Many recent studies related to cybersecurity have addressed the vulnerabilities and threats in mobile devices, such as the current hot topic of banning Huawei and ZTE equipment.
Yet, not many reports have focused on the security risks associated with Chinese mobile apps. Most people think that mobile apps’ security issues are often related to the underlying security practices, such as choosing a secure password and updating the privacy setting. However, Americans should also be on high alert about the risks associated with popular Chinese mobile apps and national-security risks related to Beijing’s mobile expansion worldwide.
On the topic of Chinese infiltration in the United States, there’s been one large omission for policymakers: Tencent’s WeChat app, the most popular app in China, which claimed to have 1 billion users in 2018. This Chinese social-media platform/messaging app/payments channel/retailer is the dominant digital player on the mainland, and such reliance on WeChat is accentuated because WhatsApp and Facebook Messenger are blocked in China.
The most prominent flaw is that WeChat didn’t provide essential end-to-end encryption—the gold standard for privacy. This vulnerability means that its messaging system could be easily accessed via a “back door.” Also, WeChat didn’t publish transparency reports on government requests for information.
That means people should understand clearly that nothing they say on WeChat is private and safe, whether they are inside or outside of China. This brings about a common China dilemma: Is the price of engaging with China worth what may have to be given up? The dilemma is made more difficult as foreign businesses (including media, academic, and government delegations) are often asked to download the WeChat app when they first arrive in China, in the name of better communication.
While Tencent always denies that its operation violated users’ privacy, one recent case would suggest otherwise. In September 2018, a man in Beijing was sentenced to nine months in prison because of a joke he made about the terrorist group ISIS in a WeChat group. Although in other countries, people are also imprisoned for joking about terrorism online, the key issue in this case is that Zhang’s comment was not made in a public forum but in a private group. His messages in this private chat were later tendered in court and used to convict him.
China’s Cybersecurity Law, introduced in June 2017, requires network operators to store select data on servers within the country, monitor and record network operations, and maintain related logs for not fewer than six months. As messaging platform operators, Tencent’s WeChat and Sina Corp.’s Weibo are also required to warn users against breaking relevant laws, restrict the publication of posts, and suspend or close accounts while preserving related records for the authorities, according to a policy statement posted on the website of the regulator Ministry of Industry and Information Technology.
According to this decision, all Indian military personnel were instructed to delete WeChat and more than 40 other apps with ties to China.
So, how can the U.S. government (USG) improve the protection of data privacy, metadata, and intellectual property when facing threats from Chinese mobile apps and China's desire for America’s big data? Here are some policy recommendations:
• USG should identify WeChat or any other dangerous mobile apps developed by Chinese companies and make a public announcement to ban the usage of these apps on any government phones, not just those of military personnel.
• USG should require employees to store their personal mobile phones outside their working areas during working hours if Chinese apps, such as WeChat, are installed on these phones.
• Collect, evaluate, and publish a list of social apps, search engines and websites that have insecure back doors or deliberate insecurity, to educate the public on mobile security and the protection of private data.
• A reciprocal approach: If Chinese mobile payment systems are allowed to operate in the United States, China should open its market to allow U.S. mobile payment systems to work in China as well.