WeChat Surveillance Explained - WeChat Allegedly Monitoring

WeChat Surveillance Explained - WeChat Allegedly Monitoring
Content List

Explaining WeChat Surveillance:

The findings of the Citizen Lab's WeChat surveillance investigation are summarised in this document, along with questions and answers from the research team.

The Citizen Lab released a paper detailing how WeChat (China's most popular social media platform) monitors photographs and files exchanged on the site and utilizes the data to train censoring algorithms. This paper contains a summary of the research findings as well as the research team's questions and responses.

Important Points to Remember

WeChat monitors non-China-registered accounts and utilizes their messages to train censoring algorithms that will be deployed against China-registered accounts.

Censorship on WeChat is only enabled for users with accounts registered to mainland China phone numbers, according to a previous study. Users outside of China may believe that the political restriction and monitoring mechanism on WeChat does not affect them. However, a new study shows that files and photographs sent by WeChat users with accounts outside of China are susceptible to political monitoring and that this content is used to train and improve the filtering system used by WeChat to censor China-registered users. Only our technical tools can inform us whether data and photographs posted on WeChat are being monitored. We don't know if the text of chat messages is being monitored in the same way. Users should be informed that this is a possibility in the meantime.

WeChat Surveillance Explained - WeChat Allegedly Monitoring


Both monitoring and censorship go place behind users' backs, with little transparency.

According to our findings, both China-registered and non-China-registered accounts are subject to content surveillance. It is functionally impossible to identify content surveillance between users of accounts registered outside of China.

WeChat's public policy documents, personal data access request processes, or privacy officers make no mention of the company's monitoring activities.

We examined WeChat's public-facing policy documents, submitted personal data access requests, and emailed Tencent data protection representatives with comprehensive queries. These methods were employed to see if they could uncover or explain the monitoring activities we discovered, as well as whether WeChat staff would explain the company's policies if asked directly about them. None of these approaches offered a clear explanation or description of the surveillance we discovered during our tests.

The Research Team's Questions and Answers

On WeChat, how does censorship work?

We previously discovered that users with accounts tied to mainland China phone numbers are subject to keyword and image filtering on WeChat.

WeChat controls content server-side, which means that all censorship rules are stored on a remote server. When a message is transmitted from one WeChat user to another, it passes via a server run by Tencent (WeChat's parent company), which checks to see if the message contains any blacklisted keywords before sending it to the intended recipient.

When a message is censored, neither the sender nor the receiver receives any notification. A chat between two China-registered accounts is shown in the screenshot below. One user attempts to submit the term "(falun gong) but gets blocked. Neither user receives a notification that the message has been blocked.

Figure 2: A user attempts to submit the keyword "" (falun gong) but is blocked. Neither user receives a notification that the message has been blocked.

What's the difference between a China-registered account and one that isn't?

A WeChat account that was originally registered to a mainland Chinese phone number is known as a China-registered account. Any WeChat account that was not originally registered to a mainland Chinese phone number is referred to as a non-China-registered account (for example an account registered to a Canadian or the United States phone number). China-registered accounts are subject to censorship and are bound by the terms of service in China (particularly Shenzhen). Even if a China-registered account is later paired with a phone number outside of China, censorship continues. Non-China-registered accounts are subject to terms of service that are not governed by Chinese law (specifically in Singapore). While non-China-registered accounts were not found to be subject to political censorship in previous research, our latest findings show that documents and images sent from these accounts are still subject to political surveillance and that this content is used to invisibly build up WeChat's censorship system for China-registered accounts.

How did you find out that accounts that were not registered in China were being monitored?

Someone wondered if non-China-registered WeChat users were safe from political surveillance as long as they didn't communicate with China-registered users. We stated that "we think they are also free from surveillance" because we understood that messages between such users were not subject to political filtering. However, we wondered, "How can we assess this?" Surveillance is rarely carried out in a vacuum, and it can be utilized to facilitate future restrictions. We already knew how image and document monitoring is used to automate censorship on WeChat based on past studies. The tricky part was that non-China-registered users were not subject to censorship, so we had to use two different chat conversations to see if they were under surveillance: one with only non-China-registered accounts to trigger surveillance and another with a China-registered account to measure changes in censorship. We noticed a rise in censorship in the second chat after sending politically sensitive content in the first, showing that the first conversation was under WeChat monitoring despite being among exclusively non-China-registered accounts.

