Official Beijing 2022 Winter Olympics app rife with privacy risks

In a detailed report compiled by Canada's Citizen Lab, researchers analysed the MY2022 app for potential privacy and security issues. The investigation found that the app collects a long list of sensitive information including device identifiers and hardware model, service provider information, a list of other apps installed on the device, WLAN status, real-time location, audio access, and access to storage, among other sensitive personal data.

The collection of this data is disclosed in the app's privacy policy and is ostensibly required for Covid-19 protection controls, translation services, Weibo integration, and tourism recommendations and navigation.

According to Citizen Lab, the app's encryption system also has a major flaw that potentially enables bad actors to access documents, audio and files saved on the device in text form.

The MY2022 app is also subject to censorship based on a built-in list of keywords, which include the names of Chinese leaders and government agencies, as well as references to the Tiananmen Square massacre of pro-democracy protesters in 1989. Such a feature is apparently not uncommon for apps in China.

The app's privacy policy is also opaque about exactly who or what is receiving and processing the sensitive data which users are required to upload. This is in direct violation of both Google and Apple's app guidelines, yet the app is currently still available from both app stores. The app even violates China's own laws regarding privacy protection.

There is also ongoing confusion about whether or not the use of MY2022 is compulsory or optional. All athletes, members of the press and spectators are required to install the app and add their personal information to it, if they plan to attend Beijing 2022.

For Chinese citizens, MY2022 collects names, national identification numbers, phone numbers, email addresses, profile pictures and employment information, sharing this data with the Beijing Organising Committee for the 2022 Olympics.

For overseas visitors, the app collects complete passport information, daily health status, Covid-19 vaccination status, demographic data, and the organisation for which they are working.

Citizen Lab also revealed flaws in the app's SSL-based encryption, which could allow rogue connections due to certification validation issues. An attacker could potentially spoof multiple servers, pretending to be a trusted destination, and intercept sensitive data coming from the app. The analysts also found that transmitted data is not always encrypted, so some transmissions could be intercepted and easily read via network packet eavesdropping.

All of the risks uncovered by Citizen Lab were reported to the Beijing Organising Committee for the 2022 Olympic and Paralympic Winter Games on 3 December 2021. No response had been received by 18 January, at which time the researchers publicly disclosed their findings.

Although the app developers then released a version 2.0.5 update to the app, further analysis of the newest version found that the issues previously reported remain unresolved.

Citizen Labs noted that it seems unlikely that the app's weaknesses were deliberately included, given that the intended recipient of all the data captured has always been the Chinese state, so there is no obvious incentive there to build in additional back-door access for other actors.

After Citizen Labs' findings were made public, the International Olympic Committe (IOC) issued a statement, which said: "The MY2022 application is an important tool in the tool box of the Covid-19 countermeasures. The MY2022 app supports the function for health monitoring."

The IOC statement added that the MY2022 app can be configured by users to disable access to features such as "files and media, calendar, camera, contacts", as well as location information, stating that: "The user is in control over what the MY2022 app can access on their device. They can change the settings already while installing the app or at any point afterwards."

Cyber-security firm Internet 2.0 recommended that any foreigners attending the Beijing Olympics should use a 'burner' phone or tablet and create a new email account to use solely during their time in China.

Reviewing Citizen Lab's findings, Chris Hauk, consumer privacy champion at Pixel Privacy (pixelprivacy.com), said: "While the Citizen Lab report claims the app is required for participants, the International Olympic Committee says installation of the app is not compulsory and that the user is in control over what the app can access on their device.

"However, in either case, users should share as little information as possible with the app and are also advised to make sure their login and password information is different from that used on other apps, websites, and other users. Users should also delete the app from their devices as soon as possible. At the very least, uninstall it after clearing Chinese airspace, in order to protect against any possible hacking attempts in the future."

Paul Bischoff, a fellow privacy advocate at Comparitech (comparitech.com) said: "The MY2022 app poses a serious privacy and security threat to Olympics athletes, staff and audience. On top of collecting detailed personal information, the app uses insecure SSL connections that can be intercepted by middlemen. The fact that this app was allowed to be published in both major app stores is concerning, showing how Google and Apple might be too lenient toward state-sponsored apps."

News of the cyber-security concerns surrounding the official MY2022 app follows the Covid-related health announcement earlier this week that China has finally succumbed to the fluctuations of the ongoing pandemic and has decided not to sell Olympics tickets to the public.

Having already barred foreign spectators from attending the Winter Games, China has now confirmed that its own citizens are not permitted to attend events either, "to ensure the safety of all participants and spectators", according to the Beijing 2022 organising committee.

The announcement came just two days after Beijing's first reported case of the Omicron variant, which triggered an immediate lockdown and mass testing in one of the capital city’s neighbourhoods.

The committee said an “adapted program” would be in place instead at the Winter Games, which start on 4 February 2022, to allow some spectators, perhaps indicating a special exception for sufficiently screened and quarantined small groups.

The IOC later released its own statement: “The organisers expect that these spectators will strictly abide by the Covid-19 countermeasures before, during and after each event so as to help create an absolutely safe environment for the athletes.”