Egyptian authorities have unveiled a COP27 application to "help" participants at the climate change summit in Sharm El Sheikh, which ends on November 18. But NGOs and cybersecurity experts warn that President Abdel Fattah al-Sisi's regime can very easily and effectively use the app to surveil attendees, including top diplomats and Egyptian activists.
The 2022 UN Climate Change Conference, which began on Sunday, November 6 in the Egyptian resort city of Sharm El Sheikh, is a summit under tight surveillance. Human rights groups and cybersecurity experts believe the Egyptian application made available to COP27 participants is a weapon of mass espionage for President Abdel Fattah al-Sisi's regime.
“It’s not the official UN application that’s the problem; it’s the one developed by the Egyptian government that bothers us,” explained Katharina Rall, senior environment researcher at Human Rights Watch, who participated in the NGO’s investigation into the repressive measures put in place by Egypt ahead of COP27.
The Egyptian app, which was rolled out on October 24, is supposed to “improve the COP27 experience for all participants”. It lets users manage flight and hotel reservations and get information about Covid-19, and it provides agendas for on-site meetings as well as a calendar of negotiations and roundtables.
The all-in-one tool has already been downloaded by more than 5,000 delegates and visitors (out of a total of 44,000 registered participants) who were probably reassured by the fact that this Egyptian application is promoted on the official UN website for the COP27. The UN imprimatur “appears very problematic to us, and we have the right to wonder why there was no verification beforehand”, said Rall.
‘Unlimited trust certificate’ with access to all
Shortly after the app was rolled out last month, cybersecurity experts realized that it was “a cartoon super-villain of an app”, as Gennie Gebhart from the Electronic Frontier Foundation put it in an interview with the British daily, The Guardian.
It’s difficult to imagine a more intrusive app: It “requires access to all the communication connectors of the smartphone, such as Bluetooth, GPS, camera, microphone, address book, NFC [‘near-field communication’, a wireless data transfer technology for very short distances],” explained Frans Imbert-Vier, CEO of UBCOM, a Swiss cybersecurity agency that has analyzed the mobile service developed by the Egyptians.
Unlike most other apps, the COP27 one does not warn users that it wants access to this or that function of the smartphone. “In this case, an unlimited trust certificate is submitted to the user,” said Imbert-Vier. After acceptance, the phone’s operating system acts as if the app can mostly do whatever it wants.
Specifically, it transmits geolocation data, photos taken, messages exchanged and allows access to outgoing email content, according to The Guardian, which conducted its own security assessment of this quasi-spyware.
Users cannot simply refuse to allow access to certain functions and still use the application, warned Imbert-Vier. It’s all or nothing, even though all the experts interviewed agree that such an application does not need to have access to emails or the microphone, for example, for the services it offers.
Cheaper, faster, better than standard spying operations
Experts are especially concerned about the app’s uninstalling function. Rall from Human Rights Watch warns that “uninstalling the application is not enough to get rid of it”. The elements that enable spying on communications linger on smartphones. “You have to reset the operating system settings [an advanced reset to clean the heart of the smartphone] to put everything back in order,” added Imbert-Vier.
The Egyptian authorities have thus developed the perfect little cyber spy that is difficult to get rid of and that, in addition, steals the user’s consent.
For the Sisi regime, “the COP27 has provided a unique opportunity to update, at low cost, all their information on diplomats and high-ranking dignitaries of the countries attending this event. What’s more, it’s much faster and more reliable than doing all the espionage work on the ground, since the information is provided directly by the victim,” noted Imbert-Vier.
The app is also an additional weapon for the regime to monitor domestic dissent in a country routinely singled out for its gross human rights violations, including crackdowns on freedoms of expression and association. “We must not forget that some of the participants in COP27 are local organisations, and most of the international NGOs also work with Egyptian activists,” said Rall.
Human Rights Watch fears that in a country where thousands of detainees are considered political prisoners by NGOs, and which has increased arrests in the run-up to COP27, the official application can be used as a tool to increase repression.
Spying opportunities for hosting event regimes
Egypt is not the first country to be accused of using an official application for a major event for espionage purposes.
For the 2022 Winter Olympics in Beijing in February, China asked athletes and participants to download “My2022”, an equally intrusive application.
A similar scenario appears to be emerging for the 2022 World Cup in Qatar, which starts on November 18. Activists and experts have flagged two applications, Ehteraz, a local Covid-19 app, and Hayya, a digital permit required to enter stadiums and the country, for giving Qatari authorities wide access to information on smartphones.
All these examples suggest that hosting major international events now provides authoritarian regimes with an easy gateway to extend the scope of their cyber-surveillance.
This article is a translation of the original in French.