Internet watchdog warns Olympic Games app has security, censorship flaws

With the Beijing 2022 Winter Olympic Games set to begin in a few weeks,  Internet watchdog Citizen Lab on Tuesday published a report highlighting security and censorship issues with a smartphone application mandated for use by all attendees at  the Games. Image courtesy of Citizen Lab

According to a guide for athletes and team officials from the International Olympic Committee, the app provides information from the committee and the city of Beijing while also being a health-monitoring system related to the COVID-19 pandemic. The app collects medical information and health monitoring, which requires the user to daily input their health information.

Citizen Lab said a flaw in the app permits encryption protecting voice audio and file transfers to be “trivially sidestepped.”

The report also states that some sensitive data is transmitted by the application without encryption or any security, meaning transmissions containing sensitive metadata relating to messages, including names of the message’s sender and receiver, can be read by “any passive eavesdropper.”

The app also makes vulnerable information contained in health customs forms, it said, such as passport details, demographic information and travel and medical history while also allowing an attacker to spoof server responses so as to display fake instructions to the phone’s user.

“MY2022 is fairly straightforward about the types of data it collects from users in its public-facing documents,” the report states. “However, as the app collects a range of highly sensitive medical information, it is unclear with whom or which organization(s) it shares this information.”

Though currently inactive, a list of 2,442 words was discovered by the researchers who said the app contains code designed to apply this list, which includes negative references to the Chinese political system and President Xi Jinping, for censorship. While most of the words targeted for censorship are in simplified Chinese, some are in Tibetan, Uighur, traditional Chinese and English.

Citizen Lab states that the reason why the list may currently be inactive is that it was intentionally disabled “in a bid to hide the extent of China’s censorship regime from outsiders or out of pressure from the IOC, who has previously attempted negotiations with the Chinese government over what content it can and cannot censor at the Games.”

The report was published a few weeks before the Olympic Games are to kick off on Feb. 4, but they have been plagued by controversy due to the Asian nation’s human rights abuses.

The United States, Britain and Canada are among nations that have said they will politically boycott the Games.

Particularly at issue is Beijing’s treatment of its Muslim-minority Uighur population. China has been accused of genocide over interning more than 1 million of its Uighur citizens in so-called re-education camps in Xinjiang region, where they are subjected to forced disappearances, forced labor and forced sterilizations, among other abuses.

China has vehemently denied the accusations and has called on the international community to stop meddling in its internal affairs.

Citizen Lab said it is not surprised by its findings as Chinese apps ranging from banking to video streaming have been found to excessively collect sensitive user data without consent.

The report was published after Citizen Lab disclosed the security issues to the Beijing Organizing Committee on Dec. 3, giving them 15 days to response and 45 days to fix the identified issues, which expired Tuesday.

Citizen Lab also states that it believes the MY2022 app violates the policies of Apple and Google but it is still available in both of their app stores.

UPI has contacted the IOC, Apple and Google for comment on the report.