Hindustan Times (Gurugram)

Chinese apps may pose security risks: Experts

- Binayak Dasgupta binayak.dasgupta@htlive.com

NEW DELHI: Software and hardware developed in China often pose the threat of being used for mass surveillance, cybersecurity researchers have said, citing data breaches as well as laws that indicate the presence of mechanisms that can be activated to collect and sift through troves of user data.

One of the strongest hints came last year when Dutch cybersecurity experts discovered billions of messages of users of Chinese apps WeChat and QQ, which were stored in a manner that suggested they were part of a massive dragnet that was used to censor content on these platforms.

“Every Chinese tech company has to comply with the Chinese cybersecurity law which allows the Chinese government to have access to the data these companies collect – this is part of the nationwide mass surveillance systems that are in place in China,” said Victor Gevers, head of research at the Dutch Institute of Vulnerability Disclosure (DIVD), who discovered such databases in 2019.

WeChat and QQ are among 59 mostly Chinese applications banned by the Indian government on Monday after complaints that these were collecting and sending data of Indian users outside of the country, a move that comes in the middle of increased hostilities between the two countries over the disputed border at Ladakh.

“These data collections are not limited to only Chinese users but all users of a certain platform and the data includes every interaction,” contended Gevers, adding that the leaks in 2019 showed the inner workings of these mass surveillance systems for the first time.

Gevers’s concerns were echoed by Anand V, an independent security researcher based in Bengaluru. “Generally, developers from China are used to looking at techno-cultural approach that all data belongs to the government. They believe that it is okay to collect data in such manner because it comes from such a mindset,” he said, while also adding that any user of such apps was at risk.

The databases included roughly 3.7 billion messages sent on one particular day – March 18, 2019 – on WeChat that had a common theme: they all contained some specific keywords that were likely to have been identified as triggers for censorship or action by law enforcement.

The words included “Jinping”, “power”, “CCP”, “Tiananmen”, and “Dalai”.

“It became very clear that they actually gather everything at some point and sift through it to see if there has to be any interception or human interaction. They copy all the data or take a stream of realtime data and use keywords to trigger a censor system that automatically removes content from applications or flag them for a review,” Gevers said.

Indications of unlawful collection of data emerged afresh last week with another prominent Chinese company, TikTok, which was found to have been logging what people were typing on their iPhones. According to Gevers, logging keystrokes – what people type – may now become one of the key ways such companies intercept the data they are legally required to maintain as more apps deploy end-to-end encryption.

“What we saw with TikTok is likely to happen with other applications,” he warned. The concerns stretch over to hardware as well, he added. “We have observed that China is investing in mass surveillance using not only CCTVs but also other interfaces. The big worries are Huawei with its 5G networks,” he said.

The entry of Huawei in 5G mobile communication has triggered concerns in some Western nations, predominantly the United States, that it may allow for a backdoor for Chinese intelligence into internet as well as phone data.

Gevers as well as Anand said the risk in particular was because of how free applications work: they collect massive amounts of user data to sustain the business by offering ads. “Chinese developers often use the principles of data collection and data mining commonly used for advertising and uses it to its mass surveillance system,” said Gevers.

“Most of these applications collect far more data than required and that has been a very long-going concern. It is a giant dragnet of data,” added Anand.

The two experts also said China was not the first country to carry out such intercepts, pointing to the disclosures in the documents leaked by American intelligence contractor Edward Snowden that showed similar mass data dragnets being created by the United States’ National Security Agency.

In a statement issued by TikTok on Tuesday, its India head Nikhil Gandhi said TikTok “continues to comply with all data privacy and security requirements under Indian law and has not shared any information of our users in India with any foreign government, including the Chinese government”.

A Chinese foreign ministry spokesperson in Beijing said China encourages companies in its country to function under legal obligations.

“I want to stress that the Chinese government always asks the Chinese businesses to abide by international rules, local laws and regulations in their business cooperation with foreign countries,” said spokesperson Zhao Lijian.

India banned 59 apps with Chinese links, saying their activities endanger the country’s sovereignty, defence and security.
