The app mandated for use by athletes, press members and spectators during the 2022 Winter Olympic Games and designed primarily for COVID-19 contact tracing has serious security deficiencies, according to a new report released on Tuesday.
The app, called MY2022, was introduced for health tracking, among other things. It handles COVID-19 test results, health status and a wide range of personally identifiable information, including names, demographic information, ID numbers and employment affiliations.
Researchers at Citizen Lab, a University of Toronto group that studies global cybersecurity, said that their analysis identified several flaws in data transmission. In one, hackers can intercept data that is being sent from the app to servers while the app believes it is connecting to a trusted host. In another, some sensitive information, which contains metadata like the identities of the sender and recipient of a message, is transmitted without encryption or protection.
Over the past few years, Beijing has made major progress in writing laws and policies to restrict the ways in which private companies can collect and process citizens’ private data. However, Citizen Lab researchers concluded that MY2022’s data security flaws may violate China’s own privacy laws, including the Personal Information Protection Law and the Data Security Law that were enacted in 2021.
Additionally, the app, which is owned by the state-owned company Beijing Financial Holdings Group, contains a list of censored keywords that can be used to filter politically sensitive topics, according to Citizen Lab.
Citizen Lab said it shared its findings of security vulnerabilities in early December with the Beijing Organizing Committee for the 2022 Olympic and Paralympic Games, but it had not received a response as of Tuesday. On Jan. 6, MY2022 released an updated version in Apple’s App Store, but Citizen Lab found that the issues it disclosed to the Chinese Olympics authority were not fixed.
The 2022 Winter Olympics will begin on Feb. 4.