Security flaws in a smartphone application that’s required for athletes and team officials attending the 2022 Beijing Olympics leave users at risk of having their calls and data intercepted, a Toronto cybersecurity watchdog has found.

The University of Toronto’s non-profit Citizen Lab analyzed My 2022, a software program that offers a suite of functions, including not only the ability to submit health information but also real-time chat, voice-audio chat, file transfers and news and weather updates.

Beijing Olympics organizers require all participants to use the app, which is the property of a Chinese, state-owned company.

The application “has a simple but devastating flaw where encryption protecting users’ voice audio and file transfers can be … sidestepped” with little effort, Citizen Lab researcher Jeffrey Knockel writes in a new report on My 2022 software.

It also includes a feature to allow users to report “politically sensitive content” to My 2022. It is not clear with whom the information would be shared.

In addition, the research lab found a censorship keyword list in the software – totalling 2,422 words or phrases, such as Tiananmen or “Chinese Communist Party evil,” that are frequently censored in China. Citizen Lab also found software code capable of reading this list and applying it to censor communications on My 2022.

This list of censored words is currently inactive, and not being used to block any communication. But Mr. Knockel said the owners of the software, Beijing Financial Holdings Group, could issue an update to activate this function.

Human-rights groups have called for China to be stripped of hosting the 2022 Winter Olympics, which begin on Feb. 4, because of repression against Uyghurs and other Turkic minorities and the quashing of democracy and civil liberties in the former British colony of Hong Kong. Australia, Britain, Canada, Japan and Denmark have joined a U.S. diplomatic boycott of the Games to protest against China’s human-rights record, and will not send official representatives.

The official Beijing 2022 playbook posted on the International Olympic Committee’s website tells people to download the My 2022 application at least 14 days before heading to China and begin reporting their health status on it daily, as well as uploading their vaccination certificate and COVID-19 test results. After they arrive in China, the playbook asks them to use the app to report their health status, including body temperature, each day.

The athlete guidebook also points out competitors and team officials can use My 2022 to keep in touch with each other via messaging and chat features or use it to translate their messages, check competition schedules and medal counts or buy Beijing 2022 merchandise.

My 2022’s policies, according to Citizen Lab, say personal information will be shared without user consent in circumstances that include national security matters and criminal investigations.

Canada’s Olympic committee has recommended that Canadian athletes leave their personal electronic devices at home and restrict the amount of personal information they store on any devices they bring to Beijing.

“We’ve reminded all Team Canada members that the Olympic Games present a unique opportunity for cybercrime and recommended that they be extra diligent at the Games, including considering leaving personal devices at home, limiting personal information stored on devices brought to the Games, and to practice good cyber-hygiene at all times,” the Canadian Olympic Committee said in an e-mailed statement to The Globe and Mail.

The Citizen Lab researchers said they notified the Beijing Organizing Committee of the security flaws in December, but have not received a response. The watchdog’s report also said My 2022’s security flaws “may not only violate Google’s unwanted-software policy and Apple’s App Store guidelines, but also China’s own laws and standards on privacy protection.”

Mr. Knockel said Olympians using the app in China would be better off connecting to the internet via a virtual private network (VPN) service. VPNs, which people in China use to bypass internet restrictions there, also offer increased privacy and security. Many VPNs are blocked in China, however, he added.

The Citizen Lab report noted China has a history of undermining encryption technology to conduct political censorship and surveillance.

But it points out health information being submitted through the app is already destined for the Chinese government anyway.

STEVEN CHASE, SENIOR PARLIAMENTARY REPORTER
ROBERT FIFE, OTTAWA BUREAU CHIEF
The Globe and Mail, January 18, 2022