Western media insistence on potential cyberespionage hazards are accusations without evidence. The US’s hybrid war on China includes diplomatically isolating it in world events like the Olympics.

By Joshua Cho, FAIR

A persistent trope in Western media coverage of China is the claim that Chinese technology is inherently compromised and used as a nefarious tool by Beijing to spy on unwitting foreigners. However, when one actually looks for evidence behind these claims or innuendos, one often finds unsubstantiated speculation.

Before the 2022 Beijing Winter Olympics began, there was a spate of reports alleging that China could be spying on visiting athletes and journalists. The reports had a sinister tone, implying to Western audiences that China was trying to collect private information for malicious purposes:

  • Quartz (1/20/22): “Beijing Winter Olympics Athletes Have Every Reason to Worry About Their Cybersecurity”
  • BBC (1/18/22): “Winter Olympics: Athletes Advised to Use Burner Phones in Beijing”
  • New York Times (1/18/22): “Security Flaws Seen in China’s Mandatory Olympics App for Athletes”
  • CNN (2/1/22): “FBI Urges Olympic Athletes to Leave Personal Phones at Home Ahead of Beijing Games”
  • Daily Mail (1/31/22): “Over 1,000 Athletes and Coaches Are Using ‘Burner’ Phones at the Winter Olympics Because the Chinese State Has ‘Crazy, Scary’ Spying Tech that Monitors Calls, Reads Texts, Tracks Movements and Can Spot ‘Illegal’ Words in Private Conversations”
  • Washington Post (1/20/22): “‘China Will Be China’: Why Journalists Are Taking Burner Phones to the Beijing Olympics”
Beijing 2022 Olympics sign

Creating an anaconda

Yahoo! Sports (2/5/22) reported on a tech advisory the US Olympic Committee distributed to sports federations that discouraged athletes from bringing their personal smartphones to Beijing. “There should be no expectation of data security or privacy while operating in China,” the advisory warned, a message echoed by other Western national Olympics committees. Yahoo! cited numerous Western officials and cybersecurity experts who claimed that broader fears of Chinese cyberespionage are “absolutely rational,” setting the stage for what Yahoo! called the “Paranoia Olympics.”

Yahoo! cited a number of Western cybersecurity experts raising concerns for Olympic athletes:

Their worries stem from a variety of sources, from an alleged technical flaw in an app that all Olympics participants must download to broader anti-China hysteria; from Twitter threads claiming to prove that “all Olympian audio is being collected, analyzed and saved on Chinese servers,” to genuine fears about the Chinese government’s ability and willingness to steal sensitive information and use it.

Yahoo!’s report cited supposed China experts’ explanation for how the Chinese government doesn’t even need to conduct cyberespionage to deter athletes from causing disturbances:

It’s a version of what Sinologist Perry Link once termed “The Anaconda in the Chandelier.” It’s a metaphor “used to describe how the Chinese government controls dissent and speech,” explained Neil Thomas, a China analyst at the Eurasia Group. “It basically sits there as a huge anaconda in the chandelier of a room…. It doesn’t need to do anything, this anaconda. It just needs to be there. It doesn’t need to bite you. It doesn’t need to spit venom at you. But your behavior will change simply because you know that it exists.”

This raises the question: If China merely convincing athletes that it might conduct cyberespionage on them is sufficient to control their behavior, and prevent them from bringing up topics that “might trigger the Chinese government,” then wouldn’t unsubstantiated Western media allegations of a Chinese surveillance program on foreign delegations serve the same function as the supposed Chinese anaconda–regardless of whether such a program exists?

Citizen Lab’s findings

Is there evidence of a Chinese surveillance program on foreign delegations? Many Western media reports (e.g., BBC1/18/22CBC1/18/22New York Times1/18/22) on China’s supposed cyberespionage efforts against foreign delegations to the Olympics can be sourced back to a report by the University of Toronto’s Citizen Lab, a cybersecurity research center best known for identifying government-authorized spyware on phones belonging to human rights activists and journalists, which was first reported by German state media outlet Deutsche Welle (1/18/22).

DW reported on some of Citizen Lab’s findings, noting that athletes, coaches, reporters and sports officials, as well as local staff, were required to put “personal information” like passport data and flight information, as well as sensitive medical information related to possible Covid-19 symptoms, onto either the My 2022 app used for the Beijing Olympics or the Olympics’ website:

The app’s SSL certificates—which are supposed to ensure that data traffic is only exchanged between trustworthy devices and servers—are not validated, meaning that the app has a serious encryption vulnerability. As a result, the app could be deceived into connecting with a malicious host, allowing information to be intercepted, or even malicious data to be sent back to the app.

