HONG KONG—China's top three Web browsers collected and
transmitted data in insecure ways, making hundreds of millions of
users' personal information vulnerable to unauthorized access,
according to a human-rights research group.
In a report published Tuesday, the University of Toronto's
Citizen Lab said Tencent Holdings Ltd.'s QQ Browser had been
transmitting users' data to its servers either without encryption,
a method of encoding information to protect it, or with weak
encryption. Vulnerabilities in the application's updating process could
have enabled attackers to insert hidden spyware or malicious
software known as malware, according to the research group.
There have been no reports of actual cyberattacks.
Tuesday's report follows two previous reports by Citizen Lab
that highlighted similar alleged flaws in Alibaba Group Holding
Ltd.'s UC Browser and Baidu Inc.'s Baidu Browser. The reports by
Citizen Lab reflect studies on the companies' Web and mobile
browsers.
All three browsers collect users' search queries, data related
to users' precise locations and device numbers unique to specific
smartphones and PCs, Citizen Lab said.
Taken together, these reports raise questions about whether
security vulnerabilities in Chinese apps could be used for greater
surveillance by governments or other third parties, said the
human-rights research group, which is known for its studies of
Internet censorship and surveillance.
"Most troubling is the fact that users would generally be
unaware of these risks, unaware that such data is being collected
and transmitted and potentially unaware that a properly crafted
malicious software update attack could lead to malicious code being
installed on their devices," Citizen Lab said in Tuesday's report
on Tencent's QQ Browser.
While Tencent has fixed some of the problems, some data is still
being transmitted with weak or no encryption, said Citizen Lab.
Tencent said it has investigated and resolved the issues with QQ
Browser raised by Citizen Lab. "We value the privacy of our users
and exercise caution when dealing with any data collected," Tencent
said in an emailed statement. The company added that its privacy
policy is consistent with industry standards.
QQ Browser is one of the many apps developed by Tencent, which
is best known for its larger messaging platforms like QQ and
WeChat.
In reports released last month and May 2015, Citizen Lab said
Baidu's browser and Alibaba's UC Browser were transmitting data
with weak or no encryption.
Alibaba said on Monday that it takes user privacy seriously and
there was no evidence that data was compromised. In response to
last month's Citizen Lab report, Baidu said it would work to
strengthen information security.
UC Browser, QQ Browser and Baidu Browser are the three most
popular mobile browsers in China, with penetration rates of 70%,
48% and 29%, respectively, in the third quarter of 2015, according to
research firm Big Data Research. The browsers are also common on
desktop computers.
China's government requires Internet companies to assist in
censorship and the tracking of political dissidents, but the
browsers' vulnerabilities could be exploited by nongovernmental
hackers, Citizen Lab said.
According to a document leaked last year by former U.S.
contractor Edward Snowden, Western intelligence agencies had
identified UC Browser's security vulnerabilities as a spying
opportunity.
In the U.S., personal-data privacy and governments' right to
access information collected by companies have been hotly debated
recently due to the clash between Apple Inc. and the Federal Bureau
of Investigation over the government's request to Apple to unlock
an iPhone seized in the investigation of the San Bernardino,
Calif., shootings in December.
In China, where such clashes are unlikely because the country
tightly controls Internet activities, there are questions about
whether technology firms' access to user data could help the
government monitor human-rights activists and others who oppose
Beijing's policies.
"These findings also raise bigger questions about why so much
data is being collected and transmitted in the first place…this is
bad practice especially in China, where the government can access
such data," Ronald Deibert, director of Citizen Lab, said in an
interview.
China's Ministry of Industry and Information Technology didn't
immediately respond to a request for comment.
To be sure, many Internet businesses that rely on advertising
revenue collect personal information. Access to data makes it
possible for ads to target specific types of users.
Even so, Chinese browsers tend to collect more information than
the top browsers outside China, said a spokesman for security firm
FireEye. "This information typically makes it easier to link
activity to a specific individual," he said.
Google's Chrome browser, for example, allows users to control
the information they share as part of their personal settings.
At the start of 2016, China adopted a new counterterrorism law
that explicitly requires technology firms to help authorities
decrypt data in terrorism cases. Aside from the law, Chinese
authorities have wide-ranging powers to demand data from
companies.
China has different data-privacy rules for different industries.
In telecommunications and Internet services, companies are required
to notify users of their data-collection policies and obtain their
consent, said Manuel Maisog, chief China representative for law
firm Hunton & Williams and an expert in data-privacy
issues.
Tencent said users of QQ Browser can review the policy terms and
conditions when they agree to install the app.
Di Jiang, who works in the aviation sector in Guangzhou and
regularly uses more than 20 apps on his two smartphones, said he is
concerned about Chinese apps collecting more data than they
need.
"I want companies to tell me what kinds of data they collect,
and why they collect," said Mr. Di.
Lilian Lin in Beijing contributed to this article.
Write to Juro Osawa at juro.osawa@wsj.com and Eva Dou at
eva.dou@wsj.com
(END) Dow Jones Newswires
March 28, 2016 17:35 ET (21:35 GMT)
Copyright (c) 2016 Dow Jones & Company, Inc.