A smartphone application developed by Chinese web services company Baidu specialising in “Caller ID & Blocking” contains features that may invade privacy, FactWire can reveal.

The app, DU Caller, offers a search function, called the “search name or number” feature, which allow users to directly search for numbers using the name of an individual or organisation.

The mobile numbers of Secretary for Security Lai Tung-kwok, Commissioner of Police Stephen Lo Wai-chung, Privacy Commissioner for Personal Data Stephen Wong Kai-yi as well as government officials of the Chinese Liaison Office and the Chinese Foreign Ministry in Hong Kong could be accessed.

Baidu cybersecurity
DU Caller. Photo: Factwire.

Through dynamic analysis, FactWire found that the app may send users’ phone address books to Baidu’s server in Beijing before acquiring their consent.

A legal consultant familiar with the Privacy Ordinance said that DU Caller’s features invade privacy to a larger extent, compared to the three apps that were exposed by a FactWire investigation last November.

‘Caller ID & Blocking’

DU Caller, a smartphone app under Baidu, was created by DU Group, which calls itself the “World’s Most Trusted Android Apps Developer.” While the app offers “Caller ID & Blocking” and call recording, it also includes functions that may harm users’ privacy, such as reverse look-up or number search by keywords. When users input a keyword, the system searches its database of two billion phone numbers and shows results that contain same or similar keywords.

Upon installation, users can use the keyword search function and check results three times a day. Once the quota is used up, the user has to create an account with his or her phone number and log in to enquire about the number owner to “ask for details.” However, FactWire found out that users could check three phone numbers again upon reinstalling the app.

The DU Caller database consists of phone numbers from around the world, including Asia, America and Europe. FactWire tried searching for phone numbers in the database with Chinese keywords such as “Liaison Office,” “Hong Kong and Macau Affairs Office of the State Council,” “Ministry of Foreign Affairs,” “Hong Kong Police Force (HKPF)” and “Security Bureau,” and found the mobile numbers of Secretary for Security Lai Tung-kwok, Commissioner of Police Stephen Lo Wai-chung and Deputy Director of the Liaison Office of the Chinese Central Government in Hong Kong Yin Xiao-jing and Lin Wu.

Baidu DU Caller cybersecurity
Records of phone numbers of officials. Photo: FactWire.

FactWire made enquiries to Lai and Lo on the leakage of personal privacy. The Security Bureau replied that “the Secretary for Security did not authorise any mobile app developer or provider to upload his name and mobile number to its database.” The Bureau said it has referred the case to the Office of the Privacy Commissioner for Personal Data for follow-up action. No response was received from the HKPF so far.

FactWire also found the mobile number of the Privacy Commissioner for Personal Data Stephen Wong Kai-yi using the keyword search feature. Wong expressed shock and immediately asked reporters how they obtained his number when he was asked to confirm that the number belonged to him. He then confirmed with FactWire that the number, now no longer in use, was his work mobile number from 10 years ago when he was with the Department of Justice.

Fraud risk

Wong emphasised that names and mobile numbers are important personal information, and that fraudsters may use the information to carry out phone fraud. He added that personal data is the “source of the fraud.”

“[The fraudster] may use your phone number to find and manipulate others’ personal information as the information has a high degree of believability. He or she may be able to find out my former office, and who I worked for.”

“If a stranger calls and says he knows you, and you’ve forgotten him… Older people and those less familiar with technology especially may find it strange how the fraudster knows such information, but would then think they’re just being forgetful and so they could be tricked by the fraudster’s misleading messages,” said Wong.

Stephen Wong Kai-yi. Photo: Factwire.

As for the DU Caller feature that enables users to input an individual’s name to search for his or her phone number, Wong said that the usual “Caller ID & Blocking function” aims to block calls from unknown callers, but that the keyword search feature provides no direct or actual support to block spam calls or detect unknown calls.

Wong added that the developer could be in violation of the third data protection principle of the Personal Data (Privacy) Ordinance (Data Use) unless it has acquired voluntary consent from the data subject.

Craig Choy Ki, convenor of the Progressive Lawyers Group and a legal consultant familiar with privacy policies, said DU Caller’s keyword search feature invades privacy to a larger extent compared to the three apps exposed by a FactWire investigation last November.

Choy pointed out that while a phone number only counts as personal data when combined with a name, the name itself already counts as identifiable personal data. “The apps exposed last time [in the November 2016 FactWire investigation] use non-personal data to search for personal data, but this time [DU Caller] allows users to use others’ personal information to look for more [data subject] information.

