The health monitoring app that athletes competing in the Beijing Olympics were given has significant security flaws, is linked to a company blacklisted by the United States for Uyghur surveillance, and was developed by a company chaired by a Chinese Communist Party loyalist.
The MY2022 app is owned by Beijing Financial Holdings Group, a state-controlled company founded in 2018 and belonging to the Beijing city government. Beijing Financial says it is run by a board of directors and a CCP committee. The company chairman is Fan Wenzhong, who is also the secretary of the company’s CCP committee.
Everyone attending the Olympics in Beijing is required to submit their health status through MY2022 each day. The app’s presence at the Olympics is yet another example of how U.S. and international athletes will likely be forced to use technology linked to the CCP.
Citizen Lab, a Toronto-based cyber research group, released a report this month concluding that the MY2022 app “has a simple but devastating flaw where encryption protecting users’ voice audio and file transfers can be trivially sidestepped” and that “health customs forms, which transmit passport details, demographic information, and medical and travel history, are also vulnerable.”
The firm said MY2022 also includes features allowing users to report “politically sensitive” content, with “a censorship keyword list, which, while presently inactive, targets a variety of political topics including domestic issues such as Xinjiang and Tibet.” Citizen Lab said the app’s “security deficits” might violate Google and Apple rules.
Citizen Lab said numerous Chinese third-party entities have access to MY2022. One example is Huawei, which has access to data when the app is used on Huawei devices. A host of information, including audio, device status, and location access, is shared with iFlytek when its translation service is used.
IFlytek, also the official translation services provider for the Beijing Olympics, has been blacklisted by the U.S. for helping the CCP spy on Uyghur Muslims.
Citizen Lab said MY2022 collects users’ demographic information and passport information, as well as the organization to which they belong.
The group said it discovered a file called “illegalwords.txt” within the Android version of MY2022, which “contains a list of 2,442 keywords generally considered politically sensitive in China.”
“It is unclear whether this keyword list is entirely inactive and, if so, whether the list is inactive intentionally,” the group added in its analysis.
Jonathan Scott, the founder of Hack Tree, said in a tweet this week that he analyzed the app and was chilled by what he found.
“After reverse engineering all of the #Beijing2022 #spyware app for Apple #ios and Google #Android, I can definitively say all Olympian audio is being collected, analyzed, and saved on Chinese servers using tech from USA blacklisted AI firm iFlytek,” Scott said in a viral tweet.
Jeff Knockel, a researcher at Citizen Lab, responded by saying that “we observed data transmitted to iFlytek only during the use of the translation feature.”
The Chinese Embassy in Canada claimed that Citizen Lab’s report was “distorted and unfounded” and that concerns were “totally unnecessary.”
The U.S. Olympic Committee told athletes that “there should be no expectation of data security or privacy while operating in China.”
The International Olympic Committee defended the app, saying two outside groups had assessed MY2022 and found no security flaws with it.
“The MY2022 application is an important tool in the toolbox of the COVID-19 countermeasures,” the IOC said, adding, “It is not compulsory to install ‘MY2022’ on cellphones, as accredited personnel can log on to the health monitoring system on the web page instead.”
The IOC itself has partnerships with companies that have been linked to the Chinese government, have been implicated in using forced Uyghur labor in Xinjiang, and have faced U.S. scrutiny as national security threats.
The Chinese state-run Global Times claimed this month that 35,000 athletes, journalists, and staff already use MY2022, according to the Beijing Olympics organizing committee.
The IOC’s “Playbook” for the Olympics touted MY2022’s “Health Monitoring System.”
“You will be required to check your health status daily for 14 days before traveling [to China] and report your health status during your entire stay in China,” the IOC told athletes.
Beijing Financial’s Chinese-language website touts the MY2022 app owner’s close links with the CCP, with dozens of posts on “Party Building” detailing how the company was implementing CCP rules all the way down to “the lowest level.”
Beijing Financial celebrated the 100th anniversary of the CCP’s founding last year, including with lectures on the CCP. The company said it wanted to implement the “spirit” of Chinese leader Xi Jinping’s speech, and Fan Wenzhong led company members to a “party day activity” themed “Following the Red Footprint, Don’t Forget the Original Mission” where they “revisited the oath of joining the party, accepted the red baptism, inherited the red gene, and continued the red blood.”
Sen. Marco Rubio, a Florida Republican, sent a letter to President Joe Biden pleading for protection for U.S. athletes.
“It is critical that you take the steps necessary to ensure that [U.S. Olympic athletes] are sufficiently protected from Beijing’s surveillance and manipulation,” Rubio wrote.
After receiving no response, Rubio’s office tweeted a dire forecast for the games related to the MY2022 app controversy.
“The White House is sending Americans into a dystopian surveillance state with no plan to protect their digital privacy.”