The Backstory: When a stranger knows your name

Around 3 billion such numbers and identities are accessible in publicly available databases and can be searched without the knowledge of the data subjects.

“Aren’t you Stella from XX Company?” Stella (pseudonym) was shocked when a taxi driver whom she never met managed to say her name and workplace.

This story aroused the curiosity of FactWire reporters, and on investigation the issue was found to involve the public interest. Around 3 billion such numbers and identities are accessible in publicly available databases and can be searched without the knowledge of the data subjects.

On 22 November, FactWire discovered that three smartphone apps with a “Caller ID & Blocking” feature, namely CM Security, Truecaller and Sync.ME, collect users’ phone address books and integrate them into publicly available databases. Around 3 billion such numbers and identities are accessible. The databases contain the numbers of local and mainland officials, legislators and personalities from the business, political, media and entertainment sectors, as well as members of the public.

CM Security amended its statement multiple times

The Office of the Privacy Commissioner for Personal Data (PCPD) issued statements on two consecutive nights, saying that it is closely following the development of the case. The PCPD contacted organizations in China, Sweden and Israel that specialize in personal data protection to follow up on the case. The report raised concerns in local and overseas media, which shows that the way smartphone apps use the personal information collected from users is a topic of public concern.

CM Security developer Cheetah Mobile held a closed luncheon yesterday with local media outlets that had received invitations from the company. A Cheetah Mobile executive said that although the relevant function does not involve loopholes, the company would permanently shut down the “reverse look-up” function and provide ways to delete personal information.

BBC World picks up this FactWire story on its world news.

However, CM Security released another statement on the same day at 6pm. The Chinese and English versions, released simultaneously, differ: the English statement says that “CM Security will temporarily shut down the ‘reverse look-up’ function”, whereas the Chinese statement says that the function was immediately shut down and would not be reopened.

Four days before the report was released, FactWire repeatedly sent enquiries to the companies involved regarding the source of the databases, the storage of users’ personal information (that of Hong Kong users in particular), the locations of server facilities, whether the companies provided personal data to the Government upon request from law enforcement organizations, ways to remove users’ personal information, and so on.

Only Sync.ME CEO Ken Vinner issued a written reply to FactWire. Cheetah Mobile replied in writing before the release of the report that the company was “currently in the silent period before the earnings release” and declined to respond. Cheetah Mobile did not provide any way to remove personal information.

The report captured the attention of the public after its release. CM Security has shut down part of the “reverse look-up” feature since Sunday. Cheetah Mobile then amended its statement at least three times on Monday and Tuesday. In response to media reports, the company released its first statement on Monday at noon, stating that the company was deeply apologetic for causing inconvenience to affected users after the “reverse look-up” function was temporarily shut down. In the evening of the same day, Cheetah Mobile twice updated the statement, stating that “it’s unfortunate that this (the ‘reverse look-up’ feature) was misused by some people who already knew the phone numbers of certain related people”, and that “this is a malicious act to twist the privacy safety of CM Security”.

FactWire would not speculate whether by “some people” Cheetah Mobile was referring to the local and overseas media that followed the case closely. However, as the first news agency to reveal the issue, FactWire upholds the principles of serving the public interest and the public’s right to know, and reported the truth. The investigation began when a citizen informed FactWire that her personal information had been uploaded to CM Security and was available for other users to search. The informant was disturbed, and hoped that FactWire would investigate the matter.

After conducting research and tests, FactWire discovered that Cheetah Mobile collects users’ phone address books through its other smartphone app, WhatsCall, as a source of information for CM Security’s “reverse look-up” feature. FactWire also discovered other smartphone apps with similar features on the market that cover more regions and collect more information. Around 3 billion such numbers and identities are accessible, which reflects the universality and significance of the issue.

Before releasing the report, FactWire studied the privacy policies and terms of service of the smartphone apps in question, and solicited legal advice from local law enforcement organizations and legal consultants familiar with the relevant regulations, so as to learn the definition of “personal information” and the scope of existing legislation.

FactWire found that these companies state in their policies that users must obtain consent from the contacts in their phone address books before providing the companies with their contact information. This shifts the responsibility to users, so that users in general, who rarely read through the policies and terms, unknowingly provide information belonging to their friends (the data subjects) to the apps. Such users may have violated Principle 3 of the Six Data Protection Principles of the Personal Data (Privacy) Ordinance. FactWire therefore listed the relevant policies and potential legal risks in the report.

Phone numbers are private personal data

The statement that “the app does not proactively disclose any personal information in the first place”, since the ‘reverse look-up’ function for a name will “only be effective if the user knows beforehand a certain phone number”, should be read against the Personal Data (Privacy) Ordinance, which defines “Personal Data” as: (1) information which relates to a living person and can be used to identify that person; (2) information that exists in a form in which access or processing is practicable. Examples of personal data protected by the Ordinance include names, phone numbers, addresses, identity card numbers, photos, medical records and employment records.

FactWire discovered that a mere phone number could lead to search results such as the name, nickname, location, occupation, social networks and email account of the number holder, even if he or she has not consented to the upload of that information or to its being made available for search. It is possible for criminals to commit fraud by writing computer programmes to collect such information on a large scale.

In addition, many citizens provide their mobile numbers to services that rely on “SMS verification”, such as social network, email, credit card and bank accounts.

Hackers or fraudsters who obtain such information could steal passwords, read text messages or listen to phone call records, and commit illegal acts.

The three apps have accumulated over 200 million downloads in smartphone app stores, involving around 3 billion such numbers and identities. This pertains to potential security risks and is absolutely relevant to the public interest. FactWire believes that whether the data subjects traced are members of the general public, officials or celebrities makes no difference; the matter is of equal importance in every case.

“Journalism is printing what someone else does not want printed; everything else is public relations.” – George Orwell