Futuristic global network showing data sharing of WeChat ecosystem

First Major Analysis of WeChat Ecosystem Network Requests Finds Privacy Gaps, Undisclosed Data Sharing

While most of the world’s major social media platforms have been thoroughly scrutinized in terms of data handling, there is a comparably small body of research on China’s WeChat (particularly in English). A first-of-its-kind study from Citizen Lab Toronto explores the WeChat ecosystem and finds that data sharing can exceed what the user expects, and that the privacy policy does not always make the extent of this sharing clear.

“Mini programs” in WeChat ecosystem share more data than expected

WeChat is China’s largest social media platform, and the third largest globally with about 1.2 billion users. Since its debut in 2011 the WeChat ecosystem has expanded to a scope beyond most of its social media peers, acting as a widely-used payment and ride sharing system and what is essentially an app store with its massive collection of “mini programs” that install and run through the platform. At times, the platform has made up about a third of the total annual internet traffic in China.

Over the last decade, WeChat’s sprawling functionality and widespread acceptance has gradually made it essential for daily life to a significant portion of the Chinese population. But though it has been around for nearly as long as its major rivals in the global market, research has been more limited due in part to its use of a proprietary encryption protocol (MMTLS) that masks most of its network communications. The Citizen Lab project had to develop its own unique tools to explore the WeChat ecosystem and capture meaningful information about the regular flow of network requests.

One’s data privacy experience in the WeChat ecosystem will depend on whether or not they sign up with and link a mainland China phone number; this is something that is disclosed in the company’s privacy policy, with accounts from outside the mainland enjoying a more limited collection of data that is supposed to be restricted to what is necessary for basic function. However, the privacy policy has language that may be misleading to both types of users. And if non-mainland users opt to install mini programs, they could have data funneled to WeChat in addition to the program developer. The developer may also be collecting more data than the user is aware of.

Mini programs have opaque data policies

Most of the trouble in the WeChat ecosystem originates when users download mini programs. WeChat facilitates access to assorted sensitive device operating system functions, in addition to providing the developer access to user contact and stored payment information.

Mini programs have already been the focus of controversy, with prior research finding that a good deal of them were not encrypting sensitive user data in transit or properly notifying users of information sharing with third parties. WeChat has responded to these issues by forcing mini programs to make requests through its own API, which imposes things like encryption standards. But the Citizen Lab study finds that this also provides WeChat with an alternate pipeline of first-party data that the user might not otherwise share with the app, and that it is unclear what is being done with this data as it passes through WeChat servers.

The Citizen Lab report acknowledges that it must make inferences based on the proprietary nature of the platform, but that it is likely that the “WeAnalyze” analytics component of the platform is privy to user data shared with mini programs. The report bases this on observable logging data, and compares it to a hypothetical scenario of Google forcibly injecting its internal analytics tools into everything listed on the Play Store.

And due to the structure of the platform, any operating system permission granted to a mini program must also be granted to WeChat by default. Non-mainland accounts might not normally be subject to granting this level of access during basic use of the app, but will unwittingly provide it upon installing a particular mini program.

Unexpected data access for non-Chinese WeChat accounts

While the vast majority of the app users are in China, the WeChat ecosystem has millions of users spread throughout Southeast Asia, and an additional two to three million or so in the United States. These users are routed to servers located in Hong Kong and Singapore. There are two separate privacy policies, with mainland China users subject to the “Weixin” policy (named for the parent company).

Users outside of China are supposed to only have a very limited set of necessary data shared with Weixin. However, the wording of the privacy policy does not make clear that third-party mini programs are subject to different terms that allow for more permissive sharing. The research also notes that non-mainland users have first-party analytics data shared directly with Weixin, something that is not necessary for operation of the app.

Citizen Labs recommends that foreign users of the WeChat ecosystem avoid any in-app features labeled with the Weixin name, and make use of Android’s inherent permission restriction system to have the app and mini programs manually request these as needed (and deny them when they are not necessary). The report also notes that the more modern the version of Android is, the stronger and more granular this permission system will be.