Citizen Lab researcher Jeffrey Knockel says he found the vulnerability not only regarding health data, but also with other important services in the app. This includes the app service that processes all file attachments as well as transmitted voice audio…. The expert says he also discovered that for some services, data traffic in the app is not encrypted at all. This means that the metadata of the app’s own chat service can easily be read by hackers.

It also found that the app had an inactivated “censorship keyword list,” a “reporting function that allows users to report other users if they consider a chat message to be dangerous or dubious.” One option that could have been chosen (had the function been turned on) was “‘politically sensitive content,’ a phrase that is typically used in China to describe censored topics.”

DW reported that Citizen Lab confidentially reported these findings to the Beijing Organizing Committee on December 3, 2021.  Citizen Lab’s cybersecurity experts, the news article said, conducted an audit on January 17 that found that “no changes were made to address the concerns raised over security vulnerabilities and the list of ‘illegal words.’”

‘A simpler explanation’

However, when one actually reads the full Citizen Lab report (1/18/22) that DW and other Western media outlets selectively cited, one quickly discovers that this reporting contained significant omissions that made My 2022’s alleged vulnerabilities seem more malicious and deliberate than they were described in the original report.

For example, Citizen Lab’s report claims that while it’s “reasonable to ask whether the encryption in this app was intentionally sabotaged for surveillance purposes or whether the defect was born of developer negligence,” it also argues that “the case for the Chinese government sabotaging My 2022’s encryption is problematic” for several reasons:

For instance, the most sensitive information being handled by this app is submitted in health customs forms, but this information is already being directly submitted to the government, and thus there would be little instrumental rationality in the government intercepting their own data, as weaknesses in the encryption of the transmission of this information would only aid other parties. While it is possible that weakness in the encryption of health customs information was collateral damage from the intentional weakening of the encryption of other types of data that the Chinese government would have an interest in intercepting, our prior work suggests that insufficient protection of user data is endemic to the Chinese app ecosystem. While some work has ascribed intentionality to poor software security discovered in Chinese apps, we believe that such a widespread lack of security is less likely to be the result of a vast government conspiracy but rather the result of a simpler explanation, such as differing priorities for software developers in China.

In other words, Citizen Lab offered plausible reasons for why My 2022’s developers left alleged security vulnerabilities to enhance functionality that have nothing to do with a malicious Chinese government conspiracy to spy on foreign delegations. Citizen Lab also pointed out that the most sensitive information about athletes would already be directly submitted to the Chinese government for Covid containment purposes, so there would be little point in using My 2022 for espionage purposes.

Ultimately, Citizen Lab concluded:

While we found glaring and easily discoverable security issues with the way that My 2022 performs encryption, we have also observed similar issues in Chinese-developed Zoom, as well as the most popular Chinese Web browsers. My 2022’s functionality to report other users for “politically sensitive” expression is common in other Chinese apps, and, while we found bundled a list of censorship keyword terms capable of stifling political expression, such lists are near ubiquitous in Chinese chat apps, live streaming apps, mobile games and even open source software. In light of previous work analyzing popular Chinese apps, our findings concerning MY2022 are, while concerning, not surprising.

Citizen Lab’s arguments and conclusions undermine the conspiratorial tone in Western media coverage, which might be why they were omitted, with the opposite impression conveyed through cherry-picked quotes. Outlets like the CBC (1/18/22), Quartz (1/20/22) and the Washington Post (1/20/22) focused on Citizen Lab’s “worst case scenarios” of all internet traffic potentially being intercepted, warning people to “pack burner digital devices” to evade the “‘devastating flaw’ that could expose users’ medical and passport information.”

Aside from a few exceptions like the Associated Press (1/18/22), which correctly noted there “was no evidence that the easily discoverable security flaws in the MY2022 app were placed intentionally by the Chinese government,” the Chinese state media outlet CGTN (1/28/22) offered more nuanced reporting, citing the major thrust of Citizen Lab’s conclusions that were omitted from most Western media accounts, where they would have contradicted the lurid narrative.

‘Two software patches ago’

There is one apparent error in Citizen Lab’s report. The group calls My 2022 “an app required to be installed by all attendees to the 2022 Olympic Games,” a claim repeated in Western media reports on My 2022’s alleged vulnerabilities. The link provided leads to a report by Fortune (12/7/22) that states attendees are “mandated to download a health app called ‘My 2022’ to input personal information and health records,” with no source provided to substantiate this claim.

But the International Olympics Committee (IOC) has directly refuted this claim, noting that it is not mandatory for attendees to download the app, and that the app’s settings can be configured to disable access to “‘files and media, calendar, camera, contacts,’ as well as a user’s location, their phone and their phone’s microphone.” The IOC has also noted that the app has been validated by Apple’s App Store and the Google Play Store, in addition to passing two independent assessments by cybersecurity testing organizations that found “no critical vulnerabilities.”

