What if we had an app on our phones that combined the functions of Facebook Messenger, Venmo payments, MyPatientChart health records and WhatsApp for making voice calls, and also allowed us to download all sorts of mobile apps and games like Apple Inc.’s App Store?
Furthermore, what if such an app had absolutely no privacy controls, so the federal government could monitor, censor and track users, conversations and all activities?
Well, such an app exists. It’s called WeChat and it has 1.2 billion monthly active users, mostly in China, with about 3 million users in English-speaking countries. By comparison, Meta Platforms Inc.’s WhatsApp has at least 2 billion users.
Because of its ubiquity, the app is essential for Chinese people to participate in their society. If you’re banned from WeChat — which can happen, if you post objectionable content for example — you can’t go to the store or the doctor or communicate with your friends and family. You are shut out of Chinese society.
How serious are the privacy issues with WeChat? Recently, the researchers at The Citizen Lab in Toronto did a deep analysis of WeChat’s privacy ecosystem — or the lack thereof. They reverse-engineered the app and tracked network traffic coming from an Android phone that was registered to a U.S. phone number. They did this deliberately, because they were testing the operation of the app outside China.
This wasn’t the first time WeChat’s features have been examined. When the Mozilla Foundation looked at products that had major privacy failings, it said in 2021 that “WeChat is one of the least private messaging apps we’ve come across. Just don’t expect anything you do on WeChat to be private.”
That advice is only reinforced by the latest research. Earlier this year, Forbes’ Arthur Herman looked critically at WeChat in a review. He wrote: “Chinese citizens living abroad can become a covert spy service for Beijing, whether they want to be or not, because the government has access to their location and other personal data.” He calls the app “China’s other Trojan Horse,” referring to TikTok.
WeChat does all those things mentioned at the top of this post. But perhaps its most pernicious features can be found in those other downloaded apps, called Mini Programs. That’s because these lightweight apps automatically enroll a user into the WeAnalyze program for wholesale data collection.
There is no reasonable way to opt out of this, and also distressing is that activities in each Mini Program are linked to the WeChat identity. On top of that, all Mini Programs manage their own app permissions.
The report goes into detail about how a typical user interacts with a typical Mini Program, saying it uses “extremely verbose logging data which is sent to WeChat servers” and offers this illustration:
WeChat has a poor privacy history
WeChat has come under scrutiny over the years. Back in 2021, the FastestVPN blog asked if the app was safe and documented its various privacy shortcomings. It recommended tightening its privacy controls, or avoiding use of the app entirely.
An academic study back in 2020 found WeChat’s “extensive list of app permissions concerning, as well as code that may lead to keylogging,” or covert capture of keystrokes. The team found five places in the app that could retrieve data placed in the phone’s clipboard, although that’s an element found in most instant messaging apps.
Previous research from Citizen Lab in 2020 observed that even communications entirely among North American accounts were still secretly used to train Weixin’s Chinese political censorship system.
On top of all these issues is overall message privacy. Julia Angwin wrote recently in the New York Times about the assault on messaging apps’ encryption schemes and the pressure placed by governments on the app vendors to reveal conversations without requesting any search warrants.
WeChat avoids this problem, because though it does employ some encryption, it isn’t completely end-to-end, unlike some of its competitors such as Signal and Telegram. Signal, for example, encrypts metadata, which many messaging apps don’t do. So Chinese government agencies can review anything across the entire WeChat network.
But this isn’t a new issue either. Message privacy was all in the news back in January 2021 when Meta, the owner of WhatsApp, gave its users an ultimatum to allow their data to be shared across all Meta properties, including Facebook. Tens of millions of users signed up for either Signal or Telegram, forcing Meta to clarify its policies.
Since then, Signal has continued to be the most privacy-preserving messaging app. Compare the following two screen captures from the Apple Store; the top one is from Signal, the bottom from WeChat. The fewer data elements that are listed, the more private the messaging app is. Also, note the different language between the two: Signal doesn’t link contacts to an identity. WeChat links all sorts of things.
Recommended privacy practices
Although Chinese citizens have no choice on whether or not to use WeChat, the rest of us can do a few things to be more private. Citizen Lab recommends the following:
- Avoid features delineated as “Weixin services” if possible. By using these services, your data is shared with an entity operating in Shenzhen, China.
- Limit the number of Mini Programs downloaded to the phone.
- Use stricter app permissions, particularly regarding location access.
- Apply regular security and operating system updates.
Images: WangXuefei/Pixabay, The Citizen Lab