China camera apps may open up user data to Beijing government requests

Chinese companies are behind some of the most popular photo and video apps around the world. That may mean vast troves of user data are at risk of falling into Beijing’s hands, according to cybersecurity experts.

Concerns are on the rise globally about internet privacy security and data protection, and a recent focus has centered on photo apps. China’s mobile programs count hundreds of millions of active users, but their capacity to ensure privacy remains a matter of debate — especially since there’s less of an emphasis on that factor at home.

In fact, Robin Li, the billionaire CEO of tech giant Baidu, sparked an uproar last year when he said Chinese people “are not so sensitive about privacy issues and they are often willing to exchange privacy for efficiency,” according to CNBC’s translation.

The recent overnight popularity of Russian FaceApp’s aging feature evoked some worries about tech companies’ potential collaboration with governments. The app’s CEO, Yaroslav Goncharov, reportedly told The Washington Post that Moscow does not have access to the photos and that the company does not share user data with any third parties.

But unlike FaceApp, some of China’s biggest camera apps explicitly state in their privacy agreements that they provide data to third parties. It remains unclear, however, whether the so-called third parties include any government agencies.

China isn’t lawless when it comes to cybersecurity. In fact, the country has several sets of guidelines, according to Samm Sacks, a cybersecurity policy and China digital economy fellow at think tank New America.

In May this year, Beijing proposed new regulatory policies to punish companies who breach privacy agreements.

Still, China employs “vague” language, Sacks said, and those laws are “enforced selectively as a tool as needed by the government.”

Government control is the salient point in China’s approach to regulating digital businesses, experts told CNBC. In fact, that’s part of what’s driving Washington’s warnings about telecommunications behemoth Huawei.

“If companies don’t comply with government requests, they’ll get into trouble with the Communist Party,” Leland Miller, CEO of independent data tracking company China Beige Book, told CNBC during a phone interview.

“That does not mean government requests always happen,” he said, adding that “there is no law sufficient enough to safeguard user data if the government chooses to request this information.”

That is, the data privacy situation in China isn’t a “legal issue,” but rather a “structural issue,” according to Miller. He said that anyone using a Chinese app is realistically “vulnerable” to Beijing’s reach.

Even one of China’s most well-known tech companies, Tencent, was ambiguous on the issue. It wrote in its general privacy policy web page that it “may disclose your personal information … to comply with the applicable laws and regulations.” Tencent is the parent company of WeChat, the most widely used social media app in China, and various other internet services including photo editing app Tiantian P-Tu.

When asked by CNBC whether the wording in its privacy policy means Tencent-developed apps provide user data to authorities, a company spokesperson simply said “no comment.”

Miller said language like Tencent’s policy “is typically added in to provide notice that the company reserves the right to respond as it deems necessary to any laws or judgments that happen in the future, which (of course) opens a huge door for Beijing to utilize if it so chooses.”

As long as an app is developed by a Chinese company — even if the user lives abroad or the company is registered overseas — it will fall under the country’s cybersecurity laws, and therefore will be subject to Beijing’s requests, according to a blog post from Sara Xia, an attorney at Harris Bricken.

Chinese photo-editing app Meitu, which means “beautify pictures” in Chinese, offers features that can remove wrinkles, smooth pores, and lengthen legs. The mobile app had 332 million monthly active users in December last year, of which, nearly 68% were Chinese users and 32% were from the rest of the world according to its 2018 annual report.

According to Meitu’s privacy policies, it collects personal details such as names, genders, locations, types of devices, and even what network operators are used.

The company wrote to CNBC it only uploads user information to the cloud with “expressed consent.” Most of the content is processed on users’ devices, according to Meitu.

When asked for how long the company retains user information, Meitu responded by saying that its “retention period strictly abides by the applicable local laws and regulations of where our users are based.”

After repeated inquiries from CNBC, Meitu declined to deny it would ever share data with the Chinese government, instead saying that, as of now, it had not done so. “Meitu strictly abides by the applicable local laws and regulations,” a spokesperson told CNBC.

Meanwhile, the most downloaded non-game app worldwide, TikTok also has ties to China.

The app was originally developed by Beijing-based Bytedance under the name Douyin. The international version (which does not serve China) was relaunched in 2017 under the name TikTok.

A spokesperson for the company said the app “neither shares information with the Chinese government, nor operates in the country.”

“We work with leading third-party data partners and store all user data outside of China,” the representative said. “We are working with an independent, US-based internet privacy firm to audit our practices and confirm that we are employing industry-leading standards for the storage and protection of TikTok user data.”

Still, TikTok’s 2018 privacy policy said the company can transfer international users’ data to China, according to archived versions of that web page. The company, however, appears to have removed that clause in its updated 2019 privacy policy page.

It now says, “We may share your information with a parent, subsidiary, or other affiliate of our corporate group.” That means it would include China-based Bytedance.

Sacks said Bytedance goes to great lengths to separate TikTok as an international operation. But content created outside China could be a “major threat to the (Chinese Communist Party) and domestic stability. So they have a lot of incentives to keep international content and data pretty carved off,” he added.

“There has been no public evidence contradicting TikTok’s statement … we have no way to really know beyond speculation,” Sacks pointed out.

But Miller holds his skepticism. In reality, if the China-based parent company is requested to share information by Beijing, it will “adhere to any demand by the Party.”

TikTok has been installed by more than 1.1 billion users globally (excluding China), and has grossed $80 million from in-app purchases, according to April figures from app data tracking company Sensor Tower.

— CNBC’s Wendy Ye contributed to this report.