By Cameron Abbott and Hugo Chow
A recent report by cybersecurity firm, Internet 2.0, has raised concerns about the Chinese Communist Party’s ability to access the data of millions of users around the world of social media and payment application, WeChat.
WeChat is significant as it is the application that nearly all citizens in China use on a daily basis for communication, payments for services and as a way for citizens to connect through social media. Although the majority of WeChat’s more than 1 billion users are located in China, there are approximately 600,000 users in Australia, 1.3 million users in the UK, and 1.5 million users in the United States.
One of the concerns the report outlines is that although WeChat states that its servers are kept outside mainland China, all user data that WeChat logs and posts to its logging server goes directly to Hong Kong. And the report argues that under Hong Kong’s new National Security Legislation, there is little difference between Hong Kong resident servers and servers in mainland China.
As a result, due to China’s National Intelligence Law which requires organisations and citizens to “support, assist and cooperate with the state intelligence work”, there are concerns that the WeChat logging data that goes to servers in Hong Kong may be accessed by the Chinese Government upon request. The report states that the data that goes to Hong Kong is log data, which includes the user’s mobile network, device information, GPS information, phone ID, the version of the operating system of the device, but does not include information such as content of a conversation.
Another concern the report outlines is that although there was no evidence that chats were stored outside the user’s device, the report found that WeChat had the potential to access all the data in a user’s clipboard. This means that there is the potential for WeChat to access the data that is copied and pasted by users on WeChat, which is a risk to people using password managers that rely on the clipboard feature to copy and paste their passwords.
We expect to hear more about these sorts of concerns from a range of jurisdictions.