
Case Study: Super-Apps and the Exploitative Potential of Mobile Applications

Date: 30 August 2017

For those concerned by reporting of Facebook’s exploitation of user data to generate sensitive insights into its users, it is worth taking note of WeChat, a Chinese super-app whose success has made it the envy of Western technology giants, including Facebook. WeChat has more than 900 million users. It serves as a portal for nearly every variety of connected activity in China. Approximately 30% of all time Chinese users spend on the mobile internet centers around WeChat, and over a third of WeChat users spend over four hours a day on the service. WeChat’s multifunctional indispensability for many Chinese users makes deep and integrated stores of personal data available for analysis and exploitation – by WeChat itself, by third parties or by the Chinese government.

What is WeChat?

WeChat – known as Weixin (微信) in China – is a mobile application developed by Tencent, a Chinese technology company. WeChat first emerged as a chat service, permitting users to send messages using their mobile phones over the internet. Over time, however, Tencent has seamlessly integrated many other features into WeChat, transforming the application into the dominant gateway to the internet for its users. For instance, WeChat is also a social media platform, enabling users to follow each other and post updates, as well as to “subscribe” to other accounts, including media outlets, who use the WeChat platform to deliver content.

WeChat also has a “Wallet” feature, which serves as the hub for virtually any financial transaction. Using the Wallet, users can pay utility and credit card bills, transfer money to friends, and book and pay for taxis, food deliveries, movie tickets, hotels, flights and even hospital appointments, all without ever leaving WeChat. For example:

  • Didi Chuxing, China’s largest ride-hailing company, has a button embedded within the “Wallet,” which directs users to its service to book and pay for rides.
  • WePiao is a WeChat movie app, through which users select their city, theatre location and movie, and then pay for tickets.
  • Some hospitals have set up WeChat accounts, allowing users to use the platform to make appointments and pay for registration and medicine.

Part of WeChat’s success resides in its constant innovation of how users interact with the application. Take, for example, its deployment of the quick-response (“QR”) code. WeChat assigns each user a QR code, which serves as a digital ID, and also integrates a QR scanner into the application. WeChat users rely on QR codes to exchange contact information, make or receive payments (including in-store) or access web links, all without ever having to type anything into their mobile device.

In 2014, WeChat introduced a “Red Packet” feature, based on the Chinese tradition of exchanging red envelopes filled with cash on holidays or special occasions, such as weddings or birthdays. A “Red Packet” is a digital red envelope, which users can fill with predetermined amounts and send to other users. Over the 2016 Chinese New Year, 516 million users sent 32.1 billion red packets. The “Red Packet” feature, in turn, has reinforced user engagement with the WeChat “Wallet” and mobile payment system as well as boosted the growth of chat groups.

Tencent is also eyeing the growing integration of the “Internet of Things” and artificial intelligence (“AI”) into WeChat. In 2014, Tencent unveiled an API for smart devices, which permits hardware manufacturers to develop WeChat applications for those devices. And in 2015, it introduced an operating system for internet-connected devices. More recently, Tencent has begun dedicating resources to researching AI, opening labs in both China and the U.S. WeChat offers a rich resource for training AI, for example through the wealth of text and voice “conversational data” it collects.

What is the problem?

WeChat’s dominance among Chinese mobile applications has caught the attention of Western technology giants, including Facebook. David Marcus, the Head of Facebook Messenger, has described WeChat as “inspiring” and openly discussed his plan for Messenger to incorporate WeChat-like features and services into its platform. Indeed, Messenger’s product roadmap demonstrates this trajectory with plans, for example, to allow users to send money to one another or to purchase certain products or services directly on the platform.

And yet, rather than merely marveling at WeChat’s success at embedding itself into nearly every facet of everyday life, we should also think critically about its implications for individual rights and society as a whole. Consider first the information that WeChat can collect at the individual level:

  • Biometric information, such as voice data when logging in via “Voiceprint”
  • Contact lists shared with WeChat to connect with “Recommended Friends”
  • Location data – i.e. location of the device, IP address, and other information relating to location (e.g. geotagged photos) – while using WeChat
  • Log data, which includes web search terms, social media profiles visited, and details relating to other content accessed or requested using WeChat
  • Communications metadata (i.e. who, when, where) related to every chat, call and video
  • Social media posts (text and photographic) and their metadata
  • Bank and credit card details
  • Financial transactions and their metadata, including payments of utility and credit card bills, to other users, and for everyday services such as meals, transportation, entertainment, travel, and even health.