“This method leaks personal data and violates privacy more easily and with more accuracy,” said Choy.

FactWire found the phone address book of Roger Cheng Hon-man, who teaches at the Chinese University of Hong Kong. Cheng uses the course codes, activity name and the Chinese or English names of his students as their contact names in his phonebook.

CUHK Chinese University of Hong Kong baidu Du caller
Roger Cheng Hon-man. Photo: Factwire.

FactWire used Cheng’s course codes and activities between July 2014 to November 2016 in the keyword search, and discovered that contact information involving more than 1,000 data subjects dating up until September 2016 was recorded in the DU Caller database.

FactWire checked the app download records of Cheng’s mobile device and confirmed that he had installed DU Caller via Google Play. Shocked by the discovery, Cheng stressed that he did not download or activate DU Caller, let alone authorise DU Caller to upload his phonebook.

Angrily calling what had happened “a clearly immoral act,” Cheng said that “unless the app could prove that [they gained my consent], I’ll have to believe it has stolen my information.”

Two privacy policies?

FactWire then discovered two completely different versions of privacy policies available within the DU Caller app. The first version is available on the front page of the Android version of the app, while the second one is in the “About” column within the app.

The first version states that if users have “opted in to take part in the DU Caller User Experience Program, we (DU Caller) may collect, use and share certain information,” including IMEI (International Mobile Equipment Identity), IMSI (International Mobile Subscriber Identity), device log, incoming and outgoing calls and phonebook contacts, and that users gave permissions to DU Caller to “use the contact information as a part of the service.”

DU Caller Baidu smartphone application app cybersecurity privacy
Two privacy policies. Photo: Factwire.

The policy also states that users “guarantee all permissions required to share such contact information” with DU Caller, and that by “installing and launching DU Caller, you agree to participate in the DU Caller User Experience Program.”

However, FactWire conducted a dynamic analysis to analyse how DU Caller uploads users’ data. The analysis results show that once the app is downloaded and installed in a smartphone, even if the user did not click “agree” to its privacy policy, the user’s information, including the phone address book, phone number and IMEI of the phone, will be recorded into a folder of the app, ready to be sent to the server of Beijing Baidu Netcom Science Technology Co., Ltd.

In addition, there are clear differences regarding the “storage and transferral” of users’ data in the two policies. The privacy policy available on the front page of the Android version states that DU Caller only stores and transfers the information collected to “countries outside of the jurisdiction” that the user uses the services in, including storage in China and the United States.

On the other hand, the privacy policy available in the “About” column of the app, i.e. the second version of the policy, states that DU Caller “may transfer, process and store personal data in a number of countries,” and “the information collected within the European Economic Area (EEA) may be transferred and processed in a country outside of the EEA.”

Wong stated that developers providing two completely different privacy policies for the same app would mean that the policies may contain fabricated or misleading content, saying that “it is a serious and illegal act which the PCPD would investigate when discovered.”

DU Caller Baidu smartphone application app cybersecurity privacy
Two privacy policies. Photo: Factwire.

The developer may have violated principle one of the six data protection principles (data collection), which states that “personal data must be collected in a lawful and fair way” and the data collected “should be necessary but not excessive.”

FactWire made enquiries to DU Group and Baidu on whether DU Caller’s features and method of personal data collection violates the Ordinance and whether they would suspend the keyword search feature. No replies have been received so far.

Millions of downloads

According to Google Play statistics, the app has been installed around 1 to 5 million times, while Apple’s information shows that the app developer is Baidu (Hong Kong) Limited. DU Caller is not yet available in the Hong Kong branch of the Apple App Store. The app is available in the store’s U.S. branch, but does not offer the keyword feature.

The DU Group website shows that the products developed by app developer DU Group include DU Speed Booster, DU Battery Saver, DU Flashlight, DU Browser, DU Cleaner, and Photo Wonder, which have accumulated among the one billion Android users across the globe.

Baidu was listed on the Nasdaq Stock Market (NASDAQ: BIDU). The 2016 annual report shows that Baidu (Hong Kong) Limited is a wholly owned subsidiary of Baidu, Inc.

Photo: Flickr/Jon Russell.

FactWire discovered three “Caller ID & Blocking” smartphone apps that violated users’ privacy in November last year. The apps, namely CM Security, TrueCaller and Sync.me, compiled users’ phone address books into a publicly-available database involving one billion users and included a large number of well-known politicians and businessmen. The PCPD stated back then they would follow the issue closely and contact the overseas law enforcement organisations concerned for follow-up.

