Mobile numbers of Chinese and Hong Kong officials exposed by Baidu app

An app developed by Baidu may have invaded millions of users’ address books

Society

A smartphone application developed by China’s Baidu may have invaded millions of users’ mobile contacts, exposing mobile numbers of senior Chinese and Hong Kong officials, an investigation by the FactWire reveals.

The app, DU Caller, offers a phone number search function by keywords, termed as the ‘search name or number’ feature, which allow users to directly search for numbers by the name of an individual or organization.

The mobile numbers of Secretary for Security Lai Tung-kwok, Commissioner of Police Stephen Lo Wai-chung, Privacy Commissioner for Personal Data Stephen Wong Kai-yi as well as government officials of the Chinese Liaison Office and the Chinese Foreign Ministry in Hong Kong could be accessed.

Through dynamic analysis, FactWire found out that the app may send users’ phone address books to Baidu’s server in Beijing before acquiring their consent.

A legal consultant familiar with the Privacy Ordinance said that DU Caller’s features invade privacy to a larger extent compared to the three apps that were exposed by a FactWire investigation in November last year.

DU Caller, a smartphone app under Baidu, was created by DU Group, which calls itself the ‘World’s Most Trusted Android Apps Developer’. While the app offers ‘Caller ID & Blocking’ and call recording, it also includes functions that may harm users’ privacy, such as reverse look-up or number search by keywords. When users input a keyword, the system searches its database of two billion phone numbers and show results that contain same or similar keywords.

Upon installation, users can use the keyword search function and check results three times a day. Once the quota is used up, the user has to create an account with his or her phone number and log in to enquire about the number owner to ‘Ask for details’. However, FactWire found out that users could check three phone numbers again upon reinstalling the app.

 

The DU Caller database consists of phone numbers from around the world, including Asia, America and Europe. FactWire tried searching for phone numbers in the database with Chinese keywords such as ‘Liaison Office’, ‘Hong Kong and Macau Affairs Office of the State Council’, ‘Ministry of Foreign Affairs’, ‘Hong Kong Police Force (HKPF)’ and ‘Security Bureau’, and found the mobile numbers of Secretary for Security Lai Tung-kwok, Commissioner of Police Stephen Lo Wai-chung and Deputy Director of the Liaison Office of the Chinese Central Government in Hong Kong Yin Xiao-jing and Lin Wu.

 

FactWire made enquiries to Lai and Lo on the leakage of personal privacy. The Security Bureau replied that ‘the Secretary for Security did not authorize any mobile app developer or provider to upload his name and mobile number to its database’. The Bureau already referred the case to the Office of the Privacy Commissioner for Personal Data (PCPD) for follow-up. No replies were received from the HKPF so far.

Wong emphasized that the name and mobile number are important personal information, which may be used by fraudsters to carry out phone frauds. (Photo: FactWire)

FactWire also found the mobile number of the Privacy Commissioner for Personal Data Stephen Wong Kai-yi using the keyword search feature. Wong expressed shock and immediately questioned reporters how they had obtained his number when he was asked to confirm that the number belonged to him. He then confirmed with FactWire that the number, now no longer in use, was his work mobile number from 10 years ago when he was with the Department of Justice.

Wong emphasized that names and mobile numbers are important personal information, and that fraudsters may use these information to carry out phone frauds. He added that personal data is the ‘source of the frauds’.

‘(The fraudster) may use your phone number to find and manipulate other’s personal information as such information has a high degree of believability. He or she may be able to find out my former office, and what I worked for. If a stranger calls and says he knows you, and you’ve forgotten him … Especially older people and those less familiar with technology may find it strange about how the fraudster knows such information, but would then think they’re just being forgetful and so they could be tricked by the fraudster’s misleading messages,’ said Wong.

As to DU Caller’s feature that enables users to input an individual’s name to search for his or her phone number, Wong said that the usual ‘Caller ID & Blocking function’ aims to block calls from unknown callers, but that the keyword search feature has no direct or actual support to block spam calls or detect unknown calls. Wong added the developer could be in violation of the third data protection principle of the Personal Data (Privacy) Ordinance (Data Use) unless it has acquired voluntary consent from the data subject.

Craig Choy Ki, convenor of the Progressive Lawyers Group and a legal consultant familiar with privacy policies, said DU Caller’s keyword search feature invades privacy to a larger extent compared to the three apps exposed by a FactWire investigation in November last year.

