3 billion phone numbers and identities exposed by mobile apps, investigation finds

Three smartphone apps with a “Caller ID & Blocking” feature are collecting users’ phone address books and merging them into databases that anyone with the app can search. Around 3 billion such numbers and identities are accessible, FactWire has discovered.

The three apps icons displayed on a smartphone screen. Photo: FactWire.

The database contains the numbers of Hong Kong’s Chief Executive Leung Chun-ying and Chief Secretary for Administration Carrie Lam Cheng Yuet-ngor. Also listed are local and mainland officials, legislators and personalities from the business, politics, media, entertainment sectors, as well as members of the public. Privacy Commissioner for Personal Data Stephen Wong Kai-yi would not comment on whether or not the apps were illegal.

The contact name of Chief Executive Leung Chun-ying could be traced with his mobile number in the CM Security database. Photo: FactWire.

The apps involved are CM Security, a product of US-listed Cheetah Mobile, whose largest shareholder is the Chinese software company Kingsoft Corporation Limited (3888); Truecaller, a product of the Swedish information technology company True Software Scandinavia AB; and Sync.ME, a product of the Israeli company Sync.ME.LTD. All three are free to download from the Android and iOS app stores.

The contact name of Chief Secretary for Administration Carrie Lam Cheng Yuet-ngor could be traced with her mobile number in the CM Security database. Photo: FactWire.

The “Reverse Look-up” feature of the three apps lets users find the name behind a number. When a number is entered, the app searches the billions of identified numbers in its database and returns the name of the holder. Each app displays the name even when the holder is not a registered user and has never authorised the app to make his or her personal information searchable.

The Sync.ME database integrated Charles Mok’s Facebook, Google and LinkedIn profiles into his contact information. Photo: FactWire.

FactWire downloaded the apps for testing. Using the mobile phone numbers of LegCo members from the last session and the current one, it found that at least 63 and 68 of the 71 members of the last session (including Alvin Yeung Ngok-kiu, who was elected in the New Territories East by-election on 28 February) had their names traced on Truecaller and CM Security respectively; the names of 68 lawmakers were found in total.

Mobile phone numbers belonging to a majority of lawmakers are recorded in the databases. Photo: FactWire.

For the lawmakers of the current LegCo session (including Sixtus “Baggio” Leung Chung-hang and Yau Wai-ching, who filed a court appeal on 17 November against the High Court ruling of 15 November disqualifying them as lawmakers), 64 and 65 of the 70 members were traceable on Truecaller and CM Security respectively; the names of 67 lawmakers were found in total.

In addition to the “Reverse Look-up” function, the Sync.ME search feature merged the mobile phone numbers of lawmakers Raymond Chan Chi-chuen, Junius Ho Kwan-yiu, Eunice Yung Hoi-yan and Tanya Chan Suk-chong with their Facebook profiles. Some of this information is locked, and users must pay to gain access. Charles Mok, lawmaker for the Information Technology functional constituency, has his mobile phone number merged with his Facebook, Google and LinkedIn profiles.

The contact names traced in the databases are not in any fixed format. Photo: FactWire.

Combined, the search results from Truecaller and CM Security show the names of government officials including Chief Executive Leung Chun-ying, Chief Secretary for Administration Carrie Lam Cheng Yuet-ngor, former Secretary for Security Ambrose Lee Siu-kwong, former Police Commissioner Tang King-shing, Director of Broadcasting Leung Ka-wing, Executive Council member Anna Wu Hung-yuk, Aide-de-Camp of the Chief Executive’s Office Lau Chi-tong and Information Coordinator Andrew Fung Wai-kwong.

CM Security database shows that LegCo president Andrew Leung Kwan-yuen is a WhatsCall user. Photo: FactWire.

Businesspeople including Centaline Property Group founder Shih Wing-ching, SJM Holdings Limited (0880) Deputada Angela Leong On-kei, Convoy Financial Group (1019) Group CEO Daniel Chong Wai-chung and New World Development Company Limited Executive Director Leonie Ki Man-fung all have their mobile phone numbers stored in the apps. Media executives such as Apple Daily Chief Editor Chan Pui-man, Next Mobile Limited Chief Marketing Officer Vincent Tsui Chun-man (known as Tsui Yuen) and Now TV Executive Vice-President of News and Business Information Cheung Chi-kong are found as well. Show business celebrities such as Alfred Cheung Kin-ting, Lin Xi, Elizabeth Wang Ming-chun and Natalis Chan Pak-cheung are also listed.

The names in the databases are not in any fixed format, which suggests they have been gleaned from users’ phone address books. Lawmakers Leung Kwok-hung and Raymond Chan Chi-chuen were listed as “Longhair” and “Slow Beat” respectively, while artist Natalis Chan Pak-cheung was “Brother Nat”. Some contacts are stored under their titles: the office telephone number of the Chief Executive was stored as “Chief Executive”, while Dai Da-jiang, Commissioner of the Economic Affairs Department of the Liaison Office of the Central People’s Government in the Hong Kong SAR, was recorded in simplified Chinese.

Leung Kwok-hung. Photo: Tom Grundy/HKFP.

The “Reverse Look-up” feature of CM Security is restricted to local numbers, whereas Truecaller and Sync.ME impose no such restriction. Sir Colin Renshaw Lucas, emeritus vice-chancellor of Oxford University; Wang Sheng-hong, former President of Fudan University; and Cai Chi-meng, a researcher at the Chinese Association of Hong Kong and Macao Studies, are all in the Truecaller database.

Truecaller has a database of over 3 billion telephone numbers, while Sync.ME has collected information of over one billion contacts and their social network profiles including Google, Facebook and LinkedIn. CM Security collects users’ phone address books through WhatsCall, another app developed by Cheetah Mobile. CM Security has hundreds of millions of identified numbers in its database.

WhatsCall Privacy Policy. Photo: FactWire.

A check of the apps’ privacy policies shows that users may have agreed to hand over their phone address books when they installed the apps. WhatsCall’s Privacy Policy and End-User License Agreement state that the company may read the contact information stored on users’ mobile devices. The address book on each device may be uploaded to WhatsCall’s server “in an encrypted manner” and merged with the address books of other users. The merged data is compiled into a database that WhatsCall will “intelligently and automatically analyse” in order to “provide strange number identification, business phone number identification and other features”. Users’ information will also be shared with WhatsCall’s “controlling and controlled third parties”. Note that encrypting the upload only protects the data in transit: the company must hold the address book in plaintext to merge it with others, so the encryption offers no protection to the people listed in it.

Sync.ME Terms of service. Photo: FactWire.

Both CM Security and WhatsCall were developed by Cheetah Mobile. FactWire used a new, unused telephone number to set up a WhatsCall account. Later that same evening, the number was traceable in the CM Security database using the “Reverse Look-up” feature. The database also showed that LegCo president Andrew Leung Kwan-yuen is a WhatsCall user. Since the WhatsCall privacy policy states that the address book on each device may be uploaded to the WhatsCall server “in an encrypted manner” and merged with the address books of other users, there is a chance that Leung’s phone address book has been collected and integrated into the database. FactWire tried to contact Leung this Thursday (17 November) to confirm this, and Leung said that he did not have time for a discussion. FactWire later tried calling Leung’s mobile number, but no one picked up.

Truecaller’s privacy policy states that the sources of its database include users’ social networks, their contact information and information they provide to the Truecaller database, used for “Reverse Look-ups” and user search, enhancing results and contacting users. Truecaller’s terms of service state that should users opt to “participate in the Enhanced Search functionality”, which includes features such as “Reverse Look-up” and “Caller ID search”, the company may “collect, use and share certain information regarding the contacts contained in the users’ phone books (contact information)”. The policy also states that when users install and use the app, Truecaller will “collect, process and retain personal information”, including “geo-location, IP address, IMSI, messages, times and date of calls, durations of calls”. The policy requires users to obtain consent from the contacts in their address books before providing their contact information to the company.

WhatsCall Privacy Policy. Photo: FactWire.

Sync.ME CEO and co-founder Ken Vinner told FactWire that the app’s data is “a collection of publicly available phone data, data from third party companies and crowdsourced user data”. Its terms of service also require users to have obtained their contacts’ consent before sharing their personal information with Sync.ME.

Choy Ki: Users may have violated Principle 3 of the Personal Data (Privacy) Ordinance

According to the Six Data Protection Principles of the Personal Data (Privacy) Ordinance, Principle 3 (use of personal data) states that personal data must be used only for the purpose for which it was collected, or for a directly related purpose, unless the data subject gives voluntary and explicit consent to the new purpose.

Legal consultant Craig Choy Ki said that WhatsCall, Truecaller and Sync.ME do state the purpose of collection in their privacy policies. However, if users of these apps (the data users) upload their friends’ information (the data subjects) into the companies’ databases without consent, that differs from the original purpose for which the telephone numbers were collected, namely contacting those people, and so qualifies as a new purpose. Choy said that “this may have violated Principle 3 although citizens may not have intended to act against the law”.

Citizens could request to remove personal information

Choy reminded users that Truecaller is subject to the data protection rules of the European Union and Sweden. If users find that their personal information is in the Truecaller database without their consent, they have the right to ask the company to delete it, he said.

Truecaller and Sync.ME allow people to delist their numbers and opt out of having their contact information searchable in the databases. The companies say they process such requests within 24 hours. FactWire asked Cheetah Mobile to describe its procedure for removing personal information. The company replied that it is “currently in the silent period before the earnings release” and declined to respond at the moment.
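To make concrete the mechanism the privacy policies describe (each user’s address book uploaded, merged with other users’ books, and queried by number) and the opt-out described above, here is a toy model added for this article. It is not code from any of the three apps, whose internal pipelines are not public. The address books, names and +852 numbers are constructed for the example; the normalisation rule (numbers without a country code are 8-digit Hong Kong numbers) and the majority-vote choice of display name are assumptions, not anything the companies have stated.

```python
"""Toy model of a crowdsourced caller-ID database (constructed example).

Each registered user uploads their address book; the service merges all
books into one reverse index keyed by phone number. A number becomes
searchable as soon as *any* user has it saved, whether or not its holder
ever installed the app, and the name shown is whatever label the
uploaders happened to use.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Set, Tuple


def normalise(number: str, default_cc: str = "+852") -> str:
    """Canonicalise a dialled string so that '5555 0102' and
    '+852 5555 0102' land on the same key.

    Assumption (not from the apps): a number without a leading '+' is an
    8-digit Hong Kong local number and gets the +852 country code.
    """
    digits = re.sub(r"\D", "", number)
    if number.strip().startswith("+"):
        return "+" + digits
    return default_cc + digits


class CallerIdIndex:
    def __init__(self) -> None:
        # number -> (label, uploader) for every address book it appears in
        self._labels: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
        self._registered: Set[str] = set()  # people who installed the app
        self._delisted: Set[str] = set()    # holders who asked to be removed

    def register(self, user_number: str, address_book: Dict[str, str]) -> None:
        """A user installs the app and, per the EULA, uploads their address book."""
        user = normalise(user_number)
        self._registered.add(user)
        for label, raw_number in address_book.items():
            key = normalise(raw_number)
            if key in self._delisted:
                continue  # honour an earlier opt-out by the number's holder
            self._labels[key].append((label, user))

    def reverse_lookup(self, number: str) -> Optional[dict]:
        """Return what a stranger querying this number would see, or None."""
        key = normalise(number)
        entries = self._labels.get(key)
        if key in self._delisted or not entries:
            return None
        # Display name: the label most uploaders agree on; ties go to the
        # label seen first. Inconsistent labels ("Longhair", "Brother Nat")
        # are the tell that the data came from personal address books.
        best_label, _ = Counter(label for label, _ in entries).most_common(1)[0]
        return {
            "number": key,
            "name": best_label,
            "labels": sorted({label for label, _ in entries}),
            "contributors": len({uploader for _, uploader in entries}),
            "is_user": key in self._registered,
        }

    def delist(self, number: str) -> bool:
        """Opt-out by the number's holder: drop every stored copy of the
        number and refuse future contributions of it. Returns True if
        anything was actually removed."""
        key = normalise(number)
        self._delisted.add(key)
        return self._labels.pop(key, None) is not None


def build_demo() -> CallerIdIndex:
    """Three constructed users upload their (fictitious) address books."""
    idx = CallerIdIndex()
    idx.register("5555 0100", {"Dr Chan": "5555 0102", "Mum": "5555 0103"})
    idx.register("5555 0101", {"Dr Chan (dentist)": "5555 0102", "Boss": "5555 0103"})
    idx.register("+852 5555 0105", {"Dr Chan": "+852 5555 0102"})
    return idx


if __name__ == "__main__":
    idx = build_demo()
    # +852 5555 0102 never installed the app, yet anyone can look it up.
    print(idx.reverse_lookup("5555 0102"))
    idx.delist("5555 0102")
    print(idx.reverse_lookup("5555 0102"))  # None once the holder opts out
```

The point of the model is who is exposed: the searchable population is the union of every user’s contacts, not the set of users, and the only person who can remove an entry is its holder, who must first discover it exists. The delisting step also has to block re-insertion, otherwise the next upload from any friend puts the number straight back.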

FactWire consulted the Office of the Privacy Commissioner for Personal Data (PCPD) on the legality of the “Reverse Look-up” feature and of apps collecting users’ phone address books. Privacy Commissioner for Personal Data Stephen Wong Kai-yi said that if there was sufficient reason to believe that the apps’ operations violated the Personal Data (Privacy) Ordinance, the PCPD could open an investigation.

FactWire asked Kingsoft, Cheetah Mobile, Truecaller and Sync.ME about the location of their servers and whether the companies provided personal data to the Government upon request from law enforcement organisations.

Sync.ME told FactWire that its server was located in the United States. The company did not provide users’ personal data to the Government and law enforcement organisations, it said.

Truecaller has not yet replied. The company’s privacy policy states that it may “transfer, process and store personal data in a number of countries” and “may share users’ personal data with trusted third party service providers and partners”.

Kingsoft and Cheetah Mobile replied that they are “currently in the silent period before the earnings release” and declined to respond at the moment. The WhatsCall privacy policy states that users’ information may be transferred to the company’s facilities; its servers are hosted in leased internet data centres in various parts of China as well as in other Asian countries, the United States, Europe, Australia and Brazil. The company’s headquarters are in Beijing.

CM Security and WhatsCall were developed by Cheetah Mobile (NYSE:CMCM), a company listed on the New York Stock Exchange in which Hong Kong-listed Kingsoft Corporation Limited (3888) holds a 47% stake. In the first half of 2016, Cheetah Mobile generated 1.598 billion yuan from its mobile businesses, 74% of its total revenue, while Kingsoft generated 2 billion yuan from Cheetah Mobile. WhatsCall has recorded over 10 million downloads and 1 million users worldwide, and has collected hundreds of millions of telephone numbers, since its launch in December 2015.

Stephen Wong Kai-yi. Photo: GovHK.

Lei Jun, Chairman of the Board of Directors of both Kingsoft and Cheetah Mobile, is also a co-founder of the Chinese electronics company Xiaomi. The Xiaomi Security Centre app, installed by default on Xiaomi smartphones and also provided by Cheetah Mobile, offers virus scanning, virus protection and “Caller ID & Blocking” features. In late August, Truecaller announced a deal with the Chinese company Huawei under which Huawei phones will come preloaded with the new Truecaller app, starting with the Honor 8 Android model. The feature will be available to Huawei customers in America, the Middle East, North Africa, Southeast Asia and India by the end of September 2016.
