The My2022 program, which is sold as an app on both Apple's and Google's stores, is required for coaches, athletes and attendees ostensibly for public health purposes during the pandemic. But recent reporting has indicated that the My2022 app is doing much more than informing attendees about the coronavirus. Sasse's letter references claims that the app not only lacks critical encryption capabilities but is collecting data, such as user voice audio, on People's Republic of China (PRC)-based servers.
"Let me be clear," Sasse told Google CEO Sundar Pichai and Apple CEO Tim Cook, "by failing to pull this compromised app from your companies' app stores, your companies are choosing to host PRC mandated spyware for Olympic athletes who have recently been threatened with punitive action if they do not strictly adhere to the PRC's own authoritarian laws governing speech and freedom of expression."
His letter laid out a series of questions for the tech giants, including whether they've communicated with the PRC or IOC regarding concerns about privacy and security.
The IOC has defended the app, stating that it is "an important tool in the tool box of the COVID-19 countermeasures" and "supports the function for health monitoring." It also clarified that "it is not compulsory to install 'My 2022' on cell phones, as accredited personnel can log on to the health monitoring system on the web page instead."
According to DW, the IOC has said that users are able to disable access to files, media, location, user's audio and other features. It also reportedly cited approval from both Apple and Google.
"The user is in control over what the 'My 2022' app can access on their device," an IOC statement reportedly read. "They can change the settings already while installing the app or at any point afterwards."
Yet, Citizen Lab has released a report alleging that the app has serious security flaws that make it vulnerable to hackers. Jonathan Scott, who founded HackTree.org, also said he reverse engineered the Android and Apple iOS apps.
"I can definitively say all Olympian audio is being collected, analyzed and saved on Chinese servers using tech from USA blacklisted AI firm @iflytek1999," he tweeted.
He was using the Twitter handle for iFlytek, a Chinese artificial intelligence company that the Commerce Department has listed for human rights violations.
Scott detailed his concerns in a letter to Sen. Ted Cruz, R-Texas, and requested an investigation. Political scrutiny will likely mount as the highly contentious games continue and the PRC is accused of genocide, along with other nefarious activities.
In Friday's letter, Sasse wrote: "While we have heard that encryption issues may have been fixed and My2022 developers have replaced iFlyTek software with similar technology from another firm, we have not learned which firm's software now services the app and if that firm also shares close ties to the PRC Government's surveillance apparatus."
Sasse added that by continuing to offer the app, Google and Apple had contradicted their claims "that these stores serve as effective filters for malignant apps that do not meet your companies' high standards for customer security and privacy."
His letter requested a written response to questions about how the companies continue to justify hosting the app, how they're evaluating its presence, and how the tech giants determine whether the app meets their standards for privacy and security.