Privacy Concerns Focus on Tech Firms, Not Government

The news that Apple will hand management of its Chinese users’ iCloud data over to a Guizhou-based state-owned enterprise follows a string of news stories about concerns involving China’s biggest homegrown tech firms. On Tuesday, Caixin’s Han Wei reported, search giant Baidu was sued over its mobile apps’ access to user data:

Two mobile apps operated by New York-listed , a search engine and a web browser, could access a user’s calls, location data, messages and contacts without notifying the user, the Jiangsu Consumer Council, a government-backed consumer rights association, claimed in a statement on its website.

Baidu denied the accusation, saying the apps “do not have the capability of monitoring phone calls and will never do it,” according to a statement published Monday on its social media account.

[…] “Despite rules and laws on consumer’s personal information protection, it has become a common practice for mobile apps to access private information without necessary authorization, posing great risks to individuals,” said the council in the statement.

[…] Baidu said it had conducted rounds of talks with the council over the past several months to explain the scenarios under which it uses authorization to access users’ information. The search giant said “Baidu apps obtain users’ authorization to access location, message and contacts and only use the information in a reasonable scale.” [Source]

Last week, Tencent’s WeChat messaging service was hit by similar accusations. From South China Morning Post’s Li Tao and Andrew Barclay:

The contents of conversations are stored only on the user’s mobile phone, computer or other terminal devices, said in a post on its official account on Tuesday. The social media app also does not use any of the content for Big data analysis, it said.

As WeChat neither stores nor analyses users’ chat content, it is purely a misconception to say that “we are watching your WeChat every day”, according to the statement. “Please rest assured that privacy has always been one of WeChat’s most important principles. We have neither the authority nor reason to look at your WeChat.”

[…] The statement came after Li Shufu, chairman of Chinese carmaker Geely, criticised for invading the users’ privacy on WeChat. chairman Pony Ma Huateng “is watching us through WeChat every day because he can see whatever he wants”, said Li during a public event on January 1, according to Sina.com. [Source]

Quartz’s Zheping Huang summed up objections to the Tencent statement:

This is a false—or at least misleading—statement on many levels. First of all, under China’s sweeping cybersecurity law, implemented in June, all internet companies are required to store internet logs and relevant data for at least six months to assist law enforcement. A new regulation released in September also holds internet companies accountable for breaches of content rules, and requires them to establish credit rating systems for chat group users, among other things. WeChat’s own privacy policy notes that it may need to “retain, disclose and use” user information in response to government requests. [Source]

Wei Xingguo, CTO of cybersecurity company MoreSec, pointed out to Sixth Tone that "internet logs and chat logs are not the same thing." But there is abundant evidence, going back several years, that ostensibly private WeChat messages are both monitored and filtered. A report last month by The Wall Street Journal’s Eva Dou noted several cases of users being punished for posting political content, while a Citizen Lab report last April showed automated censorship of text and images.

Meanwhile, e-commerce giant apologized last week for what it described as the "extremely idiotic" decision to automatically enroll participants in a New Year promotion in its Sesame Credit social credit scoring scheme. From AFP:

Alibaba affiliate Ant Financial was forced to apologise on Wednesday after users said they felt misled into allowing its Alipay service to share data on their spending habits with Ant’s credit-scoring arm and other third-party services.

[…] Consumers have come to expect a lack of privacy in a country where the government collects a file of personal data on each person including financial, education and other information, and where video is widespread.

But many Chinese internet users reacted with unusual outrage to learn that Alipay, which is used by millions daily to make mobile and online purchases on Alibaba’s Taobao platform and elsewhere, had automatically checked a box and hidden language showing they agreed to share their data.

“It’s just like Taobao profiting from selling our information, there’s no way to refuse!” one user of China’s Twitter-like Weibo service complained.

The sale of personal information is common in China, which last year implemented a controversial cybersecurity law that among other things requires services to store user data in China and receive approval from users before sharing their details. [Source]

The Wall Street Journal reported on Wednesday that the Cyberspace Administration of China had summoned representatives of the firm to rebuke them over the episode. From Josh Chin and Chuin-Wei Yap:

Such incidents challenge Western notions that Chinese people are unconcerned about privacy, though researchers say the growing skepticism among Chinese consumers over the use of personal data is almost exclusively focused on companies, rather than the government.

A series of new laws and regulations reflect that split. The national personal information security standards, for example, offer privacy protections on par with the U.S., requiring companies to inform users when they are collecting personal data and to keep data collection to a minimum. Yet China’s cybersecurity law allows broad government access to user data in the name of public security.

“Companies are going to have to answer to both of these drives, and privacy advocates should be prepared to take in both positive moves and disturbing trends at the same time,” said Graham Webster, a senior fellow at Yale Law School’s Paul Tsai China Center. [Source]

As law enforcement access to WeChat messages and other advanced new surveillance technologies demonstrate, the lines between corporations and government are profoundly blurred. The Washington Post’s Simon Denyer noted in a report on Sunday on facial recognition and other surveillance tech that "the Chinese government is working hand-in-glove with the country’s tech industry, from established giants to plucky start-ups staffed by graduates from top American universities and former employees of companies like Google and Microsoft, who seem cheerfully oblivious to concerns they might be empowering a modern surveillance state."

