June 20, 2022
China’s tightening national security laws on Hong Kong are raising concerns about the Chinese Communist Party’s access to the data of hundreds of thousands of Australian users of the social media and payment application WeChat.
Data including GPS and device information goes to WeChat’s servers in Hong Kong - which in 2020 was subject to sweeping new national security laws imposed by China - according to a white paper by Canberra-based cybersecurity and intelligence firm Internet 2.0, which analysed the WeChat app.
The analysis, which has been circulated among both sides of Australian politics, calls into question the security and privacy of data collected by the WeChat app.
“WeChat states that all its servers are kept outside of mainland China. This is critical because our analysis uncovered that while all chat and audio/video calls are probably managed by servers internationally, all user data that WeChat logs and posts to its logging server about its users goes directly to Hong Kong,” the report said.
“We argue it is reasonable to consider that under the Hong Kong National Security Legislation there is little difference between Hong Kong resident servers and those on mainland China.”
The data that goes to Hong Kong is log data, which includes the user’s mobile network, device information, GPS information, phone ID, and version of the operating system of the phone. It does not include information such as the content of a conversation. Internet 2.0 said it could not find anything to suggest conversations were stored anywhere but on the user device.
WeChat did not respond to a request for comment.
Liberal senator and shadow minister for cybersecurity and countering foreign interference James Paterson told The Australian Financial Review: “This report confirms the well-founded fears of many that despite assurances to the contrary, the private information of WeChat users is likely to be accessible in mainland China and would be made available to the Chinese government when requested.
“Australian users should be extremely wary of the platform and very cautious about anything they post on it,” he added.
Internet 2.0’s analysis also found multiple IP addresses within the WeChat app which touched mainland China. It noted some servers were being used by third parties, and another (ChinaNet) “is China’s national internet backbone and it was impossible to determine what this function was”.
“In our opinion Weixin functions like a marketplace that are enabled for WeChat users and we consider if data was to be logged as Tencent suggests WeChat would advise the user they are coming under Weixin terms of service,” the report said.
China’s National Intelligence Law from 2017 requires organisations and citizens to “support, assist and cooperate with the state intelligence work”. The legislation was a major consideration for the Australian government’s 2018 ban of Chinese telecommunications companies, including Huawei and ZTE, from providing equipment in the rollout of 5G mobile phone networks.
Hong Kong residents have long cherished the freedoms enjoyed since it became a special administrative region of China after it was handed back by the British in 1997. It has operated under the ‘one country, two systems’ principle.
However, a sweeping new national security law imposed by China on Hong Kong, passed in 2020, and the subsequent nine-year imprisonment of Tong Ying-kit, the first person to be convicted under the new laws in July 2021, tightened the Chinese Communist Party’s grip over the former British colony.
Internet 2.0’s report comes amid revelations from leaked audio of TikTok meetings which showed non-public US user data, which parent company ByteDance promised was stored in the US, had been repeatedly accessed from China, BuzzFeed reported on Friday.
TikTok has come under intense scrutiny due to its ownership by ByteDance, a private Chinese company, and reports and research on the links between ByteDance and the CCP, the spreading of propaganda and censorship.
WeChat is a hugely popular social media and payments app. The WeChat app is used outside of China, whereas the corresponding app on the mainland is Weixin.
WeChat, in its 2020 submission to the Select Committee on Foreign Interference through Social Media, labelled them “sister apps”, both being owned by Tencent.
The app was thrust into the Australian news cycle in January after then-Prime Minister Scott Morrison lost control of his WeChat account and it was renamed “Australian Chinese new life” and began posting links to Chinese news websites.
“We determined that Weixin is probably hierarchically higher than WeChat in its architecture management. A better term would be parent and daughter than sister apps,” Internet 2.0 said.
“WeChat uses Weixin URLs for its support and agreement functions... There are a total of 1207 references to Weixin URLs in the WeChat source code and Tencent’s QQ domains are the higher hierarchical logging server.”
WeChat’s submission said all of its servers are outside of mainland China and the company is not governed by People’s Republic of China law, while Weixin is. In its submission, WeChat stated it had 690,000 daily active users in Australia as of September 2020.
The Internet 2.0 analysis identified servers in Hong Kong which had ISPs labelled Tencent cloud computing. The logging data is encrypted using a method which makes data look similar once it has been encrypted, making it hard to determine what has been encrypted and uploaded.
“We must note this record was taken at the time of analysis which was the first week of February 2022. WeChat can easily change their logging processes with a simple update and the IP address and logging records we have outlined are only accurate as at the time of analysis,” the report said.
Internet 2.0 also analysed Chinese government procurement records, which showed at least 10 contracts between 2016 and 2019 from the CCP’s propaganda department to conduct influence or propaganda over Tencent platforms.
The value of the 10 contracts was just over ¥2.3 million ($500,000). They were awarded to subsidiaries owned by Tencent or companies in which Tencent chief executive and chairman Ma Huateng has a controlling stake.
Senator Paterson added the report “also lays bare how blatant the cooperation between companies like Tencent and the Chinese Communist Party is for the purposes of propaganda. Liberal democracies must grapple with the serious risk of foreign interference posed by these platforms”.
In WeChat’s submission to the Select Committee on Foreign Interference through Social Media, it said: “WeChat prohibits paid promotional content regarding: a candidate for an election; a political party; or any elected or appointed government official appealing for votes for an election; appeals for financial support for political purposes; and a law, regulation or judicial outcome, including changes to any such matter.”
However, Internet 2.0 said the wording of the policy is muddled and the CCP can exert considerable pressure on WeChat.
“One could argue that any democratically elected politician at all times was either appealing for votes or making content regarding a legislative outcome. This, in essence, is what politicians do,” the report said.
“We also found this policy contradictory in its implementation as most Australian politicians have been making this type of content and distributing it on WeChat.
“Lastly, we struggled to see how WeChat could enforce these policies while also adhering to their other policy of not breaching any applicable laws and regulations.
“In the United States for example freedom of speech is a constitutional right, WeChat’s policies possibly run in direct contradiction to these constitutional rights.
“Basically, we struggled to comprehend how WeChat could regulate content and combat misinformation while also regulating content which breached any applicable laws but then bar all political content.”