In-depth: Chinese e-commerce's rush into online finance could put countless users' data at risk

Big data, big brothers


Once Jack Ma was the little guy. Now he wants to give the little guy little loans.

Earlier this year MYbank, the online bank affiliated with e-commerce colossus Alibaba, launched with the intent to grant small loans to individuals and small businesses. Last week, rival Tencent announced a new small loan service from which users of its WeChat social network and digital payment launchpad can borrow up to RMB200,000 - without any collateral or guarantee - from its own affiliated online bank, Webank.

On Tuesday Ant Financial, the Alibaba affiliate controlled by Jack Ma that runs MYbank, announced it had purchased a controlling stake in an insurance company with the intent to provide insurance services online to small businesses and consumers. If precedent holds, Tencent can be expected to announce a near-identical investment forthwith.

This back and forth has become a fixture of China's private enterprise landscape: Both companies use their deep pockets and deep reserves of user data to try and gain an edge in the latest nascent Internet-enabled sector, all with an eye toward unseating China’s financial establishment. But new user authentication requirements favoring brick-and-mortar banks don’t just fail to address existing data security and privacy issues in Chinese e-commerce; they could force users to provide Alibaba, Tencent and other online businesses with biometric data such as fingerprints which, once shared or stolen, could prove a problem for life. 

While regulators' stated rationale for the requirements is preserving privacy and stemming systemic risk, they often seem more concerned with the latter. Professor Robin Hui Huang, executive director of the Centre for Financial Regulation and Economic Development at the Chinese University of Hong Kong's Faculty of Law, said China's central bank didn’t have enough confidence in the online facial recognition technology being pushed by Alipay's MYbank, and was pushing back for better biometric verification.

“The more verification the better from the regulator's point of view,” Huang said. Time will tell whether that holds true for the consumers forking over their identifying information, but neither Tencent nor Alibaba wants to wait around to find out. The competition is too fierce to survive standing still.

Rising stakes, staking claims

Both have reason to rush: Figures from the China E-Commerce Research Center indicate that last year the sector grew by 31.4% to a total market value of RMB13.4 trillion (roughly US$2.1 trillion). Leading the third-party payment platform charge are Alibaba's Alipay and Tencent's Tenpay. 

Consulting firm iResearch estimated that in 2014 the value of sales via third-party payment platforms in China was about RMB8 trillion (about US$1.25 trillion) and grew at a rate of 50.3%. That expansion is expected to slow as such services approach market saturation, but the company's January projection of 45.5% growth for this year would still put annual transactions on track for total sales of over RMB11.7 trillion.

The same report indicated Alipay enjoyed a dominant 49.6% market share in 2014, with Tenpay a distant second at 19.5%. But Tencent's potential capture is a real threat thanks to WeChat, an increasingly comprehensive ecosystem for social media, advertising, games and payment, masquerading as a simple app for social messaging. Monthly active users on WeChat rose to 600 million as of the end of June, according to Tencent's second quarter results (pdf).

Old guard, newly guarded

These former upstarts fired their first big shot across the financial establishment's bow in 2014, when Alibaba announced it would partner with Citic Bank to offer 1 million virtual credit cards as part of its Alipay Wallet app. The next day Tencent boasted it would do the same thing - with the same bank - via its WeChat app. 

The People's Bank of China seized on a technical issue to delay the cards' launch. Bank officials said the bar code-like "quick response" (QR) codes that would be used to ID customers weren't secure enough.

Undaunted, Webank and MYbank ranked among five private banks that regulators approved in 2014. Webank’s January launch was even attended by Premier Li Keqiang, quoted by the state-run China Daily as saying “Internet-based banking is a significant step in China's financial reform.”

But MYbank launched on June 25 without the ability to take on any customers thanks to central bank concerns about user authentication. Tencent’s own online bank, which technically launched in January, quietly rolled out its Webank app over the weekend of August 15-16 with features nearly identical to existing WeChat payment services.

