Gold rush for data: Paris 2024 Olympic apps are eavesdropping on users


Apps for the Paris Olympic Games 2024 are tracking users, extracting private data, and peddling it to advertisers and big tech. Moreover, the permissions they request go well beyond the data collection they declare.

The Paris 2024 Olympics app, already downloaded more than 10 million times, will be a personal companion for the games, providing schedules, breaking news, medal results, insights into events, qualifiers, and much more.

It will also collect your data, such as your web browsing history, and beam it to advertisers. It asks for multiple dangerous permissions that allow it to tap into the deepest secrets you may hide on your Android phone.

The International Olympic Committee (IOC) openly admits that it collects personal data, builds user profiles, and shares data with advertisers, including Facebook, Google, Apple, and X. The IOC told Cybernews that multiple permissions are needed to give “the best possible experience.”

And that’s just one of the tools that Paris visitors will require during the Olympics. The Cybernews Research team selected 12 Android apps relevant to the Olympic Games attendees in Paris.

“We discovered that the apps designed to help you during the Olympics are underreporting their data collection scope on Google Play Store, require excessive dangerous permissions, and share sensitive user data with advertisers,” said security researcher Mantas Kasiliauskis.

Say goodbye to privacy during the Olympics

The French capital has already prepared AI video surveillance to monitor the crowds. However, what’s in your pocket says a lot more about you.

First, we analyzed app developers' self-declared “Data Safety” claims on the Google Play Store. These do not show the full picture, but they already reveal excessive data collection practices.

Bonjour RATP, a travel app for navigating Paris, buying transportation tickets, and finding routes, is the most data-hungry app in the selection. The Data Safety section reveals that it collects 18 data points from 38 possible and shares most of them with third parties.

Not only does Bonjour RATP collect precise location data for its functionality, but it also shares the user’s location for the declared purposes of advertising, fraud prevention, security, and compliance. The app has more than 10 million downloads on Android.

TheFork, Europe’s leading restaurant booking platform, collects 15 data points and zaps almost all of them to third parties. Even email addresses and phone numbers are shared for advertising or marketing purposes, the app developer declares.

Citymapper, another city transport app with more than 10 million downloads, collects 14 data points, but advertising is not among its declared purposes for sharing.

Official apps for the Olympics are next in line, collecting 9-11 data points each.

The Paris 2024 Olympics app, made by the IOC, declares that it shares users’ web browsing history, email addresses, and device and other IDs for advertising purposes.

The Paris 2024 Public Transport app, made by a government agency, will share names, emails, and app activity. Security and compliance, fraud prevention, functionality, advertising, and analytics are all among the declared purposes.

Some apps declared they collect no data. However, Cybernews researchers discovered they require some of the most dangerous permissions.

For example, Stakeholder Experience & Access Tool (S.E.A.T.) is a new app available for Paris 2024 designed to support specific accredited stakeholders at the Games. It says it collects no data. However, it asks users for dangerous permissions to read and write external storage, read and write contacts, read and update calendars, and access media files on the device.

Even PinQuest, a fun game to discover and test Olympic knowledge, asks for permission to access the camera and files, even though it says it does not collect any user data.

If installed, the full suite of 12 apps could obtain 24 data points from 38 possible. According to the declarations, developers do not collect data on health, race and ethnicity, political or religious beliefs, sexual orientation, SMS, photos or audio recordings, files, contacts, or others.

However, Cybernews researchers discovered that the same apps ask for dangerous permissions and can collect much more.

Some apps do not declare the dangerous permissions they request

Three out of 12 analyzed apps declare that they collect precise location data. However, the team found that three more apps ask for permission to know your exact latitude and longitude (Android’s precise-location permission, ACCESS_FINE_LOCATION): Paris 2024 Olympics, Paris 2024 Public Transport, and Paris 2024 Transport Accred.

The IOC's privacy policy, which covers two apps, clearly states in English that it collects “general location.” The same policy in French includes even more mentions of location data collection during registration and account creation.

The governmental agency behind the Paris 2024 Public Transport app explains that it “can access your geolocated position from your phone” to provide services like navigation, event location information, and personalized recommendations. According to the agency, the application does not store the data.

“Location data is required for providing services like venue navigation, event location information, and personalized recommendations based on user location. It may be that the data will stay on the device. However, if the service gets compromised, the users may be exposed to both digital and physical threats,” Kasiliauskis said.

Half of the apps want to peek through camera, access storage

The most widely used dangerous permission, requested by seven out of 12 tested apps, was storage access, meaning that apps want to read and write files on the device. Granting it may be dangerous, as it enables apps to read and modify files, including those on external media, such as SD cards. One caveat: on Android 11 and later, scoped storage narrows what these permissions actually grant (shared media rather than arbitrary files), so the real exposure depends on the Android version and the app’s target SDK.

“Usually, apps require storage access to cache data, such as maps, downloaded transport schedules, user preferences, and others,” Kasiliauskis explains.

Half of the analyzed apps also want access to your camera, meaning they could potentially take photos and record video without any additional permission (video without sound; capturing audio needs the separate record-audio permission).

“Cameras have many legitimate uses, such as scanning ticket QR codes or credit cards, verification, taking selfies, reporting issues, and capturing moments. It is important to remain vigilant and ensure that cameras are only used for stated useful purposes, and not something malicious,” our researchers said.

Three apps want permission to communicate with NFC tags, which may be useful for specific features like ticketing and public transport systems.

Two apps ask permission to record audio, which might help users interact with an app via commands. However, if exploited, this permission can be used for unauthorized surveillance or unconsented marketing.

None of the app developers declared to Google that they collect video and audio recordings, and three apps declared that they collect photos.

“The general rule of thumb is the principle of least privilege – if there’s no obvious need, do not grant the permission. If the permission is no longer needed, revoke it. The apps should only require essential permissions for their functionality. However, multiple researchers reveal that they often ask for excessive permissions,” Kasiliauskis said.
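The declared-versus-requested comparison the researchers describe above can be reproduced for any APK. The following is an added example (not Cybernews’ tooling and not any vendor’s code): it parses the `uses-permission` entries of a decoded AndroidManifest.xml, keeps the ones Android gates behind a runtime prompt, and lists those whose data category the app’s Data Safety form never mentions. The manifest, the package name `com.example.games2024`, the declared categories, and the permission-to-category mapping are all constructed for the demo; the mapping is an approximation of Google’s Data Safety data types, not an official table.

```python
"""Static audit of an Android app: requested permissions vs. Data Safety claims.

Added example, not Cybernews' tooling or any vendor's code. It parses the
<uses-permission> entries of a decoded AndroidManifest.xml (as produced by
`apktool d` or `aapt dump xmltree`), keeps those in Android's dangerous
(runtime) category, and reports the ones whose data category the app's
Data Safety form never mentions. Manifest, package name and declared
categories below are constructed for the demo.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Subset of Android's dangerous (runtime) permissions, mapped to the Data
# Safety data type they imply. The mapping is our approximation, not Google's.
DANGEROUS = {
    "android.permission.ACCESS_FINE_LOCATION": "Precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "Approximate location",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "Precise location",
    "android.permission.CAMERA": "Photos and videos",
    "android.permission.RECORD_AUDIO": "Audio",
    "android.permission.READ_CONTACTS": "Contacts",
    "android.permission.WRITE_CONTACTS": "Contacts",
    "android.permission.READ_CALENDAR": "Calendar",
    "android.permission.WRITE_CALENDAR": "Calendar",
    "android.permission.READ_EXTERNAL_STORAGE": "Files and docs",
    "android.permission.WRITE_EXTERNAL_STORAGE": "Files and docs",
    "android.permission.READ_MEDIA_IMAGES": "Photos and videos",
    "android.permission.READ_MEDIA_VIDEO": "Photos and videos",
    "android.permission.READ_MEDIA_AUDIO": "Audio",
    "android.permission.READ_SMS": "SMS",
    "android.permission.READ_PHONE_STATE": "Device or other IDs",
}

# Constructed manifest for a hypothetical events app (not a real app's manifest).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.games2024">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_MEDIA_IMAGES"/>
  <uses-permission android:name="android.permission.MODIFY_AUDIO_SETTINGS"/>
  <uses-permission android:name="android.permission.HIGH_SAMPLING_RATE_SENSORS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission-sdk-23 android:name="android.permission.ACCESS_COARSE_LOCATION"/>
</manifest>
"""

# Constructed Data Safety declaration: personal info and IDs, but no location,
# photo, video or audio collection.
SAMPLE_DECLARED = {"Email address", "Web browsing history",
                   "Device or other IDs", "App interactions"}


def requested_permissions(manifest_xml: str) -> list[str]:
    """All permission names the manifest asks for, in manifest order."""
    root = ET.fromstring(manifest_xml)
    names = []
    for el in root.iter():
        if el.tag in ("uses-permission", "uses-permission-sdk-23"):
            name = el.get(ANDROID_NS + "name")
            if name:
                names.append(name)
    return names


def dangerous_requested(perms) -> list[str]:
    """Requested permissions that Android gates behind a runtime prompt."""
    return sorted({p for p in perms if p in DANGEROUS})


def undeclared_capabilities(perms, declared) -> dict[str, str]:
    """Dangerous permissions whose implied data type is absent from Data Safety."""
    declared = set(declared)
    return {p: DANGEROUS[p] for p in dangerous_requested(perms)
            if DANGEROUS[p] not in declared}


def audit(manifest_xml: str, declared) -> dict:
    """Summary report: counts, dangerous permissions, and undeclared ones."""
    perms = requested_permissions(manifest_xml)
    return {
        "requested": len(perms),
        "dangerous": dangerous_requested(perms),
        "undeclared": undeclared_capabilities(perms, declared),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST, SAMPLE_DECLARED)
    print(f"{report['requested']} permissions requested, "
          f"{len(report['dangerous'])} dangerous")
    for perm, category in report["undeclared"].items():
        print(f"  undeclared: {perm} -> {category}")
```

Run against a real app by decoding the APK with `apktool d app.apk` and feeding the resulting `AndroidManifest.xml`, together with the data types ticked on the app’s Play Store Data Safety page, into `audit()`. Normal-level permissions such as `MODIFY_AUDIO_SETTINGS` or `RECEIVE_BOOT_COMPLETED` are deliberately left out of the dangerous list; they still matter (see the boot-and-background discussion further down), but they are not what the Data Safety form is meant to cover.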

The number of permissions the Paris 2024 Olympics app requires might be unjustified

The Paris 2024 Olympics app, the gateway to the games, requires a combination of permissions, several of them in Android’s dangerous (runtime) category: precise location, camera, record audio, and read media images and videos. It also asks to modify audio settings and to access high-sampling-rate sensors, which could be used to track detailed user activity and movements.

Together with the personal information the app collects, this can paint a very detailed picture of the user.

In its privacy policy, the IOC confirms that the data will be shared with Facebook, Google, and Twitter. Here are some of the many uses the IOC lists for user information:

  • Carry out fan and audience analysis and other marketing activities.
  • Analyze your interaction with IOC’s Services and your interaction with third-party sites, services, and advertising.
  • Build a profile of you and your interests and browsing activity. When building user profiles, the IOC may combine the data they collect about you with the data we receive from other organizations.
  • Analyze or predict certain aspects of your personal situation, such as your preferences and interests, and append that to your profile.
  • Deliver relevant advertising and other content (including marketing communications) via our Services or platforms managed by other organizations.
  • Show and measure advertisements on the Services, on third-party services like Google, Facebook, YouTube, and Twitter, and on the sites and services of other organizations that IOC works with.

The full list of permissions, including the non-dangerous but still risky ones, contains dozens of entries.

In theory, if all those permissions were utilized, the app would automatically start after a phone reboot and run in the background, tracking the precise location (on Android 10 and later, continuous tracking while the app is not on screen additionally needs the separate background-location permission). It could potentially record audio and video, and access and potentially upload other photos and videos.

Other capabilities include monitoring nearby Bluetooth devices, accessing personal information, including location history, network, and Wi-Fi connection details, accessing high-sampling-rate sensor data, and controlling the device’s settings, such as audio and vibration.

Permissions allow the app to prevent the phone from sleeping, potentially draining the battery. The app can also use the internet connection for its own purposes, send notifications, and connect to Wi-Fi networks independently.

Just having access to all these permissions doesn’t mean that they’re abused or even used at all. Also, Android has some built-in protections, such as the status-bar indicators shown whenever the camera or microphone is in use (Android 12 and later) and the automatic reset of permissions for apps that have not been used for months (Android 11 and later). However, the sheer number raises some red flags.

“Sure, the app should help you enjoy the Olympics, but it shouldn't need to know your whole life story or what websites you visit to do that. This appears as a textbook example of privacy overreach. It’s concerning, given the stated intentions to build detailed user profiles and share data with tech giants. Unfortunately, invasive data collection is a longstanding industry trend, and lots of apps try to grab more data than they need,” Kasiliauskis said.

State-sponsored threat actors’ attention to the games increases the significance of privacy invasion risks. Google already warned about Russian, Chinese, and other cyber operations targeting the Olympics.

Improperly handled permissions and data can leave users vulnerable to unauthorized access, identity theft, data breaches, and other cyber threats.

To manage and revoke app permissions, open the “Application Manager,” “Apps,” or “Privacy” sections of your device’s settings. On Android 11 and later, location, camera, and microphone access can also be granted only while the app is in use or for one time only, which is usually enough for ticket scanning and venue navigation. Cybernews researchers also recommend uninstalling unused apps.
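For a phone you control, the same check and clean-up can be done over `adb`. The following is an added example (not Cybernews’ tooling and not any vendor’s code): it reads the “runtime permissions:” section of `adb shell dumpsys package <pkg>` and builds `adb shell pm revoke` commands for every granted runtime permission you have not chosen to keep. The dumpsys snippet and the package name `com.example.games2024` are constructed for the demo in the real output format; the block only returns the argv lists and executes nothing on its own.

```python
"""On-device follow-up: read granted runtime permissions and plan revocations.

Added example, not Cybernews' or any vendor's tooling. It parses the
"runtime permissions:" section of `adb shell dumpsys package <pkg>` (the
snippet below is constructed in that format for the demo) and builds
`adb shell pm revoke` commands for every granted runtime permission the
user has not decided to keep. Nothing is executed unless you pass the
returned argv lists to subprocess yourself.
"""
import re
import shlex

PACKAGE = "com.example.games2024"  # hypothetical package name

# Constructed dumpsys excerpt: install-time permissions first, then the
# per-user runtime (dangerous) permissions with their granted flag.
SAMPLE_DUMPSYS = """\
  Package [com.example.games2024] (a1b2c3):
    userId=10234
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.RECEIVE_BOOT_COMPLETED: granted=true
    User 0: installed=true hidden=false stopped=false
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED]
        android.permission.CAMERA: granted=true, flags=[ USER_SET]
        android.permission.RECORD_AUDIO: granted=false, flags=[ USER_SET|USER_FIXED]
        android.permission.READ_MEDIA_IMAGES: granted=true, flags=[ USER_SET]
"""

RUNTIME_LINE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=(true|false)")


def granted_runtime_permissions(dumpsys_text: str) -> dict[str, bool]:
    """Map each runtime permission to its granted flag for the first user block.

    Install-time ("normal") permissions are listed separately by dumpsys and
    are deliberately ignored: `pm revoke` only works on runtime permissions.
    """
    state: dict[str, bool] = {}
    in_section = False
    for line in dumpsys_text.splitlines():
        if line.strip() == "runtime permissions:":
            in_section = True
            continue
        if not in_section:
            continue
        m = RUNTIME_LINE.match(line)
        if m is None:  # first non-permission line ends the section
            break
        state[m.group(1)] = m.group(2) == "true"
    return state


def revoke_plan(package: str, state: dict[str, bool], keep) -> list[list[str]]:
    """argv lists that revoke every granted runtime permission not in `keep`."""
    keep = set(keep)
    return [["adb", "shell", "pm", "revoke", package, perm]
            for perm, granted in sorted(state.items())
            if granted and perm not in keep]


if __name__ == "__main__":
    state = granted_runtime_permissions(SAMPLE_DUMPSYS)
    # Keep the camera for ticket QR scanning; drop every other granted permission.
    for argv in revoke_plan(PACKAGE, state, keep={"android.permission.CAMERA"}):
        print(shlex.join(argv))
```

`adb shell pm list permissions -g -d` prints the full set of dangerous permissions and their groups on the connected device, which is a handy cross-check against any static list. Revoking a permission an app expects to hold can make a sloppily written app crash on its next launch, so revoke and then re-test the features you actually need.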

IOC’s goal – the best possible experience

IOC shared a comment with Cybernews saying that the official Olympic and Paralympic app has been redesigned for Paris 2024 “with the goal of giving the best possible experience to fans.”

“When required, prompts are presented to users to allow them to consent to specific features to enhance their app experience. When first interacting with the app, users may agree to or reject cookies. At any time, users have control over the permission they granted via the device and app settings,” IOC said.

“Consenting or choosing to disclose information such as favorite team means users can receive a more tailored experience, such as the display of results, medals table, or schedules based on preferences. It is also designed to improve experiences at the Olympic Games, such as helping to navigate to venues.”

The app also has an audio commentary function, which is enabled by an Audio SDK, so users can listen along.

“This is a library import code, that does not collect data or drop cookies,” IOC assured.