WeChat: how private is your data?

Over the last couple of years, a great deal of attention in western countries has been directed towards the Chinese telecom companies Huawei and ZTE, which have been banned from participating in the 5G market by various governments, due to concerns over cyber espionage.

While debates continue, analysts have also recently been focusing on the use of Chinese social messaging apps. One of these, WeChat, owned by Tencent and known as Weixin in its home country, has over one billion users, making it the most popular chat app in China, and one of the largest in the world.

WeChat has been attracting more publicity as the various concerns associated with its use have been more widely shared. These mainly relate to the issue of data privacy.

Tencent operates a dual system for WeChat and Weixin: the apps should not be viewed as one and the same, as separate rules apply to both. In a statement sent to The Verge, Tencent pointed out the following: “If you register with a Chinese mobile number (+86), you will be using Weixin, the version for Chinese users. If you register by any other method you will be using WeChat, the version for international users. Weixin and WeChat use different servers, with data stored in different locations. WeChat’s servers are outside of China and not subject to Chinese law, while Weixin’s servers are in China and subject to Chinese law.”

The Chinese government has made no secret of its intention to monitor the movements of its population. Its Social Credit System (SCS) is due to be fully implemented by 2020, when all 1.4 billion citizens will have their activities tracked, and they will be given ‘rewards’ based on their economic practices and social actions.

Tencent must certainly adhere to China’s policies and legal framework, and must implement the government’s strict regulation of the Internet. As its privacy policy makes clear, it will always comply with any requests from state authorities for information about data found on its apps. Users of WeChat should therefore be aware that everything they share on the service, or use it for, is open to government access.

What makes this particularly interesting is that WeChat users from other countries could also be affected by China’s censorship rules.

While employees from the US, for example, might continue to use their home mobile number and ISP when working in China, they will doubtless make acquaintances and friends when living there, and may then download the hugely popular WeChat to join groups populated by their friends, family or colleagues. This is where there could be possibilities for their personal or business data to be harvested and possibly turned over to government authorities on request.

Details shared on these groups could also allow cybercriminals access to information that could be used in phishing campaigns, or to steal financial data. More worryingly, as WeChat does not deploy end-to-end encryption, corporate information that has been shared in a group could be stolen by state-sponsored actors.

It is not just users based in China who are affected. As Beijing blocks Facebook and Twitter, people outside the country will also use WeChat as a way of communicating with friends, families, or business colleagues there.

In an interesting article published this week, shortly after the results of the Hong Kong elections were announced, Bin Xie, a security analyst based in Texas, claimed posts on a Chinese-American WeChat group had been censored, and that his own account had been closed down after he wrote: “The pro-China candidates totally lost” on the group. He told The Verge: “If you have censorship in China – fine. But in this country? I’m a Republican but on WeChat I suffer the same as Democrats [using WeChat] – we are all censored.”

Another incident was reported in August, when a student from Hong Kong attended a pro-democracy protest at the University of South Australia in Adelaide. As soon as the demonstration had ended, she began receiving messages from friends warning her that her personal details had been shared on the app. Her photo was allegedly posted on WeChat by a pro-Beijing supporter, along with an image of her at Costco – while she was there. This was all possible because the WeChat app showed her location.

Citizen Lab, a group based at the University of Toronto, has been conducting research into WeChat for some years. Most recently, this has included analysing how images – increasingly used as a form of communication – are being censored by the app.

The researchers found that WeChat’s censorship mechanisms are now so effective that various images published by state media outlets are being deleted. They reported: “We found 75 censored images with content related to the Chinese government. These include not only images critical of the government such as sarcastic cartoons but also neutral representations of government policy and photos of government leaders and party cadres.”

The use of WeChat by government officials and departments has been banned in some countries. In December 2017, for example, the Ministry of Defence in India included it on a list of apps which the Indian armed forces were required to remove from devices.

In March 2018, Australia’s Defense Department banned staff from using the app on work devices, due to concerns about monitoring as well as censorship of messages. In July 2019, citing potential security threats, Canada’s parliamentary cyber security team emailed all MPs and staff warning them of the risks associated with WeChat and highlighting its lack of end-to-end encryption.

There is another point worth noting: even if users keep their operating systems and installed apps up-to-date, they still leave themselves open to attack if the developers of the app in question fail to deal with security flaws in a timely manner. Check Point researchers have recently published a new report highlighting Android vulnerabilities that have been known about for some years, yet are still present and can compromise various apps, including WeChat.

Organisations operating in China are therefore advised to warn employees about the security risks associated with WeChat; while it may be nigh on impossible to avoid using this app as a means of communicating with family and friends, business discussions should certainly take place elsewhere.

Similarly, Chinese people working in facilities worldwide should not use WeChat as their app of choice, as it offers a backdoor for Chinese government surveillance if the individual concerned is continuing to use a Chinese phone number and mobile service provider. It is highly likely they are being watched.