That stealth launch reflected a new regulatory reality: On July 31 China's central bank released draft rules requiring multiple verifications of user identity for unrestricted use, prohibiting fund transfers between different users and capping daily payments through both companies’ online payment platforms as low as RMB1,000 for low-authentication users.

“On the surface it seeks to address the two risks,” Huang said. “But as a consequence of that, the interests of traditional banks are protected.”

While he said there were merits in the rules’ stated security aims, “the issue is by doing this whether it would impose unnecessary or unreasonable constraints on the further development of Internet-based finance in China.” 

Before the law

There is a well-documented and increasingly urgent need to shake up China's risk-averse, inefficient and mostly state-run banking sector. But concerns go well beyond those of existing banks and extend to the protection of Chinese citizens’ private data. Those have been difficult to articulate historically due to a lack of any legislation defining what personal information even means.

“The relevant legislation is all at the ministerial level,” said Zhao Yun, director of the Centre for Chinese Law at Hong Kong University. While gains had been made in recent years with various lower-level guidelines, Zhao said, there was still no national-level legislation protecting, or even defining, personal data on the mainland. 

“We need to have a unified law,” he said. “If we really have a personal data law at the national level we can strengthen enforcement.” 

The definitional dearth was addressed, in theory, by a new draft cyber security law, public consultation for which ended on August 5. It has since disappeared into the bureaucracy from which it could emerge quite different. But for a first pass it prompted plenty of discussion.

In a recent briefing (pdf) for the law practice Morrison & Foerster, co-author and firm associate Zhang Wei wrote that the draft law, for the first time, “includes a relatively detailed definition of ‘citizens’ personal information’, meaning personal information such as a citizen’s name, birth date, ID number, biometric data, profession, residence, or telephone number … as well as other kinds of information that, alone or combined with other information, may be used to determine a citizen’s identity.”

That would unify the currently disparate, sector-specific regulations which impose data protection requirements that don’t always reflect rapid changes in business reality. “The data practice of telecom services (including e-commerce service) providers (such as Alibaba, Tencent) are regulated by the data privacy rules of the telecom sector, not by those of the financial sector,” Zhang told China Economic Review.

That “telecom” classification given Alibaba and Tencent may give them greater leeway with how they can treat customers’ personal information. But the most empowering access to user data may arise from the privileges baked into the terms of service for the firms' respective payment platforms.

Terms of disservice

Perhaps the best lens on Alipay's approach to users' personal data comes from the terms of service users must agree to in order to open an account—a prerequisite to the use of any of the Alibaba conglomerate’s many online retail outlets and myriad associated financial services.

In the conclusion to her in-depth analysis of Alipay’s terms of service, to be published in the October edition of the journal Computer Law & Security Review, Professor Liu Yue of the Shanghai University of Political Science and Law says the firm’s rules are “not comprehensive, and leave loopholes that could detrimentally affect consumers’ rights in the mobile [commerce] ecosystem”.

Put bluntly: Alipay gets everything, forever, to do with as it pleases. As Liu’s report points out, terms stipulate that the company:

 is not responsible for any financial losses resulting from identity theft or compromised passwords;

 is not liable if hackers breach the company’s system and steal user data;

 can, at will, disclose the entirety of a user’s identity information - including full purchasing history and real-time or historical location data - to websites accessed using the Alipay wallet, which can then also share it;

 can further analyze consumers’ financial, geographic and behavioral information to use as a basis for targeted advertising and other purposes;

 can keep all personal information in perpetuity even if users close their accounts; and,

 does not have to compensate users for more than the value of services provided, most of which are typically free.

Each of these clauses is tucked away in the service agreement's interminable scrawl of 14,000 Chinese characters. The report estimates those translate to about 20,000 words in English, or roughly the same length as Franz Kafka’s famed novella “The Metamorphosis”. 

While not exactly the same as Alipay’s terms of service, Tenpay gives users a list of exemptions that Liu said made it “quite unlikely that Tenpay will take responsibility in a case of identity theft, and there is no law that requires them to do so.” 

