Concerns are growing about an obligatory health app for competing athletes, with the Beijing Olympics only weeks away, after a recent revelation showed the software contains security problems and a list of “politically sensitive” terms that have been flagged for censoring.
The My2022 app, which will be used to track athletes’ health and travel data, has a “devastating” encryption weakness, according to a paper published by Citizen Lab, a research and strategic policy unit at the University of Toronto.
The Olympic dilemma
Photo credit: Beijing 2022 | Twitter: @Beijing2022
The issue, according to researchers, is twofold: first, the app does not always verify that the servers to which encrypted data is transferred are the specified servers, which could allow bad actors to spoof or impersonate that server’s identity in order to gain access to those files.
According to the paper, this might allow the attacker to “read a victim’s sensitive demographic, passport, travel, and medical information sent in a customs health declaration or to send malicious instructions to a victim after completing a form.”
Second, certain critical data is not encrypted at all by the program. That effectively means that some sensitive data within the app is being transported without security, “including the names of messages’ senders and receivers and their user account identifiers.”
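As an added illustration (not code from the app or from the Citizen Lab report), the following Python audit flags both weakness classes just described in a constructed client configuration: a TLS context that never checks the server's identity, and an endpoint that sends data in the clear. Hostnames are placeholders.

```python
# Added example (not from the app or the Citizen Lab paper): audit a client's
# TLS settings for the two weaknesses described above. Hostnames are placeholders.
import ssl
from urllib.parse import urlsplit


def insecure_context() -> ssl.SSLContext:
    """Encrypts, but accepts any certificate: the server's identity is never
    checked, so anyone who can intercept the connection can impersonate it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def secure_context() -> ssl.SSLContext:
    """Requires a certificate chaining to a trusted CA and matching the host."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_verifies_server(ctx: ssl.SSLContext) -> bool:
    """True only if the peer certificate is both validated and name-checked."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def audit_endpoints(endpoints):
    """Return (url, finding) pairs for each endpoint that fails a check;
    endpoints is an iterable of (url, SSLContext or None)."""
    findings = []
    for url, ctx in endpoints:
        if urlsplit(url).scheme.lower() != "https":
            findings.append((url, "plaintext transport: fields readable on the wire"))
        elif ctx is None or not context_verifies_server(ctx):
            findings.append((url, "server identity not verified: impersonation possible"))
    return findings


# Constructed sample configuration with placeholder hostnames.
SAMPLE_ENDPOINTS = [
    ("https://health-declaration.example/submit", insecure_context()),
    ("http://messages.example/inbox", None),
    ("https://travel.example/itinerary", secure_context()),
]

if __name__ == "__main__":
    for url, finding in audit_endpoints(SAMPLE_ENDPOINTS):
        print(f"{url}: {finding}")
```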
The controversial Beijing Olympic Games
The Beijing Olympic Games are already surrounded by controversy. The United States declared in December that it would boycott the games because of persistent human rights concerns, despite China’s denial of its years-long campaign against Uyghur minorities.
In addition, US senators have suggested new legislation that would revoke the International Olympic Committee’s (IOC) tax-exempt status for refusing to hold China accountable for its human rights transgressions.
The app’s encryption issues have generated more concerns, but should visiting countries and athletes be concerned?
Though experts agree that broad concerns about monitoring during the Olympics and the app are justified, the program’s security issues are more likely due to bad design than a malicious desire to spy. In other words, athletes and anybody visiting China during the Olympics should exercise the same caution they would while visiting any other country.
Experts agree that the Chinese government should address the security flaw, but that the flaw does not necessarily put athletes at risk of government surveillance.
And, according to Kenton Thibaut, a resident China fellow at the Atlantic Council’s Digital Forensic Research Lab, the encryption is unlikely to be flawed by design.
She pointed out that it’s doubtful that somebody purposefully hacked the app’s encryption in order to gain easier access to user data, given all of the data is going to the government anyhow.
However, the Olympics are a highly significant event for Beijing, according to Thibaut, and it’s reasonable to expect some monitoring, “especially for athletes who have perhaps indicated displeasure about not being able to speak out or displeasure about the IOC’s stance on China.”
Athletes who want to connect with family or friends outside the country should utilize “reasonably secure” encrypted messaging apps such as iMessage, Signal, or WhatsApp, especially because relatives are not able to attend the Olympics owing to Covid.