WeChat analyses, flags, and stores sensitive files in what ways?

Sensitive text is scanned into documents. The total image is visually compared to a blacklist of known sensitive images, and sensitive text is scanned. If these files are considered to be politically sensitive, their MD5 hash (a form of digital fingerprint) is tagged, indicating that WeChat will save the hash and use it to filter these files more efficiently in the future.

WeChat uses MD5 hashes to instantly identify information that has been classified as sensitive by the app. What is an MD5 hash, exactly?

Consider it as a digital fingerprint. When you run a file through the MD5 algorithm, it generates a fingerprint, or "hash." A hash is a fixed-length string of bits. In principle, finding or creating files that produce the same hash should be challenging. However, there are flaws in the MD5 method that make this easy to replicate, and we can take use of these flaws in our research. We can analyze WeChat's surveillance system by producing two different photos with the same hash - one politically sensitive and the other benign. Politically sensitive photographs are censored when sent between accounts registered outside of China, but politically neutral images with the same hash are censored when sent between Chinese accounts. These innocuous photographs would not normally be labeled as sensitive, demonstrating that communications between accounts registered outside of China are being monitored.

The process of mapping a file (such as a document or a picture) to an MD5 hash is depicted in the graphic below. Two different photos are fed into a cryptographic hash function in this example, yielding two distinct MD5 hashes.

What are the research's limitations?

Our technical tools can only tell us if photographs and papers are being monitored, which is a limitation. We don't know if the text of chat messages is being monitored in the same way. Users should consider this is a possibility in the meantime. Another drawback is that our study took place over several months. Although we regularly detected political surveillance between non-China-registered users over that period in our measurements, we don't know if this surveillance was just allowed during our trials. It's possible that this pattern of conduct dates back years and has always existed on WeChat.

What does this entail for users who aren't registered in China?

Outside of China, WeChat users may believe that the platform's political restrictions and monitoring methods have no impact on them. Our research reveals that by using WeChat, users are not only putting their files and photographs under political scrutiny, but their content is also being used to train and improve the censorship system that WeChat employs to censor China-registered users.

Do these findings imply that WeChat's international users are being monitored by the Chinese government?

Under China's Cybersecurity Law, information obtained or retained by Chinese firms is subject to disclosure to the Chinese government for national security and criminal investigative purposes. WeChat users in China are bound by Chinese terms of service and privacy policies, whereas overseas users are bound by Singapore terms of service and privacy policies. Our study was prompted by a desire to learn how communications between WeChat's foreign users–who are governed by Singapore-based terms of service and privacy policies–might be shared with WeChat offices in China or other Chinese companies. In other words, we wanted to know if international users' communications were safeguarded from the kind of surveillance that China-based users are subjected to regularly.

Our research shows that communication between overseas WeChat users contributes to a censorship mechanism that is used to censor China-registered users. However, our investigation did not uncover if Tencent is sharing the conversations of international WeChat users with the Chinese authorities. While our research shows that overseas WeChat users are subject to content surveillance, we don't know for sure what is being monitored, what the full scope of the monitoring is, or with whom the monitored data is shared.

Isn't content monitoring something that all social media firms do? What makes WeChat's approach unique?

We claim that WeChat users are being watched because of the type of content being reviewed – specifically, politically sensitive stuff in China. This includes information that is critical of the Chinese government or its policies, as well as content that calls for the government to recognize human rights or mourns the deaths of human rights activists. WeChat's content monitoring differs from that of other platforms not only in terms of what is monitored but also in terms of how the monitoring system is trained and deployed selectively. Our findings show that content supplied by non-China-registered accounts is subjected to political scrutiny and is utilized to build up WeChat's filtering mechanism for China-registered accounts covertly. To our knowledge, WeChat's surveillance system is the only one among social media firms' monitoring systems that watch content supplied by one group of users to improve the surveillance and censorship of another set.

How do these findings contribute to our knowledge of China's digital censorship?

To our knowledge, this is the first study of its sort to give technical evidence that WeChat – a worldwide app — performs surveillance on international users and uses that information to extend its censoring capabilities by targeting China-registered users. Previous research on Chinese digital censorship has primarily focused on how censorship works and what types of content are restricted. Our findings are especially important in light of Chinese enterprises' global expansion, which must strike a balance between delivering an engaging experience to attract foreign customers while also limiting politically sensitive content due to domestic regulatory pressure.