Tenpay's service agreement states that its privacy policy is in accordance with that of WeChat, but Liu said it was still unclear regarding how exactly personal data can be used by the company as well as the scope of “affiliate companies” with which the data can be shared—though in her experience, the scope and uses to which it is put are similar to those of Alipay. 

Tenpay’s terms also leave room for the company to keep user data in perpetuity. The payment platform’s integration with the company’s wildly popular and expansive WeChat ecosystem makes that all the more disconcerting for privacy-minded mainlanders.

Uneasy realities

User estimates for Alibaba and Tencent services suggest that many on the mainland are more than willing to trade their personal data for free access to a wide variety of payment options, or at least aren't aware they're doing so. But keeping that data safe is a real concern for China's smartphone users.

A July survey of users whose smartphones ran Google’s Android mobile operating system points to risks both perceived and real for anyone using an online or mobile payment platform in China. Among those surveyed by the Data Center of China Internet and online security firm Qihoo 360, around seven in ten said personal information included their photos, communication data, account information and passwords; between four and five in ten were worried their phones might leak the same.

Manuel E. Maisog, a partner at law firm Hunton & Williams whose work focuses in part on personal information protection in China, said that while he knew of no scientific or systematic surveys on the subject, adoption of social networks hadn’t outpaced public awareness of the need to regulate the use of personal data.

“Abuses of personal data have been common enough, and recur often enough, that the general public has by now learned of and understands the potential for damage,” Maisog said. “At this point (and once again this is anecdotal more than hard information) the state of public awareness of the need to regulate the use of personal data could be described as an anxious awareness threatening to border on outrage.”

To the extent it’s shared, that sentiment isn’t just the result of media coverage or word of mouth: One in four users from the Android survey had actually had their pictures and communications data leaked. Roughly one in five had their phone’s number, account information and passwords or video leaked. 

Jailbreakers broken

That plays nicely into the now-standard narrative in tech circles of Android as a more vulnerable operating system than Apple’s iOS. But on August 30 the security firm Palo Alto Networks announced it and members of Chinese iPhone developer WeipTech had discovered what they believed was the largest known Apple account theft to date caused by malware (malicious software). Most of the targets were Chinese and were having experiences typical of a mainland hacking attack.

“Some victims have reported that their stolen Apple accounts show abnormal app purchasing history and others state that their phones have been held for ransom,” Palo Alto wrote in its announcement.

The new family of iOS malware – christened “KeyRaider” – had stolen more than 225,000 valid Apple accounts, as well as thousands of certificates, private keys and purchase receipts. Palo Alto and WeipTech found the malware uploading the stolen data to a server which itself had vulnerabilities that exposed the user information. They estimated around 20,000 people had been abusing the user credentials in question.

All of the victims had “jailbroken” their iPhones so they could install apps not approved by Apple’s official app store, and most came from mainland China based on the email addresses associated with the stolen credentials: More than half of the addresses belonged to users of Tencent’s (named for the instant-messenger precursor to the company’s WeChat platform).

Incidents like this make clear why mainland media accounts tend to blame users for data leaks. But while users may not know how best to guard their personal data, China’s biggest Internet firms may have also held back improvements to the Chinese Internet’s baseline security.

Leaky pipes

Even those who take reasonable measures to protect their online data in China will find the deck stacked against them. That's due in part to a widespread failure among mainland websites to upgrade to a more secure communications protocol.

In their 2014 analysis (pdf) of around 10,000 of the most popular Chinese websites, researchers at Stony Brook University’s computer science department found only 672 had implemented HTTPS, a secure communication protocol that authenticates websites and protects exchanged user and site data more reliably than the old standard, HTTP. Of those websites, 28% had only one HTTPS page, and over 84% had implemented HTTPS incorrectly.

In addition to upgrade difficulties and operational concerns, the researchers blamed low adoption rates in part on what they perceived to be the Baidu search engine’s lack of HTTPS support. Researchers' comparison of search results for HTTPS sites from Baidu and Microsoft's Bing found that while the latter yielded HTTPS pages for 44% of known sites, the former produced none. 

