
WeChat Surveillance Explained - simonpure
https://citizenlab.ca/2020/05/wechat-surveillance-explained/
======
muglug
Previous discussion:
[https://news.ycombinator.com/item?id=23109997](https://news.ycombinator.com/item?id=23109997)

~~~
lysium
Thank you. That is the full report. This site is its summary and an FAQ.

------
srl
If I've understood correctly, the test used was something along the lines of:
two non-Chinese accounts send back-and-forth messages including benign content
(maybe a picture of a pie) and less-benign content (maybe "I like Falun Gong
almost as much as I like the CDC"). Then, Chinese accounts would observe that
the picture of the pie might be censored. I don't actually see an unambiguous
description of what messages were sent, or how strong the effect is. Those
questions don't really matter for addressing "are non-Chinese accounts
monitored?" (unless CL is outright lying, obviously yes), but they _do_ matter
for the _fun_ question:

Can this be used to construct an attack on WeChat? Providing targeted
misinformation for training, to suggest correlations where there really are
none, thus triggering WeChat to have a higher false-positive rate when
censoring messages?

I'm reminded of RMS's famous practice (and a script in emacs, IIRC):
automatically append various keywords to the bottom of emails to screw with
any US surveillance that might be getting too nosy.

EDIT: I'm a dope, and should have read the full report (here:
[https://citizenlab.ca/2020/05/we-chat-they-watch/#part-2---t...](https://citizenlab.ca/2020/05/we-chat-they-watch/#part-2---technical-assessment))
before commenting.

As far as I can tell, an attack isn't possible. WeChat would ideally like to
analyze each document or video sent for sensitive content, but it takes some
time (on the order of 20 seconds, maybe), and so that analysis can't be
performed before messages are supposed to be delivered. However, if WeChat has
already seen the video, then it can make the judgement quickly, and perform
real-time censorship. Thus, sending a sensitive video the first time won't be
blocked, but all subsequent sends will be. CL's result seems to be that if the
first video send is between non-Chinese accounts, that's still enough to get
it analyzed and blocked the second time.

~~~
gnur
That it actually takes 20 seconds implies to me that actual people are viewing
the content. I don't see any automated system taking that long as I do believe
they would just throw more resources at the problem.

~~~
srl
I dunno, to process a video (maybe 20-80 seconds) and scan for suspicious
text/speech? I was impressed that it was under a minute.

I wonder though... do we know enough now to know at what rate actual people
view the content, vs just automated processing?

------
floatingatoll
If they’re using pure MD5 such that collisions work, then using steganography
techniques to embed random bytes encrypted with some obvious cipher will
bypass the initial autocensor while simultaneously driving the Chinese
intelligence services crazy trying to decrypt the random bytes in every image
sent. Note that using this approach may cause threat of harm to any sender or
recipient within China’s sphere of influence.

~~~
gnur
Or the other way around: send clean content first, then use a collision for
the nasty content.

~~~
floatingatoll
That's what they tested in the article.

------
lysium
Reminds me of the “free” online games, where the free players provide the
environment for the addicted “pro” players who pay a fortune for “extras” and
upgrades.

------
hkai
It's sad to see that the media drama around some of Facebook's practices
made some of my friends/colleagues quit Facebook and switch to WeChat.

It's like refusing to eat eggs and milk for ethical purposes and then
switching to steaks.

~~~
nirui
Any good alternatives?

I'm Chinese here; many "digital immigrants"(1) from China use Telegram as a
replacement for WeChat, I guess because of its group chat feature.

However, Telegram itself is not a surveillance-avoidance/privacy protection
tool of course, as you need a phone number to register, and a valid phone
number is really hard to get anonymously.

Footnotes:

1: "Digital immigrants" means people who digitally live outside the network
border of their own country, not the dumb buzzword that Wikipedia tries to
feed you

~~~
Shared404
Never used WeChat for obvious reasons, but matrix(1)/riot.im(2) may be what
you're looking for.

1\. [https://matrix.org/](https://matrix.org/)
2\. [https://about.riot.im/](https://about.riot.im/)

------
Dig1t
Why is this being downvoted?

