SHARM EL-SHEIKH, Egypt: It can show you a bus route or update you on weather – but tech experts and rights groups say Egypt’s mobile app for COP27 has a far more sinister side as it can spy on delegates and track their talk, texts and emails.
“It is a spying tool,” said Frans Imbert-Vier, head of UBCOM, a Swiss-based cybersecurity company that performed a technical analysis of the app.
“It is an opportunity for the government to collect and update all this data from all these people for free, without any effort, in two weeks,” he told the Thomson Reuters Foundation by phone from Paris.
The app lists schedules at the climate talks and carries speaker profiles; it also asks for the user’s name, email, mobile number, nationality and passport number, and requires that location tracking be turned on.
It has been downloaded more than 10,000 times on Google Playstore, equal to almost in every three registrants who signed up for the Red Sea resort conference.
But cybersecurity experts say it can also be used to listen into chat, read private emails and track texts – the sort of monitoring they say that many Egyptians routinely face.
With disquiet growing over the app, the Egyptian Ministry of Communication and Information Technology did not respond to a request for comment by the Thomson Reuters Foundation.
But Egypt’s special envoy to the conference, attended by delegates from almost 200 countries, said there was nothing untoward nor covert about it.
“There has been a cybersecurity assessment done and it refuted that completely,” said Wael Aboulmagd, Egypt’s COP27 special envoy, denying that the app posed a security threat.
The United Nations is also investigating allegations of misconduct by Egyptian police officers providing security at the talks, according to the Associated Press news agency.
Egypt has faced repeated questions about human rights under President Abdel Fattah el-Sisi, a former military leader.
Rights groups say political dissent is silenced and tens of thousands have been jailed. COP27 was further overshadowed by Alaa Abd el-Fattah, a jailed Egyptian activist who went on hunger strike to protest his detention and prison conditions.
Urging caution, some Western governments have told their officials not even to download the app, the Politico publication reported, amid fears it could be used to hack their emails, read texts or listen in on delegates’ private conversations.
The conference drew more than 90 heads of state, along with thousands of journalists, activists and business leaders.
“Everyone should be concerned” about surveillance at COP27, said Tony Roberts, a member of the African Digital Rights Network, an advocacy group.
Egypt is after all no stranger to the art of state surveillance, he said, citing a record of Internet shutdowns, its censoring of online content and regular stifling of dissent.
“The mandatory collection of detailed personal details and mandatory location tracking on the COP27 mobile app is a gross violation of privacy,” he said via email.
Emails, texts and voice at risk
Mobile apps are common at big events to update visitors, share info and keep people safe. But they can also be abused.
An app to monitor Covid-19 at this year’s Winter Olympics in Beijing contained flaws that could expose attendees to data breaches, be it of their passport details or medical history, said Toronto-based Citizen Lab, a cybersecurity watchdog.
China said its app was mainly used to monitor attendants’ health, and that it followed strict rules to protect their data.
European regulators have similarly said the applications developed by Qatar for the World Cup may pose privacy risks.
Egypt’s COP27 app is not mandatory for delegates, but is promoted on the conference website as the official government app that delivers “delegate focused services”.
“The app will be there for you at every step, from your arrival in Egypt until your departure,” reads the app’s description on the U.N. website.
The app can access a user’s calendar, camera, microphone and contacts, and collects more data than needed, said Imbert-Vier.
“All your system can be read by this application,” he said. Encrypted files being the exception, he added.
Marwa Fatafta, Middle East and North Africa policy manager at digital rights group Access Now, said she had seen a technical analysis of the app and described it as “highly intrusive”.
"It requires excessive permissions that are unnecessary and disproportionate to its intended function, such as access to the user's camera, microphone, GPS location, email, and user accounts for applications, like WhatsApp," she said.
"There is no justification why the Egyptian authorities need this intrusive access to people attending COP27."
Akua, an African activist attending the conference who asked to go by one name for fear of reprisal, said she was surprised by the number of permissions sought by the app.
She downloaded it anyway to access the agenda and transport timetable, then deleted it to protect her privacy.
"I worried about the (Egyptian) authorities using this app to track me," she told the Thomson Reuters Foundation.
Oluwatosin Ogunsola an entrepreneur from Nigeria, said he did not download the COP27 app.
"Participants are worried about why so much data is required," he said. "I downloaded another transport app which did not require this amount of data."
State of surveillance
Before the summit, Egypt also said all taxis in Sharm El-Sheikh must install a camera, a move that Human Right Watch said let the security agency spy on drivers and passengers at COP27.
The local governor told Egyptian television that the cameras were purely installed to check on how drivers behaved and make sure they stuck to proper taxi rates.
On Sunday, German federal police warned their nation's delegation at COP27 that members may be subject to spying by Egyptian security agents, Reuters reported.
The police cited "overt and covert surveillance through photography and videography" by Egyptian agents, Reuters said.
Few rights groups or privacy campaigners are surprised.
"You hold an international conference in what is essentially a police state, then these are the kind of things that happen," said Adam Coogle of Human Rights Watch, referring to mass surveillance at the summit. – Thomson Reuters Foundation