Citizen Lab has revealed that WeChat, the popular messaging app operated by Tencent, subjects the same pervasive content surveillance to accounts beyond China that was previously thought to be exclusively reserved for China-registered accounts.
The Canadian research group said that like any other internet platform operating in China, WeChat is expected to follow rules and regulations from Chinese authorities around prohibited content. Citizen Lab said, however, that these rules and regulations are now being applied to non-China registered accounts as well.
"WeChat implements censorship for users with accounts registered to mainland China phone numbers. This censorship is done without notification to users and is dynamically updated, often in response to current events," Citizen Lab wrote.
Citizen Lab said that it had previously not seen international accounts subject to the censorship features, and that users could send and receive messages that users with China-registered accounts could not.
In its report [PDF], Citizen Lab details that documents and images shared among non-China registered accounts are subject to content surveillance and are used to build up the database WeChat uses to censor China-registered accounts.
"By engaging in analysis of WeChat privacy agreements and policy documents, we find that the company provides no clear reference or explanation of the content surveillance features and therefore absent performing their own technical experiments, users cannot determine if, and why, content surveillance was being applied," it wrote.
Citizen Lab ran its experiment to test for document and image file surveillance across three separate days in 2019: November 27, December 2, and December 6.
It said that for each test, it transmitted novel, sensitive documents or images which had never previously been communicated over the platform.
"Our results show that on each day of testing, if a sensitive document is first sent from a non-China-registered account to non-China-registered accounts, before sending it to a China-registered account, they are censored in real time when sent to a China-registered account," it said.
Unlike with documents, Citizen Lab said it observed that WeChat could sometimes censor images in real time.
Out of 60 images sent across three days, 49 images were censored in real time when only sending them to China-registered accounts.
"However, if we first sent them from a non-China-registered account to other non-China-registered accounts, then all 60 out of 60 images were censored in real-time when sent to a China-registered account," it wrote.
The research also saw Citizen Lab conduct a "collision side-channel test", which saw it generate 20 novel, sensitive images with the same MD5 hashes as 20 non-sensitive images.
"We send the 20 sensitive images in the non-China group chat and then send the 20 non-sensitive images in the China group chat one minute later," it explained. "We count how many of the non-sensitive images were not received by the China-registered account."
Citizen Lab then compared the number of censored images from the image collision side-channel test to that of a "collision control test", generating 20 novel, sensitive images with the same MD5 hashes as 20 non-sensitive images.
The 20 non-sensitive images were also sent in the China group chat, with Citizen Lab counting how many were not received by the China-registered account.
It performed the experiment on 30 January 2020, on a University of Toronto network in Toronto, Canada.
In the collision side-channel test, all 20 of the 20 non-sensitive images were censored, whereas in the collision control test, none of the 20 non-sensitive images were censored, Citizen Lab said.
The researchers also conducted a "hash retention test", sending a novel, sensitive document in the non-China group chat in a group chat and then immediately recalling the document.
"One hour later, we send the same document in the China group chat. If the document is censored in real time when sent to the China-registered account, then recalling the document did not remove the hash from the file index," it said.
In all five tests, the recalled document was never received by the China-registered account.
"In cases where documents or images are hashed but the files themselves are not presently censored, it would not be possible to know which, if any, files had been analysed and hashed for potential censorship activities using the experiments we performed," Citizen Lab summarised.
"Put plainly, we have not witnessed censorship between non-China-registered accounts of materials which are censored among China-registered accounts. By conducting our side-channel experiment, we were nevertheless able to measure the existence of content surveillance for such materials transmitted among non-China-registered accounts."
According to Citizen Lab, the experiments show that non-China-registered accounts are unable to remove hashes of sensitive content which they have sent when communicating entirely with other international users as a side effect of recalling their content.
"Consequently, while it may appear to users that they can recall the content of their communications, at least some of the metadata associated with such communications -- such as the hashes of sensitive files -- are disassociated from the retraction system," it said.
"It is unclear based on our technical findings whether such a hash register would be associated with individual accounts.
"Nevertheless, these hashes will be used to build-up WeChat's censorship system."
A Tencent spokesperson told ZDNet that all content shared on its platform by international users is private.
"We received the Citizen Lab report and take it seriously. However, with regard to the suggestion that we engage in content surveillance of international users, we can confirm that all content shared among international users of WeChat is private," they said.
"As a publicly listed global company we hold ourselves to the highest standards, and our policies and procedures comply with all laws and regulations in each country in which we operate.
"User privacy and data security are core values at Tencent, and we look forward to continuing to sustain user trust and delivering great user experiences."
Updated 12 May 2020 at 9:50am AEST: Added comment from Tencent spokesperson.
The filtering systems also censor content that are not critical of the Chinese government.
WeChat's is purging undesirable content on its platform to maintain a 'healthy' reading environment as required by the government.
Drivers will be able to operate the in-car app through voice commands or steering wheel buttons to check unread messages, send new messages, as well as make WeChat calls.