“Investigating WeChat” is a four-part series exploring the complexities and threats posed by Chinese social apps WeChat and its domestic version Weixin. In this article, Reporters Without Borders (RSF) introduces the security and privacy risks associated with the Weixin version.
Weixin, at the crossroads of a messaging app, a social media platform and a meeting app, is ubiquitous in the life of anyone residing in China. Not only does it offer a wide array of services including digital communication, online banking, gaming and others, it has even replaced cash payments in many places across the country.
To operate in the much-controlled Chinese market, WeChat proactively collaborates with the Chinese censorship and security apparatus, and has therefore become a tool used by the regime to monitor and control the population. For this reason, journalists and activists should refrain from using this platform as much as possible, or at least navigate it with caution and never use it for sharing sensitive information.
Disastrous in terms of safety
- No end-to-end encryption. Weixin’s approach to data security has consistently fallen short, primarily due to its reliance on encryption in transit (EiT) rather than the more secure end-to-end encryption (E2EE). This method exposes messages to potential surveillance and manipulation once they reach the app’s servers, significantly compromising user privacy.
- Insufficient protection from hackers. Historical data leaks underscore Weixin’s susceptibility to external threats. For example, in 2019, security researcher Victor Gevers unveiled a massive breach affecting 364 million Weixin accounts, revealing sensitive personal details like IP addresses and GPS locations. This incident highlighted the platform’s ongoing security challenges.
- Unprecedented personal data collection. Weixin’s design integrates multiple functions that manage vast amounts of unencrypted personal data, including IDs mandatory for registration, all stored on Chinese servers as per the regime’s guidelines. This centralisation of data significantly eases government access to and abuse of personal data.
Beijing’s eyes and ears
- Compulsory data sharing with the regime. Weixin’s terms, and the broader legal framework it operates within, impose extensive data sharing with the Chinese regime, including not just text but also voice messages, images, and other data.
- Strict implementation of the government’s censorship policies. Because Weixin is supervised by the Chinese regime, it implements censorship policies to the letter. The Chinese government regularly sends out lengthy lists of phrases and terms it wishes communications platforms to censor. This famously includes, but is hardly limited to, criticisms of Xi Jinping, depictions of Winnie the Pooh, Falun Gong, Xinjiang concentration camps, or mentions of the Tiananmen Square Massacre.
- Automatic deletion and reporting. Weixin operates tools that automatically delete messages containing prohibited content as soon as they arrive on servers. Weixin also uses shadow-banning, a method that consists of blocking sensitive or critical content without notifying the sender that the other party has not received it.
Main risks for journalists and their sources
- Accounts can be randomly suspended. In the name of vaguely defined “national security,” “social order,” “rumours” or “heresy,” the platform can, at its discretion, temporarily or permanently suspend users’ accounts. It can impede journalists’ work by preventing them from promoting their articles on the biggest social media app in the country, and by cutting the sometimes only channel of communication journalists maintain with some sources inside of China.
- Criminal prosecution routinely uses Weixin user data. Instances of humour or satire, or any criticism towards the government on the platform, have led to disproportionate sentencing including prison term and fines. For instance, a user in Shandong Province was sentenced to 22 months in prison for only nicknaming Xi Jinping “Xi the Steamed Bun” in 2017. In the same year, a lawyer publicly criticising the justice system was disbarred and charged with endangering national security.
- Information shared may also put sources at risk. Media workers, but also their sources, are at risk when communicating sensitive information on Weixin: as personal identifying information (PII) are transmitted and stored unencrypted on Weixin servers, they can potentially be accessed and used against them by the Chinese regime.
← Read: An introduction to social apps WeChat and Weixin
← Read Part 1: Weixin and WeChat, the terrible twins
→ Read Part 3: WeChat, China’s Trojan Horse outside its borders
→ Read Part 4: Safety advice for journalists using WeChat and Weixin
Co-written by Bence Kócsi. Bence Kócsi is an experienced freelance editor, writer, and researcher. He has been focusing on a wide range of topics including digital security, technology, historical linguistics, politics, and medicine.
Co-written by Benjamin Finn. From Houston (USA), Benjamin has been in the IT field for a decade, during which his primary focus was the deployment of internal enterprise tools across large enterprises, including cybersecurity focused efforts.