There are limits to public trust in the government’s collection and use of data, as a recent report by WSJ’s Jeremy Page and Eva Dou illustrates:

The “Safe Zhejiang” app enables users to notify authorities of problems ranging from leaky drains and domestic disputes to traffic violations and illegal publications, in text or photographic form, as long as the informants reveal their location and identity.

In exchange, they get perks including discounts at upmarket coffee shops and coupons for taxi-hailing and music-streaming services, as well as for the Alipay online-payment system, run by the financial affiliate of local tech giant Alibaba Group Holding Ltd.

Fengqiao, a township of some 80,000 people in Zhejiang, is being hailed nationwide as a showcase for the platform. Resistance so far has been stiff, principally from citizens who resent being forced to use a surveillance tool, or fear official retribution for voicing their concerns. For some, it smacks of the Mao era, when the party gathered detailed files on citizens and incentivized them to inform on each other.

[…] Over two recent visits to Fengqiao, Wall Street Journal reporters couldn’t independently find a single person using it. Many said they hadn’t heard of it. [Source]

The rollout of these apps comes amid similar moves by tech companies to outsource the task of content moderation to the public.

But a recent report by WSJ’s Alyssa Abkowitz highlighted anxiety on social media not about corporations empowering the government, but about them wielding too much power over it. The article focused on recent and ongoing schemes to allow Tencent and Alibaba IDs to be used in a range of official contexts in Guangzhou and Wuhan, respectively. South China Morning Post subsequently reported similar pilots in 26 cities.

China’s state-run Xinhua News Agency reported this week Tencent Holdings Ltd. and the Ministry of Public Security have launched a pilot digital identification system in the city of Guangzhou in the southern Guangdong province, which it said would eventually be rolled out nationwide.

[…] Separately, Ant Financial Services Group—an affiliate of e-commerce giant Alibaba Group Holding Ltd.—is testing a program in the central Chinese city of Wuhan. It allows citizens to carry out online police business, such as making appointments to apply for a passport, via its Alipay mobile payment system.

[…] “The data these companies collect is richer and thicker than what the government can collect, so the typical case now is the government going to the companies to get information,” said Severine Arsene, managing editor of AsiaGlobal Online at the University of Hong Kong’s Asia Global Institute. “This shows how much power the companies hold.”

[…] “WeChat has penetrated into the government,” one commenter said. “No one can stop it!”

Added another: “It is Tencent’s Republic of China now.” [Source]

As Arsene notes, in some cases the private sector is outpacing the government, a situation the latter is moving to reverse, or at least harness. For example, Alibaba and Tencent are "elbowing aside banks to take a growing role in daily commerce," as WSJ’s Abkowitz also described last week. This channels still greater volumes of data to and through the two giants:

Though the U.S. saw $112 billion of mobile payments in 2016, by a Forrester Research estimate, such payments in China totaled $9 trillion, according to iResearch Consulting Group, a Chinese firm.

For Alibaba and Tencent, the payoff isn’t just the transaction fees they make from merchants, typically 0.6%. It’s also the consumer data collected, which can transform their apps into marketing platforms for an expanding array of services, from bike sharing to travel.

Some of the repercussions of increasing mobile payments are just coming into view. The payments haven’t been required to go through the central bank’s clearing system, making it harder for China’s monetary authorities to follow capital flows and watch for money laundering and fraud. The People’s Bank of China has ordered a new payment-clearing platform that will require nonbank financial firms to give it a clearer view of mobile payments by the summer of 2018.

[…] Alibaba can monitor the shows people watch on its Youku Tudou video-streaming site and push ads targeted to them, generating ad commissions and product sales for Alibaba, plus a clearer picture of consumer behavior. While using the data within their ecosystems, both internet giants say they don’t sell it to others. [Source]

One of the most prominent examples of tech sector collaboration with the government has been China’s nascent , toward which both Tencent and Alibaba have contributed experimental pilot programs. But Yale and China Law Translate’s Jeremy Daum has repeatedly pointed out, alongside other warnings about misleading reports, that these private pilots are neither the same thing as nor broadly representative of the eventual national scheme. A CDT roundup last month highlighted recent social credit coverage including a feature article on the official and corporate systems by Mara Hvistendahl at Wired, as well as an overview by researchers at MERICS. Further reporting has since come from The Globe and Mail’s Nathan Vanderklippe. While giving a voice to the scheme’s defenders such as Guangzhou University’s Chen Tan and Lin Junyue, "an academic sometimes called the founder of China’s social-credit theory," Vanderklippe highlighted several cases in which "the system is exacting an outsized toll even now, in its earliest days." These include a man blacklisted for stealing cigarettes, and a two-year-old girl reportedly blacklisted for failing to pay a $25,000 fine inherited from her father after his execution for murdering her mother.