See also: 3 billion phone numbers and identities exposed by mobile apps, investigation finds

Five months later, FactWire found that while CM Security had suspended part of the “Reverse Look-up” feature last November, the two other apps were still operating as usual.

Privacy Commissioner for Personal Data Wong admitted during an interview with FactWire that the PCPD has no authority to enforce laws under the current legislation. The operators of the three smartphone apps are located outside Hong Kong borders. Since the Personal Data (Privacy) Ordinance is of no legal effect outside Hong Kong, the PCPD “could not monitor or regulate but only seek assistance” from overseas watchdog organisations, according to Wong.

Wong explained that the PCPD had already reflected the problems in November last year with the authorities in the countries where the companies that developed the three apps are located, namely China, Sweden and Israel. Among them, only the Chinese app CM Security had suspended part of its “Reverse Look-up” feature.

Wong stated that “while they [overseas watchdog organisations] responded to requests from the PCPD every time, their replies are usually a bit of a bluff.” The PCPD could only keep contacting the organisations. “We deliver our grave concerns to the authorities, and we rely on them to proceed with the regulations,” Wong said.

Personal Data Ordinance

The Personal Data (Privacy) Ordinance took effect in 1996, making Hong Kong the “first jurisdiction in Asia to have a dedicated piece of legislation on personal data privacy.” However, section 33, namely “Prohibition against transfer of personal data to a place outside Hong Kong,” has yet to come into effect. The law does not prohibit cross-border flows of personal data.

Stephen Wong Kai-yi
Commissioner Stephen Wong Kai-yi. Photo: PCPD.

Although section 33 of the law has yet to be implemented, the PCPD has published a “Guidance on Personal Data Protection in Cross-border Data Transfer,” so that “the industries already got used to what section 33 is aiming to protect,” according to Wong.

Wong then said that the PCPD had already completed and submitted a research report on the effectuation of section 33 of the law to the Constitutional and Mainland Affairs Bureau (CMAB) back in 2013. While the PCPD is an independent watchdog organisation, it lacks the authority to regulate the speed of legislation, and could only urge the government to speed up the process.

“Of course we did urge the government. The former Commissioner especially made conspicuous nudges,” said Wong, who added that the PCPD could only wait for the government to “handle, assess, evaluate and announce” their investigations.

Section 33 of the Personal Data (Privacy) Ordinance states that if a region is specified by the Commissioner “as one which has in force a data protection law which is substantially similar to, or serves the same purpose as the Ordinance,” it can be added into a “white list” to allow data users to transfer personal data to any regions on the list.

Many companies locate their servers in places such as China, India and Southeast Asia, where they may transfer and store user data. However, the privacy regulations abroad may differ from those of Hong Kong.

Wong pointed out that the “white list” was submitted to the CMAB along with the research report in 2013, but he refused to disclose whether China and India were on the list. Wong merely stressed that the jurisdictions on the list must have privacy ordinances similar to Hong Kong’s, and that the PCPD is currently waiting for the CMAB to conduct research and publicise the relevant policies.

File photo: Tookapic, via Pixabay.

FactWire made an enquiry to the CMAB on the progress of the implementation of section 33 of the Personal Data (Privacy) Ordinance and asked for the countries or regions on the “white list.” The CMAB replied that “the PCPD passed a consultant research report to the government in December 2013 and the consultant commissioned by the government is making evaluations on the competitiveness of the business environment in accordance with the implementation.”

The CMAB added that the report would be completed during the first half of 2017, and that it would “go through the research results and then consider follow-up work.” The Bureau also pointed out that the consultant collected information and comments from stakeholders in various industries, including members of the information technology sector, to assess the effects of the implementation.

However, the CMAB did not reveal whether countries such as China or India were included in the “white list.”

See also: Five Chinese mobile payment apps record users’ sensitive information

The Commerce and Economic Development Bureau recently launched a public consultation initiative on strengthening the regulation of person-to-person telemarketing calls, with one possible option of promoting the use of call-filtering applications in smartphones.

It mentioned that the “Reverse Look-up” feature may involve privacy problems, stating that should this option be adopted, the government would consider providing funding to developers vowing to write up more stringent policies to safeguard the privacy of users.

Founded in 2015 and funded by the public, FactWire is a non-profit investigative news agency.