Club Factory is not alone: App makers often try to grab as much data as possible
“The general public are not nearly aware enough about what and how their data is used, whether it be a Chinese or American app,” says Darren Wray, the chief technology officer of data protection business Guardum. “Everyone should be very aware of what data requirements an app should have and what it's actually asking for. The difference between the two should really be concerning you,” he adds.
Many popular Chinese apps have often acted in similar ways to Club Factory, requesting as much information as possible simply because they can. “When apps have been produced by Chinese companies, they do have a bit of a tendency to gather data,” says Alan Woodward, a cybersecurity professor at the University of Surrey.
The idea of Chinese apps requesting the phone numbers of your family members as well as your precise location may be scary to some. But the fact that apps are requesting this data doesn’t always mean they’re hoovering it up and selling it on, or handing it straight to the Chinese government.
“I don't think necessarily there's anything malicious behind the people building the apps,” Woodward says.
It enables the authorities to ask technology companies nicely for help decrypting a user’s communications, using an order called a technical assistance request (TAR). FastMail, an Australian email provider that prides itself on secure email services, worried in its own letter that government access to encrypted communication would damage consumer trust.
But that’s not to say that everyone should disregard the potential danger of using Chinese software.
Some popular Chinese apps have been infested with malware which can act maliciously and hand user data to Chinese servers, as well as secretly click on ads and make premium rate phone calls to earn money. Google removed 24 of these apps from its app store in February after they had been downloaded more than 382 million times.
The Chinese government can force companies to hand over user data
More importantly, experts say a Chinese law passed in 2017 presents a potential danger to the privacy of anyone using a service run by a Chinese business. China’s National Intelligence Law allows the country’s government to compel any business or individual to hand it information on users of their product, including foreign users. These requests for data cannot be publicly disclosed and are nigh-on impossible to appeal. There’s no suggestion that the Club Factory app has contained malware or that the company has provided data to the Chinese government.
“Regardless of what the companies say, they've got to obey or they're in breach of the law and they've got to keep it secret. Put all of that together and that raises suspicion,” Woodward says.
Large Chinese technology companies have attempted to dispel concerns around this law by publicly pledging to refuse Chinese government requests for data. Theo Bertram, TikTok's head of public policy in Europe, said last month that the company "would definitely say no to any request for data" originating from China.
Huawei has also pledged never to hand over customer data to the Chinese government and has offered to sign “no spy” agreements with several countries.
I was alarmed when I learned in 2017 that the company had begun moving forward with the development of a new version of a censored Search product for China, codenamed “Dragonfly.” But Dragonfly was only one of several developments that concerned those of us who still believed in the mantra of “Don’t be evil.” I was also concerned that Cloud executives were actively pursuing deals with the Saudi government, given its horrible record of human rights abuses.
The structure of the Chinese political system is also a key consideration for experts assessing the risk of Chinese software. Large Chinese businesses are required to have Communist Party committees inside them, although these companies say they serve no operational role. Both ByteDance and Huawei have party committees inside them.
Security experts say it’s unfair to equate all Chinese software with malicious apps that include malware and gather data, but the country that a service is run from is relevant when you look at whether its laws can give a government easy access to data.
“Where data ends up residing is a big thing,” Wray says. “A Swedish company would be operating within the same legal bounds as a London-based company or a French company. Whereas when you go to China, the regulatory framework is obviously very different.”