A new report about the mandatory smartphone app athletes must use to report health and travel data while they are in China for next month's Olympics is raising security concerns about the technology Beijing plans to use to monitor COVID-19 infections.
According to the report by Citizen Lab, a University of Toronto cybersecurity watchdog, the app has serious encryption flaws.
Sections of the app that will transmit COVID-19 test results, travel information, and other personal data failed to verify the signature used in encrypted transfers, or did not encrypt the data at all, according to the cybersecurity group.
Now in the final stages of planning, China will aim to control the spread of COVID-19 by separating Winter Olympics participants from the general Chinese population, The New York Times reported. The app, known as MY2022, was designed to reinforce the event's precautions, allowing for contact tracing in the event of any outbreaks.
Citizen Lab said in its report it notified the Beijing Organizing Committee of the app's security flaws Dec. 3 but had not received a response. A January software update did not fix the encryption issues, which probably put the app in violation of China's newly enacted personal data protection laws, as well as the privacy policies Google and Apple require to list an app in their stores.
Encryption flaws have long been a problem for China's technology industry, which paradoxically must both protect consumer data and share it with government censors and surveillance.
In 2020, then-President Trump tried to ban popular social media platform TikTok because of the company's ownership ties to China, citing concerns over espionage and national security, according to The Hill.
The Trump administration also attempted to cut Chinese telecommunications groups Huawei and ZTE out of 5G networks in the U.S. and allied countries over concerns about espionage risks following a 2017 Chinese intelligence law that requires companies and citizens to participate in state intelligence work.
COVID-19 exposure apps have been replete with security flaws, as many countries hurriedly developed such apps but then had to move quickly to address poor security practices. Design flaws put people at risk for scams, identity theft or extensive government tracking, human rights groups warn, and could undermine the public's trust in health initiatives.
The Citizen Lab report said MY2022 failed to confirm a unique encryption signature with the server where it was transferring data, which meant hackers could intercept the data without Chinese officials necessarily knowing. Other parts of the app failed to encrypt metadata, making it easy for owners of wireless networks or telecoms to detect which phones were messaging and when.
Though it is unclear whether the security flaws were intentional, the report theorized robust encryption could interfere with some of China's pervasive online surveillance tools, especially systems that allow local authorities to spy on phones using public wireless networks or internet cafes.