It’s been three weeks since the start of the 2022 FIFA World Cup in Qatar, and even if football matches have been the main topic of conversation, human rights have not been far behind. In this second part of our series “Red Card on Digital Rights,” SMEX and Ranking Digital Rights (RDR) dig further into the main issues of concern when it comes to the internet and digital surveillance in Qatar.
Thirty-two teams have played since the tournament began, watched by 1.2 million visitors and more than 15,000 surveillance cameras. Far from fearing criticism, the country’s authorities have proudly touted the tournament’s surveillance and security systems. Niyas Abdulrahiman, Chief Technology Officer (CTO) of Aspire Zone Foundation, in charge of stadium technology during the 2022 FIFA World Cup, told AFP in August: “We have eyes on the ground, we can view all of the 15,000 cameras across the eight stadiums.” This, he has claimed, “is the future of stadium operations.”
As far back as seven years ago, Qatar’s main telecom company Ooredoo announced plans to create the “World’s Best Smart Stadiums,” with “full access to control systems for an integrated range of functions such as video surveillance.” Like a state-of-the-art panopticon, everything is viewed from its inspection house: in this case, the ASPIRE Control & Command Center. Here, more than 100 technicians monitor and control all security, protection, and operational systems for the tournament’s eight stadiums and nearby streets.
What FIFA organizers in Qatar don’t talk about, however, are the human rights implications of the technology they advertise as key to their next-generation stadiums. We don’t know, for example, for how long people’s pictures will be kept by their technology, or how people’s facial biometric data will be linked with other personal information to identify the individuals recorded by these thousands of cameras.
The ASPIRE Control and Command Center pictured from inside. Via Aspire Zone Youtube video.
A lack of transparency from Qatari telcos
As mentioned in part one of this series, Ooredoo is owned primarily by entities tied to the Qatari government. Most visitors to the country for the World Cup will be connecting to networks through this company, which has offered a free SIM card with the Hayya app.
Ranking Digital Rights has evaluated and ranked Ooredoo in its Corporate Accountability Index—which looks at more than 250 aspects of a company’s policies that affect people’s human rights, focusing on corporate governance, freedom of expression, and privacy—since 2017. In this year’s inaugural Telco Giants Scorecard, Ooredoo came in last place for the fifth consecutive time, highlighting its glaring lack of policy transparency. This year marked the first time that Ooredoo committed to “safeguarding human rights,” as part of its inaugural ESG report, but the company did not expand on what this commitment entails. Ooredoo makes neither a commitment to net neutrality nor does it share anything about its process for responding to government shutdown orders, or how many such orders it received or complied with. Ooredoo failed to provide any information about how it handles government demands for content takedowns, account restrictions, or user information.
Above are Ooredoo’s scores in the three main categories RDR ranks as part of its 2022 Telco Giants Scorecard. You can read the full Ooredoo report card here.
The opaque policies of the Hayya app
Spectators who wish to access the tournament are required to obtain a Hayya Card, which can be obtained through the Hayya portal or app, launched by the Supreme Committee for Delivery and Legacy (SC), the official committee the Qatari government has charged with the planning and operation of the games. The Hayya Card provides fans with an entry permit into Qatar, entry into stadiums, and other benefits such as free transport and a free SIM card.
Hayya’s policies have important shortcomings and lack transparency, which can pose notable risks to fans’ right to privacy. In November, SMEX released a report exploring Hayya’s remedies for privacy-related grievances; access to and notification of changes to privacy policies; user information collection, sharing, inference, and retention; targeted advertising and user tracking; response to government surveillance demands; and security. The results were as follows:
Weak mechanisms for addressing privacy concerns
The mechanisms available through the Hayya app and portal to address users’ privacy concerns, potential grievances, and eventual corresponding remedies, were found to be deficient. The mechanism for lodging complaints merely refers to the possibility of doing so through the state’s legal system, in particular via the Ministry of Transport and Communications. But since a complaint against the app constitutes a complaint against the SC, also a state entity, a conflict of interest could arise. In addition, to make use of grievance mechanisms and submit complaints, users need to contact the SC via email addresses, but these are hard to find. European fans are additionally protected, however, thanks to the GDPR, so they can also lodge complaints with the Information Commissioner’s Office in the UK or with EU data protection authorities.
No notiﬁcation of changes to privacy policies
User information handled with opacity
The SC is transparent about what user information it collects and how, mentioning specific categories of user information and even providing examples. On the other hand, there is no commitment from the SC to delete all user information after a Hayya account is terminated. It is only stated that if user information is no longer needed it will either be “irreversibly” anonymized or “securely” destroyed. This vague language means the SC could retain data it does not need for longer periods of time, or even indefinitely.
Users lack control over targeted advertising
It is unclear what the SC’s advertising targeting rules are and how they are enforced. The targeting parameters include users’ browsing habits and their interests. The language used is not comprehensive and there is no mention of prohibited targeting parameters. Advertising opt-out/opt-in options includes only the ability to reject “marketing” via direct contact as well as “in-app marketing,” but there are no opt-out options for the Hayya portal.
In a nutshell: Rather than a truly privacy-respecting policy, the Hayya app and portal require users to actively engage in privacy-protecting measures that are only effective for a limited number of targeted advertising and tracking processes. Qatari law does not regulate targeted advertising or tracking.
Vague process for handling government surveillance demands
vague security policies and measures
The SC lacks transparency about security policies and measures. There is no disclosure regarding measures to limit and monitor employee access to user information, no mention of a security team conducting audits of Hayya, and no indication that it commissions third parties to conduct such audits. It provides no mechanism through which security researchers can report vulnerabilities or any commitment not to pursue legal actions against these researchers. The SC’s process for dealing with data breaches that may occur on the Hayya app and portal is equally unknown. The SC does not disclose any use of essential user safety measures.
Amid a great deal of surveillance and data collection ongoing in Qatar during the World Cup, a total lack of transparency is heightening risks to digital rights. This makes it impossible to ascertain to what extent Qatar’s actions stem from a desire to ensure high levels of security during the event versus whether it’s purposefully attempting to carry out surveillance. Either way, it’s clear the country has put far more consideration into creating an all-encompassing security apparatus than it has into safeguarding digital rights of any kind. Fortunately, both RDR’s Ooredoo Scorecard and SMEX’s Hayya report provide realistic recommendations for steps that can be taken to ensure respect for human rights. There’s no excuse for hosting major events with this level of massive surveillance, especially with such opaque policies.
Fans can likely expect some more amazing football matches before this World Cup ends, after which RDR and SMEX will return in early 2023 with a retrospective on the lessons learned for digital rights during the tournament and some thoughts about how we might mitigate risks for future ones.