Discover more from Hacking, but Legal
At FIFA World Cup 2022? The Qatari Government is Spying On You.
While France, Norway, and Germany sounded the alarm, America didn’t, despite the massive connection to a U.S.-based private military firm mired in previous surveillance scandals and founded by a former CIA employee.
Then, a popular sports journalist recently critical of Qatar dies suddenly under mysterious circumstances while at the stadium covering a World Cup match, and the European Parliament’s vice president was arrested with several others in connection with what is described by one expert as “the most shocking integrity scandal in the history of the EU”.
(Scroll to the bottom for advice if you have installed the Hayya or Ehteraz apps)
Today, as the 2022 FIFA World Cup is in full swing, we mourn the recent and seemingly suspicious death of popular sports journalist Grant Wahl.
Wahl collapsed inside the press box at the Lusail Iconic Stadium yesterday, December 9th, while he was covering the quarterfinal match between Argentina and the Netherlands. He was treated on scene by paramedics and pronounced dead at a local hospital just one day after his 48th birthday.
Grant’s brother, Eric, suspected foul play immediately.
Wahl, by all accounts a politically progressive individual, had been outspoken in recent days, posting about the treatment of migrants by Qatari Royals and attempting to enter a stadium wearing a t-shirt emblazoned with a soccer ball surrounded by a colorful rainbow.
He was turned away and forced to change his shirt.
As I scrolled through threads, reading tributes to the journalist (and anti-corruption activist who once ran for President of FIFA) and his work, watching people attempt to make sense of a loss for which there was no immediate explanation, another of his brother’s statements jumped out at me:
“His phone better be among his things at Hamad hospital”
As I read on, another reply:
In order to go anywhere in Qatar, everyone had to install an app on their phone which gave the Qatar gov full access to it. It may not matter if his phone is with his belongings.
This sent a chill down my spine.
Could it be true that the Qatari government had required all World Cup visitors to their country to install smartphone apps which provided them with surveillance capabilities?
While early reports suggest Wahl’s belongings and phone have since been recovered, I decided to do a little more digging.
Corruption at FIFA
This (most expensive ever!) World Cup has been thoroughly dogged with allegations of corruption, with many people around the world disagreeing with FIFA’s decision to host the event in the Gulf nation of Qatar.
The choice to host the World Cup in Qatar has been a source of controversy due to Qatar’s treatment of migrant workers, women, and its position on LGBT rights as well as Qatar’s climate, lack of a strong football culture, scheduling changes, and allegations of bribery for hosting rights and wider FIFA corruption.
In fact, allegations of corruption within the context of this World Cup go back to the selection of Russia and Qatar as the following World Cup hosts in 2010.
Those particular allegations, seemingly all surfaced by investigative journalists, led to “the indictments of 9 high-ranking FIFA officials and 5 corporate executives by the U.S. DoJ on racketeering, wire fraud, and money laundering charges.”
Two members of the FIFA Executive Committee had their voting rights suspended following allegations that they would accept money in exchange for votes. More allegations of vote buying arose after Qatar’s win was announced.
Eleven of the 22 committee members who voted on the 2018 and 2022 tournaments have been fined, suspended, banned for life or prosecuted for corruption.
50% of the committee members!
If you want to know how human rights are going in Qatar, I have an instructive quote for you. When a Filipino migrant worker died on December 7th while repairing a light fixture at the training base for the Saudi Arabian team, Qatar World Cup CEO Nasser Al Khater was quoted by Reuters as saying:
“Death is a natural part of life, whether it’s at work, whether it’s in your sleep.”
Arrests at the European Parliament
Yesterday, December 9th, Belgian police executed a series of raids and arrests. According to Politico, European Parliament vice-president Eva Kaili was detained, among others, in connection with an investigation concerning “criminal organization, corruption and money laundering”.
The raids triggered a scandal for the Parliament and the Socialists and Democrats group in particular, which has been criticized over its soft stance on Qatar in the run-up to the football World Cup.
Kaili, one of the parliament’s 14 vice-presidents, recently called Qatar a “frontrunner in labor rights” after meeting with the country’s labor minister, despite deep international concerns about conditions for stadium construction workers.
