China Intercepts WeChat Texts From U.S. And Abroad, Researcher Says
The popular Chinese messaging app WeChat is Zhou Fengsuo's most reliable communication link to China.
That's because he hasn't been back in over two decades. Zhou, a human rights activist, had been a university student in 1989, when the pro-democracy protests broke out in Beijing's Tiananmen Square. After a year in jail and another in political reeducation, he moved to the United States in 1995.
But WeChat often malfunctions. Zhou began noticing in January that his chat groups could not read his messages. "I realized this because I was expecting some feedback [on a post] but there was no feedback," Zhou tells NPR at from his home in New Jersey.
Chinese cyberspace is one of the most surveilled and censored in the world. That includes WeChat. Owned by Tencent, one of China's biggest companies, the chat-meets-payment app has more than 1 billion monthly users in China and now serves users outside the country, too, although it does not divulge how many. Researchers say its use abroad has extended the global reach of China's surveillance and censorship methods.
As Chinese technology companies expand their footprint outside China, they are also sweeping up vast amounts of data from foreign users. Now, analysts say they know where the missing messages are: Every day, millions of WeChat conversations held inside and outside China are flagged, collected and stored in a database connected to public security agencies in China, according to a Dutch Internet researcher.
"The intention of keeping people safe by building these systems goes out the window the moment you don't secure them at all," says Victor Gevers, co-founder of the nonprofit GDI Foundation, an open-source data security collective.
Zhou is not the only one experiencing recent issues. NPR spoke to three other U.S. citizens who have been blocked from sending messages in WeChat groups or had their accounts frozen earlier this year, despite registering with U.S. phone numbers.
"It doesn't matter where the user is, as long as I send a message to more than three people, my message cannot be seen in any group," says Stephen, a Chinese American technology professional. He declined to share his full name because he fears his criticism could draw retaliation against himself or his family by the authorities in China, where he travels often and where most of his family lives.
Stephen is baffled that he was blocked. He doesn't consider himself political. "It isn't shocking that China has that kind of censorship," he says. "The shocking piece is that China is exporting that kind of censorship to other parts of the world."
Every day, Gevers scans the Internet for vulnerabilities to find unsecured databases, and he has exposed a large number of them, particularly linked to China.
This March, Gevers found a Chinese database storing more than 1 billion WeChat conversations, including more than 3.7 billion messages, and tweeted out his findings. Each message had been tagged with a GPS location, and many included users' national identification numbers. Most of the messages were sent inside China, but more than 19 million of them had been sent from people outside the country, mostly from the U.S., Taiwan, South Korea and Australia.
Estimates of total WeChat accounts outside China are hard to come by, and the number is believed to be low — possibly in the tens of thousands — in the U.S. compared with popular networks like Facebook and its Messenger and WhatsApp platforms.
Gevers says he found patterns in the texts: Messages containing certain word combinations were archived in the database. Most of the flagged phrases were political, such as Tiananmen, the site of the 1989 protest crackdown, or Xi Jinping, the name of China's leader. Messages with such phrases sent by users in China were immediately flagged and the user information was sent to police, according to Gevers after examining the code.
He says the system resembles the global surveillance methods used by the U.S. National Security Agency.
For decades, the U.S. had unparalleled capabilities to monitor Internet traffic passing through servers within its borders. But Chinese tech companies like Tencent are now global, meaning this dragnet is believed to be sweeping up information about users from outside of China.
"I think that really raises serious questions and challenges for users but also for regulators outside China," says Sarah Cook, a senior research analyst at Freedom House, an independent democracy watchdog.
Cook points out WeChat is used internationally not just by traveling Chinese citizens, but also by politicians in democracies communicating with Chinese constituents and dissident communities. "They're communicating with somebody else who's outside of China who has WeChat, but they're still for the most part often operating under the rules that are inside China," she says.
For some, the censorship came in stages. For example, a user could be temporarily blocked, as if to encourage better behavior. Sometimes a cat-and-mouse ensues between the censors and users.
Last February, David, a Chinese American doctor who does not want to use his last name for fear of backlash against his relatives still living in China, noticed his posts on WeChat's Moments — akin to a Facebook news feed — were not going through. Undeterred, he kept sharing politically charged articles.
Within days, he couldn't send messages to any group chat: "Although I was able to read the other people's messages, when I posted my message, nobody could see it. It was like I wasn't there," he says.
David then dialed back his sharing of news articles, limiting his conversations to trivial chitchat and music-sharing. His group chat function was quickly restored. Emboldened, he began sharing his political posts in group chats, only to find himself blocked again.
"Now I am very careful [on WeChat]. I feel like this censorship has affected both my psychology and my behavior," says David. He says he has abandoned his old account and created a new WeChat account to talk to loved ones in China. He lost thousands of contacts in the process. "This is just my main connection to my Chinese friends inside and outside of China."
Tencent, WeChat's owner headquartered in the southeastern city of Shenzhen, declined to comment.
Whether China's government can compel companies to hand over data access is a key question facing the country's major technology companies as they seek a larger share of world markets. For instance, telecommunications giant Huawei is trying to build a mobile network upgrade, known as 5G, around the world and says it would refuse Chinese government requests for data access. But legal experts say national security trumps privacy in China, even if companies put up a fight. U.S. officials allege that Huawei is controlled by the Chinese government, something the company and China's government have repeatedly denied.
"It's a bit of a red herring I think to argue about what the law says or does not say," says Donald Clarke, a George Washington University professor who specializes in Chinese law. Despite economic reforms, Clarke says, "China is essentially a Leninist state in which the government does not recognize any limits on its power."
Back in New Jersey, the activist Zhou says he will continue using WeChat in spite its vulnerabilities. His work depends too much on it.
"I have to use it to communicate. I just have to know what's going on [in China]. But it is very dangerous," he concedes. "It's a natural choice. We have to use WeChat even though I know it's under surveillance all the time."
Copyright 2019 NPR. To see more, visit https://www.npr.org.