cover the full range of possible harms that may affect spectators while using the portal or the application.
    • Clarify handling of user information. The SC should specify the user information it infers and shares, and its purposes for collection, inference, and sharing. It should limit collection of user information to what is directly relevant and necessary to accomplish the purpose of its service and use user information only for the purposes for which it was collected or inferred. It should also specify for how long it retains user information and commit to deleting all user information after users terminate their accounts.
    • Put users in control of their information. The SC should provide users with clear options to control collection and inference of their information and delete all the types of information collected or inferred about them. Hayya users should also be able to access and obtain all the user information the SC has collected or inferred about them. Finally, the SC should prohibit advertisers from targeting specific individuals using their email addresses or any other specific identifiers. It should clarify that targeted advertising is off by default in all cases, not just “where required by law,” and respect user-generated signals not to be tracked.
    • Be transparent about handling government surveillance demands. The SC should clarify how it responds to government demands, domestic and foreign, for user information. It should also disclose data about the number of these demands it receives, including compliance rates and the number of fans affected by them.
    • Put in place strong security policies. The SC should disclose and implement robust policies and measures to protect the information of Hayya users. These should include mechanisms to limit and monitor employee access to user information, conducting internal and third-party security audits, and a clear policy for notifying the authorities and affected users of data breaches when they occur.

Check out our report for more detailed information about our methodology and findings. You can also follow our campaign on social media and on our website using the hashtag #RedCardonDigitalRights.

Hayya Card Report