Ronald Deibert is the director of the Citizen Lab at the University of Toronto’s Munk School of Global Affairs and Public Policy

Work-from-home and self-isolation measures during the covid-19 pandemic have highlighted and amplified our dependence on technology. But have they made us more aware of the risks? Do we really know what’s going inside those apps that have suddenly become our lifeline? If you’re one of the millions of users of the social media app WeChat based outside of mainland China, our latest report shows you should beware.

WeChat is an enormously popular application owned by China-based tech giant Tencent, used by more than 1 billion people worldwide. Although WeChat hasn’t published numbers on its users outside mainland China for years, with 100 million installations of the international version of the app from the Google Play Store alone, we know the figures are substantial and growing. WeChat combines many features in a one-stop social media shop: instant messaging for private and group chats, WeChat Moments (which resembles Facebook’s Timeline) and a public account blogging platform.

As with all social media in China, however, WeChat actively censors on its platform, including around politically sensitive topics and (as we showed in a report published in March) discussions related to the coronavirus pandemic. However, our research has also shown that WeChat only undertakes censorship of users with accounts registered to mainland China phone numbers; users who register with a phone number outside mainland China are exempt from censorship. This “one app, two systems” strategy is probably intended to enhance WeChat’s appeal to users outside China who may be justifiably concerned about whether they are subject to China’s information controls.

As for surveillance, all China-based companies are required by law to share user data with China’s authorities upon request, WeChat included. But it has always been an open question whether WeChat’s surveillance extends to non-mainland-China users. Many times we have been asked, “Does the ‘one app, two systems’ approach to censorship mean non-China-registered users are exempt from surveillance, too?"

We now know the answer is most definitely “no.”

In a Citizen Lab report published Thursday, evidence from our tests shows that communications among users with WeChat accounts registered outside China are under political surveillance. Moreover, we demonstrate that they are also being used to train the algorithms WeChat uses to censor and monitor China-registered users.

We were able to confirm the political surveillance by undertaking carefully controlled experiments using two different chat conversations: a first conversation between only non-China-registered accounts, and a second conversation containing a China-registered account through which we observed changes in censorship practices. When we sent documents and images containing politically sensitive content solely among non-China-registered accounts, we observed that shortly thereafter those files were censored for China-registered users.

There are several implications of these findings. First, for the millions of WeChat users based outside mainland China, this experiment provides conclusive proof that the company is actively monitoring the images and files (and possibly more) those users share for politically sensitive content. Although all users should rethink using WeChat in light of these findings, for high-risk users based abroad, or for those discussing classified or other sensitive content, WeChat (which is also not end-to-end encrypted) is an especially risky choice.

Second, even if you weigh the risks and decide you’re still comfortable using WeChat, you should know that in using the platform you are actually helping the company improve its censorship and surveillance system to which mainland China’s users are subject. Every politically sensitive document or image you share over WeChat helps the company’s engineers beef up their algorithms and clamp down on dissent. While all users of social media are accustomed to platforms monitoring their data to refine their algorithms, to our knowledge WeChat is the only one that actively monitors content sent by one set of politically defined users to undertake censorship and surveillance of another set (in this case, users in China).

Third, our research shows a disturbing lack of transparency on the part of WeChat and its parent company Tencent. It’s the epitome of what engineers call “a black box” — data go in one end and out the other, but it’s a mystery as to what’s going on inside. In addition to our technical tests, we also analyzed WeChat’s public-facing policy documents, made personal data access requests and sent detailed questions to Tencent. Our research shows that the privacy policies and terms-of-service documents of the international version of WeChat do not adequately inform users that their data will be surveilled in this manner, let alone used to train WeChat’s censorship regime for users in China. At the time of publication, our communications to the company about our report had gone unanswered.

Such practices are the antithesis of the type of responsible social media management that users should expect at any time, and especially during a pandemic. They run contrary to app store policies and some government’s laws requiring companies to explain how they collect, process and store data. We believe these findings should prompt urgent investigations by privacy regulators and other government agencies to explore WeChat’s potential liabilities. App stores may consider removing WeChat from their listings on the basis of misleading consumers with inaccurate privacy information. Governments may decide to ban the use of WeChat altogether for national security and privacy reasons. Human rights activists, journalists and other high-risk users may want to avoid the platform entirely, or at least think twice about what they share through it.

Read more: