By Leslie Harris
Last week, the Biden Administration repealed the ill-considered Trump-era Executive Orders against TikTok and WeChat and replaced them with a new Executive Order on Protecting Americans’ Sensitive Data from Foreign Adversaries. The new Executive Order requires a careful assessment, based on neutral, evidence-based criteria, of the threats to national security and individual privacy posed by connected software from all foreign adversaries. While China continues to pose the greatest threat to our personal data, the new Executive Order wisely takes politics out of the equation and widens the lens to consider potential threats from software from other adversarial countries such as Russia or Iran.
Implementing the new Executive Order will be a formidable task. There are close to 3.5 million apps available in the Google Play Store and over two million in the Apple App Store. While apps from Chinese developers may be relatively easy to identify, our investigations have found large numbers of U.S. app developers integrating Chinese software development kits (SDKs) and other technologies into their apps.
In previous investigations, IDAC has identified and called attention to inappropriate behavior involving China-based companies in mobile apps.
For example, in one investigation, IDAC found that Jiguang, a leading mobile developer service provider and mobile big data solutions platform based in China with close to 37 million installations of its SDK, was covertly collecting personal and potentially sensitive information, including precise location data and lists of all other apps installed and uninstalled.
In our investigation of Premom, a popular fertility app that collects highly sensitive personal information from women in order to help them get pregnant, the U.S.-based app developer was using a different Chinese SDK, which was collecting highly sensitive user data and selling it in China.
The growing reliance on Chinese SDKs, advertising and analytics services, and the like makes it imperative that the risk assessment of Chinese software include an assessment of the Chinese SDKs and services that U.S. developers are integrating into their applications. Further, as the government begins this assessment, it should consider how best to incorporate the relevant findings of independent investigators and researchers.