WeChat Case Study: Security With No Privacy

John P. Gormally, SR
3 min read · Jul 21, 2022
Wechat OCR Code

Can you have security without privacy?

In February 2019 I was sitting at a train station in Shanghai, China, visiting family for the Chinese New Year. My wife approached a man asking if we were interested in buying his train ticket to Beijing. Being a security professional, I gave the person a “go away, bro” look.

My wife stood up and spoke in Mandarin with the gentleman for a few moments. She selected her OCR code. The gentleman scanned her phone and handed over the tickets.

I had to take a moment just to process what had just happened. My wife exposed her phone to a stranger just as COVID was happening 435 km away. My wife gave her phone to a stranger. “My love, you scanned your phone.” My wife gave me a puzzled look. “Yes, that is how we can exchange money here.”

“Oh”

While peer-to-peer payments for financial services are nothing new, having someone scan your phone sets off several cyber security alarm bells in my head. After enjoying a few cold beers on the train ride to Beijing, I could not help thinking that this person had entirely cloned my wife’s phone, and that everything she has was now compromised.

“My love, I bet this guy has everything on you now.” My wife gave me a playful wink and began to explain the culture behind WeChat.

“Love, WeChat is everything in China. We pay our bills; we order train tickets. We pay for food. We send videos, pictures, and messages to friends and groups. I order food for my mother and have the deliveries sent to her apartment.” Huh?

While I sat on the train (yes, it was a bullet train traveling at 294 km per hour), I noticed everyone around us was on their WeChat.

“My love, someone now has access to your phone.” My wife laughed. “And more,” she said.

My wife explained that once you hit send on your WeChat, you communicate with over 1 billion people worldwide. The Chinese government and governmental entities have access to every character, every word, every transaction, and every photo. The government processes this data for intelligence purposes in near real-time to determine a “social rating score.”

If any of our comments are “political or insulting to the government, they will downgrade your score.” As a result, you can and will be blocked from taking certain trains, staying in good hotels, and eating in excellent restaurants. Some even have their WeChat account blocked.

My wife explained that no one carries a lot of cash. Those that pay with cash draw suspicion from merchants and others watching. WeChat simplifies the entire digital currency and transaction, social media, and other services.

My wife later explained, “The guy who sold the tickets does not know me or anything about me. So, from a security side, I am hiding behind my avatar character in WeChat.” I looked at her. “Ah, that is the security layer; where is the privacy?” She laughed. “There is no privacy. You give up your privacy by having the privilege of using WeChat. You have no idea who has access to your data, what they plan to do with it, or how your social score is impacted.”

Where else is there security without privacy, or privacy without security?

When I returned to America, I met my doctor for a routine checkup. After watching my doctor log in to Allscripts EMR systems using her biometrics, I started to think about the WeChat use case.

How many people within the healthcare systems behind the scenes are reviewing my data? Are they compiling my information with others to determine a contextual risk for a medical reason for people my age? Do I need to trust that all medical professionals read the HIPAA compliance regulations cover-to-cover?

After careful consideration, I realized that we all might live in the WeChat world, even without having an account!

Until next week!

John


John P. Gormally is a fictional and non-fictional cybersecurity blogger and writer based in Lake Forest California.