In preparation for the 2021 Tokyo Olympics, Japan worked on developing a contact tracing app that would track overseas visitors, but concerns quickly grew over software bugs and whether all visitors would have smartphones on which to install the application.
The Citizen Lab report states that MY2022 failed to confirm a unique encryption signature with the server it was transferring data to. In effect, this meant that hackers could intercept the data without Chinese officials necessarily knowing. Other parts of the app, like its built-in messaging service, failed to encrypt metadata, allowing owners of wireless or telecom networks to easily detect which phone was sending a message to another and At what time.
“Any information you transmit can be intercepted, especially if you’re on an untrusted network like a cafe or hotel Wi-Fi service,” said Jeffrey Knockel, associate researcher at Citizen Lab and one of the authors of the report. Sensitive information collected this way could be used for identity theft, Dr. Knockel added.
It’s unclear whether the security breaches were intentional or not, but the report speculated that proper encryption could interfere with some of China’s ubiquitous online surveillance tools, particularly systems that allow local authorities to spy on phones using public wireless networks or internet cafes. Still, the researchers added that the flaws were likely unintentional, as the government will already be receiving data from the app, so there would be no need to intercept the data while it is in transfer.
“By using the app, you are already sending data directly to the Chinese government,” Dr Knockel said.
The app also included a list of 2,422 political keywords, described in the code as “illegalwords.txt,” which functioned as a keyword censorship list, according to Citizen Lab. The researchers said the list appeared to be a latent function that the app’s chat and file transfer function was not actively using.
Censored word lists are common in Chinese social media apps and function as a first line of defense in a multi-tiered censorship system designed to prevent the spread of unwanted political topics.