Privacy is not a given with Chinese Apps and Chinese Clouds – A US perspective


There is a paranoia that privacy is not a given with Chinese apps and Chinese Clouds. By simply opening the app, users agree to some unconscionable and highly insecure terms.

This issue is one of the hottest topics in the US right now. Strong anti-Chinese sentiment has jumped from less than 20% to well over 70% – an all-time high. President Trump is not doing anything to dispel this vote-winning sentiment.

Sam Bocetta

GadgetGuy asked its US Correspondent and resident security expert Sam Bocetta for his perspective on privacy and Chinese apps and cloud services.

He writes:

Privacy is not a given with Chinese Apps and Chinese Clouds

First, privacy is not a given with any app or cloud at any time or anywhere!

The issue comes down to a few key elements:

  1. Privacy is only as strong as the published privacy policy. As your Editor says, “You can drive a truck through the loopholes”. If you don’t read the policy and use the app, you are fair game.
  2. Apps may be free, but free apps are not altruistic. They have to make money. The majority do this via data-harvesting. They sell your data to big tech or the dark web to help round out your profile.
  3. Data security is subject to the sovereign rules of the storage country. In China’s case, the Chinese Communist Party (CCP) can access it on demand without reason.
  4. The poorer the nation-state, the more determined its citizens are to make money at the expense of others. It is a hard-wired, socio-economic imperative to rise above as many of its 1.4 billion people at any cost. Data-harvesting outside China is easy money.
  5. And a new cold war between the US and China will leave a trail of innocent bystanders. Australia will be a casualty.

Let’s look at the last point first – Chinese nation-state surveillance with an Aussie twist

For at least a decade Australia has been mercilessly attacked by Chinese nation-state hackers like the Naikon Group. They are after the pot of gold like the self-destruct keys to the ANSTO Lucas Heights facility (read mushroom cloud). But to get that they are out phishing for any small bits of data. Data that helps them know more about how to attack and disable Australia’s infrastructure. Just ask the Ukraine electricity system about that!


Jokes aside (and this is not a joke) they have subverted apps that we Yanks and Aussies use to:

A clear pattern emerges. First, there is no privacy online. Second, many Chinese apps focus on data-harvesting and exfiltration under the guise of providing a free service.

That data may seem innocuous by itself. But when pooled in vast Chinese clouds and analysed by vast Chinese AIs – the wheat is soon sorted from the chaff.

Chinese AI
China expects to lead in AI by 2025

The cold hard fact is that the CCP has been conducting surveillance operations in the US and Australia for decades.

Thanks to apps and smartphones that surveillance now lives in our pocket and goes everywhere with us.

Supposedly private Chinese app and cloud companies play a major role in providing the CCP with granular data. The CCP openly acknowledges these as some of the most important surveillance tools today.

Privacy policy. Did you read the fine print?

There is an old legal saying, ‘Education is when you read the fine print. Experience is what you get if you don’t’.

Read the fine print

The average length of a US-based app privacy policy is 2,500 very cleverly crafted words. That is because they now must comply with the leading California Consumer Privacy Act modelled on the EU GDPR policy. Still, a lot of lawyers make big bucks for obscurification – the art of hiding the true intent behind words. Just read Facebook’s privacy policy – it is not one truck but a goddamned fleet of them.

The average length of a Chinese privacy policy is over 4,000 words and ‘often repeated in several ways’. That obscurification is intentional. In one paragraph it may state data is for Company X. But in another, it defines Company X as its friends, suppliers, interested third parties, government etc.

The New York Times read 150 of the more popular company/apps policies. It found you needed a college degree or higher to read them, much less understand the implications.

‘They were an incomprehensible disaster, verbose and full of legal jargon. They opaquely establish companies’ justifications for collecting and selling your data. The data market has become the engine of the internet, and these privacy policies we agree to but don’t fully understand help fuel it.’

By comparison, GadgetGuy has 816 words and an exceptionally clear definition as to what is collected and its use. Security camera maker Arlo has a ground-breaking 596-word ‘privacy pledge’ that we challenge any company to beat.

You see both companies say upfront that “We will not sell your data” – you are not their business model.

Otherwise, if the product is free, the product is you.

The question is, how ‘appathetic’ are you?

You may accept Apple or Google Android’s terms because they are good US companies. You have no choice, and there is a modicum of trust there. The US lawmakers and politicians keep a close eye on them too.

And to give credit where it is due, Apple and Google have released new features to improve people’s privacy, and have even made the process of setting up a VPN on their devices much easier than it used to be.

Don’t open any app without reading the fine print

But why are more and more Chinese smartphone makers adding their privacy policies – that you never read? Because they want to monetise your data too. One way to sell a cheaper product is to sell your data.

