The International Olympic Committee has defended China's MY2022 Olympics app following a report from Citizen Lab that found serious privacy issues with the platform.
All attendees of the 2022 Olympic Games in Beijing need to download and use the app, but Citizen Lab released a report on Monday that said a "simple but devastating flaw" allows the encryption protecting users' voice audio and file transfers to be "trivially sidestepped."
According to Citizen Lab, passport details, demographic information, and medical/travel history in health customs forms are also vulnerable. Server responses can be spoofed, allowing an attacker to display fake instructions to users, according to the report.
The MY2022 app also allows users to report "politically sensitive" content and includes a censorship keyword list involving topics like Xinjiang and Tibet.
Citizen Lab noted that the app may violate Google's Unwanted Software Policy, Apple's App Store guidelines, and China's own laws and national standards pertaining to privacy protection. Google and Apple did not respond to requests for comment.
The report caused widespread outrage, since the thousands of people at the games will have no choice but to download the app if they want to represent their country.
In comments to ZDNet, the International Olympic Committee defended the app and downplayed the severity of the issues discovered by Citizen Lab.
A spokesperson justified the app's security holes by saying that due to the COVID-19 pandemic, "special measures" needed to be put in place to "protect the participants of the Olympic and Paralympic Winter Games Beijing 2022 and the Chinese people."
"Therefore, a closed loop management system has been implemented... The 'My2022' app supports the function for health monitoring. It is designed to keep Games-related personnel safe within the closed loop environment," the IOC said.
The IOC also defended the app by saying it received approval from the Google Play store and the App Store.
"The user is in control over what the 'My2022' app can access on their device. They can change the settings already while installing the app or at any point afterwards. It is not compulsory to install 'My 2022' on cell phones, as accredited personnel can log on to the health monitoring system on the web page instead," the IOC claimed.
"The IOC has conducted independent third-party assessments on the application from two cyber-security testing organizations. These reports confirmed that there are no critical vulnerabilities."
Ron Deibert, director of Citizen Lab at the University of Toronto's Munk School of Global Affairs & Public Policy, told ZDNet that the IOC's comments do not address the serious security vulnerabilities the organization discovered and reported.
"To date, the app vendor has not either. In fact, the app vendor has not responded at all to our vulnerability disclosure, and the latest version of the app, unfortunately, still includes the vulnerabilities," Deibert noted.
"The IOC has a responsibility to ensure user privacy and security is protected for any applications and systems used during the Olympic Games. The IOC's comments suggest that rather than taking that responsibility seriously, they are in fact hoping to minimize the risks."
Some experts said the vulnerabilities would also give criminal hackers a way to steal sensitive personal information. The Beijing 2022 organizing committee, however, told USA Today that personal information collected by Beijing 2022 "will not be disclosed unless the disclosure is necessary."
"Information of accredited media representatives will only be used for purposes related to the Olympic and Paralympic Winter Games," the Beijing 2022 organizing committee said.