Chinese governments has warned 222 apps to remove data slurping code

Three weeks after a data privacy protection law has entered into effect in China, the Beijing government has begun warning mobile app developers to remove intrusive data slurping code that collects unnecessary user information beyond an application's primary scope.

The new Personal Information Protection Law was drafted last fall and approved earlier this year in March, entering into effect on May 1, 2021.

The law follows a simple principle—namely that an app or website must collect only the user information they strictly need to achieve their primary functions.

Any collected data that is not used to deliver an app or website feature is considered unnecessary and opens the door for the Chinese government to impose giant GDPR-like fines of up to 50 million yuan ($7.77 million) or 5% of a company's annual revenue.

Tech companies have been warned in March

To help tech companies put their affairs in order, the Cyberspace Administration of China (CAC) published in March a guideline with what type of information apps were allowed to collect, based on 39 categories:

  1. Map navigation: location information, place of departure, and place of arrival.
  2. Taxi & ride-hailing: phone number, payment information, location data (departure place, arrival place, and passenger pick-up location).
  3. Instant messaging: phone number, contact list.
  4. Online communities, blogs, forums: phone number.
  5. Online payment: phone number, name, ID type, ID number, ID validity period, bank card number.
  6. Online shopping: phone number, name, address, payment information.
  7. Food delivery: phone number, name, address, payment information.
  8. Mail and delivery: sender's name, ID details, address, and phone number + recipient's name, address, and contact number + name, nature, and quantity of the items to be delivered
  9. Transportation ticketing: passenger types, names, ID numbers, phone number, departure place, destination, departure time, train number/ship number/flight number, seat type/class, seat number (if any), license plate number, and license plate color.
  10. Online dating: phone number, sex, age, and marital status.
  11. Job searching and recruiting: phone number and resume.
  12. Online lending: phone number, borrower's name, ID type and number, ID validity period, bank card number.
  13. House rental/sale: phone number, housing address, area/house type, expected price or rent.
  14. Used car sale: registered user's phone number, purchaser's name & ID details, seller's name, ID details, vehicle driving license number, and vehicle identification number.
  15. Online consultation: user's phone number, patient's name, ID type and number, hospital and department of the appointment, medical condition description.
  16. Travel: traveler's name, ID details, phone number, destination, travel time, and contact information.
  17. Hotel service: user name, phone number, contact information, hotel name, check-in and check-out time.
  18. Online games: phone number.
  19. Learning and education: phone number.
  20. Local life, housekeeping, home decoration, trading of local services:  phone number.
  21. Women's health: services can be used without personal information.
  22. Car service, car sharing, car rental, bicycle sharing: phone number, ID details, driver's license details, payment info, location data.
  23. Investment and financial management: name, phone number, ID details, ID photocopy, account details, card details.
  24. Mobile banking: name, phone number, ID details, ID photocopy, account details, card details, and when sending money, the payee's name, bank account, and card details.
  25. Email, cloud storage: phone number.
  26. Remote conferencing: phone number.
  27. Webcasting: services can be used without personal information.
  28. Online audio or video streaming: services can be used without personal information.
  29. Short videos: services can be used without personal information.
  30. News: services can be used without personal information.
  31. Sports and fitness: services can be used without personal information.
  32. Browsers: services can be used without personal information.
  33. Keyboard apps: services can be used without personal information.
  34. Cyber-security: services can be used without personal information.
  35. E-books: services can be used without personal information.
  36. Image editing: services can be used without personal information.
  37. App stores: services can be used without personal information.
  38. Practical tools (calendar, translators, calculators, etc.): services can be used without personal information.
  39. Entertainment and ticketing: user's phone number, seating details, performance details, payment information.

Beijing starts enacting its new law

But as soon as the law came into effect on May 1, the Chinese government wanted to send a signal to its tech sector that they were intent on enacting its new user privacy restrictions.

On the same day, the CAC issued its first warning, naming 33 applications—15 keyboard apps, 17 map navigation apps, and an instant messaging client—that have been observed collecting too much user information.

The CAC issued a second warning a week later, on May 10, when it put another 84 applications on notice, this time 36 cybersecurity and 48 online lending apps.

Today, the CAC issued its third warning. The bulkiest one yet, this one listed 105 apps, naming 19 short video apps, 34 web browsers, 51 job-searching apps, and a general utility app.

Some big names caught in Beijing's cross-hairs

While the second warning put Tencent and Baidu on notice, today's Beijing announcement has put TikTok and Microsoft (through its LinkedIn app) on the hot seat as well.

The CAC has given all the app makers listed in its alerts 15 days to remove the data slurping code or face its steep fines, which the government seems intent to apply, as an early warning shot that it means business.

The recent warnings come as part of a wider government crackdown on the Chinese tech sector.

Through unfettered data collection, many Chinese tech companies have become multi-billion dollar behemoths and have slowly started to believe they could assume independence from Beijing's strict control and leadership, a trend the Chinese Communist Party is trying to stamp out.

Furthermore, in recent years, much of the data collected by Chinese companies has also often leaked online or has been stolen by hackers, primarily due to overzealous collection and improper data storage practices.

These vasts amounts of leaked data are an operational-security (OpSec) gold mine for foreign security intelligence agencies, and is why the Chinese Ministry of Public Security was also involved in the law's drafting process.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Catalin Cimpanu

Catalin Cimpanu

is a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.