Logo of WeChat in the reflection of a broken mirror showing unknow devices login and WeChat privacy

WeChat Privacy Flap: Login Records Show Unknown Devices for Some Users, Company Claims Manufacturer Device Settings Are To Blame

A rash of appearances by unknown devices on user accounts has raised questions about WeChat privacy, as users wonder if some sort of unknown threat actors have found some sort of vulnerability in the system.

But the company insists the issue is being caused by certain manufacturer device settings. However, WeChat called this a “very likely” cause for the appearance of unknown devices but did not confirm it. Users are not necessarily buying the explanation, with chatter on Weibo speculating about Chinese law enforcement inspecting accounts using some sort of a backdoor.

WeChat privacy status in question as unknown devices log into accounts

With over a billion monthly active users, WeChat is not just China’s biggest instant messaging service but also a “super app” that integrates mobile payments, VoIP calling, video conferencing and a number of other features that use its “app within an app” functionality. It has almost become essential for daily life in the country, as one of the two major mobile payments systems that are widely accepted and one of the country’s most active sources for news and public notifications.

The WeChat privacy questions stem from numerous users posting logins from unknown devices to their accounts, sometimes at very late and odd hours. WeChat responded to the complaints by stating that it was “very likely” that manufacturer settings for certain devices were generating a false record of a login by another device; it contends these mystery records are just the user device being misread as unknown devices, and that the late night logins are a result of the app automatically extending the login to stay active.

The WeChat privacy policy states that it will not access private user messages without authorization, but all bets are usually off when government agencies get involved. City and regional police departments have been known to spy on WeChat messages, openly messaging intercepted messages when indicting individuals for anti-government activities or “public disturbance.”

Appearance of unknown devices not the first privacy issue for tencent services

It is at least possible in theory that devices making use of “private resolvable random addresses” that change the device MAC address on networks periodically (a feature fairly common to smartphones) are creating false reports of unknown devices in the app. However, it is difficult for users to take the company solely at their word on this given WeChat privacy history and prior incidents involving parent company Tencent.

Just a year ago, another WeChat privacy issue arose as a Chinese tech influencer discovered that the app was making use of a new Apple logging feature to surreptitiously scan user’s locally stored photos in the background every few hours. WeChat disabled the feature after a deluge of user complaints.

Users put a great deal of trust in WeChat whenever they start it up. In addition to constantly tracking locations, it also maintains access to the camera and microphone due to the range of functionality beyond basic instant messaging. Messages are not encrypted in any way, and the company has been observed censoring them when they contain content that the government might find objectionable. In 2021 the company was also accused of arbitrarily shutting down hundreds of accounts that were openly supportive of the LGBTQ+ community. WeChat is widely regarded as one of the least private communication apps in the world, earning this status long before the unknown devices started appearing.

Tencent has a negative privacy reputation that stretches far beyond WeChat, however. The problems have run so deep that the Chinese government has gotten involved at times, freezing rollouts of new apps and updates in late 2021 to ensure that the company was compliant with its new and stringent privacy laws. State-run companies were restricted in use of Tencent’s apps during this review period. Tencent has faced problems with its overseas operations as well, most notably involving popular online game League of Legends. Published by Riot Games, which is owned by Tencent, the game was criticized in 2020 over the discovery that its “Valorant” anti-cheating system is essentially a rootkit that could potentially pipe data back to servers that the Chinese government has free access to.

Whether government action is taken in the case of the mysterious unknown devices could depend on whether or not the government is involved. While all bets are off for personal privacy when the government is after something, companies are held to fairly stringent standards and punishments have been swift and harsh in recent years. The country’s Personal Information Protection Law and Data Security Law were developed in large part due to a history of domestic tech firms playing extremely fast and loose with user data, including allowing it to make it to overseas third party data brokers.