China Considers Cutting Itself Off From The Global Internet, As Three Home-Grown Browsers Are Found Leaking Personal Data
from the probably-just-a-coincidence dept
Techdirt readers know that the Chinese authorities have been steadily tightening their grip on most aspects of online life in the country, but there’s one area that hasn’t been mentioned much: the Web browser. Recently, a new report from the University of Toronto’s Citizen Lab identified security and privacy issues in QQ Browser, a mobile browser produced by the China-based Internet giant Tencent. Here’s a summary:
The Android version of the browser transmits personally identifiable data, including a user’s search terms, the URLs of visited websites, nearby WiFi access points, and the user’s IMSI [International Mobile Subscriber Identification] and IMEI [International Mobile Equipment Identifier] identifiers, without encryption or with easily decrypted encryption. Similarly, the Windows version sends personally identifiable data, including the URL of all pages visited in the browser, a user’s hard drive serial number, MAC address, Windows hostname, and Windows user security identifier, also without encryption or with easily decrypted decryption.
Now, this could just be the result of some supremely sloppy coding combined with lax privacy practice — in theory, at least. But that generous interpretation becomes rather harder to sustain when you bear in mind that this is not the first time Citizen Lab has found this behavior. To be precise, this is the third time. Last month, it discovered that Baidu Browser, a free Web browser for the Windows and Android platforms produced by Baidu, one of China’s biggest tech companies, has strikingly similar problems to QQ Browser:
The report identifies security concerns in both the Windows and Android versions of the browser that may expose personal user data, including a user’s geolocation, hardware identifiers, nearby wireless networks, web browsing data and search terms. Such user data is transmitted, in both the Windows and Android versions, unencrypted or with easily decryptable encryption, which means that any in-path actor could acquire this data by collecting the traffic and performing any necessary decryption. In addition, neither version of the application secures its software update process with a digital signature, which means that a malicious in-path actor could cause the browser to download and execute arbitrary code.
And before that, back in May last year, the same researchers found unauthorized transmission of personal data by another widely-used browser:
UC Browser is among the most popular mobile apps in the Chinese Internet space. UC Browser claims to have more than 500 million registered users, and is reported to be the most popular mobile browser in China and India. Overall, the application is the fourth most popular mobile browser globally, and is behind only pre-installed Chrome, Android, and Safari browsers.
Putting these three browsers together, you have a serious chunk of not just the Chinese online population, but across the whole of Asia. As the Citizen Lab researchers point out:
That the three China-based browser applications we have examined all evince strikingly similar data gathering and insecure data handling problems raises an obvious question of whether there is some underlying cause for the similarities.
The post runs through all the options, including the most likely explanation: that the companies were ordered by the Chinese authorities to build in these highly-useful vulnerabilities. Not surprisingly:
The questions we asked the companies about government directives or influence have not been directly answered.
But if anyone still doubts that the Chinese government wants to control every aspect of the Internet, they may like to consider the following recent report in The New York Times:
A draft law posted by one of China’s technology regulators said that websites in the country would have to register domain names with local service providers and with the authorities.
It’s not entirely clear what that means, but there is one possibility that would be very problematic for Chinese Internet users — and for every Western company operating in the country:
If the rule applies to all websites, it will have major implications and will effectively cut China out of the global Internet. By creating a domestic registry for websites, the rule would create a system of censorship in which only websites that have specifically registered with the Chinese government would be reachable from within the country.
China’s technology regulator has rejected that interpretation, and said that there is a “misunderstanding.” But if past experience teaches us anything, it is that there really are no limits to what the present Chinese leadership is willing to do in order to bring the online world under control. And that doubtless even includes cutting China off from the rest of the Internet, if need be.
Filed Under: browsers, china, data leak, privacy, qq
Companies: citizen lab, tencent
Comments on “China Considers Cutting Itself Off From The Global Internet, As Three Home-Grown Browsers Are Found Leaking Personal Data”
“China Considers Cutting Itself Off From The Global Internet”
That’s not exactly what this article is about. Maybe change that.
There’s no such thing as a bug, only undocumented features.
I suspect the “leaks” in the browsers are deliberate, demanded by the Chinese government so they can monitor their citizens’ use of the Internet.
Pictures Feinstein reading this foaming at the mouth in jealousy.
But if past experience teaches us anything, it is that there really are no limits to what the present US leadership is willing to do in order to bring the online world under control.
Chinese citizens have nothing to fear if they have nothing to hide.
At least, that’s what we’re told here in the USA about our online activities.
Data mining is both expected and normal; because these days it’s in the “boilerplate” (see https://www.techdirt.com/articles/20160404/06162934095/oculus-users-freak-out-over-vr-headsets-tos-though-most-it-is-boilerplate.shtml by Karl Bode).
In the ancient old days (3 years ago), that sort of thing was considered bad: https://www.techdirt.com/articles/20130405/06384622592/microsoft-creative-director-defends-always-online-insults-customers-murders-logicall-one-day.shtml
Nowadays it is “normal”.
Surely there must be treaty violations in the restrictions of websites?
Instead of cutting Chinese citizens off can we please cut China off from the Internet.
That would eliminate one huge purveyor of bad actions, then there would only be Russia, India and our own three letter agencies to expunge from the Internet.
As long as China means money nobody besides activists will be worried about doing business with them. Money speaks louder than Human Rights or whatever nowadays.
Nice info, all about China
Nice post. I learn something more challenging on different blogs every day. It will always be stimulating to read content from other writers and practice a little something from their store. I’d prefer to use some with the content on my blog whether you don’t mind. Naturally I’ll give you a link on your web blog. Thanks for sharing.