Security flaws detected in the official application of the 2022 Olympics; the IOC disputes the findings


The My 2022 platform reportedly collects sensitive data from its users, such as passport numbers, vaccination status and Covid-19 test results.

The Canadian research laboratory Citizen Lab has identified several security flaws in the application that all participants in the Beijing Winter Olympics must use, according to a study published on Tuesday.

In reaction to the publication of this report, the International Olympic Committee (IOC) claimed that two specialized cybersecurity bodies had tested the application at the IOC's request and that their conclusions indicated that it did not present “critical vulnerabilities”.

According to Citizen Lab's research, on the other hand, the MY2022 application has two major defects. It was created for the Games, which open on February 4, and is managed by Beijing Financial Holdings Group (BFHG), a subsidiary of the city of Beijing.

“China is notorious for undermining encryption technologies to practice political censorship and surveillance,” underlines the author of the study, Jeffrey Knockel. “Therefore, it is reasonable to wonder if the encryption of the data of this application was not deliberately sabotaged for surveillance purposes or if it is the result of the negligence of the developers.”

The first flaw relates to so-called SSL certificates, which allow two entities to communicate securely online. According to Citizen Lab, which is part of the University of Toronto in Canada, MY2022 does not authenticate the SSL certificates presented to it, which means that unrecognized entities could gain access to the application's data.


Collection of sensitive data

The second flaw is that certain information is transmitted without the proper encryption that SSL certificates usually provide, which makes it more vulnerable to hijacking. For foreign users of the platform, the personal data collected includes passport number, organization and country of origin, as well as vaccination status and Covid-19 test results.

Citizen Lab indicates that it reported the flaws to the Chinese authorities in early December, asking them to respond within 15 days and to remedy them within 45 days. But by the end of the deadline set by the laboratory, Beijing had not responded to this request.

The IOC insisted that it was not mandatory for Games participants to download MY2022, which could also be accessed from a web page. “MY2022 is an important tool in the arsenal of anti-Covid measures,” argued the committee, and “has been designed to ensure the health safety of people in the bubble.”

During its work, Citizen Lab says it also identified a file called “illegalwords.txt” (illegal words) containing terms, many of which are “politically sensitive”, according to the study. These include in particular the terms “CCP evil” (CCP for Chinese Communist Party) and “Xi Jinping”, the name of the Chinese president.

Although the app contains lines of code capable of censoring these terms, they are not activated as things stand, according to Citizen Lab.
