As Paris attracts sports tourists for the 2024 games, mobile apps marketed to attendees are tracking them, collecting their private data, and then hawking it to advertisers and big tech.
For those of you who are not at the Summer Olympics in Paris right now, I feel your pain. I’m not there either. If you are there — enjoy yourself but be careful, because Paris can be just as bad as it is beautiful.
If you’ve been downloading some apps to your phone to help you navigate the Olympics and the City of Lights, you want to be careful about that too. Researchers at Cybernews, an independent media outlet focused on cyber research, are putting out the word that many Olympics-focused apps are asking for a lot more privileges than they need, taking more privledges than they admit, and seem to be sharing data they collect with the highest bidder.
The Cybernews research team selected a dozen Android apps relevant to Paris’s Olympic Games, tested their permissions, and found that many apps designed to help users during the games are underreporting their data scope on Google’s Play Store, require excessive (and dangerous) permissions, and share the data they collect with advertisers.
“There is no privacy during the Olympics,” the folks at Cybernews said.
To which I would answer, “Why should the Olympics be different from any other time?”
Finding the Bad Apples
Here’s a look at the apps that raised red flags:
- Bonjour RATP: This is a travel app for navigating Paris, buying transportation tickets, and finding routes. It’s also the most data-hungry app in this list. The Data safety section in the Play Store reveals that it collects 18 data points from 38 possible and shares most of them with third parties.
As expected for a navigation app, Bonjour RATP collects precise location data, but it also shares location for the declared purposes of advertising, fraud prevention, security, and compliance. The app has more than 10 million downloads on Android.
- TheFork: This is Europe’s leading restaurant booking platform. It collects 15 data points and sends almost all of them to third parties. This includes email addresses and phone numbers, which are shared for advertising or marketing purposes, according to the app’s developer.
-
Citymapper: This city transport app has more than 10 million downloads and collects 14 data points. Advertising is not mentioned among the declared purposes for sharing.
The Paris 2024 Olympics and The Paris 2024 Public Transport apps require 9-11 data points each.
- The Paris 2024 Olympics: Even though we’re early in the Olympics, this one’s already been downloaded more than 10 million times. It collects web browsing history, email addresses, devices, and other IDs, and sends the data to advertisers. It also asks for multiple dangerous permissions that allow it to tap into the deepest secrets you may hide on your Android phone.
The International Olympic Committee (IOC) openly admits that it collects personal data, builds user profiles, and shares data with advertisers, including Facebook, Google, Apple, or X.
“When required, prompts are presented to users to allow them to consent to specific features to enhance their app experience,” the IOC told Cybernews. “When first interacting with the app, users may accept or reject cookies. At all times, users have control over the permissions they granted via the device and app settings.”
- The Paris 2024 Public Transport: This one’s issued by a government agency, and will share names, emails, and app activity. Security and compliance, fraud prevention, functionality, advertising, and analytics are all among the stated purposes.
Stakeholder Experience & Access Tool (S.E.A.T.) and PinQuest require some of the most dangerous permissions.
- S.E.A.T.: This app is designed to support specific accredited stakeholders at the Games. Although it says it collects no data, it asks users for dangerous permissions to read and write to external storage, read and write contacts, check and update calendars, and access media files on the device.
- PinQuest: A fun game to discover and test Olympic knowledge, will ask permission to access the camera and files, even though it says it does not collect any user data.
Some apps hide they want dangerous permissions
Permitting Danger
There’s a good reason why Google requires apps to get approval from an Android devices user for certain permissions, just as there’s good reason why most people won’t let a stranger hang out in their home all day while they’re away at work, and that reason has everything to do with trust. Before granting an app a permission, you must trust the app — and the organization behind it.
According to Mantas Kasiliauskis, an information security researcher at Cybernews, the most widely used dangerous permission, asked by seven out of 12 tested apps, was storage access, meaning that apps want to read and write files to the device. Allowing this can be dangerous, as it enables apps to check and modify files, including those on external media such as SD cards.
“Usually, apps require storage access to cache data, such as maps, downloaded transport schedules, user preferences, and others,” Kasiliauskis saids.
Half of the analyzed apps also want access to your camera, meaning they could potentially take photos and record videos without additional permission. It is important to remain vigilant and ensure that cameras are only used for stated useful purposes, and not something malicious.
None of the app developers declared to Google that they collect video and audio recordings, and three apps declared that they collect photos.
“The app should help you enjoy the Olympics, but it shouldn’t need to know your whole life story or what websites you visit to do that,” Kasiliauskis said. “This appears as a textbook example of privacy overreach. It’s concerning, given the stated intentions to build detailed user profiles and share data with tech giants. Unfortunately, invasive data collection is a longstanding industry trend, and lots of apps try to grab more data than they need.”
Christine Hall has been a journalist since 1971. In 2001, she began writing a weekly consumer computer column and started covering Linux and FOSS in 2002 after making the switch to GNU/Linux. Follow her on Twitter: @BrideOfLinux
