Saturday, February 24

Does China intend to spy on the Beijing 2022 athletes? | Digital Trends Spanish

Is China planning to spy on attendees of the 2022 Beijing Winter Olympics? This is the question raised by a computer security report about My2022, an application that will be mandatory for all attendees of the event that will take place between February 4 and 20, 2022.

What is My2022

Mel Almanza / Digital Trends in Spanish

From athletes, coaches, journalists, photographers and videographers to the general public, everyone attending the Beijing 2022 Winter Olympics and Paralympics is required to use the My2022 app, which is available on iOS and Android.

The main purpose of My2022 is daily COVID-19 monitoring and record keeping through a feature called “Green Health Code”, which collects additional medical data.

However, as can be seen from its description in the App Store, it also offers a series of complementary services.

The smartphone version of My2022 offers services about the sporting event, such as event information, instant messaging and information service for functional areas, such as transportation, food, accommodation, among others. In addition, it provides information on activities outside the event, such as tours, shopping and entertainment.

“My 2022 displays information in both Chinese and English and provides personalized service for different user groups to enjoy a complete gaming experience with a single app,” the app's description reads.

What are the security flaws of My2022

A woman walks past an installation promoting the Beijing 2022 Winter Olympics and Paralympics.

However, the Citizen Lab cybersecurity group, from the Munk School of Global Affairs and Public Policy at the University of Toronto, warned that the My2022 app does not provide encryption, exposing users to leaks of their personal data and medical records.

Among the Citizen Lab’s findings are:

  • The encryption that protects users’ voice audio and file transfers can be compromised.
  • Health forms, which contain passport information, medical and travel history, are also vulnerable.
  • Server responses can be spoofed, so an attacker could display bogus instructions to users.
  • It is not specified with which entity or organization the app shares the personal data and medical records it collects.
  • MY2022 includes features that allow users to report “politically sensitive” content.
  • Although it is a dormant feature, it includes a list of censored keywords, focusing on political topics and internal affairs, such as Xinjiang and Tibet, as well as references to Chinese leaders and government agencies.
  • The flaws could violate the software policies of Google and Apple, in addition to violating China’s own privacy laws, according to Citizen Lab.

Is there a real danger?

Citizen Lab says that fears about Chinese-origin apps are largely justified because there is a history of security flaws, privacy violations, and information controls in other apps operated in this country.

However, it acknowledges that the Chinese government itself “has taken steps to control invasive collections and mishandling of personal information by companies, following global approaches to personal data protection.”

In that sense, it considers that the findings “are worrying”, but not surprising, because they reflect a shortcoming that affects most Chinese developers, in the absence of laws and regulations that protect personal data.

Regarding the problems with encryption, it maintains that although they could be intentional, that is not plausible, insofar as the files and medical data are delivered directly to the Chinese health authorities.

In addition, these are flaws that have been detected in other local applications. “In light of previous work analyzing popular Chinese apps, our findings on MY2022 are not surprising, although they are concerning.”

Meanwhile, the International Olympic Committee (IOC) dismissed the concerns, stating that the application has been independently evaluated by two cybersecurity organizations, which found that “it does not have critical vulnerabilities.”

“The My2022 application is an important tool in the toolbox of measures against COVID-19 (…) It is compatible with the health control function,” said the entity.

In any case, numerous Olympic committees, such as those of the United States, Germany, Australia, Canada, Great Britain and the Netherlands, have recommended that their delegations use disposable phones and virtual private networks (VPNs) and create email accounts for the duration of their stay in China.