Unofficial search engine optimization (SEO) guides for Baidu claim that the search service has poor support for HTTPS and recommend that sites avoid using the more secure protocol if they want to show up in search results. If sites must use HTTPS, they are often recommended to provide the same pages in HTTP in order to still get indexed by Baidu. While Baidu itself now uses HTTPS, such SEO habits mean that unless users take measures to use the more secure version of a page, they will be more vulnerable to malicious sites that impersonate their intended destinations to obtain account info and passwords. 

Corporate privacy

While the situation may be worse in China, such failures are hardly exclusive to the mainland: On July 9 the US Office of Personnel Management admitted the breach by hackers of its computers had affected far more than its initial estimate of 4.2 million federal workers. Disclosures to date indicate a total of 22.1 million Americans - almost 7% of the country’s population - had sensitive information about them swiped from the office's computers.

That scale puts the incident in the same neighborhood as the number of Alipay accounts Chinese media initially reported had been affected in a breach about four years ago.

When news broke that 15-25 million Alipay accounts might have been compromised in late 2011, a company representative told Tech in Asia the company was certain that a list of leaked e-mails being cited as evidence hadn't come from the company. The firm later stated that there had indeed been a leak of Alipay account IDs—though it maintained that user passwords and funds were safe, according to state media.

But in January of 2014 the firm apologized publicly for a former employee’s 2010 theft and subsequent sale of more than 20 gigabytes of personal user information. 

According to an investigative report published ten days before the apology by respected mainland newspaper The Economic Observer, a current and former employee at Alipay had collaborated to sell user data the latter had stolen while still at the firm - including purchase records, home addresses, email addresses, cellphone numbers and users’ real names - to other e-commerce firms. 

The ex-employee was reported to have told police he’d sold user data for 10 million Alipay accounts to online clothing retailer VANCL for “a hefty sum”. That firm’s head of public relations told the Observer that "We have for the time being no record of receiving any police inquiries; if the police require it, we will actively cooperate."

The boast was more indication of the volume of data stolen than reliable indictment of VANCL. It also suggested internal security issues at Alipay, which confirmed to the paper that there had been a case of an employee selling stolen user data, but wouldn’t comment further.

Later, a statement from the company on its website assured users that the data only concerned transactions from before 2010, and “excluded sensitive information such as usernames or passwords, which were ciphered through a sophisticated method that is not available to anyone.” Why such ciphering warranted mentioning if sensitive information was excluded from the breach was left unexplained.

Internal (external) affairs

One manager at Alipay admitted to the Observer the ex-employee had sold stolen data, but also emphasized that the case had occurred years ago, and that the user data had not been widely circulated online.  

But in comments to the paper another unnamed employee familiar with the situation couldn't understand why the thief hadn't been caught the first time he downloaded user data, or why it had taken three years to discover and report the incident. "It must be said, we've had some management issues,” the employee said.

It is unclear whether the 2010 claims of a user data leak and the incident reported by the Observer are related in any way. Alipay did not respond to an interview request from China Economic Review.

But according to a recent Wall Street Journal report, Alibaba Chief Technology Officer Wang Jian told reporters at the launch of a cloud data center in Zhejiang province that security incidents are the price of being first in the industry. Wang said that with security issues in general: “We are pioneers in providing public cloud services in China, so we have to pay the whole price for those who come after us. The greatest lesson is that the price is very high.”

It’s a lesson that Tencent, too, knows all too well: In November 2013, 90 gigabytes of QQ and WeChat user data appeared on Alibaba’s online retail site Taobao, including information affecting 80 million WeChat circles (friend groups) and 1.5 billion QQ instant messaging accounts, according to the same Observer report. The seller claimed to have QQ account data for active accounts covering every industry in China, organized by industry, sector, age, sex, and more.

Tencent’s response on November 21 would set the template for Alipay's January apology: It claimed the stolen user data was from 2011, and that security upgrades had been made at the time in response. That, of course, implied it had known about the breach for over a year without telling the public.