Later, in early February, Citizen Lab (NBC2/8/22) noted its concerns about My 2022 were addressed “several weeks and two software patches ago,” after the developers reached out after the initial paper was published and sought advice on how to fix the identified problems. All of this indicates that there is no basis for the claim My 2022 was used by the Chinese government to spy on foreign delegations.

However, NBC argued that “focusing on that single smartphone app is a red herring” in “the context of China’s larger appetite for the personal data of people around the world.” It provided no evidence of China’s alleged appetite for the personal data of people outside its borders, instead relying on resurgent Yellow Peril hysteria in Western countries to suggest that it must be true.

Another claim about My 2022 that has gone viral on social media, spread by popular podcast host Joe Rogan and Washington Post columnist Josh Rogin, is the allegation that the app constantly records audio on users’ phones. This was debunked by numerous experts, like Will Strafach, the creator of an iPhone app that blocks location trackers, who looked at My 2022’s code and found that there was nothing beyond an overt translation function that could activate the phone’s microphone.

More evidence-free espionage claims

The evidence-free allegations promoted by Western media about supposed Chinese cyberespionage at the Olympics fit into a larger pattern of claims that Chinese technology is inherently compromised and engineered to serve as spyware by the Chinese government.

Numerous headlines alleged that Huawei, a Chinese multinational tech corporation that created the world’s first 5G smartphone, was conducting espionage on behalf of the Chinese government:

  • Forbes (2/26/19): “Huawei Security Scandal: Everything You Need to Know”
  • Fox (2/13/20): “US Accuses Huawei of Spying on Mobile Phone Users”
  • NBC (2/14/20): “US Officials: Using Huawei Tech Opens Door to Chinese Spying, Censorship”
  • Business Insider (3/16/19): “Everything You Need to Know About Huawei, the Chinese Tech Giant Accused of Spying That the US Just Banned From Doing Business in America”

Huawei had been cleared of accusations of espionage as early as October 2012, after the White House ordered an 18-month review of security risks by suppliers to US telecommunications companies. The inquiry found no evidence that the company was an espionage asset, although predictable concerns about nebulous “security vulnerabilities” were raised (Reuters10/17/12).

In more recent years, Australian officials led the way in getting Western governments like the US to ban Huawei’s technology on national security grounds, after conducting simulations on the offensive espionage potential of 5G technology (Sydney Morning Herald5/22/19). However, when one reads past sensationalist headlines and looks for evidence that Huawei is conducting espionage on behalf of the Chinese government, one comes up dry.

For instance, the Wall Street Journal’s report headlined “US Officials Say Huawei Can Covertly Access Telecom Networks” (2/12/20) cited anonymous US officials claiming that Huawei “can covertly access mobile-phone networks around the world through ‘backdoors’ designed for use by law enforcement.” When one reads further down, however, the Journal admitted that the officials “didn’t provide details of where they believe Huawei is able to do so,” and that they “declined to say” whether the US has observed Huawei taking advantage of these supposed backdoors.

This is consistent with the US government’s assumption that it doesn’t need to show proof of malicious activity by Huawei; it’s a Chinese company, and therefore could be ordered to install backdoors or share data with the Chinese government, despite denials by both Huawei and the Chinese government of those allegations (Wall Street Journal1/23/19). In the absence of evidence, the US government has relied on asking foreign governments to shun Huawei’s technology based on speculative “what if” scenarios (Axios1/30/20).

Critics of baseless US government accusations have argued that it wouldn’t make sense for China to jeopardize their own business interests by spying through Huawei’s technology, because the US and other Western countries are China’s best customers, aside from its domestic market, and it would be catastrophic if espionage were ever discovered (ZDNet5/20/19). This might be why Huawei has stated they are willing to sign “no spy” agreements to reassure suspicious governments that there are no backdoors in their technology (BBC5/19/19).

But one doesn’t need to take Huawei or the Chinese government’s word for it, as other Western governments have confirmed there is no evidence for the US government’s allegations. The British National Cyber Security Centre (NCSC) reported that they haven’t seen any evidence of malicious activity by Huawei, contradicting evidence-free US government allegations (Reuters2/20/19).

Although German spy chief Bruno Kahl claimed that Huawei “can’t be fully trusted,” he didn’t cite any evidence of malicious activity by Huawei, and the head of Germany’s IT watchdog (Federal Office for Information Security), Arne Schönbohm, stated they had “no evidence” of Huawei conducting espionage (The Local12/16/18). France’s cybersecurity chief, Guillaume Poupard, the head of the national cybersecurity agency ANSSI, stated that “there is no Huawei smoking gun as of today in Europe” (South China Morning Post1/31/20).

