Athletes competing in the Beijing 2022 Winter Olympics are making their final preparations for the Games that start on Feb. 4. But before they set off for Beijing, they will need to download an app controlled by China’s government.
Called My 2022, the phone app—or desktop website—primarily functions as a health monitoring tool to track the COVID-19 health records of Olympic athletes and related staff. The app also features a messaging function and provides information like shuttle and event schedules.
The mandatory app is raising security concerns among researchers, suggesting that athletes in China’s Olympic bubble may not be insulated from the tech surveillance and censorship that exists in the rest of the country.
How it works
The Beijing Olympics released two COVID playbooks—one for athletes and coaches and one for other Olympic participants like media—last year stating that everyone coming to the Games would have to download the app—or log in on desktops—to gain access to the country.
The playbook says that people will have to log on to My 2022’s health monitoring system 14 days before entering China for the Olympics, input vaccination records and personal health information, and use the app to record a daily record of COVID-19 symptoms throughout their stay.
Olympic participants can skip the country’s mandatory hotel quarantine as they enter the Olympic bubble, or “closed loop management system,” as Beijing dubs it. In the bubble, Olympic athletes, coaches, and staff will only be allowed to enter certain venues like their hotels and sports facilities and will be encouraged to take precautions like wearing masks and not gathering in large groups.
Athletes and Olympics-related staff must keep a daily record of their body temperature via the app, which will also display the results of the daily COVID-19 tests athletes take.
People in the bubble are encouraged to communicate with one another via My 2022 and use the app to translate languages and learn basic information about the events. Olympic organizers are also asking app users to update their health status on the app daily until they’ve been out of China for 14 days.
The Beijing Organizing Committee says it built the app, but public records show that the app is ultimately owned by the Beijing Financial Holdings Group, a state-owned Chinese company.
What are the security concerns?
On Tuesday, Citizen Lab, a research group at the University of Toronto, published a report raising concerns about the app’s safety.
First, and perhaps most concerning, is the “devastating flaw” Citizen Lab detected in the app’s security. Citizen Lab says that the app’s encryption can be “trivially sidestepped,” leaving users open to attacks from outsiders who may be able to steal their personal health information and other sensitive data. The report also said that the app’s privacy policy was “unclear” about if—or to whom—the app might share sensitive personal information collected from its users.
The International Olympic Committee and Beijing officials have dismissed Citizen Lab’s report, pledging that the app’s data protection measures respect international standards and Chinese law.
“The user is in control over what the My 2022 app can access on their device,” the IOC said in a statement to German outlet DW. “The My 2022 application is an important tool in the toolbox of the COVID-19 countermeasures.”
Citizen Lab also said the app had a function that allowed users to report “politically sensitive” messages from other users to the app’s developers. The developers would then decide if the message warranted removal from the app. The researchers also said developers embedded a list of sensitive keywords like Xinjiang in the app’s code, which suggests developers could block users from sending messages that contained those words, a commonly used tool for censoring content on Chinese social media platforms.
The idea that the app may be monitoring discussions between users and censoring certain content is a red flag since Beijing 2022 officials have threatened punishment for those who violate China’s political norms.
“Any behavior or speech that is against the Olympic spirit, especially against the Chinese laws and regulations, are also subject to certain punishment,” Yang Shu, deputy director general of international relations for the Beijing Organizing Committee, said at a press briefing on Tuesday.
Even before Citizen Lab’s report, athlete delegations have been concerned about the security of their phones and other devices in China.
The U.S. team has advised its own athletes to bring burner, or disposable, phones to China instead of their personal devices due to concerns that Chinese authorities would monitor the devices and plant malicious malware on them, the Wall Street Journal reported on Friday. Olympic officials for the Netherlands, Canada, the U.K., Belgium, and Australia likewise have advised athletes to not bring personal phones or devices to China.
Beijing, for its part, says it has no plans to monitor devices and does not believe cybersecurity issues will taint the Games.
“By raising the so-called cybersecurity issue in China, relevant countries, who are guilty of the charge themselves, are accusing the innocent party without any evidence,” Zhao Lijian, China’s foreign ministry spokesperson, said at a press briefing on Tuesday.
