What’s New: In yesterday’s Briefing I discussed security concerns with China’s My2022 Olympics app. In this story, I cited research done by Citizen Lab and Jonathan Scott — both of whom claim My2022 has serious flaws. Mr. Scott’s claims were particularly alarming, stating, “All Olympian audio is being collected, analyzed and saved on Chinese servers.”
This claim is getting serious criticism from the broader information security sector and — I must confess — it’s beyond my technical expertise to independently verify. While some of the critiques are petty, a growing number of experts I trust are calling Scott’s research into question.
Why This Matters: I want my readers to trust what they read in this newsletter and to know that I will always provide the most accurate information I can.
What I’m Thinking:
I don’t think this really changes much. First, the Citizen Lab tear-down still stands. Second, even if the app were flawless, the developer and everyone attending the Games in China are subject to known Chinese cybersecurity and national security laws that give the CCP unfettered access. In other words, user data doesn’t have to “leak” from the app; it can simply be gathered directly from the servers and other infrastructure under the government’s control. A simple read of the app’s Terms of Service shows it is collecting tons of data, and the use of software from iFLYTEK, a known human rights violator, is also confirmed. So there’s still plenty wrong with My2022.
App store rules need to change. Going forward, if companies really want to credibly host “secure” app stores and to protect their users, then they can no longer treat all developers the same. In light of everything we know, is it really sufficient to pretend that, if a Chinese-developed app doesn’t overtly leak like a sieve and its developers promise they’re not misusing the information they collect, then everything must be OK? I understand wanting to treat all developers the same, but they’re not. Chinese developers operate under different rules, have different obligations to their home government, and are legally required to deny and hide those obligations. If tech leaders really believe “privacy is a human right,” then it seems obvious that the status quo is insufficient.
As a thank you for your understanding, here’s a photo of Bo telling me, “Dude, get off your laptop and get to scratchin’.”
Thanks for being a subscriber and I hope the rest of your weekend is awesome!