“For several months, investigators from the Federal Judicial Police suspect a Gulf country of influencing the European Parliament’s (EP) economic and political decisions,” the prosecutor’s statement added.
Qatar is accused of targeting officials “with a significant political and/or strategic position” at the Parliament, sending them “substantial amounts of money” and “important gifts,” according to the prosecutor’s statement.
“This is the most shocking integrity scandal in the history of the EU,” said Alberto Alemanno, a law professor at HEC Paris and outspoken activist on transparency issues. “It unveils the inadequacy of the EU ethics system applicable to its elected as well as the absence of any attempt at governing foreign influence lobbying.”
I found the following statement from the Politico article particularly beguiling:
Belgian investigators are looking into whether Qatar sought to influence positions in the Parliament in ways that “go beyond classic lobbying”
What could that possibly mean?
Mass Sporting Surveillance
In an article titled “Last minute recruits in Qatar highlight World Cup security issues”, Reuters notes,
Qatar is the first Middle Eastern country and smallest nation ever to host the World Cup. While it has spent billions of dollars on infrastructure, it has never organised an event on such a scale — which unusually for a World Cup will also be held in or around a single city.
My open-source research today has led me to believe that the Qataris have invested comprehensively into the physical security strategy for an event of such scale. For example, they appear to have hired various experts in counterterrorism and policing to consult or lead.
However, a few of their security leaders gave me pause.
In my LinkedIn review of the ~1,500 or so odd folks listed as working for the “Supreme Committee for Delivery & Legacy”, the organization responsible for “the delivery of the required infrastructure and host country planning and operations for Qatar to host an amazing and historic 2022 FIFA World Cup” (whose officials allegedly paid $2m worth of bribes to FIFA vice president Jack Warner back in 2010), I was able to identify several Russians with interesting backgrounds who appear to have senior security responsibility over the 2022 World Cup based on their recent representations on social media, but don’t seem to possess the appropriate amount of experience to hold such positions.
All have sudden jumps in their career which seem suspicious.
I first noted a woman acting as security advisor who has described herself as previously serving as the Head of Security Planning & Control for the 2014 Winter Olympics in Sochi, which is certainly applicable experience to support her current role. She also has a legal degree from MGIMO, which is mildly notable as a school with a reputation for graduating spies, much like Kevin Chalker’s alma mater of Johns Hopkins SAIS.
I looked into a few other Russian employees working for the Qataris and found similarly interesting bits on their LinkedIn.
Let us quickly review.
Some of these folks have big unexplained jumps in their resumes that seem to indicate a shift in responsibility or interest. For example, earning a degree in political science from one of the best schools in Russia (and beyond), yet becoming a project manager at a firm that registers shell companies for crooks, then somehow finding yourself in a Head of Security role for a massive event with global implications when you haven’t yet held a role with “security” in the title.
While I did identify a few internal employees with physical security responsibility, I was not able to identify an actual infosec team, the most common layouts of which I am quite familiar with as a senior infosec management consultant with experience across various large companies. I found a security architect (an Indian man who won’t have any true power in a Gulf nation), but not much else.
We can also tell by all the Deloitte folks who liked the leadership’s posts that they have a business relationship, there, too, which isn’t unusual. Business arrangements between Western management consultancies and repressive states seem commonplace.
Perhaps the bulk of Qatar’s World Cup 2022 cybersecurity staff has been outsourced.
Perhaps they have little interest in defensive services.
A Former CIA Employee?
The Qatari government has been getting help from U.S. companies (and former employees of the U.S. government) for some time. In fact, it seems reasonable to say that Qatar cultivates Americans and American firms to act on its behalf to influence U.S. foreign and domestic policy.
Like I said, this is pretty standard stuff, and so long as the country is considered an “ally”, consultants for foreign nations typically need not worry much.
However, the revolving door of professionals from the West to oligarchs with oil money in the East often bumps up against the oft-dismal human rights track records of certain nations, leading highly trained Americans to make deals with leaders who don’t share our respect for the same, growing the market for unaccountable private military companies and hack-for-hire firms and driving further concern from natsec wonks who are highlighting these issues as a growing national security concern.