‘Is TikTok Spying on You?’

Other speculative headlines about Chinese cyberespionage revolved around the popular social media app TikTok:

  • Washington Post (7/13/20): “Is it Time to Delete TikTok? A Guide to the Rumors and the Real Privacy Risks.”
  • Forbes (7/25/20): “Is TikTok Spying on You For China?”
  • Bloomberg (5/13/21): “A Push-Up Contest on TikTok Exposed a Great Cyberespionage Threat”
  • CBS (11/15/20): “How TikTok Could Be Used for Disinformation and Espionage”

Although these headlines suggest that the Chinese government is using the video sharing platform to spy on users, when one actually reads these reports, it becomes apparent that there is no evidence that TikTok takes more data from users than other social media apps like Facebook, or that it shares that data with the Chinese government.

CBS (11/15/20) cited numerous claims from experts they contacted about how China could potentially  share data with the Chinese government or “push disinformation” through the “For You” page on the app that recommends videos–though it doesn’t mention a single instance where TikTok actually did such those things. Forbes (7/25/20) admitted that despite “all the talk, there is no solid proof that TikTok sends any data to China, there is no solid proof that any information is pulled from users’ devices over and above the prying data grabs typical of all social media platforms.” Although Bloomberg (5/13/21) stated that claims of cyberespionage are difficult to verify, it acknowledged there’s “no publicly available evidence that TikTok has passed American data to Chinese officials.” The Washington Post (7/13/20) concluded that “TikTok doesn’t appear to grab any more personal information than Facebook,” and there is “scant evidence that TikTok is sharing our data with China.”

Critics of the insinuations used by US government officials to try to ban TikTok on national security grounds have argued that “TikTok is not fundamentally different from other social media platforms,” as DW editor Fabian Schmidt (8/8/20) put it. It is of “no importance in the end who runs the platforms where people choose to put themselves on stage,” Schmidt argued, since the users themselves are “primarily responsible for protecting their own data on social media.”

However, people need not take TikTok’s word that it is not spying on behalf of the Chinese government, as groups from Citizen Lab to the CIA have concluded that there’s no evidence that Beijing has intercepted data or used the app to access users’ devices (South China Morning Post3/23/21New York Times8/7/20).

These accusations of Chinese hardware and software conducting espionage on foreigners on behalf of the Chinese government are ironic, since there is more evidence of the US government spying on Huawei, and using Huawei’s technology to spy on others, than there is of Huawei spying for the Chinese government. And Washington has been caught inserting secret backdoors on US hardware and embedding software on mobile apps to spy on and keep track of people’s movements, while the NSA spies on Americans and people abroad operating on a “collect it all” ethos (Der Spiegel12/29/13Wall Street Journal8/7/20).

Motives to sully Chinese tech

Journalist Vijay Prashad (Breakthrough News10/28/20) has pointed out that the US information war on China has intensified in recent years, as China’s technology industry has either become a peer competitor to or surpassed the US in certain sectors. Huawei once surpassed Apple as the second-largest smartphone maker in 2018, and TikTok is one of the most popular social media apps in the US.

Similar Yellow Peril propaganda campaigns were waged by the US against Japan in the 1980s, with familiar tropes of alleged unfair trading practices when Americans were anxious regarding Japan’s rising economy as a peer competitor, noting their dominance in exporting technology like cars, computers and semiconductors. Japan’s economy is widely believed to have been sabotaged by the 1985 Plaza Accord Tokyo was pressured to sign by the US.

Despite racist insinuations that China isn’t capable of innovating and claims that its success stems primarily from stealing intellectual property from the US, China is now in the lead regarding 5G (and potentially 6G mobile technology) and artificial intelligence, and has had a lead over the US in global patent filings since 2019. China’s status as a competitor to the US and emerging leader in the tech industry has even led US Secretary of Commerce Gina Raimondo to say that the US and Europe should work together to “slow down China’s rate of innovation” (CNBC9/28/21).

But whereas other East Asian countries like South Korea and Japan are politically subordinate to the US, in addition to having much smaller economies, China is politically independent of the US, and has already surpassed the US’s GDP when measured in purchasing power parity terms. Western corporate media thus have less incentives to vilify those countries compared to China, since they will not be independent countries capable of rivaling the US anytime soon.

It is admittedly possible that the Chinese government is lying about not trying to conduct cyberespionage on foreign delegations at the Olympics, or spying on people through Huawei’s technology and social media platforms like TikTok. But Western media insistence on potential cyberespionage hazards are accusations without evidence. The US’s hybrid war on China includes diplomatically isolating it in world events like the Olympics, and unsubstantiated allegations of nebulous security vulnerabilities can be used to smear and sabotage China’s increasingly competitive tech industry as well.