Hundreds of millions of Android smartphone users have downloaded photo-collage, karaoke and video-chat apps that send location data and other identifying details back to servers in China, a new report has found.
The information is collected by Chinese search and advertising engine giant Baidu, which collects users' GPS co-ordinates, names of nearby wireless networks and a unique device number that can be used to identify a person's phone, according to findings contained in a new report from The Citizen Lab at the University of Toronto's Munk School of Global Affairs.
That information is stored on Baidu servers. The company says it gives Chinese authorities access to its data in accordance with local laws.
But placing such material in government hands could provide a detailed picture of a person's movements and contacts, potentially threatening those who anger the Chinese state, such as human rights campaigners or democracy activists, said Ronald Deibert, the lab's director.
"That is obviously the ultimate and most serious risk," he said.
"The collection of all that fine-grained, detailed information is either poor engineering choices, or this is surveillance by design," he said. And, he added, "don't forget – none of that data disappears."
Baidu does not collect such information from Apple devices. But disclosure of the Chinese company's tracking comes as the iPhone maker faces off against the U.S. Federal Bureau of Investigation, which has demanded Apple help crack the lock on an iPhone used by San Bernardino mass shooting suspect Syed Farook.
Mr. Deibert said Baidu's practices illuminate the privacy battle at the heart of that dispute.
"It's an important public policy threshold now that I think is being crossed," he said.
"We're building a kind of digital house of cards here, and I don't think people fully appreciate just how much information is being given away as part of our daily routine."
The Baidu information tracking is built into the Beijing company's Web browser for Android, as well as apps that use the software development kit for its Baidu Mobile Tongji, which allows Android app makers to track analytical data. Thousands of apps use the service, some distributed worldwide through the Google Play store.
One, ES File Explorer File Manager, claims more than 300 million users and can be used in more than 30 languages.
A Windows Web browser made by Baidu went further, tracking hard drive serial numbers and Web browsing histories – but only a tiny number of users have that browser.
When The Citizen Lab first began looking at the Baidu data collection, it discovered that much of the information was transmitted either without encryption, or in ways that could easily be decrypted.
Mr. Deibert's team sent its findings to Baidu in late November, and the company quickly responded, updating its Android Web browser to what spokesman Kaiser Kuo called "the absolute strictest standards, to basically undecipherable encryption." That work is "basically done," Mr. Kuo said Wednesday.
Encryption on the Mobile Tongji software development kit was also upgraded in December, he said, although Mr. Deibert said checks by his team a week ago found "no fixes."
Baidu has not, however, changed the type of information it stockpiles.
"As far as what data is used, there are perfectly good reasons for developers to need to know a lot of stuff – it's for them to be able to provide a better user experience," Mr. Kuo said. In China, he said, it's also "quite standard" to harvest the 15-digit International Mobile Station Equipment Identity, a unique number that can pinpoint a particular smartphone no matter what apps or online accounts a person uses.
"We don't collect more than most people," Mr. Kuo said.
But one Chinese marketing group, in an online post made in 2013, pointed to Baidu's information collection as one reason to use it, saying "Baidu tracks each individual user, allowing you to see all the pages they visited," a capability Google does not provide.
Google's own analytics software bans the uploading of information that can "personally identify an individual … or data that permanently identifies a particular device."
The Baidu-made software appears to be "sending many critical bits of data," said Nate Lawson, founder of app analytics firm SourceDNA. Developers might want some of that information to spot coding problems. "But the result for end users is a loss of privacy," he said.
The Baidu revelations come amid the global rise of Chinese Internet giants, who are headquartered in a country that severely censors and monitors its online space.
Companies in China, South Korea and Vietnam are behind the most popular apps using the Baidu software. None replied to e-mails sent by The Globe and Mail.
The erosion of smartphone privacy has grown into a major concern for companies and governments whose employee devices can siphon off information that may be sensitive or classified.
On Tuesday, San Francisco-based Appthority released a report that found 100 per cent of the most common apps on corporate smartphones "have data leakage and privacy invasive behaviours." Some smartphone apps go far beyond the Baidu software, exporting text messages, address books and calendar information. Advertisers seeking to profile buyers can profit from this information, but so can scammers and intelligence agencies.
China now ranks among the top national destinations for such transmissions, said Domingo Guerra, president of Appthority, which has analyzed over 3.5 million mobile apps.
Baidu calls the data it obtains "anonymous identifiers," but in other countries it is classified as "personally identifiable information," Mr. Guerra said.
Smartphone apps, often a Frankenstein mix of different software elements from different places – some to push ads, some to report program crashes – have created thorny transnational problems, he said.
"It's really a new frontier, in the sense that a lot of the privacy laws and Internet privacy laws that we have don't necessarily apply to mobile very well," Mr. Guerra said.