As Newsweek put it,
A recent report from the Associated Press has shown an increase in former U.S. Intelligence officials working for controversial foreign governments.
And AP themselves note:
Qatar sought an edge in securing hosting rights from rivals like the United States and Australia by hiring former CIA officer turned private contractor Kevin Chalker to spy on other bid teams and key soccer officials who picked the winner in 2010, the AP’s investigation found.
Chalker also worked for Qatar in the years that followed to keep tabs on Qatar’s critics in the soccer world, according to interviews with Chalker’s former associates as well as contracts, invoices, emails, and a review of business documents.
It’s part of a trend of former U.S. intelligence officers going to work for foreign governments with questionable human rights records that is worrying officials in Washington.
Per The New York Times in a January 2021 article titled, “C.I.A. Warns Former Officers About Working for Foreign Governments”:
The C.I.A.’s counterintelligence chief sent a note to retired officers this week warning against working for foreign governments either directly or indirectly.
“I can’t mince words — former C.I.A. officers who pursue this type of employment are engaging in activity that may undermine the agency’s mission to the benefit of U.S. competitors and foreign adversaries,” wrote Sheetal T. Patel, the C.I.A.’s assistant director for counterintelligence.
Global Risk Advisors was founded in 2010 by this guy, Kevin Chalker, an employee of the CIA for 5 years before he left the “day-to-day” in the hands of “his executive leadership team” to start a quantum computing firm.
One possible outcome from this probe is a future forced registration by the Department of Justice as a foreign agent.
FBI Probing Ex-CIA Officer's Spying for World Cup Host Qatar
A former CIA officer who spied on Qatar's rivals to help the tiny Arab country land this year's World Cup is now under…
On November 2nd, SWI published an article titled, “Project Merciless: how Qatar spied on the world of football in Switzerland” which provides additional evidence that Chalker’s company is actively conducting HUMINT, or human intelligence operations.
Please note the bottom right section on that last document (which appears to be the most sensitive, since a physical copy was photographed) where the most expensive tier is described as follows:
“BOTTOM LINE: High degree of probability that we will achieve worldwide penetration of the FIFA organization, with predictive intelligence of all plans and intentions, advanced warning of major shifts, and the ability to shape and influence both short-term and long-term policies and procedures leading up to the WC 2022”
This is 100%, we got this covered, and can take care of it for you.
That tier, MERCILESS HIGH, would cost its presumptive buyer $567m.
Based on the work of journalists at major publications around the world, we now know Chalker’s company Global Risk Advisors and the nation of Qatar have transacted hundreds of millions of dollars in spy business, and we also have possession of a few documents GRA developed for Qatar in 2013 and 2014.
So what else was this American company trying to sell to Qatar, anyway?
Kevin’s wider pitch is shown in the screenshots below.
Note VIPER, MYSTERY, and FALCONEYE are programs specific to surveillance of populations, while CHECKMATE describes 2022 World Cup influence campaigns (“full deniability and minimal risk”).
The Yale Daily News reported that Chalker taught two graduate seminars at Yale’s Jackson Institute in Spring of 2020, the first being,
“designed to replicate a consulting contract in which the students were called on to advise the U.S. Special Operations Force on the ‘long-term consequences of America’s newly articulated posture toward Iran.’”
The second seminar he gave was titled “Exploring Russian Utilization of Private Military Companies.”
Obviously, Global Risk Advisors is a private military company.
‘Get Out Of Jail Free’
You might be wondering how companies like Global Risk Advisors can legally get away with this kind of work while actively claiming to be on the right side of the law.
Well, apparently, if you’re acting as an agent of a foreign government, you have an actual ‘Get Out of Jail Free’ card, as in the game of Monopoly.
It’s called the Foreign Sovereign Immunities Act, which is also the reason why Jamal Khashoggi’s fiancée recently lost in court when she sued Mohammad bin Salman for Khashoggi’s murder, as bringing claims under the Act is the only means with which to bring a suit against a foreign sovereign in the United States. More on that later.