Choy pointed out that while a phone number only counts as personal data when combined with a name, the name itself already counts as an identifiable personal data. ‘The apps exposed last time (in the November 2016 FactWire investigation) use non-personal data to search for personal data, but this time (DU Caller) allows users to use others’ personal information to look for more (data subject) information. This method leaks personal data and violates privacy more easily and with more accuracy’, said Choy.

FactWire found the phone address book of Roger Cheng Hon-man, who teaches at the Chinese University of Hong Kong. Cheng uses the course code, activity name and the Chinese or English names of his students as their contact names in his phonebook.

FactWire used Cheng’s course codes and activities between July 2014 to November 2016 for keyword search and discovered that contact information involving more than 1,000 data subjects dating till September 2016 was recorded in the DU Caller database.

Angrily calling what had happened ‘a clearly immoral act’, Cheng said that ‘unless the app could prove that (they gained my consent), I’ll have to believe it’s stolen my information.’ He is apologetic to his friends for leaking their personal information.

FactWire then discovered two complete different versions of privacy policies available within the DU Caller app. The first version is available on the front page of the Android version of the app, while the second one is in the ‘About’ column within the app.

The first version states that if users have ‘opted in to take part in the DU Caller User Experience Program, we (DU Caller) may collect, use and share certain information’, including IMEI (International Mobile Equipment Identity), IMSI (International Mobile Subscriber Identity), device log, incoming and outgoing calls and phonebook contacts, and that users gave permissions to DU Caller to ‘use the contact information as a part of the service’.

The policy also states that users ‘guarantee all permissions required to share such contact information’ with DU Caller, and that by ‘installing and launching DU Caller, you agree to participate in DU Caller User Experience Program’.

DU Caller has two different privacy policies, one of them stating that once the user installed and launched DU Caller, the user agrees to ‘participate in the DU Caller User Experience Program’. (Photo: FactWire)

FactWire conducted a dynamic analysis to analyze how DU Caller uploads users’ data. The analysis results show that once the app is downloaded and installed in a smartphone, even if the user did not click ‘agree’ to its privacy policy, the user’s information, including the phone address book, phone number and IMEI of the phone will be recorded into a folder of the app, ready to be sent to the server of Beijing Baidu Netcom Science Technology Co., Ltd.

In addition, there are clear differences regarding the ‘storage and transferral’ of users’ data in the two policies. The privacy policy available on the front page of the Android version states that DU Caller only stores and transfers the information collected to ‘countries outside of the jurisdiction’ the user uses the services in, including storage in China and the United States.

 

On the other hand, the privacy policy available in the ‘About’ column of the app, i.e. the second version of the policy, states that DU Caller ‘may transfer, process and store personal data in a number of countries’, and ‘the information collected within the European Economic Area (EEA) may be transferred and processed in a country outside of the EEA’.

DU Caller has two different privacy policies, with apparent differences in the ‘storage and transferral’ of users’ data. (Photo: FactWire)

Wong stated that developers providing two completely different privacy policies for the same app would mean that the policies may contain fabricated or misleading content, saying that ‘it is a serious and illegal act which the PCPD would investigate upon when discovered’.

The developer may have violated principle one of the six data protection principles (data collection), which states that ‘personal data must be collected in a lawful and fair way’ and the data collected ‘should be necessary but not excessive’.

FactWire made enquiries to DU Group and Baidu on whether DU Caller’s features and method of personal data collection violates the Ordinance and whether they would suspend the keyword search feature. No replies have been received so far.

According to the Google Play’s statistics, the app has been installed around one to five million times, while Apple’s information shows that the app developer is Baidu (Hong Kong) Limited. DU Caller is not yet available in the Hong Kong branch of Apple App Store. The app is available in the store’s U.S. branch, but does not offer the keyword feature.

The DU Group website shows that the products developed by app developer DU Group include DU Speed Booster, DU Battery Saver, DU Flashlight, DU Browser, DU Cleaner, and Photo Wonder, which have accumulated among them one billion Android users across the globe.

Baidu was listed in the Nasdaq Stock Market (NASDAQ: BIDU). The 2016 annual report shows that Baidu (Hong Kong) Limited is a wholly owned subsidiary of Baidu, Inc.

FactWire discovered three ‘Caller ID & Blocking’ smartphone apps that violated users’ privacy in November last year. The apps, namely CM Security, TrueCaller and Sync.me, compiled users’ phone address books into a publicly-available database involving one billion users and included a large number of well-known politicians and businessmen. The PCPD stated back then they would follow the issue closely and contact the overseas law enforcement organizations concerned for follow-up.