Tencent also requested that Taobao take down the sales page for the hacked data. The Alibaba-owned retailer obliged.

Always in earshot

In late May The Citizen Lab, an information security and rights research center at the University of Toronto, revealed that Alibaba's flagship mobile browser, purchased in 2014 for more than US$1 billion, was leaking sensitive user data.

As the most popular web browser in both China and India, that made the UC Browser a tremendous security risk for its more than 500 million registered users. Citizen Lab singled out UC Browser’s Chinese-language version as markedly more vulnerable than its English counterpart—though both were guilty of blaring unencrypted or shoddily ciphered search query and location data to the world at large.

Jason Ng, senior research fellow at The Citizen Lab and a co-author of the UC Browser report, said he saw little chance of any malign intent from the developers. The issue, he said, “more likely represented the typical developer desire to build products and features first—worry about other issues later.”

In its report Citizen Lab said it had informed Alibaba of the issue in April and been told security engineers were looking into it. But when the group tested the Chinese language version of the browser again one day before publication, they found it was still sending both search queries and personal data to Alibaba’s Umeng analytics service unencrypted—though some improvements had been made.

“Just by installing and opening UC Browser (Chinese), users unwittingly expose a significant number of personal identifiers and location information to numerous third parties,” the group wrote. “Although users must agree to grant the application permission to access personal identifiers and location data, it is not made clear to the user how this data will be shared.”

Ng said the issue of local industry norms was also at play: Nascent Chinese firms and established US companies hold themselves to different standards with regards to privacy concerns. While Chinese firms might catch up in a few years, for now, he said, “I think they’re a little looser on that front.”

“I think most consumers are aware that security flaws are a hazard in apps,” Ng added, “but that awareness would obviously be heightened if it was their financial data at risk as opposed to something like search data.”

The body financial

In announcing it was unsure about the face-recognition technology the Alibaba-affiliated MYbank wanted to use to verify account applicants, the People's Bank of China left the new financing outfit hamstrung. But the concept at the center of that conflict will only become more important.

The use of body features in identification, known as biometrics, entered the mobile tech mainstream with the debut of new iPhone models in late 2013 that replaced the old home button with a thumbprint scanner. Yet it would take years for such hardware to become ubiquitous in China's smartphone market—and Alibaba and Tencent want to vanquish each other now.

In March, Jack Ma made his own biometric intentions clear when he demonstrated Alibaba’s face-scanning authentication onstage at the CeBit conference in Hanover, Germany. It was a canny move, even if the tech later proved a stumbling block for MYbank.

“Generally speaking there is a very serious push by the government to use biometrics for authentication,” said Chris DeAngelis, Beijing-based general manager for Alliance Development Group, which helps foreign tech firms expand on the mainland. 

That demand dovetails nicely with draft regulations mooted by the central bank in early August requiring users to undergo multi-factor authentication in order for payment platforms like Alipay and Tenpay to continue operating without onerous transaction restrictions. The law does not mention what those factors might be, but biometrics could prove a convenient complement to existing methods.

“My understanding is that, for example, three-factor authentication could be the device itself, a pin number and a biometric,” DeAngelis said.

An August report on the new regulations by mainland finance magazine Caixin cited online finance professionals as saying payment platforms already licensed to lend – like Alipay and Tenpay – would gain an edge over the competition. An unnamed central bank official involved in drafting the new rules told the magazine that Alipay already had 300 million real-name-registered clients, with about RMB110 billion (around US$17 billion) parked in customer accounts. 

Tenpay, the official said, had around 100 million such registered customers. That gives Tencent room to build on its 600 million WeChat user base, and both companies will have a substantial head start over any other upstart Chinese payment platforms.

Public-private partnership

Yet growth prospects alone weren't enough to keep the head of Tencent's online bank on board. Cao Tong, the first president of Webank, recently tendered his resignation for personal reasons, according to a report by the mainland newspaper 21st Century Business Herald.

