China’s “mini apps” — third-party programs accessible within multifunctional mobile apps — may be just as bad as their larger counterparts when it comes to harvesting user data.
A report Tuesday from the Nandu Personal Information Protection Research Center, a think tank under the influential Southern Metropolis Daily newspaper, enumerates the many examples of malpractice researchers found, including over-collection and over-sharing of user data and inadequate terms of service.
The report, released as part of China’s annual cybersecurity week, investigated 52 widely used mini apps on several hosting platforms including messaging app WeChat, mobile payment service Alipay, and news aggregator Toutiao.
Researchers found that 25% of the mini apps shared user data with third parties, and 94% didn’t tell users how they could opt out of this.
Just 38.5% of mini apps had their own user privacy policies, and when such policies existed, they often conflicted with the host app’s user agreement, according to the report. Moreover, many applets considered users logging in as a de facto agreement to their terms of service.
Only one of the 52 mini apps evaluated asked users to agree to its privacy terms.
WeChat launched the in-app “mini program” ecosystem in early 2017, and several of its competitors have followed suit since. Particularly during this year’s COVID-19 outbreak, mini apps have exploded, with Alipay, WeChat, and provincial government-developed platforms all providing “health codes” as helpful — and sometimes compulsory — means of contact tracing.
On WeChat, there are mini apps for buying face masks, disinfectant products, and groceries that can be delivered directly to self-isolating households. In mid-February, data from Tencent, WeChat’s parent company, revealed that grocery and fruit shopping through mini apps had increased by 115% and 168%, respectively, year on year.
Privately developed mini apps have also played a role in the stringent outbreak control measures enforced at some residential compounds. However, scams and privacy concerns have come hand in hand with utility and convenience, as supposed security features often required users to divulge their personal information such as name, government ID number, date of birth, and even facial data. But according to the report, it has never been necessary for mini apps to collect biometric data for the purpose of confirming a user’s identity.
Data collection and user privacy are long-standing issues in China as elsewhere. In 2018, the country’s state-backed consumer rights association found that over 90% of 100 apps surveyed were over-collecting user data. And in July of last year, cyber-police in the southern Guangdong province said that over 1,000 apps were secretly accessing or saving users’ text messages, calendars, private conversations, and GPS locations without permission.
The Chinese government is developing a raft of legislation to combat these problems. A guideline released in December, for example, provided a clear definition of “illegal personal information collection” for app developers to follow, and warned against using jargon in their terms of service.
Ordinary internet users are becoming more vigilant, too. A 2019 survey by the same think tank found that 90% of over 6,000 respondents said they were concerned about how facial recognition systems use, store, and share their biometric data.
Editor: David Paulk.