Alex Gillis

University of Toronto undergrad Jing Zhou knows a lot about surveillance issues in China and Canada, but even she’s surprised by findings that hundreds of millions of people are at risk of hacking and surveillance because of a popular internet browser.

This week, the Citizen Lab at the Munk School of Global Affairs released a report showing that the Android version of Baidu Browser, made by one of China’s largest technology companies, leaks a user’s location, browsing history and other data because of poor or missing encryption whenever the browser is used.

And the browser’s Windows version, for computers, leaks even more data, including computer serial numbers. Any individual, company and government can hack a device or spy on users’ online habits.

Zhou is concerned about the human rights implications given the increasing number of people from China worried about hacking and surveillance. She helps to run a U of T student club called Choose Humanity, which raises awareness about human rights abuses.

“I’m very aware of surveillance issues,” says Zhou, who moved from China to Canada in 2001 and is finishing a Management degree at U of T. “In Toronto, there are Chinese officials surveilling students, religious practitioners and community members. Not only in Canada, but in China, the government and police track down your relations and monitor them.”

Baidu runs the most used search engine in China – but it’s also used around the world in Chinese, English and other languages.

Many of the vulnerabilities are due to missing or poor encryption used by something called software development kits (SDKs), which are present in more than 22,000 apps related to Baidu, according to researchers at the Citizen Lab, University of Toronto.

The apps have been downloaded billions of times.

“Baidu and anyone monitoring your traffic can use your hardware’s serial numbers to track your GPS location, nearby wireless networks, and every unencrypted and encrypted web page you visit,” says Jeffrey Knockel, the report’s lead author and a senior researcher at the Citizen Lab. “Most users would have no way of knowing their personal data was being transmitted this way, and would be unable to prevent it.”

In addition, Baidu Browser doesn’t include special codes (a norm with other browsers) when it downloads routine software updates, which would allow hackers to secretly install malicious software on computers and phones.

In May 2015, Citizen Lab identified ​similar security concerns with UC Browser, ​a popular browser owned by e­commerce giant Alibaba, also based in China. The security issues in UC Browser were identified in documents leaked by Edward Snowden that revealed that intelligence agencies in Canada, the United States, the United Kingdom, Australia and New Zealand had used the vulnerabilities to identify users.

Zhou says that she’s heard about China doing similar things.

The report is part of the Citizen Lab’s ongoing research into privacy and security of popular mobile applications used in Asia,​

including China’s censorship of Google, Microsoft, and Yahoo search engines and its censorship and surveillance in TOM-Skype, a Chinese version of Skype.

In November 2015, Citizen Lab researchers notified Baidu of the browser’s security issues. The company released updates that remedied some of the issues in January 2016, but many still remain unresolved.

“I wouldn’t use Baidu anyway, as it’s not as good as Google,” Zhou says. “Now that I know about the problems, I’m glad that I can avoid it in Canada.” But in China, where Google Chrome and other browsers are banned, people have to use Chinese-made browsers like Baidu.

“They have to make Baidu more secure,” Zhou says. “People don’t have to undergo surveillance all the time.”

February 23, 2016