Qatar’s dirty plays call for more accountability on mass surveillance

At the close of last year, people from around the world traveled to Qatar to enjoy a soccer game and cheer on their home team at the 2022 FIFA World Cup. SMEX and RDR teamed up to cover this event from a different perspective: to monitor the country’s evolving surveillance practices and lack of internet freedom during these games. This included requirements for visitors to download apps with poor privacy settings, pushing for undue censorship from the country’s internet providers, along with the use of CCTV cameras equipped with facial recognition technology. In this final part of our three-part series, we’ll be looking back at some lessons learned during the course of the games.

First, as discussed in part one, it’s vital to review digital security practices any time you’re traveling to a mega event, including a sporting one. This is particularly true for journalists covering it. It’s a good time to make sure all devices are updated and accounts secured, with strong passwords and an activated two-factor authentication.

In the second part of the series, we looked at how Qatar deployed a massive surveillance system, including 15,000 cameras across eight stadiums, and required all visitors to install an app with opaque policies. Meanwhile, one of the only internet providers in Qatar, the state-controlled Ooredoo, was ranked last in RDR’s recent Telco Giants Scorecard for its notable lack of transparency.

Sadly, the deployment of surveillance on such a breathtaking scale failed to garner much attention from the public. This means that there’s still a good deal of advocacy work needed to make visible the risks posed by the use of such privacy-invading technology during large-scale events.

Indeed, the privacy of more than 1.4 million fans visiting Qatar was placed at risk by the forced installation of the Hayya app on their smartphones. SMEX’s evaluation of the Hayya app revealed vague policy statements regarding privacy, notification of changes, handling of user data, targeted ads, government demands, and security measures. New kinds of risks to users’ data emerged from scams like the sale of fake and unauthorized Hayya cards for which fans were asked for their personally identifiable information at time of purchase. Phishing attempts also emerged with websites replicating the official FIFA 2022 World Cup page.

It is important that civil society hold FIFA accountable as World Cup hosts, and push them to deploy technology that is respectful of human rights, while conducting adequate human rights impact assessments for any surveillance that is deemed necessary. The next FIFA tournament, to take place in 2026, will be hosted by three countries: Canada, the U.S., and Mexico. It would not come as a surprise if these hosts launched their own version of the Hayya app for this event. 

Unsurprisingly, France is already applying the same recipe as Qatar for the upcoming Paris 2024 Olympics, seeking to greatly expand its arsenal of surveillance powers and tools, all under the guise of protecting the millions of tourists attending the event from terrorism or other public safety hazards. Inevitably, a certain level of technology will always be used during large-scale events—which may indeed require increased public security—but any such measures should be deployed only with full transparency and strong privacy-protecting policies in place.

SMEX’s Hayya report card provides useful recommendations to improve the Hayya app, but these policies could also be used as a baseline for the development of safer future apps. The Ranking Digital Rights methodology, which was used to create the Hayya report, is widely regarded as “a gold standard” for assessing how well the policies of tech and telecommunications companies respect human rights. Recommendations from the report include: implementing real remedy and grievance mechanisms, giving users control of their information and clarifying the handling practices for their information, being transparent about how government surveillance demands are handled, and enforcing security practices and policies.

Organizing a World Cup costs billions of dollars; implementing proper data handling, remedy, and grievance mechanisms for apps like Hayya or for the use of surveillance cameras is a very marginal cost by comparison. There is no excuse for host countries not to assure these best practices are followed. And this can be done without any negative repercussions for public security. Failing to employ a human-rights perspective in the implementation of such technology would tend to indicate an authoritarian tendency or simply a lack of interest or motivation with regards to human rights.

This means that the work of civil society in advocating for more transparent policies will be critical in ensuring human rights are respected during the next big sporting event. In other words, we have four years to help make privacy and freedom of expression a winning team at the next World Cup.

Avatar photo


SMEX is a registered Lebanese NGO that works to advance self-regulating information societies in the Middle East and North Africa.