The official app, My2022, sent unencrypted information in breach of China's own data laws.

Robert Clark, Contributing Editor, Special to Light Reading

January 31, 2022

Olympic athletes should be worried about data security

You'll be forgiven for not knowing that "Together for a Shared Future" is the official slogan of the 2022 Winter Olympics.

It's the kind of bland feelgood sentiment that games hosts tend to come up with every four years. After all, who can be against "sharing" or the "future"?

Well, judging by their foot-dragging responses to IT security concerns, it looks like the organizers are.

Figure 1: The research team found a database with 2,400 politically sensitive "trigger" words and a function that could be activated to report users' speech. (Source: Li Xin/Xinhua/Alamy Stock Photo)

Exhibit A is the official app, My2022, which has been vexed by multiple security issues.

Toronto-based Citizen Lab identified a number of potential flaws in early December and unsuccessfully tried to raise these with organizers and the developer (see Chinese officials won't fix security flaws in Olympic app).

After a spate of media stories, the Beijing Olympics organizing committee responded on January 20, with technology chief Yu Hong attributing the lack of response to the advice being sent to an "old email address."

Even if you are persuaded that this multi-billion dollar maximum-priority extravaganza can be brought undone by an expired email address, it doesn't explain how the app developer never seemed to get the email either.

Yu said that if any security flaws existed they had been fixed, adding that the developer and Citizen Lab were now in direct contact. The app in Google Play and the App Store reports it was updated on January 23.

Security flaws everywhere

A plausible explanation for this disconnect is simply that Chinese officials are expected to ignore foreign input in general and in particular on anything as sensitive as the internet.

Even so, let's just note that official China still can't bring itself to fully acknowledge the app's security holes.

The English-language China Daily advised readers vaguely on January 28 that the vulnerabilities were merely something "Western media outlets" had reported, rather than the detailed findings of cybersecurity researchers.

It certainly did not report, for example, that the app sent unencrypted information in breach of China's own data laws, or that the research team had found a database with 2,400 politically sensitive "trigger" words and a function that could be activated to report users' speech.

The thousands of athletes and officials required to download the app will hardly be reassured by this bare minimum level of disclosure.

Together for a shared future?

They won't be heartened either by the finding by another security researcher, Jonathan Scott, that all audio from the app is analyzed and stored on servers using AI technology from iFlytek, a firm blacklisted by the US because of its work in Xinjiang.

Separately, security firm Internet 2.0 has called into question two other official Olympics applications.

It found the VPN built by Qi-Anxin Technology, the official Olympics cybersecurity partner, harvests all current and previous network information on smartphones. It also notes that the VPN is tightly integrated with software from Qihoo 360, another blacklisted company.

Additionally it reports that the anti-virus installer from Kingsoft, an official software supplier to the games, could contain malicious behaviors or properties.

These findings raise reasonable concerns about information security and privacy.

But the organizers' unwillingness to speak frankly about them merely exacerbates anxieties and makes a mockery of any sloganeering about sharing and working together.

— Robert Clark, contributing editor, special to Light Reading

About the Author(s)

Robert Clark

Contributing Editor, Special to Light Reading

Robert Clark is an independent technology editor and researcher based in Hong Kong. In addition to contributing to Light Reading, he also has his own blog, Electric Speech (http://www.electricspeech.com).
