There are mounting fears over the surveillance of delegates at the Cop27 climate talks in Egypt, with cybersecurity experts warning that the official app for the talks requires access to a user’s location, photos and even emails upon downloading it.
The revelation, as more than 25,000 heads of state, diplomats, negotiators, journalists and activists from around the world gather at the climate summit that starts in Sharm el-Sheikh on Sunday, has raised concerns that Egypt’s authoritarian regime will be able to use an official platform for a United Nations event to track and harass attendees and critical domestic voices.
The official Cop27 app, which has already been downloaded more than 5,000 times, requires sweeping permissions from users before it installs, including the ability for Egypt’s ministry of communications and information technology to view emails, scour photos and determine users’ locations, according to an expert who analysed it for the Guardian.
This data could be used by Abdel Fatah al-Sisi’s regime to further crack down on dissent in a country that already holds about 65,000 political prisoners. Egypt has conducted a series of mass arrests of people accused of being protesters in the lead-up to Cop27 and sought to vet and isolate any activists near the talks, which will see governments attempting to hammer out an agreement over dealing with the climate crisis.
“This is a cartoon super-villain of an app,” said Gennie Gebhart, the Electronic Frontier Foundation’s advocacy director. “The biggest red flag is the number of permissions required, which is unnecessary for the operation of the app and suggests they are trying to surveil attendees.
“No reasonable person will want to consent to being surveilled by a nation state, or having their emails read by them, but often people click these permissions without thinking much.”
She added: “I can’t think of a single good reason why they need these permissions. It’s an open question how this information will be used – it raises a lot of scary possibilities. It may well have a silencing effect in that people self-censor when they realize they are being watched in this way. It can have a chilling effect.”
Hussein Baoumi of Amnesty International told the Guardian that tech operatives working for the rights organisation had examined the app and flagged a number of concerns prior to Cop27. The app was able to access users’ camera, microphone, Bluetooth and location data as well as pair two different apps.
“It can be used for surveillance,” he said.
Baoumi added: “The issues they found were primarily the permissions it asks for. If granted, it allows the app to be used for surveillance against you. It collects data and sends them to two servers, including one in Egypt. The authorities don’t say what they’re doing with this data, and they’re able to use this app for mass data collection from everyone using it.”
Amr Magdi of Human Rights Watch said that his organisation had also assessed the app and found that it “opens doors for misuse”.
Magdi added that conferences like Cop27 are “an excellent chance from a security perspective for information gathering,” including for certain activists “they want to know more about”.
Rights activists in Egypt flagged concerns about the Cop27 app almost immediately after it became available.
“You can now download the official #Cop27 mobile app but you must give your full name, email address, mobile number, nationality and passport number. Also you must enable location tracking. And then the first thing you see is this,” tweeted Hossam Baghat, the head of the Egyptian Initiative for Personal Rights, linking to an app screen showing the face of the Egyptian president.
He then tweeted a screenshot of the app’s terms and conditions, which read: “Our application reserves the right to access customer accounts for technical and administrative purposes and for security reasons.”
Digital surveillance of Cop27 attendees comes atop a highly developed infrastructure for dragnet surveillance of Egypt’s citizens’ communications, prompted in large part by Egyptian officials’ fears of the power of digital communications and their relationship with the popular uprising of 2011. This includes deep packet inspection technology provided by an American company in 2013, allowing authorities to monitor all web traffic moving through a network. The Egyptian government also blocks online access to over 500 websites, including the country’s lone independent news outlet Mada Masr, using technology provided by Canadian company Sandvine.
Surveillance by major telephone providers such as Vodafone allows the Egyptian authorities direct access to all users’ phone calls, text messages and information. One Cop27 attendee said that Vodafone was distributing free sim cards to conference attendees on arrival in Sharm el-Sheikh airport.
“The Cop27 app is really part of the wider surveillance structure in Egypt,” Baomi said. “This app is coming from a country doing mass surveillance unapologetically on its own population. It makes sense that, of course, the Egyptian government’s app can be used for surveillance, to collect data and use it for purposes unconnected to Cop27. It’s sad but expected from Egypt.”
Rights activists and members of Egyptian civil society critical of the government have been subject to targeted surveillance by the Egyptian authorities for years, raising concerns about the risks for high-profile activists attending Cop27. The Egyptian Initiative for Personal Rights and Citizen Lab identified one “ongoing and extensive phishing campaign against Egyptian civil society”, in 2017 targeting organizations working on human rights issues, political freedoms and gender as well as individual targets such as lawyers, journalists and activists. Four years later, Citizen Lab identified a fresh targeted hacking attempt against the phone of a prominent former Egyptian opposition leader based overseas.
South Sinai governor Khaled Fouda also recently boasted to a domestic cable channel about the level of surveillance at Cop27, including cameras in the back of taxis feeding footage to a local “security observatory”.
“Sisi’s idea of ‘security’ is mass spying on everyone,” Magdi tweeted in response.
The Cop presidency and the Egyptian ministry of foreign affairs were approached for comment.