If an agent of the sovereign against whom you bring a civil case has a provable business relationship with the sovereign, you may be exempted from dismissal via the Commercial Activity Exemption. The trouble is proving the private military firm which attacked you has a business relationship with the sovereign beyond circumstantial evidence in order for your case to be tried.
One victim of state-sponsored hacking tried.
According to Forbes in 2018:
Elliot Broidy, a friend of President Trump’s, had his emails hacked last year. The information in those emails, not surprisingly, made their way to reporters who generated stories on Broidy’s access to Trump and expectations of consulting contracts with Saudi Arabia and the UAE.
Broidy, who resigned as deputy finance chairman of the Republican National Committee in April as details of his emails emerged, is seeking to unmask those who went after him. Broidy’s attorneys at Boies Schiller Flexner LLP stated in federal court documents that they have information that Qatar paid millions of dollars to companies and individuals in the U.S. to disseminate hacked emails to news outlets.
According to the claims in the lawsuit, Stonington Strategies LLC, was retained by Qatar for strategic communications and was paid $50,000/month. Shortly before Broidy’s emails were hacked, that amount was upped to $300,000/month.
Qatar allegedly used another firm, Global Risk Advisors, LLC (GRA) and its principals, Kevin Chalker and David Mark Powell, to coordinate the hack of Broidy’s computer. The lawsuit claims that Chalker is a former CIA cyber operative and Powell is a former British intelligence agent.
The case details contain a short breakdown about how Broidy believed he was hacked by Global Risk Associates, suggesting he or his lawyers hired digital forensics analysts to reconstruct the scene:
A judge from the United States 9th Circuit Court of Appeals who reviewed the District court’s earlier dismissal of Broidy’s case upheld that dismissal, stating variously:
“The alleged actions that Qatar took here have not been shown to violate either Qatari law or applicable international law. The parties do not dispute that, under Qatari law, the various criminal prohibitions against hacking, theft, or disclosure of trade secrets do not bind government agents acting in accordance with official orders.”
The hacking was not considered “commercial activity” because espionage is apparently not “one in which commercial actors typically engage”.
Very incorrect, Judge Collins! You’re way behind the times!
Per the Associated Press:
The use of such technology provided by private firms is well documented by autocratic countries around the world, including the Gulf.
The private surveillance business has flourished in the last decade in the Persian Gulf as the region saw the rise of an information war using state-sponsored hacking operations that have coincided with the run-up to the World Cup.
For added, more technical reference, Google’s Threat Analysis Group has written about how this is a growing problem:
Countering hack-for-hire groups
As part of TAG's mission to counter serious threats to Google and our users, we've published analysis on a…
In fact, Google gives lengthy mention to Appin Security as a specific perpetrator of harm.
Appin, based in India, is specifically named by SWI as the hack-for-hire firm which conducted attacks on FIFA power broker Peter Hargitay. The folks who uncovered this hack and others, Swiss media SRF’s investigative team, have worked to expose key details of how Qatar has spied extensively on officials in the world of football.
For example, Project Clockwork:
According to documents, Qatar approved “Project Clockwork”. And within one month of the drawing up of the planning document, Hargitay’s computer was hacked.
That the attack was carried out by another company is not unusual. Global Risk Advisors frequently draws on the services of subcontractors to carry out operations, the SRF investigation shows.
This approach makes ascribing the attack to [Kevin] Chalker’s company difficult. And identifying Qatar as the client even more so.
In one document, the company explicitly promised to provide “patsies” and “lightning rods” to deflect suspicion on.
As sports fan publication AwfulAnnouncing notes:
While SRF doesn’t have definitive links from GRA to those incidents (their more direct links are to Indian company Appian Security, which they claim was linked to a “hacking for hire” setup), they do include documented GRA plans of action that would seem to include “predictive intelligence” efforts like these.
And they say these plans were presented to Qatar by GRA, approved, and paid for.
As for Hatice Cengiz, Khashoggi’s fiancée, her case was dismissed.
