Is “My2022”, the official app of the Beijing Olympics, a spy hidden in participants’ pockets? – Liberation

by time news


The application that collects medical data and travel information has been singled out by experts from Citizen Lab for its security flaws. But the spy rumors remain unsubstantiated. However, experts have identified the presence of features allowing Internet users to report others for “political reasons”.

The friendly look of My2022’s little panda reassures no one. On the contrary, the official application of the organizing committee of the Beijing Games is causing concern. Intended to monitor the spread of Covid-19, in particular among athletes, journalists and senior officials, it collects health data and travel information. It also lets users send text, voice messages or files to other people. In short, the app is a crossroads through which potentially sensitive data passes. The problem: its security leaves something to be desired.

In a report published on January 18, the Citizen Lab, a cybersecurity watchdog from the University of Toronto, Canada, warns of the presence of serious flaws. First, the encryption protecting participants’ audio and file transfers can be “trivially circumvented”. Second, shared data, whether medical or demographic, is vulnerable. In practical terms, the researchers fear that an attacker could easily access the information collected and, worse, could display false instructions on participants’ devices.

And, when it comes to hacking, the number one suspect is none other than the Chinese government. Between the human rights abuses perpetrated in particular against the Uyghurs and the era of mass surveillance in the country, China arouses great mistrust in the West. The Australian, Canadian, American and British Olympic Committees have already advised their athletes not to bring their personal phones and computers. On site, according to them, it is better to use disposable devices. The UK even provides spare phones to athletes who request them.

Riding the wave of panic caused by Citizen Lab’s findings, other specialists took a look at “My2022”. Among them is Jonathan Scott, who presents himself as a student-researcher in computer science.

Calling the app “spyware”, the American asserts: “All Olympic athlete audios are collected, analyzed and saved on Chinese servers.” The counters on his message went wild, racking up 6,000 retweets and 10,000 likes. But nothing he claims is actually proven. And other cybersecurity experts, like Will Strafach, developer of the Guardian app (a firewall for the iOS operating system), are quick to raise eyebrows.

After monitoring the app’s network traffic, Will Strafach found “no audio transmission to any server”. While admitting that “the olympic app does not seem good for privacy”, the expert specifies that he spotted “microphone activity” only when using translation features. That is not enough to imply that all audio is intercepted, still less that it would be intercepted surreptitiously.

Citizen Lab researchers have asked themselves to what extent the detected security flaws are intentional. Noting that most of the information collected by the app is already submitted in health customs forms and transferred to the government, the academics point to the lack of “instrumental rationality” in intercepting the same data again.

Responding to AFP after the publication of the Citizen Lab report, Yu Honga, technical manager of the Games Organizing Committee, refuted any possibility of data capture. She also gave assurances that the security flaws had been fixed in a recent update.

However, there was silence on another discovery made by the researchers: a list of 2,422 censored words and expressions, grouped together in the “illegalwords.txt” file. Most are political, referring to the Tiananmen Square massacre, common criticism of the Chinese Communist Party or President Xi Jinping. Others, written in Tibetan or Uyghur, refer to the Dalai Lama and the Koran.

According to the experts, this list could be used to censor some of the messages sent, an automated technique already deployed on other communication platforms in China, such as WeChat. For now, however, the list is reportedly not actively used in My2022. Citizen Lab has nevertheless identified features in the app that allow Internet users to report others for “political reasons”. This possibility already exists in other Chinese applications and could likewise lead to the removal of content in a way that is “not transparent”.
