IOC reacts to cybersecurity concerns
January 18, 2022
The IOC tells DW that China's My 2022 smartphone app, meant for use by all athletes at the upcoming Beijing Winter Games, has been independently assessed by two cybersecurity testing organizations and found to have "no critical vulnerabilities."
The International Olympic Committee's statement followed DW's exclusive story detailing cybersecurity flaws in the My 2022 app. The IOC told DW in an email response that it has requested the just-released report by the University of Toronto's Citizen Lab detailing vulnerabilities to hacking, including some cybersafety measures that Citizen Lab says can be "trivially sidestepped."
"The 'My2022' application is an important tool in the tool box of the COVID-19 countermeasures," the IOC statement read. "The 'My2022' app supports the function for health monitoring."
Citizen Lab maintains that the My 2022 app's forms for transmitting a user's health condition and medical history, passport and travel data, and demographic information are among the app's vulnerabilities to hackers.
Beyond that, Citizen Lab reports that server responses can be "spoofed," allowing hackers to display fake instructions to users of the app.
Configurations and concerns
The IOC says the app can be configured by the user to disable access to features such as "files and media, calendar, camera, contacts," as well as a user's location, their phone and their phone's microphone. Whether most Olympic participants will take the time to configure the app to limit its uses, and the potential vulnerabilities reported by Citizen Lab, is a question for future study.
Some countries, including Germany, the Netherlands and the United States, have already warned athletes not to use, or even bring, personal phones, tablets or laptops because of cybersecurity and surveillance concerns.
The IOC stated: "The user is in control over what the 'My 2022' app can access on their device. They can change the settings already while installing the app or at any point afterwards." It also says the app has received approval from the Google Play store for Android phones and the App Store for Apple phones.
'Not compulsory'
Though Citizen Lab's report stated that the app is "mandated," the IOC says "it is not compulsory to install 'My 2022' on cell phones, as accredited personnel can log on to the health monitoring system on the web page instead."
The IOC says the app is also being used by the "local Beijing 2022 workforce for time-keeping, task management and instant messaging, hence the app is not only for international users."
It adds: "We have requested the report of Citizen Labs to understand their concerns better."
European response
The German Olympic Sports Confederation (DOSB) responded with a statement saying it would not comment on reports regarding data security but would "cooperate with the German Federal Institute of Information Security (BSI)."
"Our athletes are being equipped with a smartphone from IOC partner Samsung in Beijing," the statement read. "BSI recommends using My 2022 on these devices in China and deinstalling it at home. Without My 2022 there is no immigration into China according to the Beijing playbooks."
Athleten Deutschland, an organization that represents more than 1,000 athletes and looks to bring about fundamental changes in German and international sports practices, feels these revelations confirm their long-held fears.
"China has perfected its surveillance apparatus, has critics disappear, and commits blatant human rights violations. We should not be naive and lightly dismiss scenarios that are unimaginable to us," the organization said in a statement to DW.
"Instead, the organizers and the IOC should be prepared for all conceivable scenarios - be it possible manipulation of Corona tests, surveillance and espionage, or reprisals against critical athletes... However, it appears that the IOC and the organizers are not adequately fulfilling their duty of care, as the recent Citizen Lab report reveals. It is inexplicable and irresponsible of the IOC to require participants to use an app with such glaring security vulnerabilities."
Paulina Tomczyk, General Secretary of EU Athletes, the European federation of player unions and athlete associations, told DW that the news raises serious concerns about data protection, privacy and overall security.
"It is notable that a number of countries already discouraged or banned the use of private devices by athletes participating in the Games," Tomczyk said in a written statement.
"The IOC should have worked proactively to ensure that the app, which they repeatedly tell athletes to download in its Playbook, does not put athletes at any risk. It is unacceptable for the organising committee to not respond to the concerns that were shared with them already in December last year."
Edited by Jonathan Harding