What is the extent of China's censorship?

China has a complex censorship system that includes limitations on the Internet, apps, and media.

All Internet platforms operating in China must adhere to local content control rules and regulations. Companies that supply these services are held responsible for the material on their platforms, and if they do not follow content standards, they face fines or lose their business license. The content requirements are vaguely stated, which makes this system complicated. Posting content that "disrupts social order and stability," for example, is prohibited, although it's unclear how that assessment is reached. Corporations may receive general orders during politically sensitive occasions, but according to our research, there is no centralized list of phrases that companies are required to suppress. As a result, businesses must decide how to implement censorship and what content to filter to stay within the government's wide standards and directions.

WeChat frequently censors information during sensitive times, such as the death of Liu Xiaobo, the 19th National Communist Party Congress, and, most recently, the coronavirus outbreak, according to a past study.

What are the legal ramifications of these findings? Isn't it the responsibility of privacy policies to alert users about this kind of monitoring?

Apple and Google, for example, require developers to include privacy rules with their apps. In many jurisdictions, corporations must also explain how they acquire, analyze, and store data. According to our findings, WeChat International's privacy policies and terms of service materials do not effectively warn users about how their data may be used.

In some places, privacy regulators may have grounds to punish the corporation for misrepresenting users as a result of this failure. Fines might vary from hundreds of thousands to millions of dollars, depending on the agency. Residents in other jurisdictions, such as Canada, could file a complaint with their federal privacy authority, which could then make non-binding recommendations to the corporation on how to improve its services.

App store owners such as Apple and Google may potentially take action and remove the app from their stores if it is found to be misleading consumers and providing erroneous privacy information.

Finally, government committees may look at how WeChat has incorporated content surveillance onto its app. The results of such investigations might include banning the service from certain government departments or even forcing app shops to remove it from their stores due to national security concerns.

What is the relationship between this study and prior Citizen Lab research that found WeChat restriction of COVID-19 content?

COVID-19-related content was widely prohibited on WeChat, according to our previous research on the platform's censorship. The COVID-19 censorship impacts all China-registered accounts regardless of where the users are physically located because to WeChat's "one app, two systems" censorship design.

We illustrate in our most recent study that WeChat's information control extends beyond China-registered accounts and that WeChat employs monitoring among non-China-registered accounts. Even though we did not sample or analyze COVID-19 content in our newest research, our findings show that WeChat could potentially employ COVID19-related conversations among overseas users to increase its domestic censorship list.

In prior research, we identified WeChat COVID-19 censoring, as shown in the screenshot below. A user tries to send messages with the censored keyword combination "(US Center for Disease Control) and "(US Center for Disease Control) (coronavirus). Because the mails contain the censored keyword combination, the person with the China account does not receive them.

We investigated how WeChat performs monitoring among overseas users in this research. We'll keep an eye on WeChat's surveillance of non-China-registered users' photographs and documents, and we'll look into how such monitoring might apply to other media like chat message text.

What are your research plans for the future?

We investigated how WeChat performs monitoring among overseas users in this research. We'll keep an eye on WeChat's surveillance of non-China-registered users' photographs and documents, and we'll look into how such monitoring might apply to other media like chat message text.

WeChat's Background and Previous Research

With 1.15 billion monthly active users as of late 2019, WeChat (Weixin in Chinese) is one of the most popular social networking apps in China. WeChat has stopped revealing the number of overseas users since 2013. According to the most recent data available, the app has over 100 million international users. Tencent, one of China's top technological giants, owns and operates the app.

Instant messaging (e.g., one-to-one private chat, group chat), WeChat Moments (a feature similar to Facebook's Timeline where users can share text-based updates, upload images, and share short videos or articles with their friends), and the Public Account platform are all available on WeChat (a blogging-like platform that allows individual writers as well as businesses to write for general audiences).

WeChat users with accounts registered to mainland China phone numbers can be censored, according to previous Citizen Lab research. The platform's censorship is fluid, responding to current events such as the National Communist Party Congress and the start of COVID-19.

WeChat is allegedly spying on its international users.

WeChat users in China are subject to censorship and surveillance, but overseas accounts appear to be no longer safe.

