China May Be Monitoring Hong Kong Protesters’ Off-the-Grid Chats

Hong Kong protesters
Carlos Barria/Reuters

An app called FireChat is making headlines for being the go-to medium for communication among pro-democracy protesters in Hong Kong. It was downloaded 100,000 times in 24 hours. Though the peer-to-peer messaging app boasts “off-the-grid” communication, it was neither conceived nor designed with privacy in mind. FireChat communications are public and therefore can be used by law enforcement authorities against their authors.

FireChat, which works on iOS or Android, allows people within a 70-meter radius to communicate with each other in the absence of Wi-Fi or cellphone service. Protest organizers encouraged participants to download the app in the event Wi-Fi service was shut off. Though the island’s Wi-Fi is currently intact, the app is proving useful because a large number of people are packed into a small area that has heavily congested cell service.

When users download the app on their device for the first time, they are asked to provide a unique username and an email address. Once logged in, they are able to join any number of chat rooms. In an interview with Newsweek, Christophe Daligualt, chief marketing officer of Open Garden (the organization that created FireChat), compared the app to a big party that is made up of many smaller groups. As with a big party, the conversations in FireChat can be fluidly entered and left. But unlike a party, there is no way of telling how many people are there. Users only appear as in attendance if they are actively participating in a chat room’s conversation, allowing any number of incognito viewers.

As of Monday, 97,000 unique chat rooms had been created in Hong Kong. And as long as people are within range of a chat room, they can plausibly see the contents—including law enforcement. Though there is no record of off-the-grid chats, if users opt to connect to the Internet they will be able to see the last 10 messages.

Daligualt concedes police monitoring is entirely possible. “There are people who are joining the chat rooms, reporters,” he says. “So it is probable that police and authorities are doing the same—especially with all the press we’ve gotten.”

To somewhat remedy the fact that communications are currently public, FireChat encourages people to use a pseudonym instead of their real name. But this hardly assures anonymity—the app requires registering with an email address, for starters. So will people using FireChat get in trouble down the road? It depends what they do with it, Daligualt says, adding, “Don’t type anything you wouldn’t want a stranger to read, because a stranger can read it.”

But finding the right conversation isn’t easy, for protesters and potentially snooping police alike. On Twitter, for example, you can identify conversations you want to be a part of by searching for hashtags or keywords. “But if you are on FireChat and there are 97,000 chat rooms, you can’t even see most of them. When you join in, you’ll have 20 options displayed.... That creates more of a challenge,” Daligualt says.

While there has yet to be proof of FireChat communication monitoring by police, the app’s current vulnerabilities make it possible. And as a chosen method for easy communication and for circumventing social media censorship, it is likely to become a target.

Reports are already trickling in of protesters’ phones being targeted with malware. Researchers discovered a virus that spies on iOS devices and is capable of stealing data ranging from call logs to passwords. The code used to control the server is written in Chinese and is being used to target protesters, according to Michael Shaulov, chief executive of Lacoon Mobile Security. “It is the first time in history that you actually see an operationalized iOS Trojan that is attributed to some kind of Chinese entity,” he said.

Another virus was recently discovered targeting Android users and was disguised as an app called Code4HK. A link to the app was sent to protesters, urging them to download it to help Occupy Central better coordinate rallies. In reality, Code4HK is a spying app that requests access to a mass of data, including contacts, browsing history, location and messages. Though the spyware’s origins have not been identified, the hosting server’s login is in simplified Chinese, which is predominantly used in mainland China.

With the proliferation of data-swiping viruses in Hong Kong at this time, device communications are especially vulnerable. But the absence of true anonymity is not reason enough to abandon FireChat. Students are using the app in creative and practical ways, says Daligualt. “The chat room will designate a very specific location, a street corner, so people can find out easily what is happening at that particular spot or leave a message for someone who is meant to be there.” It is being used in very practical ways, he adds.

All eyes are on China’s next move, with many wondering if a crackdown would resemble the violence in Beijing’s Tiananmen Square in 1989 or if the government will wait the protesters out. Either way, digital attacks have begun, and information could be used against protesters even after the demonstrations are over.