China is forcing Olympic athletes to use a state-controlled COVID app that researchers say contains a "devastating" security flaw

Athletes attending the Beijing 2022 Winter Olympics are making their final preparations for the Games, which begin on February 4. But before they leave for Beijing, they have to download an app controlled by the Chinese government.

Called My 2022, the phone app or desktop website functions primarily as a health monitoring tool to track the COVID-19 health records of Olympic athletes and related personnel. The app also has a messaging function and provides information such as timetables and events.

The mandatory app raises safety concerns among researchers, who suggest that athletes in China's Olympic bubble may not be isolated from the technical surveillance and censorship that exists in the rest of the country.

How does it work?
The Beijing Olympics last year released two COVID playbooks, one for athletes and coaches and one for other Olympic participants like the media, stating that every participant in the games would need to download the app, or log in on desktop computers, to gain access to the country.

The playbook states that people must log into My 2022's health monitoring system 14 days before entering the Olympics, enter vaccination records and personal health information, and use the app to keep a daily record of COVID-19 symptoms during their stay.

Olympians can bypass the country's mandatory hotel quarantine if they enter the Olympic bubble, or the "closed-loop management system" as Beijing calls it. In the bubble, Olympians, coaches, and staff are only allowed to enter certain locations such as their hotels and sports venues, and are asked to take precautions such as wearing masks and avoiding large group gatherings.

Athletes and Olympic staff are required to record their body temperature daily through the app, which also displays the results of daily COVID-19 testing performed by athletes.

People in the bubble are encouraged to communicate with each other through My 2022 and use the app to translate languages and get basic event information. The Olympics organizers are also asking app users to update their health status on the app every day until they leave China for 14 days.

The Beijing organizing committee says it created the app, but public records show the app is ultimately owned by Beijing Financial Holdings Group, a Chinese state-owned company.

What security concerns are there?
On Tuesday, Citizen Lab, a research group at the University of Toronto, released a report raising concerns about the app's security.

The first, and perhaps most worrying, is the "devastating flaw" Citizen Lab found in the app's security. According to Citizen Lab, the app's encryption can be "trivially bypassed," leaving users open to attacks from outsiders who can steal their personal health information and other sensitive data. The report also said the app's privacy policy was "unclear" about whether or with whom the app might share sensitive personal information collected from its users.

The International Olympic Committee and Beijing officials have dismissed Citizen Lab's report, vowing that the app's privacy practices comply with international standards and Chinese law.

"The user is in control of what the My 2022 app can access on their device," the IOC said in a statement to German news agency DW. "The My 2022 app is an important tool in the COVID-19 response toolbox."

Citizen Lab also said the app has a feature that allows users to report "politically sensitive" messages from other users to the app's developers. The developers would then decide whether the message warranted removal from the app. The researchers also said that the developers embedded a list of sensitive keywords like "Xinjiang" in the app's code, suggesting that the developers could block users from sending messages containing those words, a commonly used content censorship tool on Chinese social media platforms.