China Considers Cutting Itself Off From The Global Internet, As Three Home-Grown Browsers Are Found Leaking Personal Data
from the probably-just-a-coincidence dept
Techdirt readers know that the Chinese authorities have been steadily tightening their grip on most aspects of online life in the country, but there's one area that hasn't been mentioned much: the Web browser. Recently, a new report from the University of Toronto's Citizen Lab identified security and privacy issues in QQ Browser, a mobile browser produced by the China-based Internet giant Tencent. Here's a summary:
The Android version of the browser transmits personally identifiable data, including a user's search terms, the URLs of visited websites, nearby WiFi access points, and the user's IMSI [International Mobile Subscriber Identification] and IMEI [International Mobile Equipment Identifier] identifiers, without encryption or with easily decrypted encryption. Similarly, the Windows version sends personally identifiable data, including the URL of all pages visited in the browser, a user's hard drive serial number, MAC address, Windows hostname, and Windows user security identifier, also without encryption or with easily decrypted decryption.
Now, this could just be the result of some supremely sloppy coding combined with lax privacy practice -- in theory, at least. But that generous interpretation becomes rather harder to sustain when you bear in mind that this is not the first time Citizen Lab has found this behavior. To be precise, this is the third time. Last month, it discovered that Baidu Browser, a free Web browser for the Windows and Android platforms produced by Baidu, one of China’s biggest tech companies, has strikingly similar problems to QQ Browser:
The report identifies security concerns in both the Windows and Android versions of the browser that may expose personal user data, including a user’s geolocation, hardware identifiers, nearby wireless networks, web browsing data and search terms. Such user data is transmitted, in both the Windows and Android versions, unencrypted or with easily decryptable encryption, which means that any in-path actor could acquire this data by collecting the traffic and performing any necessary decryption. In addition, neither version of the application secures its software update process with a digital signature, which means that a malicious in-path actor could cause the browser to download and execute arbitrary code.
And before that, back in May last year, the same researchers found unauthorized transmission of personal data by another widely-used browser:
UC Browser is among the most popular mobile apps in the Chinese Internet space. UC Browser claims to have more than 500 million registered users, and is reported to be the most popular mobile browser in China and India. Overall, the application is the fourth most popular mobile browser globally, and is behind only pre-installed Chrome, Android, and Safari browsers.
Put these three browsers together, and you have a serious chunk of the online population, not just in China but across the whole of Asia. As the Citizen Lab researchers point out:
That the three China-based browser applications we have examined all evince strikingly similar data gathering and insecure data handling problems raises an obvious question of whether there is some underlying cause for the similarities.
The post runs through all the options, including the most likely explanation: that the companies were ordered by the Chinese authorities to build in these highly-useful vulnerabilities. Not surprisingly:
The questions we asked the companies about government directives or influence have not been directly answered.
But if anyone still doubts that the Chinese government wants to control every aspect of the Internet, they may like to consider the following recent report in The New York Times:
A draft law posted by one of China’s technology regulators said that websites in the country would have to register domain names with local service providers and with the authorities.
It's not entirely clear what that means, but there is one possibility that would be very problematic for Chinese Internet users -- and for every Western company operating in the country:
If the rule applies to all websites, it will have major implications and will effectively cut China out of the global Internet. By creating a domestic registry for websites, the rule would create a system of censorship in which only websites that have specifically registered with the Chinese government would be reachable from within the country.
China's technology regulator has rejected that interpretation, and said that there is a "misunderstanding." But if past experience teaches us anything, it is that there really are no limits to what the present Chinese leadership is willing to do in order to bring the online world under control. And that doubtless even includes cutting China off from the rest of the Internet, if need be.
Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+
Filed Under: browsers, china, data leak, privacy, qq
Companies: citizen lab, tencent
Reader Comments
Misleading headline
That's not exactly what this article is about. Maybe change that.
-
But if past experience teaches us anything, it is that there really are no limits to what the present US leadership is willing to do in order to bring the online world under control.
At least, that's what we're told here in the USA about our online activities.
Data mining is both expected and normal; because these days it's in the "boilerplate" (see https://www.techdirt.com/articles/20160404/06162934095/oculus-users-freak-out-over-vr-headsets-tos-though-most-it-is-boilerplate.shtml by Karl Bode).
In the ancient old days (3 years ago), that sort of thing was considered bad: https://www.techdirt.com/articles/20130405/06384622592/microsoft-creative-director-defends-always-online-insults-customers-murders-logicall-one-day.shtml
Nowadays it is "normal".
WTO?
That would eliminate one huge purveyor of bad actions, then there would only be Russia India and our own three letter agencies to expunge from the Internet.
Nice info, all about China
Nice post. I learn something more challenging on different blogs everyday. It will always be stimulating to read content from other writers and practice a little something from their store. I’d prefer to use some with the content on my blog whether you don’t mind. Naturally I’ll give you a link on your web blog. Thanks for sharing.