China’s Olympics health app raised privacy red flags

Researchers found that the My2022 app has a “devastating” encryption flaw that leaves users’ files and media vulnerable.

The Beijing Winter Olympics app that was used to monitor the health of as many as 60,000 people involved in the event has come under scrutiny from many cybersecurity experts, who expressed concerns over users’ data privacy.

Use of My2022 was mandatory for competing athletes and everyone else participating in the Winter Olympics, to monitor their health and travel data and prevent the spread of Covid-19. However, weeks before the Beijing Winter Olympics, many cybersecurity experts warned of the risks of using an application like this, and many countries advised their athletes to be very careful with the details they entered in the application, to install My2022 on a new mobile phone, and to get rid of that phone when they left China.

Back in January, a report published by Citizen Lab, the University of Toronto’s research and strategic policy unit, presented evidence that the My2022 app has a simple but devastating flaw where encryption protecting users’ voice audio and file transfers can be trivially sidestepped.

“MY2022 is fairly straightforward about the types of data it collects from users in its public-facing documents. However, as the app collects a range of highly sensitive medical information, it is unclear with whom or which organization(s) it shares this information,” the report noted.

“MY2022 includes features that allow users to report “politically sensitive” content. The app also includes a censorship keyword list, which, while presently inactive, targets a variety of political topics including domestic issues such as Xinjiang and Tibet as well as references to Chinese government agencies,” the researchers pointed out, adding that “while the vendor did not respond to our security disclosure, we find that the app’s security deficits may not only violate Google’s Unwanted Software Policy and Apple’s App Store guidelines but also China’s laws and national standards pertaining to privacy protection, providing potential avenues for future redress.”

International concern

The research findings sparked international concern over privacy at the Winter Olympic Games, and many countries issued strict recommendations, as well as bans, to their athletes participating in the event. Over fears of digital espionage, countries such as the US, UK, Australia, and Germany warned their athletes and National Olympic Committees to leave their smartphones and laptops behind and travel to China with brand new devices. They also urged their athletes not to log in to their social media accounts or even use sensitive personal data, such as email passwords, during their stay in China. The Dutch Olympic Committee provided athletes and support staff with phones and laptops and asked its Olympic team to destroy them before returning home from the Chinese capital.

Due to the surveillance concerns, cybersecurity experts warned athletes who participated in the Winter Olympics to change their passwords when they returned to their countries and to ensure that no unknown devices or services had access to their accounts.

However, despite researchers’ concerns about flaws in the Beijing 2022 Winter Olympics app, the International Olympic Committee (IOC) rejected the allegations, stating that My2022 wasn’t developed to spy on athletes but to protect them from the spread of Covid-19.

“The ‘My2022’ application is an important tool in the toolbox of the COVID-19 countermeasures,” the IOC stated. “The user is in control over what the ‘My2022’ app can access on their device. They can change the settings already while installing the app or at any point afterward. It is not compulsory to install ‘My 2022’ on cell phones, as accredited personnel can log on to the health monitoring system on the web page instead. The IOC has conducted independent third-party assessments on the application from two cyber-security testing organizations. These reports confirmed that there are no critical vulnerabilities,” the IOC claimed.

George Mavridis is a freelance journalist and writer based in Greece. His work primarily covers tech, innovation, social media, digital communication, and politics. He graduated from the Aristotle University of Thessaloniki with a BA in Journalism and Mass Communication. Also, he holds an MA in Media and Communication Studies from the Malmö University of Sweden and an MA in Digital Humanities from the Linnaeus University of Sweden.