WeChat, China's omnipresent social networking software, reigns supreme in the country, with features ranging from chat to mobile payment that meet users' current needs.

With over one billion active monthly users globally, it has an unequaled user base among the Chinese diaspora and netizens across Taiwan and Southeast Asia.

However, if recent suspicions of Chinese surveillance of the app's international users are true, that huge expansion could begin to decelerate.

In a new study paper, the Citizen Lab at the University of Toronto asserts that WeChat uses systematic algorithms and a specific task force to monitor everything emailed, posted, and shared by the app's international users.

According to Citizen Lab, these WeChat users may be collateral targets, as the primary intent may be to tighten control of messages aimed at mainland Chinese netizens.

According to Citizen Lab, the system assigns a digital signature to anything deemed sensitive based on keyword searches, while data analysis analyses information to determine whether it should be added to a blacklist for further scrutiny.

The covert content filtering involves screening messages, photographs, files, and links sent or posted by WeChat users in other countries, as well as the censoring of any content deemed inappropriate if a cautionary flag is raised.

Citizen Lab claims that anything on the censorship list will not be shared on WeChat's mainland edition. According to the company, the technique is being designed to control the Internet and censor communications between WeChat users at home and overseas.

The surveillance was reportedly prompted by the fact that an increasing number of Chinese students and vacationers studying and vacationing abroad may have joined connections on the app who are from Hong Kong, Taiwan, or other parts of the West and converse about sensitive themes.

Tencent, the Shenzhen-based internet behemoth whose market capitalization is routinely among the world's top 10, has been coy about the app's international version until now. The corporation, no doubt, wants to reassure its global users that Beijing's censorship does not affect them.

Even though the topics may be regarded as sensitive or politically incorrect in Beijing's eyes, messages or content shared by accounts registered outside of mainland China are usually not blocked or monitored. This includes criticism of Beijing's handling of the Covid-19 outbreak as well as its repression of whistleblowers.

Anti-government protests in Hong Kong last year morphed into an open revolt against Beijing's authority over the former British colony, Taiwan's presidential election in January, in which the independence-learning incumbent Tsai Ing-wen won a second term, and anti-China sentiment spreading in response to the coronavirus pandemic are all touchy subjects in China.

Users in Hong Kong and Taiwan have long wondered why they may post photographs and links about protests and elections on Moments, WeChat's bulletin, and sharing page, but their mainland Chinese contacts couldn't view them.

Citizen Lab could not say whether the Chinese government censors pore through chats and messages on WeChat's international edition firsthand, or if Tencent is reportedly doing it at the behest of authorities.

When it comes to the governance of China's cyberspace, a Tencent official recently stated that the company's business in mainland China, including its core WeChat activities, must be on message with the government.

The latest findings of Citizen Lab, published in a paper titled "We Chat, They Watch," will stoke fears that WeChat is putting its abroad users in the same censorship straitjacket that previously solely applied to mainland netizens.

If users were not concerned before, they should be now, according to Ron Deibert, director of the Citizen Lab, and re-evaluate the hazards of using the app. He also emphasized the moral issue of international WeChat users being complicit in Beijing's desire to restrict free speech among Chinese citizens.

"I would encourage overseas users to reflect that by using this site, you are essentially contributing to the strengthening of China's digital repression," he stated.

According to claims from 2018, a Shenzhen public security agency kept a specialized staff next door to Tencent's headquarters to intercept, monitor, and back up messages and conversation history of any WeChat user in real-time, regardless of whether the user was online or not. According to the reports, government agents can access every user's profile as well as their friends' profiles via WeChat's back-end systems.

Tencent has stated that chat data will only flow via their servers "to be sent to the users you have chosen to send communications to." WeChat's user agreement, on the other hand, states that the app maintains the right to use its users' personal information and material "for providing, marketing, and developing WeChat and our other services."

On its corporate website, the tech behemoth states that privacy is at the heart of its services, and that access to users' data is strictly governed by appropriate laws and regulations, but it's unclear whether this refers to Chinese laws or laws in the country where the app is being used. Tencent claims that all of its products and services are designed to protect users' personal information.

Users may simply manage how much of their data is gathered, used, and shared with the firm's products and services, including WeChat, according to the company. WeChat has received TrustArc and ISO/IEC 27018 accreditations, as well as CISPE and ISO 27701 accreditations from Tencent Cloud.