The report, “Privacy and Security Issues in QQ Browser,” shows how two versions of the browser scoop up information — including things like hard drive serial numbers and nearby WiFi access points — and transmits personally identifiable data without encryption, or using what the researchers called “easily decryptable encryption.” The software updating processes also have vulnerabilities that leave them susceptible to attacks, the study says.
Two previous reports by the same research center found serious — and strikingly similar — security flaws in browsers owned by two other Chinese tech giants, Alibaba and Baidu. While the authors won’t rule out the possibility that it's all a coincidence, they say it's more likely some combination of lax industry norms and pressure from Chinese authorities.
"When you see it once, you say, 'okay, poor design,' and twice, with Baidu browser, you say 'coincidence,' " said Ron Deibert, director of the Citizen Lab and an author of the report, "But three times? This is beginning to look like a pattern."
“Whether it is poor design or surveillance by design, the effect on the user is the same: privacy and security are at risk.”
That is particularly worrisome given that we know, thanks to the leaks by former National Security Agency contractor Edward Snowden, that governments can use these vulnerabilities to track and target people.
A document prepared in 2012 by Canada’s signals intelligence agency, the Communications Security Establishment, and later leaked, noted vulnerabilities in UC Browser, a mobile browser owned by Alibaba. The Five Eyes intelligence alliance, which includes Canada, Australia, New Zealand, the United Kingdom and the United States, used the browser’s vulnerabilities to track users.
Intrigued, the Citizen Lab took a closer look at one of China's most popular mobile browsers. In May it published a detailed report that found serious security and privacy problems in UC Browser. A second study published in February this year zoomed in on Baidu's browser and found similar issues. (You can read Baidu’s detailed response to those findings, here.)
The latest study makes two "potentially troubling" findings about QQ Browser, according to lead author Jeffrey Knockel, who is senior researcher at the Citizen Lab: First, the browser is collecting what he calls a "pathological" amount of user information. Second, that information is then being sent back to the company's servers "without any concern for privacy at all."
That could very well put people who use QQ browser, including those living outside of China, at risk of the kind of snooping Western intelligence agencies did with UC Browser, Knockel said. Given what we know about the Chinese government's online surveillance and censorship practices, and its ongoing campaign against Communist Party critics, that could be dangerous.
"We have to ask, why are they collecting all this info? Why do you collect the hard drive serial number of the device? How does that help your marketing? Deibert said. "In a context like China, where we know the government can get that data, people are really at risk."
Tencent does not seem to think so.
On Feb 5, the Citizen Lab team disclosed its security findings via the company's Security Response Center, an online forum. It also sent a letter to the company asking for additional information within 45 days.
Though it appeared that some updates were made in response to their disclosure (the exchange is detailed in the report), as of Monday morning the Citizen Lab said it had not received a response to the letter.
In an email reply to questions from The Washington Post, Tencent acknowledged the Citizen Lab's report and letter and said it "appreciated" the work. It also insisted absolutely no users were affected by the security vulnerabilities identified in the report. (It did not say how it ruled out the possibility of any breach.)
"Tencent is committed to high standards of security and protection of user privacy and has always treated it as a key priority," it wrote. Identifying and resolving "glitches" is part of its "constant process of review and improvement of products."
Tencent said it had "investigated and resolved" concerns identified in the Citizen Lab report. "Though no users were affected, we are still encouraging all users to download the latest version."
Xu Jing reported from Beijing.