Privacy concerns abound in the official Beijing 2022 Winter Olympics app

Article by Tsaaro


Introduction

The 2022 Winter Olympics were held in Beijing, China from 4 February to 20 February 2022. Even before the Games began, China was being criticised globally over allegations of human rights violations and related controversies. Around 180 human rights groups held the view that world leaders and governments should boycott the Winter Olympics in Beijing, as they held the Chinese government solely responsible for the genocide of minority communities in China. The Canadian, UK and United States governments decided on a diplomatic boycott of the Games: these countries would send only their athletes to take part, while their government delegates and officials would neither attend the Games nor be part of the event.

But was this the only issue raised by the officials?

The other issue, which concerned most people and was discussed everywhere from news channels to the U.S. Olympic and Paralympic Committee, related to the ‘privacy’ of the athletes and of those planning to attend the Games in Beijing.

The catch in this privacy issue is that everyone preparing to attend the 2022 Winter Olympics had to download a mobile application called “MY2022”. The app had multiple security flaws, giving rise to privacy concerns that applied equally to domestic and international athletes and to those who were merely attending.

What is MY2022?

MY2022 is a mobile application that was made mandatory for all athletes and attendees of the Winter Olympic Games. The app performs multiple functions: real-time chat with your contacts, video and audio calls, file sharing between users, and weather and news updates. Furthermore, the app is also used to submit health customs information for those visiting China from other nations. This includes the user’s passport details, demographic information, travel details, medical history (if any), COVID-19 vaccination status, lab test results and the user’s daily health status.

According to China’s official statements, the information was collected to prevent the transmission of COVID-19, and its collection was therefore part of the COVID protocol followed during the Winter Olympics.

All athletes and attendees were instructed to download the app 14 days before their visit to China and were required to monitor and submit their health information so that their health status could be tracked daily. Many countries have relied on similar apps to track the health status of their citizens and of foreign travellers; in India, for example, the app ‘Aarogya Setu’ was extensively used, and is still used today, to monitor people’s health status.

According to the Chinese government’s guide to the Olympic Games, the MY2022 app was created by the Beijing Organising Committee for the 2022 Winter Olympics. However, public records and the App Store’s listing later revealed that the owner of the app is a state-owned company called ‘Beijing Financial Holding Groups’.

What does MY2022’s privacy policy state?

It is essential to note here that, in order to make an app available on the Google Play Store and/or Apple’s App Store, the app developer(s) must first publish a privacy policy. A privacy policy is a legal document mandated not just by Google and Apple: many federal and state privacy laws require one as part of their compliance requirements. Businesses and organisations that collect, store and transfer their users’ data are therefore required to draft and publish a privacy policy or privacy statement on their website and to make it available in their app.

Reviewing the privacy policy of MY2022 shows the following:

  1. From domestic users, the app collects personal data including the user’s name, national identification number, phone number, e-mail address, profile picture and employment information; this personal data may then be shared with the Beijing Organizing Committee for the 2022 Olympics.
  2. From international users, the app collects personal data including demographic information, passport details and details of the organisation the user is associated with.

MY2022’s privacy policy also states that the app collects and uses the daily health status reported by users, so that the authorities can not only track health but also prevent the spread of the virus. The policy clearly states that COVID-19 vaccination status and lab test results are collected for the same purpose. The privacy policy itself says nothing about where such personal data is shared; the official playbook of the Olympic Games, however, lists the entities with whom users’ personal data is shared. These are the Beijing Organizing Committee; Chinese authorities (the national government, local authorities, and the authorities in charge of health and safety protocols); the International Olympic Committee; the International Paralympic Committee; and all other authorities in charge of implementing COVID-19 countermeasures.

It is essential to note that the app outlines the circumstances in which it will disclose users’ personal data without their consent: cases involving national security, public health and/or criminal investigations. Moreover, this list should not be considered exhaustive.

What are the privacy concerns?

The privacy concerns relating to this app can be reduced to two major issues, which are:

  1. Concerns regarding SSL certificates: Secure Sockets Layer (SSL) uses encryption and digital signatures to ensure that data is transmitted safely and that communication between the user and the intended server is secured. Unfortunately, the MY2022 app fails to validate SSL certificates, which means it is difficult to determine whether the user is communicating with the intended server or with a malicious host pretending to be the intended, trusted server. The user’s information, which was meant to reach the trusted server, is therefore put at risk.
  2. Concerns regarding encryption of sensitive data: The other privacy concern is that the app fails to safeguard sensitive data during communication and transmission. It was found that the app transmits data unencrypted, which means such data can easily be read or collected by anyone.
  3. Other privacy concerns: The most alarming concern is the collection of users’ audio, as users do not have much control over their microphones and audio can be collected at any time. Such audio data is collected by a Chinese AI firm called ‘iFLYTEK’; surprisingly, this firm has already been blacklisted by the United States due to major privacy concerns.
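As an added, illustrative example (not code from the article or from the MY2022 app), the following Python scan looks for the two transport flaws described in points 1 and 2 above across a set of app source files: code patterns that typically disable TLS certificate or hostname validation, and indicators of cleartext HTTP transport. The file contents are constructed samples, and the pattern set is an assumed, generic Android review checklist rather than the article's own findings.

```python
import re

# Assumed, generic indicators of the two transport flaws the article names:
# TLS validation switched off, and data sent over cleartext HTTP.
CHECKS = [
    # Empty checkServerTrusted body: accepts any server certificate.
    ("tls-validation-bypass",
     re.compile(r"checkServerTrusted\s*\([^)]*\)\s*\{\s*\}")),
    # HostnameVerifier that always returns true: accepts any hostname.
    ("tls-validation-bypass",
     re.compile(r"HostnameVerifier[^;]*?return\s+true")),
    # Legacy Apache HttpClient constant that disables hostname checks.
    ("tls-validation-bypass", re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER")),
    # Manifest flag that permits unencrypted traffic app-wide.
    ("cleartext-transport", re.compile(r'usesCleartextTraffic\s*=\s*"true"')),
    # Hard-coded plain http:// endpoint (https:// does not match).
    ("cleartext-transport", re.compile(r"[\"']http://[^\"'\s]+")),
]


def audit_source(files):
    """Return a sorted list of (path, finding) for every indicator matched.

    `files` maps a file path to its text, e.g. decompiled app sources."""
    findings = set()
    for path, text in files.items():
        for label, pattern in CHECKS:
            if pattern.search(text):
                findings.add((path, label))
    return sorted(findings)


# Constructed sample inputs standing in for an app's decompiled sources.
SAMPLE_FILES = {
    "NaiveTrust.java": """
        public void checkServerTrusted(X509Certificate[] c, String a) { }
        public X509Certificate[] getAcceptedIssuers() { return null; }
    """,
    "Hosts.java": """
        client.setHostnameVerifier(new HostnameVerifier() {
            public boolean verify(String h, SSLSession s) { return true; }
        });
    """,
    "Health.java": 'String url = "http://example.invalid/health/submit";',
    "AndroidManifest.xml": '<application android:usesCleartextTraffic="true">',
    "Ok.java": 'String url = "https://example.invalid/api"; // validated TLS',
}

if __name__ == "__main__":
    for path, label in audit_source(SAMPLE_FILES):
        print(f"{path}: {label}")
```

A match is a review lead, not proof of a flaw: a hit still has to be confirmed by reading the surrounding code or observing the app's traffic.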

Concern relating to free speech

The app was also found to contain a built-in censorship and surveillance keyword list, included by the developers to prevent users from commenting on topics the Chinese government does not want the general public to discuss. However, it was also found that the keyword list is currently inactive in the app. The list contains around 2,442 words, all of which are considered politically sensitive in China. This kind of built-in censorship is found in most Chinese apps, so the observation is not surprising.

Violation of Chinese laws and other related privacy policies

MY2022 violates China’s own laws on data protection and privacy. The Chinese laws pertaining to privacy and cybersecurity are the Cybersecurity Law of 2016, the Personal Information Protection Law (PIPL), the Data Security Law (DSL) and the Civil Code. A close look at certain provisions of these laws shows that MY2022 violates even China’s own laws.

In China, information relating to personal or medical health cannot be transmitted without an encryption framework in place to secure the transmission; as discussed above, however, MY2022 fails to encrypt personal data in transit. Article 51 of the PIPL also calls for encryption and de-identification to safeguard personal data, and the app fails to comply with that too. Moreover, Article 27 of the DSL requires data processors to state who is responsible for providing data security and the necessary protection of individuals’ data. Hence the app violates this provision as well.

Further, the app violates Google’s Data Security Policy and Unwanted Software Policy. To comply with the former, all apps listed on the Google Play Store must state which types of data the app collects and whether that data is protected with encryption; to comply with the latter, listed apps must not collect sensitive personal information without encryption. MY2022 is therefore liable to be blacklisted by Google and blocked from further installation by Google Play Protect.

Lastly, the app also violates Apple’s App Store guidelines, which state that an app must have proper safety measures to ensure that the information it collects or processes is not accessed by third parties and is not disclosed without authorisation.

Conclusion

For anyone familiar with Chinese politics and how the laws function there, the present privacy issue will come as no surprise. The Chinese government has long monitored its citizens and censored them from speaking against the ruling party. Comparing other Chinese apps with this one is equally unsurprising, as these privacy and censorship issues are largely found across Chinese apps and platforms. MY2022’s security issues pertaining to encryption can also be found in one of the most popular apps of this decade, Zoom. Privacy is not just a statutory or contractual obligation; it is a fundamental right of citizens.
