The Beijing Winter Olympic Games, set to start on February 4, have an official and obligatory-to-use app – MY2022 – but security researchers found that it may not be safe due to poor encryption.
That means users’ voice audio and file transfer data can be easily compromised, Citizen Lab said in its “Cross-Country Exposure” report, an analysis of MY2022.
Additionally, the group says the vulnerability also affects passport details, demographic and medical information, and travel history, as well as server responses, which could allow a malicious actor “to display fake instructions to users.”
The app, whose primary purpose is Covid tracing, must be used by everyone participating in the Olympics: athletes, fans, and media crews.
Citizen Lab said it was unclear with whom the app shares sensitive medical information that it collects.
According to media reports, a number of countries are now instructing their athletes to use new burner phones and email accounts during their stay in China to avoid security breaches that could result in serious damage.
China’s state-run media outlets, however, are publishing articles saying that the app is comparable to the one used at the Olympic Games in Tokyo, and that all personal information “will be encrypted to ensure privacy.”
For Chinese users, this information includes name, national ID number, phone number, email, employment information and profile picture, while users coming from abroad will have their demographic and passport information, along with details identifying the organization they belong to, collected and shared with the Beijing Games’ Organizing Committee.
Besides reportedly leaving files unencrypted and therefore easily exposed, more concerns emerging from the Citizen Lab report have to do with censorship features baked into the app, such as the inclusion of a (currently inactive) list of censorship keywords and the ability to report content that’s considered politically sensitive in China.
Citizen Lab believes that the state of the app’s security means it potentially violates not only Google’s and Apple’s app store rules but even China’s own privacy protection standards.
And all this, the organization said, provides “potential avenues for future redress.”