In the last few years, usage of the mobile messaging app WeChat (Weixin), developed by Chinese corporation Tencent, has skyrocketed not only inside China but also around the world. For 500 million mobile users in mainland China, WeChat is one of the only options for mobile messaging available, due to frequent or permanent blockage of apps like WhatsApp, Viber, Line, Twitter, and Facebook. For more than 100 million mobile users in the rest of the world, a highly polished user experience, celebrity marketing, and the promise of “free calls and texts” has proven to be nearly irresistible for far-flung members of the Chinese diaspora. This global user base also includes the Tibetan exile diaspora, who through WeChat have become connected on both sides of the Himalayas in near real time like never before.
Instead of Chinese users scaling the wall to get out, people around the world are walking up to the front gate, knocking on the door, and asking to be let in. Just as you might expect with a service like WhatsApp or Twitter, every time you send a message on WeChat it is routed through centralized servers, managed by Tencent. In most cases, these servers are located inside China, often in Shanghai-based data centers, though in some countries, local servers are being set up. These servers, though, are still within reach of Chinese law, regulations, and influence, and all data passing through them is vulnerable to surveillance and censorship.
The first concern is that China’s demand for censorship of particular topics and keywords will begin to extend beyond its borders. As detailed analysis from the Citizen Lab’s Asia Chats study has shown, censorship keyword lists can vary by geography. If you mention “Occupy Central” in a message sent from WeChat in Beijing to someone in Chengdu, it will likely be blocked and your profile flagged. If you send the same message using WeChat in Toronto to someone in New York, the message will likely go through, though your profile will most likely still be flagged.
The second concern is that communications by users outside China, be they Chinese citizens or not, can be surveilled, logged, and used against them in the future. If you are in San Francisco, and you join a WeChat group chat that is sympathetic to Tibetan self-immolations or the Uighur community, and some members of that group are located in Tibet, Xinjang, and China, then all of your messages and the fact that you are participating in that group chat are communicated to servers managed by Tencent, licensed under the authority of the Chinese government. Since your WeChat account is tied to your real phone number and SIM card, and your full address book is accessible by the app, then your real name and entire community are now flagged as being sympathetic to groups that China considers as harmful as the Islamic State or al-Qaida. Good luck getting a visa!
The third concern is that this type of service can be used for wholesale extraction of data and insertion of malware into targeted devices. Like most social media apps, the WeChat app on iPhone and Android has full permission to activate microphones and cameras, track your location, access your address book and photos, and copy all of this data at any time to their servers. These types of capabilities are a godsend to attacks known as a RAT (Remote Access Trojan), and usually have to be snuck onto a laptop through infected PDF files. In the case of WeChat, the user is opting in to these capabilities, entrusting what may be a well-meaning social messaging service with “god mode” while unknowingly providing an easy backdoor on their phone for adversaries higher up the Chinese cyberwar food chain.
Combined with the rise of attractive, low-cost mobile handsets from Huawei and Xiaomi that include China-based cloud services, which are being sold in India and elsewhere, the world is witnessing a massive expansion of Chinese telecommunications reach and influence, powered entirely by users choosing to participate in it. The fundamental question is: Do the Chinese companies behind these services have any market incentive or legal obligation to protect the privacy of their non-Chinese global user base? Do they willingly or automatically turn over all data to the Ministry of Public Security or State Internet Information Office? Will we soon see foreign users targeted or prosecuted due to “private” data shared on WeChat? Finally, from the Glass Houses Department, is there any fundamental difference in the impact on privacy freedom for an American citizen using WeChat versus a Chinese citizen using WhatsApp or Google?
For those of us in the global community who care both about ensuring that all humans can be more interconnected and provided free, unlimited access to knowledge, while also ensuring their privacy and dignity is protected, these are primary issues we must study, understand, and take action on. The next 5 billion people on Earth tend to live in more repressive places than free ones, and we must ensure that their desire to be connected in a “free and unlimited way” does not leave them in a virtual panopticon.
This essay originally appeared in Internet Monitor 2014: Reflections on the Digital World, published by the Internet Monitor project at Harvard’s Berkman Center for Internet & Society. It is licensed under a Creative Commons Attribution 3.0 Unported license.