Navigating Risks From Chinese Apps

An investigation published last month by Taiwanese independent outlet The Reporter (報導者) found that the Chinese navigation app Amap, also known as Gaode Map (高德地圖), transmits users’ data to servers inside China, according to the outlet’s analysis of the app’s network traffic. The investigation found that the app transmits location data, along with a tracking code capable of identifying users across other apps.
The outlet’s reporting substantiates the risks facing Taiwanese and international users of Chinese-developed map services more broadly, showing that even routine consumer apps from China can double as channels for state data collection — supported by Chinese laws that oblige companies to share user data with security and intelligence agencies on request.
By testing how Amap could pose a threat to users’ personal data security, The Reporter analyzed transmitted data packets, including their content and the frequency with which they were sent to the server, and compared them with those generated by other map services, including NaviKing, owned by the Taiwanese company KingwayTek Technology, and Google Maps.

The result, conducted through tests using the same phone, routes and internet, revealed that Amap uploaded the data roughly every three seconds, while Google Maps and NaviKing did so around every 30 seconds and 22 minutes respectively. Apart from uploading location data, The Reporter also found that sensor information, such as phone brightness and altitude, was transmitted.
“CAID,” a deceiving code used to track users’ data by the China Advertising Association (中国广告协会) and the China Academy of Information and Communications Technology (中国信通院), or CAICT, was identified when running the packet analysis, even after deleting and reinstalling the app. The code is embedded once the app is downloaded, without asking users’ permission.
Amap generated public discussion in April this year, when it released a new function — a detailed prediction of traffic light countdowns in Taipei and Kaohsiung, two major cities in Taiwan. The same month, Taiwan’s Ministry of Digital Affairs (MODA) announced a ban on the use of the app in government agencies, in accordance with the Cyber Security Management Act.
Amap, owned by the Alibaba Group, was found by MODA to exhibit 11 cybersecurity risk behaviors. Amap’s overseas privacy policy states that personal data is stored on servers located in Singapore or China, and could be shared with partners and service providers in China.
Chinese enterprises have played a leading role in the Digital Silk Road, a Chinese-led project to share its technology with the world under the Belt and Road Initiative, according to Article 19, an international human rights organization. The BeiDou satellite navigation system, a Chinese-made technology used by Amap, has reached agreements within the Indo-Pacific region, including in Thailand and Cambodia. Cambodian human rights organizations have also raised concerns about the risk to transparency, according to Article 19.
Chinese law provides a basis for the state to obtain personal data from private organizations. For example, Article 35 of the Data Security Law of the People’s Republic of China (中华人民共和国数据安全法) states organizations’ obligation to provide information for national security purposes.















