JD Finance App’s Privacy Breach Prompts Online Backlash

JD Finance App’s Privacy Breach Prompts Online Backlash
People use their phones outside the Legislative Council offices in Hong Kong on July 26, 2016. (Anthony Wallace/AFP/Getty Images)
2/20/2019
Updated:
2/21/2019

A finance app run by Chinese e-commerce giant JD.com was recently caught storing users’ screenshots without permission, in the latest instance of privacy breaches plaguing China’s tech space.

On Feb. 16, two videos posted on China’s Weibo, a Twitter-link platform, showed how the JD Finance app stored user’s screenshots and photos without asking for permission, while the app was running in the background.

The video went viral and prompted severe criticism from Chinese netizens. The company has since apologized, and fixed the problem.

In the first video, the user named “Skinny Amu” opened a banking app and took a screenshot of the interface while the JD Finance app was running in the background. He then showed that the screenshot he just took appeared as file under JD Finance’s program.

Similarly in the second video, the user showed how a picture taken using a third-party camera app appeared as a file under JD Finance’s app.

The videos were viewed more than 2.5 million times within a day. Many commenters said they found the same result when they tested it on their phones.

In response to the outcry, JD Finance issued a statement on the same day saying it “would never collect any information without user’s authorization, nor would we ever steal unauthorized information.”

It also claimed that the storage of screenshots was to “make it more convenient for users to communicate with customer service” when they needed to show a screenshot to address certain issues.

“Skinny Amu” and other Chinese netizens, however, were not convinced by the explanation.

“In my second video, I showed that JD Finance stole a picture I took with BeautyCam, which was not a screenshot and had nothing to do with customer feedback. How do you explain that?” Skinny Amu wrote.

The user also said that storing screenshots for feedback purposes does not require copying the original image, only a cache of its file path. He therefore had reason to believe that JD Finance did this for other purposes.

An unnamed cyber security expert told China Business Journal that copying user’s data to JD’s own directory is totally unacceptable, whatever the reason.

JD Finance issued a second statement on Feb. 17, saying after investigation it found that only apps installed on certain versions of the Android system had this issue. The company said it removed the function.

JD Finance also apologized for making a “rudimentary mistake,” and for hurting users’ trust.

A cyber expert who chose to remain anonymous told the self-media outlet “Unicorn Finance” that JD’s claim did not stack up.

“In general, technical development must go through peer review. So it’s very unlikely to be an accidental mistake,” he said.

Last March, CEO of Chinese search giant Baidu, in a speech given at the China Development Forum, said: “Chinese people are more open, and less sensitive to privacy issues.”

“In many cases, they are willing to sacrifice privacy in exchange for convenience, which allows us to do more with the data we collect.”

His speech was met with a wave of condemnation online.