People traveling to China for the 2022 Winter Olympics—including athletes, government dignitaries, and corporate executives—are all at risk of personal data exposure and being surveilled by the Chinese regime, a data security expert warns.
The risk centers on a state-controlled smartphone app called “MY2022” that the regime in Beijing demands international and local attendees use in order to come to the Games. The app’s vulnerabilities were recently exposed by the University of Toronto’s Citizen Lab, which said in its analysis that the app has a “devastating” security flaw.
Rex Lee, in a recent interview with EpochTV’s “China Insider” program, applauded the laboratory for its findings and said the app does pose a “huge cybersecurity threat and privacy threat to the end user,” particularly in the amount of user information the app’s developer can collect.
“The other issue is the sensors and hardware that the app developer can take control of such as your camera [and] your microphone,” he said. “They’ll know when the end user is sitting, walking, riding a bike, riding in a car, or even sleeping.
“So if this information ends up in the wrong hands of bad actors, it can go everywhere from bank accounts being hacked, Social Security numbers being hacked, credit card numbers being hacked, all the way to the delivery of misinformation and disinformation.”
The app, which primarily serves as a tool to track users’ COVID-19 health status, also features an instant messaging function and provides information about the Games, as well as tips on local food and beverage, accommodations, and transportation. The app is available in both iOS and Android versions.
Citizen Lab, which published its findings regarding the app on Jan. 18, said that user information, including passport details, travel history, and phone numbers, could be compromised, given that the app can be “deceived into connecting to a malicious host while believing it is a trusted host.”
The laboratory also found that the app contains a blacklist for keywords, including “Tiananmen Massacre,” “Tibet Freedom,” and “Falun Gong,” as well as Chinese terms for The Epoch Times and its sister outlet NTD. The Chinese regime blocks The Epoch Times and its affiliated media because of their longstanding reporting on issues critical of the communist regime such as human rights violations.
Lee said Chinese nationals would certainly get in trouble with the police if they use the censored words on the blacklist.
“I don’t know foreign nationals can be policed by it or arrested by it,” he added. “There’s a lot of issues with this app that goes beyond just privacy and cybersecurity issues. We’re talking about civil liberties issues and human rights as well.”
MY2022’s developer, Beijing Financial Holdings Group Co. Ltd, as shown on the Apple App Store download page, is tied to the Chinese Communist Party (CCP).
The company was established in October 2018, according to the firm’s website, and Fan Wenzhong was named as the company’s president and party secretary. Fan held several different positions in the Chinese regime before heading the company. In 2007, he was a deputy director at the China Banking Regulatory Commission (CBRC). A year later, he began working for the municipal government in Chongqing, a megacity located in southwestern China. One of the positions he took there was as deputy director of the city’s Assets Supervision and Administration Commission.
Between 2010 and 2018, he spent time at both CBRC and the China Banking and Insurance Regulatory Commission.
In November 2020, Beijing Financial Holdings Group published on its website remarks made by Fan during an event. He said the company “served the purpose of the country’s strategies.”
Fan and other party officials in the company held a meeting in November 2021, according to the company’s website, during which he was cited as saying that they must “deeply understand” Chinese leader Xi Jinping’s speech and “grasp the meanings” behind a historic resolution passed during a political conclave earlier that month.
The 2022 Winter Games, to be hosted by Beijing, are scheduled to start on Feb. 4. Several countries, including Australia, Canada, Lithuania, the United States, and the UK, have announced diplomatic boycotts of the competition. The United States will send its athletes, but not an official delegation.
“The end user [of this app] at the end of the day, can be damaged really badly, by how much information this app has collected on the end user,” Lee said.
“If the end user does not disable the app, or uninstall the app, whoever developed this app will still be able to surveil and data mine that end user even beyond the Olympic Games.”