Ahead of the Beijing Winter Olympics, privacy experts have raised concerns over a mandatory app required for all attendees. The My2022 app, which supports chats, voice chats, news and weather updates, and file transfers, must be downloaded by all attendees 14 days prior to departure for China, at which point they are also required to start submitting daily health updates. Foreign visitors will also need to upload personal information – such as travel and medical history.

Poor encryption leaves user data vulnerable

According to a recent report by the Citizen Lab, the My2022 app “has a simple but devastating flaw where encryption protecting users’ voice audio and file transfers can be trivially sidestepped.” This leaves users vulnerable to having their personal information or communications easily intercepted by hackers or outside parties.

In a summary of its findings, the Citizen Lab reported:

“[T]he app’s security deficits may not only violate Google’s Unwanted Software Policy and Apple’s App Store guidelines but also China’s own laws and national standards pertaining to privacy protection.”

The report also noted that the My2022 app does not specify with whom it shares the sensitive medical information which it collects. However, we do know that a state-owned company called Beijing Financial Holdings Group owns the app – something else that doesn’t bode well for user privacy, given China’s reputation as a surveillance state.

After conducting a review of the app, cybersecurity firm Internet 2.0 has encouraged attendees to use burner phones while at the games, warning that “China’s national data security laws are not designed with the Western values of privacy and liberty and do not offer the same level of protection.” According to the BBC:

“[Internet 2.0’s] report … looked at some of the technology sponsors of the Games and their products in order to show ‘the sophisticated and broad surveillance culture that exists in China.’ One product, a VPN by Qi-Anxin, was able to capture a significant amount of user data, the report said. Under China’s national security laws, authorities can request to access this data.”

Censorship in the My2022 app

In addition to potentially compromising user data, the app contains censorship functionality. The Citizen Lab found a censorship list of over 2,400 keywords, though it was unclear whether the function would be used since it was inactive at the time of analysis. According to the BBC:

“The Citizen Lab report said it had found a ‘censorship keywords’ list built into the app, and a feature that allows people to flag other ‘politically sensitive’ expressions.

The list of words included the names of Chinese leaders and government agencies, as well as references to the 1989 killing of pro-democracy protesters in Tiananmen Square, and the religious group Falun Gong, which is banned in China.”

Team USA has urged athletes to use burner phones amidst the security concerns.