Chinese digital applications, which are widely used in India, are seeking excessive information from consumers according to an independent study by an information security firm, stoking privacyconcerns amongst experts.
At least six of the ten most popular Chinese apps including Helo, Shareit, TikTok as well as browsers such as UC Browser, ask users to provide access to camera and microphones on their smartphones even when such access is not required, the study found.
“This is 45% more than the number of permissions requested by the Top 50 global apps,” said Sandeep Rao, co-founder of Pune-based Arrka Consulting, which studied the privacy controls of ten of the most popular Chinese apps in India across different categories like entertainment, news and shopping.
The apps that were reviewed include Helo, Shareit, Tiktok, UC Browser, Vigo Video, Beauty Plus, ClubFactory Everything, NewsDog, UC News and VMate.
The study, commissioned by The Economic Times in the second week of January, reviewed the permissions sought and data shared by these apps amongst themselves or with third parties outside India. It also covered the various permissions sought by the apps to access features on users’ phones such as contacts, camera, microphone, sensors, location and text messages.
Given the proliferation of Chinese apps in India the study focused specifically on the privacy aspects of mobile apps – namely the so-called dangerous permissions” being taken by the apps and the data being shared with external parties.
Social platform Tiktok, and UC Browser– owned by Chinese e-commerce giant Alibaba have hundreds of millions of users accessing these apps every day. UC Browser has over 130 million of its global 430 million users in India, according to the company.
The study found that on an average, these apps transfer data to around seven outside agencies, with 69% of the data being transferred to the US. TikTok sends data to China Telecom, VIgo Video to Tencent; BeautyPlus to Meitu and QQ and UC Browser to its parent owned by Alibaba.
“Most of these (agencies) are advertisers and analytics organisations. However, we don’t know how this information is being used by them,” said Rao. “Further, there are instances of information being sent to Singapore which is a hub for data centers,” he said.
ET sought comments on the findings of the study from all the companies surveyed. Detailed email queries sent last Friday to Club Factory, Shareit, Shein, VMate, elicited no response until press time on Monday. ByteDance, the owner of Tiktok declined comment.
Michael Hu, a spokesperson for UC Browser said “every permission targets to fulfill specific crucial functions and to enhance the user experience. Moreover, the permissions are controlled by the users and they get to decline or accept each request,” in an email response to ET’s queries.
In December 2017, Ministry of Defence had identified over 40 Chinese apps that could potentially harvest personal data from users and asked its personnel to remove them from their phones. Most of these apps are being used by first time users in smaller towns across India.
“Beyond third party data, where the first party data is going is something that one should be concerned about,” said Shivangi Nadkarni, co-founder of Arrka.
The study found most apps sought fine location access – to the closest metre of a person using the device, as against regular practice of a location that is within a square kilometer.
“UC Browser asks for fine location that is precise point from where a person is searching for information. I understand that (ride-hailing app) Uber or (food delivery app) Swiggy needs to know because they offer a service. Why does UC Browser need to know the precise location for a search,” said Nadkarni.
Privacy experts are also of the view that it is not just the permissions sought by apps that require review but also data harvested by smartphones sold in India. Majority of the smartphones sold in India are built by Chinese firms such as Xiaomi and Vivo.
“These handsets could potentially become challenges from the perspective of Indian sovereignty and security,” said Pavan Duggal, a cyber-law expert.
Arrka’s Nadkarni said the lack of a privacy law in India is also why companies are able to freely harvest data from Indian users.
“There is no privacy law in India today whereas in the US, there is some legal requirement and in Europe, (there) is the stringent GDPR regime,” said Nadkarni. “Right now, it is like the wild west in India. China has a security law, we don’t have one”.
Handset makers say they are working with the government to allay concerns around data security, which includes locating data in servers in India.
Xiaomi said that it was moving local users’ data to the cloud infrastructure of Amazon Web Services (AWS) and Microsoft Azure located in India from servers in Singapore and the US. It will become the first major smartphone maker to initiate such a migration amid the ongoing debate on information security.
OnePlus said that it will also relocate servers that house data of Indian consumers to India.
Vivo said that to allay consumer fears regarding data privacy and security on their phones, it would be willing to comply with any regulations set by the government. Vivo, however, said that it doesn’t deal with consumer data and has no intent to monetise and benefit from it, like apps do.