“Investigating WeChat” is a four-part series, exploring the complexities and threats posed by Chinese social apps WeChat and its domestic version Weixin. In this final article, Reporters Without Borders (RSF) outlines proactive steps journalists can take to minimise risks while using Weixin and WeChat.

Using Weixin or its international clone WeChat inevitably is inherently dangerous for journalists as it exposes them and their sources to Chinese regime’s surveillance. However, some reporters might still need to use this app to communicate with sources or relatives inside China. When avoidance is not an option, some measures exist to mitigate these risks. Below are the most common:

Account set-up

  • Install on a dedicated device. Use a secondary device specifically for WeChat to minimise the risk of broader digital identity exposure and to keep sensitive information secure. Ensure this device does not contain other messaging apps or personal accounts.
  • Favour using a non-Chinese SIM card. Utilising a foreign SIM card can help obscure a journalist’s location who may live in or visit China, and they will be subject to a lesser level of censorship. However, using a Chinese +86 phone number immediately subjects the journalist to Weixin policies, functioning under Chinese domestic laws.
  • Setup a login password. Always log out when not using WeChat and ensure logging back in requires a password to enhance security. This measure helps protect against unauthorised access.
  • Perform regular updates. Keeping the app updated helps secure it against vulnerabilities that could be exploited by malicious entities, not just state surveillance.

User data management

  • Disclose as little personal information as possible. Although it is now mandatory to verify one’s ID to set up an account, journalists can put as little personal information as they can when setting it up. This strategy is crucial, for a journalist but also for the sources they communicate with on the app, especially if WeChat later flags one’s account for activities it deems inappropriate.
  • Restrict apps’ permissions. Limiting the apps’ permissions can significantly reduce the data it can access. Adjust visibility settings to maintain a lower profile on the platform, and always turn off location services to prevent tracking.
  • Backup important information. Regularly back up important data to another device to prevent loss from unexpected account deletions, as the lines to define “inappropriate content” are blur and hard to predict when one’s account could be suspended or deleted.

Censorship and surveillance mitigation

  • Anticipate censorship. Be aware of the potential for censorship and surveillance on WeChat. Certain precautions can help identify if communications are being censored, such as confirming message receipt or numbering messages for consistency checks.
    Encrypt messages through other apps. This, to be done in advance through other apps, adds an additional layer of security, safeguarding one’s communications from surveillance and potential censorship despite the security vulnerabilities of the app. 
  • Use format tricks. Using images or voice notes might evade immediate text censorship, and using non-conventional forms of communication like screenshots can sometimes circumvent WeChat’s automated censorship mechanisms.
    Speak with hidden meaning. Journalists are encouraged to develop agreed-upon codes or indirect language that embed meaningful information within innocuous conversation, to evade detection while still communicating sensitive information discreetly with their sources or relatives.

 

← Read: An introduction to social apps WeChat and Weixin
← Read Part 1: Weixin and WeChat, the terrible twins
← Read Part 2: Weixin in China, Big Brother is watching you
← Read Part 3: WeChat, China’s Trojan Horse outside its borders

Co-written by Bence Kócsi. Bence Kócsi is an experienced freelance editor, writer, and researcher. He has been focusing on a wide range of topics including digital security, technology, historical linguistics, politics, and medicine.

Co-written by Benjamin Finn. From Houston (USA), Benjamin has been in the IT field for a decade, during which his primary focus was the deployment of internal enterprise tools across large enterprises, including cybersecurity focused efforts.