Five months later, FactWire found that while CM Security had suspended part of the ‘Reverse Look-up’ feature last November, the two other apps were still operating as usual.

Privacy Commissioner for Personal Data Stephen Wong Kai-yi stated that although section 33 has yet to be implemented, the PCPD published a ‘Guidance on Personal Data Protection in Cross-border Data Transfer’ in 2014. (Photo: FactWire)

Privacy Commissioner for Personal Data Stephen Wong Kai-yi admitted during an interview with FactWire that the PCPD has no authority to enforce laws under the current legislation.

The operators of the three smartphone apps are located outside Hong Kong borders. Since the Personal Data (Privacy) Ordinance is of no legal effect outside Hong Kong, the PCPD ‘could not monitor or regulate but only seek assistance’ from overseas watchdog organizations, according to Wong.

Wong explained that the PCPD had already reflected the problems in November last year with the authorities in the countries where the companies that developed the three apps are located, namely China, Sweden and Israel. Among them, only the Chinese app CM Security had suspended part of its ‘Reverse Look-up’ feature.

Wong stated that ‘while they (overseas watchdog organizations) responded to requests from the PCPD every time, their replies are usually a bit of a bluff’. The PCPD could only keep contacting the organizations. ‘We deliver our grave concerns to the authorities, and we rely on them to proceed with the regulations’, Wong said.

The Personal Data (Privacy) Ordinance took effect in 1996, making Hong Kong the ‘first jurisdiction in Asia to have a dedicated piece of legislation on personal data privacy’. However,  section 33, namely ‘ Prohibition against transfer of personal data to a place outside Hong Kong’, has yet to come into effect. The law does not prohibit cross-border flows of personal data.

Although section 33 of the law has yet to be implemented, the PCPD has published a ’Guidance on Personal Data Protection in Cross-border Data Transfer’, so that ‘the industries already got used to what section 33 is aiming to protect’, according to Wong.

Wong then said that the PCPD had already completed and submitted a research report on the effectuation of section 33 of the law to the Constitutional and Mainland Affairs Bureau (CMAB) back in 2013. While the PCPD is an independent watchdog organization, it lacks the authority to regulate the speed of legislation, and could only urge the government to speed up the process.

‘Of course we did urge the government. The former Commissioner especially made conspicuous nudges,’ said Wong, who added that the PCPD could only wait for the government to ‘handle, assess, evaluate and announce’ their investigations.

Section 33 of the Personal Data (Privacy) Ordinance states that if a region is specified by the Commissioner ‘as one which has in force a data protection law which is substantially similar to, or serves the same purpose as the Ordinance’, it can be added into a ‘white list’ to allow data users to transfer personal data to any regions on the list.

Many companies locate their servers in places such as China, India and Southeast Asia, where they may transfer and store user data. However, the privacy regulations abroad may differ from that of Hong Kong.

Wong pointed out that the ‘white list’ was submitted to the CMAB along with the research report in 2013, but he refused to disclose whether China and India was on the list. Wong merely stressed that the jurisdictions on the list must have privacy ordinances similar to Hong Kong’s, and that the PCPD is currently waiting for the CMAB to conduct research and publicize the relevant policies.

FactWire made an enquiry to the CMAB on the progress of the implementation of section 33 of the Personal Data (Privacy) Ordinance and asked for the countries or regions on the ‘white list’. The CMAB replied that ‘the PCPD passed a consultant research report to the government in December 2013 and the consultant commissioned by the government is making evaluations on the competitiveness of the business environment in accordance with the implementation’.

The CMAB added that the report would be completed ‘during the first half of 2017’, and that it would ‘go through the research results and then consider follow-up work’. The Bureau also pointed out that the consultant collected information and comments from stakeholders in various industries, including members of the information technology sector, to assess the effects of the implementation. However, the CMAB did not reveal whether countries such as China or India were included in the ‘white list’.  

The Commerce and Economic Development Bureau recently launched a public consultation on strengthening the regulation of person-to-person telemarketing calls, with one possible option of promoting the use of call-filtering applications in smartphones. It mentioned that the ‘Reverse Look-up’ feature may involve privacy problems, stating that should this option be adopted, the government would consider providing fundings to developers vowing to write up more stringent policies to safeguard the privacy of users.

Related stories