To mitigate the risk of sensitive information and personal data being collected on personal phones during the 2022 Beijing Winter Olympics, we recommend:
Athletes and visitors to the games buy and take a new phone with them to use only while inside China. This will protect their sim information of their devices that they use in their home country
Creating a new email address and browser account and using these on the ‘burner’ Phone. This mitigates the risk of cloud accounts such as google, apple or internet browsers connecting all your personal information with this new and isolated ‘burner’ phone.
Not using this device or account upon leaving China again as these details are likely collected and stored. Using this device outside of China poses the same risk as taking your personal devices and accounts into China.
With the upcoming 2022 Winter Olympics in China the team at Internet 2.0 saw the need to publish case studies demonstrating the sophisticated and broad surveillance culture that exists in China. All Chinese companies are compelled to follow the national security legislation while operating in China. All athletes and visitors to China for the Olympics will be exposed to such laws and surveillance culture. In this paper we show how these laws manifest in terms of surveillance of mobile phones through mobile applications and internet browsers through desktop software. Part 1 is an analysis of the QI-ANXIN VPN. Part 2 is an analysis of the Kingsoft’s anti-virus and WPS Office software. We must state that this is not a criticism or endorsement of QI-ANXIN and Kingsoft. Internet 2.0 does not allege inappropriate conduct by QI-ANXIN or Kingsoft, rather we see it as case studies to understand exactly how the Chinese Communist Party imposes its national security legislation and its implementation in the commercial market from a technical standpoint.
Part 1 is a technical analysis of QI-ANXIN Technology Group Inc’s (QI-ANXIN) Virtual Private Network (VPN) software product. QI-ANXIN is an official sponsor to the Beijing 2022 Olympic and Paralympic Winter Games, see Figure 1. The analysis is based on QI‑ANXIN’s publicly available Winter Olympics mobile protection software, as described on their website. The Internet 2.0 intelligence team analysed the VPN and discovered a significant amount of user data being collected by the software.
In our opinion QI-ANXIN’s VPN provides a limited degree of privacy and security to its users, this assessment is based on the device and network data collected by the software. We recommend that visitors and athletes travelling to the 2022 Winter Olympics in China are aware of the risks in taking and using personal devices during the event, particularly that China’s national data security laws are not designed with western values of privacy and liberty and do not offer the same level of protections. This is true for all digital communications in China and not just while using VPN software.
QI-ANXIN produces a VPN that is capable of being hosted on Windows, Mac, Linux operating systems, and Apple or Android phones. The QI-ANXIN VPN harvests all available network information on Apple and Android phones, including SIM, MAC Addresses, IMEI, IMSI, Operating Systems information and telephone network information. The VPN software also collects previous network interface information on the device.
Equipped with current and historical device information available to the VPN provider, it is possible to easily identify the user with limited privacy. The VPN’s software design has facilitated all the required information on the user’s device information and historical network information, which could be provided to Chinese authorities, if requested, under the country’s national security laws. Hypothetically, if this information was also combined with telecommunications metadata records, it would be possible to correlate both telecommunications metadata and the information provided by the VPN software to gain a complete picture of the users’ internet usage history, network history and location history. We note that the network architecture crossover for the VPN between Legendsec, QI-ANXIN and 360.net is an integrated network design, which can be seen in the VPN Log file uploads between Android and IOS mobile applications. This is problematic, as Qihoo 360 (with the same branding as 360.net) was placed on the Entities list for the Department of Commerce and is considered a separate company to QI-ANXIN.
Part 2 is a technical analysis of Beijing Kingsoft Office Software Co., Ltd’s (Kingsoft) anti-virus software product. Kingsoft through the “WPS Office” suite of software is an Official Supplier to the Beijing 2022 Olympic and Paralympic Winter Games. This analysis is based on Kingsoft’s publicly available anti-virus software product. On 5 January 2021 the Whitehouse released Executive Order 13873 effectively banning the use of or transaction with WPS Office. As seen in Figure 12 “WPS Office” is a product of the company Beijing Kingsoft Software Co. Ltd which runs the Office software. The “WPS Office” suite is a pillar of the software company Kingsoft.
The Internet 2.0 intelligence team found the anti-virus installer file flagged as potentially containing malicious behaviours or properties. The installer also runs a file that potentially accesses data from internet browsers that are also running on the user’s desktop computer. This file potentially copies all browser cookies as well as personal information and credentials. In our opinion the use of this anti-virus carries risk on use as the software provider could attain access to the internet usage history of the user. In the Android version of the Office suite the team found data collection and upload functions from iciba.com to Kingsoft.com which included GPS location, MAC address, installed applications, the phone number and sim information of the device, operating system information and other features including screenshots and clipboard access.
Download our whitepaper here [https://internet2-0.com/whitepaper/digital-surveillance-in-china/]