MbS not only ordered the murder of a prominent press critic (a U.S. resident!) and got away with it, he got promoted in the process.
Just a few days before the White House was supposed to weigh in last month on the question of immunity (the court had asked the Biden administration to weigh in), bin Salman was suddenly promoted to prime minister by his father, the King, who would have normally held that position, legally cementing his immunity to civil action under FSIA.
Mass Sporting Surveillance
Several sparse pieces have been written about the extensiveness of surveillance at this World Cup, with The Telegraph calling it “the most heavily surveilled tournament in history”.
How Qatar could spy on World Cup visitors
Drones, surveillance vehicles and mobile-phone hacking: the clandestine spying services proposed to Qatar by a former…
While a comprehensive review of the security strategy in play at the World Cup is beyond the scope of this article, it is appropriate to review the warnings issued by various EU data protection watchdogs about the two mobile apps the Qatari government deployed for the World Cup, then to review the apps myself to gain an understanding of their capabilities, permissions requested, and implications thereof.
Firstly, Qatar mandated that any person traveling to their country to attend the World Cup must download two apps:
Interestingly, Switzerland, despite its historically strong stances on data privacy, also failed to issue its citizens any official warning, opting instead to block the use of the two apps on federal phones and suggesting its government employees use a burner device, despite awareness in the Swiss media of these issues since November.
“Ehteraz is able to install an encrypted file which claims to hold a unique ID, QR code, infection status, configuration parameters and proximity data of other devices using the app,” Tom Lysemose Hansen, CTO and co-founder of app security firm Promon told The Register.
“Essentially, it is clear that the app is taking data from the end user for more reasons than are expressed by the given consent button.”
One of the apps says it’s a COVID tracker, the other is an event pass which also ties in with your identity and gives free access to transport.
Here are links to the apps:
I personally find it continually disturbing that Apple and Google give app developers the ability to represent their own data privacy practices without doing any validation whatsoever to make sure they aren’t lying.
For example, unethical apps can simply lie and say they aren’t collecting any data from us, and get published in the App Store anyway with a pretty little privacy notice. Foul!
Their privacy policies make zero sense in connection with the representation they provided to Apple, which ends up feeding these little official-looking sections of the App page:
Still at the World Cup?
Disable Wi-Fi, Bluetooth, and GPS/Location
Place a sticker over your camera lens to ensure photos are only taken when you intend
Remove permissions from the app. Only enable the permissions needed to open the app if you actively need to show it to an authority figure
If you can afford it, pay for transport directly instead of riding for free via the Hayya app.
Already back home?
Uninstall the app as soon as possible
Consider filing a complaint with your country’s or organization’s data privacy organizations
For next time: If traveling to a country not known for its human rights or privacy laws, consider purchasing a “burner”, or temporary phone. The reason for this is to avoid sensitive data being taken off your device: who you are, where you are, where you live, who you associate with, what you do, what you think, what you are planning — and to avoid that data being passed to third parties, which could include government intelligence agencies, online trolls, advertisers, or anyone else with the connections or coin.
The app security expert quoted by The Register said:
Even with a new SIM, don’t import any settings or contacts, or log in to your social media accounts, he said. Otherwise, expect to be tracked by Qatar, and possibly other countries’ snoops.
“The phone’s unique IMEI number and SIM’s identifier will be tracked by mobile networks in that country and probably shared with other autocratic regimes which means they can continue to track you, in those countries, even after you uninstall the app.”
As we can see from the pitches made by Global Risk Advisors to Qatar and other documents describing their business relationship and capabilities, it seems clear Qatar is extremely focused on controlling their image.
According to The Nation’s Karim Zidan in “The Qatar World Cup Ushers in a New Era of Digital Authoritarianism in Sports” and others who have been reporting in the area, various journalists “have faced intimidation and censorship in Qatar over the past few weeks.”
Given the pattern of censorship prevalent throughout the 2022 World Cup, it is evidently clear that Qatar’s state-of-the-art surveillance technology is less about its determination to uphold safety standards than it is about stamping out protests and intimidating potential dissidents.
Welcome to the age of digital authoritarianism in sports.