“Investigating WeChat” is a four-part series exploring the complexities and threats posed by the Chinese social app WeChat and its domestic version Weixin. In this article, Reporters Without Borders (RSF) outlines the main characteristics of these apps and provides journalists with recommendations for usage.

WeChat (and its domestic version Weixin), an app developed by Chinese tech company Tencent, is the second most widely used messaging app in the world. It offers messaging, social media, payment, web browsing and much more, and has over the past decade become an indispensable part of life for Chinese people. For journalists, WeChat is an essential tool to communicate with their sources inside the People’s Republic of China. But WeChat is simply unsafe to use and is routinely used by the Chinese state for censorship and surveillance purposes. Here is a summary of what the app is, what it does, and what users can do to protect themselves.

Security and surveillance concerns

  • Encryption and security shortcomings. The apps use Encryption in Transit (EiT), which protects messages only on their way to the server, where they can be decrypted. This contrasts sharply with the more secure end-to-end encryption used by platforms such as Signal and WhatsApp. Historically, WeChat has experienced numerous data breaches, exposing sensitive user information like names, government IDs, phone numbers, and addresses. These breaches highlight the platforms’ insufficient security measures and the potential risks to user privacy.
  • Government oversight and censorship. Both apps operate under the stringent surveillance and censorship mandates of the Chinese government. Tencent, the parent company, has established strong ties with the Communist Party, facilitating extensive monitoring and control over communications. This includes real-time censorship of texts and images and the monitoring of voice calls and videos. Notably, the government often accesses user communications without their knowledge, leading to legal actions against users for seemingly trivial offences.

A global threat

  • Blurred lines between domestic and international operations. In 2013, Tencent attempted to differentiate WeChat for international users from Weixin, its domestic counterpart, ostensibly to shield international users from Chinese state surveillance and censorship. However, this separation is not as distinct as it appears. The core functionalities and the underlying architecture of WeChat and Weixin remain interconnected, suggesting that surveillance and censorship capabilities extend beyond Chinese borders. This integration means that international communications involving Weixin users are subject to Chinese jurisdiction, affecting even those who use WeChat outside of China.
  • Data storage and jurisdiction concerns. For international users, certain data, including messages sent for in-app translation and web browsing history, are stored on servers in China, falling under Chinese legal jurisdiction. This exposes users to potential surveillance and data access by Chinese authorities, regardless of their location.

Recommendations for safe usage

  • Utilise a secondary device. Journalists should operate WeChat on a secondary device that does not contain any sensitive or identifying information, and which is kept physically and electronically separate from other devices.
  • Enhance anonymity. One should register with a non-Chinese phone number to increase anonymity, and avoid linking WeChat to any personal social media accounts or using real names.
  • Implement strong security practices. Upon downloading WeChat, users should limit the app’s permissions, maximise security settings, use a strong and unique password, and be cautious of accepting connection requests from unknown individuals.
  • Use encrypted communication. If transferring sensitive files, one should encrypt them on a different device before sending them via WeChat or Weixin. Recipients must receive decryption keys through a secure, separate channel that is not on the app.

 

Read Part 1: Weixin and WeChat, the terrible twins
Read Part 2: Weixin in China, Big Brother is watching you
Read Part 3: WeChat, China’s Trojan Horse outside its borders
Read Part 4: Safety advice for journalists using WeChat and Weixin

Co-written by Bence Kócsi. Bence Kócsi is an experienced freelance editor, writer, and researcher. He has been focusing on a wide range of topics including digital security, technology, historical linguistics, politics, and medicine.

Co-written by Benjamin Finn. From Houston (USA), Benjamin has been in the IT field for a decade, during which his primary focus was the deployment of internal enterprise tools across large enterprises, including cybersecurity-focused efforts.