
The International Olympic Committee (IOC) has defended China’s MY2022 app for the upcoming Olympics after a report from Citizen Lab raised security concerns, highlighting data security and privacy issues in the app.


Those attending the 2022 Olympic Games in Beijing need to download the My2022 app, which contains personal information like medical and travel history. According to a report by Toronto’s Citizen Lab, the app has a “devastating flaw where encryption protecting user’s voice audio and file transfers can be trivially sidestepped.”

According to the report, the security vulnerability in the app puts users’ passport details, medical and travel details, and demographic information at risk. The researchers further explained that server responses can be faked, allowing a hacker to give false instructions to users.

Citizen Lab also pointed out that the app contains an option to report “politically sensitive” content, with words like Tibet and Xinjiang in the censorship list. According to the report, it goes against Google’s Unwanted Software Policy, Apple’s Guidelines, and China’s privacy protection laws. However, Apple and Google have not yet responded.

In response to these security issues and allegations, the International Olympic Committee has defended the app, saying there are no security issues with it. An IOC spokesperson said:

“Due to COVID-19 pandemic special measures need to be taken to protect the participants of the Olympic and Paralympic Winter Games Beijing 2022 and the Chinese people…The My2022 app supports the functions for health monitoring. It is designed to keep Games-related personnel safe within the closed loop environment.”

The IOC spokesperson also said that the app has received approval from the App Store and Google Play Store. The IOC also said that people don’t need to download the app on their smartphones, as they can also log in to their accounts on the web page.

“The IOC has conducted independent third-party assessments on the application from two cyber-security testing organizations. These reports confirmed that there are no critical vulnerabilities.”

Ron Deibert, Citizen Lab director at the University of Toronto, said that the IOC’s response and statement do not address the security vulnerabilities in the app that were reported by Citizen Lab. Deibert also said that these vulnerabilities are still present in the latest version of the app.

“The IOC has a responsibility to ensure user privacy and security is protected for any applications and systems used during the Olympic Games. The IOC’s comments suggest that rather than taking that responsibility seriously, they are in fact hoping to minimize the risks.”

The My2022 app is pretty straightforward regarding the information collected and the third parties with whom the information is shared. Information like device identifiers, installed apps on the device, and cellular service provider details is shared with Huawei, Xiaomi, Vivo, Meizu, Tencent Holdings, and Weibo Corporation.

Many news outlets across the world, including in the US, Germany, the UK, Australia, and more, reported the vulnerabilities. They have urged users not to download the app on their personal devices, as it can result in monitoring by the Chinese government even long after the games end. In light of these concerns, the Dutch Olympic Committee banned the citizens from taking their personal smartphones and other devices to the games.

Amid the data security concerns, the Beijing Olympic 2022 organizing committee said that the personal information collected will “not be disclosed unless the disclosure is necessary.”

This is not the first time security concerns have been raised during the Olympic Games. Last year, the Tokyo Olympic 2020 was also hit by a data breach. As a result, log-in details and passwords of ticketholders were leaked online.