Regulations are growing more daunting, and good government relations are clearly key to maintaining an e-commerce lead--a fact to which Jack Ma has long been savvy. On June 19 Ant Financial announced the launch of the IFAA, which despite its acronym has no official English name but can be translated roughly as “Internet Finance Authentication Alliance”.

Sina’s tech news site described the IFAA as a joint initiative between the Ministry of Public Security’s First Research Institute and major tech companies. At launch the alliance included Samsung, Huawei, ZTE, Oppo Electronics and Coolpad, as well as chipmakers including Qualcomm, Watchdata and security vendors, among others. All would work with the security ministry to help standardize thumbprint, face and eye authentication.

Yet biometrics also pose their own challenges, some more severe than existing identification methods. Perhaps most troublesome is their permanence: It’s easy to change a password once it’s cracked, but it’s much harder to change one’s fingerprints if hackers get a hold of them.

Worse, from a consumer perspective, neither Alipay nor Tenpay takes responsibility in its terms of service if users suffer identity theft, nor is there a law requiring them to do so, said Liu at the Shanghai University of Political Science and Law. Liu also expressed concerns about other possible misuses of biometrics.

“The use of biometric technology has raised much discussion [in China], especially concerning security and privacy risks,” Liu said, adding that facial recognition like that Alipay was now attempting to use currently came up short compared to other biometric methods.  

It is also unclear against what authoritative source of personal identification face scans would be checked. But brick-and-mortar banks typically require customers to present an official identification card issued by the Ministry of Public Security, replete with a color photo that could provide a handy basis for comparison.

Keeping secrets

The draft cybersecurity law also remains vague on the subject of how biometrics and other personal data - for example, location, browsing and purchasing history - should or can be used. While it states that network operators “must not gather citizens' personal information unrelated to the services they provide,” so long as users agree to the Alipay and Tenpay terms of service, both platforms are free to use users' data as they please.

“It’s a problem in China the same way it’s a problem elsewhere,” DeAngelis said of the service agreements. But if China’s e-commerce conglomerates succeed in using biometrics to pass muster with the Public Security Bureau and central bank, users of Webank and MYbank may end up giving up far more permanent personal and financial data than they realize to both.

Yet while both Alibaba and Tencent expect users to trust them, neither seems to trust the other not to spy on its own employees given the chance. Such concerns may have prompted Alibaba’s chief risk officer, Shao Xiaofeng, to send an internal memo to the rest of the company one Monday in June of 2013 advising employees to only use the company’s products to communicate with coworkers.

Shao explained that compared to other companies, “Alibaba's staff are granted far more authority and flexibility in their jobs, with access to a lot of key product information, business plans, customer information and digital information.”

But while Alipay wouldn’t admit that an employee had stolen over 20 gigabytes of user data for about another six months, Shao’s internal memo went public far more quickly. It was leaked and had spread around the web by the afternoon of the very same day. 

Update (9/21): Shortly after this piece was published, Chinese developers disclosed a new form of malware that had infected 39 known popular apps on Apple's official store, including Tencent's WeChat and ride-hailing service Didi Kuaidi (jointly backed by Tencent and Alibaba). Later reports pushed that estimate to 344 infected apps. According to Palo Alto Networks, developers of the apps had used a corrupted version of the iOS development tool kit, Xcode, which they downloaded from Baidu's cloud service because mainland China's Internet filtering system made getting the kit directly from Apple onerously slow. (Baidu has since removed the offending files.) 

The infected apps can leak information about a user's device and cause a phone to send fake prompts to steal passwords for Apple's iCloud service, among other things. According to WeChat's official update log, the infection was introduced in the app's September 10 update, meaning the malware would have been circulating for over a week before the issue was disclosed. Statements posted to official sites and social media by Tencent and other companies whose apps had been compromised maintained that no sensitive customer information or funds had been stolen.

Author: Hudson Lockett (@KangHexin)

Correction: This piece originally misstated the nature of an SEO guide for Baidu's search engine. The guide was unofficial, not official, as claimed by researchers from Stony Brook University in their analysis.