If you encounter this insidious practice, don’t buy the phone. Stick to pure Google Android like Google Pixel or Nokia (both manufactured in China). In the US, South Korean companies Samsung and LG are experiencing a huge upsurge in sales. That is because, like the US, the Government and enterprise are separate and don’t have to agree!

Summary – read the privacy policy and be prepared to walk away.

Apps, data harvesting and making money

Let’s get one thing out of the way first. When it comes to data-harvesting Chinese apps are not necessarily any worse than other apps. It is just that

a) there are way more of them and
b) there are no Chinese laws to stop them

Even innocent games data-harvest

Good apps explicitly spell out how, when, and where they collect your information, limit it to what the app needs to function and do this legally. The vast majority are not upfront about their business model or terms.

The problem is that no-one reads the privacy policies anyway. Yes, you are screwed.

Then there are apps that ‘accidentally’ collect data, even after you tell them not to. Last year Google found more than 1,000 apps that skirted its tight restrictions. These were gathering precise geolocation data and phone identifiers from other apps – behind your back.

Recent research has shown that many apps now read through unprotected files on a device’s SD card. They harvest data they do not have permission to access. 

In other words, apps routinely collect far more data than they require. There is little we can do about that as consumers, whether these apps are Chinese or not.

To give credit where it is due, Apple and Google have released new features to improve people’s privacy. They constantly track down and remove ‘spyware’ in their app stores.

But money-hungry app makers continue to search for hidden ways to get around these protections.

All this is a roundabout way of saying that, before we start to blame the CCP for collecting our data, let’s pay attention to our backyard as well.

Data security of Chinese clouds – there is none

FACT: It is impossible to maintain any privacy when there are so many Chinese apps and Chinese clouds. All are hungry for your data.

Why? Two reasons.

First, Chinese apps use a lot of Chinese state-developed/sanctioned APIs from Tencent and others that have mandated nation-state embedded spyware. Think maps, location, e-commerce, camera, contacts, recorder, phone, email…

Western apps use Google or Apple APIs that have more scrutiny or at least more legal privacy.

Second, the Chinese nation-state has a sovereign right to see and analyse any data stored in Chinese clouds. There is no exception and no legal or social appeal to protect it.

That is the opposite of the US, Australia, and much of the rest of the western world. Here at the very least, a properly qualified court has to approve strictly limited, one-time access. And often such requests play out in mainstream and social media – a citizen conscience.

While it’s possible to avoid purchasing Chinese smartphones and apps that openly undermine your privacy, the Huawei scandal showed otherwise. Many Chinese smartphones compromise privacy even when they claim to protect it.

We don’t want to paint all Chinese smartphones black – most are not

But those doing well in the US are moving manufacture or clouds to politically neutral countries: Vietnam, Thailand, Malaysia, Singapore or India, where the threat of nation-state spying does not exist.

Even if consumers could limit their exposure to Chinese spying on smartphones, it is far from clear that this would meaningfully limit their exposure to other Chinese data acquisition technologies. 

Companies such as Hikvision that produce cameras to spy on citizens on behalf of the CCP have been banned. However, their products continually re-surface under different names. It would be optimistic to believe that our lawmakers have the expertise to whack-a-mole at the rapid rate they appear.


And finally US-washing

An increasing number of Chinese app and tech makers are reinventing themselves in the US, Canada, the UK or other safe-haven countries. All they have to do is buy a minnow competitor based there (or set up a company there) and invest in a western-style website.

And then they sell via Amazon or eBay but ship from China. In fact, Amazon actively courts Chinese companies (this is a must-read article) and will even help US-wash them.


They get to claim a US heritage (usually embellished anyway) and rent ‘white-eyes’ for credibility. What do you think the sham of TikTok and Oracle is all about?

GadgetGuy’s take – Privacy is not a given with Chinese Apps and Chinese Clouds

Please remember that Sam, a highly respected cybersecurity expert without tin-hat tendencies, has presented the current US perspective.

Is it so different here?

Until the Coronavirus, any overt Australian Sinophobia was just simmering under the surface. In fact, the Labor Party and sympathetic ABC painted closer relations as a necessity.

Let me be clear – it is the country and the CCP that are the focus, not the wonderful people who have made Australia home.

We did a Google search for ‘Australian anti-China sentiment’. It came back with 17,200,000 eye-opening results. Our retail sources say that maybe 20% or more of people now will not buy a Chinese-made handset. Other sources point to consumer rejection of Chinese white goods, and even many European brands are now Chinese-owned.

Sam’s message is not just about Chinese apps and Chinese clouds. At its base level is that you need to be proactive if you value your privacy. Buy from reputable brands/companies, read the privacy policy first and walk away if it disturbs you.

Otherwise it’s caveat emptor – ‘let the buyer beware’.

The images presented in this post are published under the Creative Commons provisions for a scholarly article.