As WeChat strives to embed its platform into the Internet of Things, the sensors on those devices – cars, toys, refrigerators – will also begin to generate data about user behavior. The result is that nearly every facet of our daily lives may soon be expressed as data and collected by WeChat. Pieced together, those bits of data can produce a rich, multi-layered profile of an individual, including his or her religious affiliation, political views and personality traits.

Consider further that WeChat can generate and collect this wealth of data at near-population scale. WeChat boasts over 937 million users, 768 million of whom are active daily. The vast majority of these users reside in China. In China’s Tier 1 cities, such as Beijing, Shanghai and Guangzhou, approximately 93% of individuals are registered WeChat users.

The data generated and collected by WeChat can yield inferences – accurate or inaccurate – about individuals as well as a broader population. Inferences can then be used to make decisions that affect people’s lives and even have a societal impact. At the same time, automated processing techniques like artificial intelligence are increasingly determining inferences and making decisions. The use of AI – a complex, computational system – makes it inherently difficult to understand and challenge both inferences and decisions.

Today, WeChat sends BMW advertisements only to a select group of users. Tomorrow, will it block services such as taxi-hailing or health appointment booking for certain categories of users? Today, WeChat manipulates timelines by censoring posts with certain keywords, depending on the location of the user. Tomorrow, will it manipulate timelines of users to determine their reactions to different political events? Today, WeChat user data may go towards a determination of creditworthiness by a peer-to-peer lending site. Tomorrow, will WeChat user data become integrated not only into credit scoring, but also into other records, such as health and employment histories? 

Finally, and no less important, the collection of such vast stores of data makes that data a honeypot for a variety of third parties. The most visible third party is the Chinese government, which has announced a plan to roll out a “social credit” system nationwide by 2020. That system – currently being piloted by various public and private bodies, but not Tencent – would seek to produce credit scores on the basis of an individual’s social and financial behavior, including internet activity. A person’s credit score could then be used to determine eligibility for a range of public and private services, such as school admissions, travel abroad and financial products. The depth and breadth of user data generated and collected by WeChat – as well as its own inferences generated from that data – make it a rich vein to tap for the social credit system.

China is also home to a pernicious ecosystem of private data brokers. Last year, Guangzhou’s Southern Metropolis Daily published an exposé revealing how the sum of approximately $100 can unlock access to an astonishing amount of information about a person – including bank accounts, driving records, apartment rentals, hotel stays, and airline flights. The user data generated and collected by WeChat, which would encompass virtually all of this information, makes it a particularly attractive target for data brokers.

What is the solution?

Tencent is looking to expand WeChat beyond the Chinese market. And as discussed above, Western technology companies are enamored with the blueprint offered by WeChat and may seek to introduce similar features into their platforms. But rather than blindly embrace the integrated services WeChat has to offer, we should also seek to consider and challenge the myriad privacy and security concerns presented by such a platform.    

First, we must begin to recognize and confront the problem of data – our data – being generated, collected, processed, and shared beyond our consent and our control. We must further acknowledge and challenge the reality that this lack of consent and control is often by design. In the case of WeChat, users should begin to ask:

  • What is the minimum data about me WeChat can generate, collect, process, and share in order to run the services I use?
  • Can I see a record of all the data about me that WeChat generates, collects, processes, and shares?
  • Can I ask WeChat to delete all prior data about me?

Second, we must simultaneously recognize and address the insecurity of our technology, including our devices, networks, and, in this case, services like WeChat. Users should further ask:

  • How does WeChat secure the data about me it generates, collects and processes? Does it take any measures to ensure third parties secure my data shared by WeChat?
  • Can I seek redress from WeChat (and third parties) if my data is compromised?
  • Does WeChat make its software available for independent review? Does it permit its service to undergo an independent security audit?

Finally, we must recognize and confront the fact that data yields inferences and those inferences undergird decisions made by those in possession of our data. Users should ask:

  • Can I request what inferences WeChat (and third parties) are drawing from my data? What decisions are they making on the basis of those inferences? Can I challenge those inferences? Those decisions?
  • Can I request what societal-level inferences WeChat (and third parties) are drawing from the pool of user data? What decisions are they making on the basis of those inferences? Who can challenge those inferences? Those decisions?
  • Can I opt out of contributing my data to the development of inferences? If so, can I still access the WeChat services I use?
  • Can I choose to maintain my anonymity when using WeChat? Can I create multiple profiles that are not linked to one another?