Is Baidu Secretly Collecting Japanese User Data?

On December 26th, the Japanese government’s National Information Security Center warned roughly 140 central government ministries, agencies, research institutions and public universities to either disable the cloud-input function of the Baidu input method editors (IMEs) or stop using Baidu IMEs. When the IME cloud-input function is enabled, data is automatically sent to the Baidu servers.

Baidu IMEs can be found on Windows platforms, often bundled with other software, or preinstalled in new PCs with the cloud-input function enabled by default.  On Android platforms, Simeji, app owned by Baidu, had been sending input information to Baidu even when the cloud-input function was disabled.

Baidu Denies Spying Activities

In response to Japan’s recommendations, Baidu pointed out that the cloud-input function helps make user’s input more accurate by constantly referring to the most current dictionary in the cloud. Personal information such as credit card numbers, passwords, addresses, phone numbers have not been sent to the servers even when cloud-input function is enabled. The IME servers are located only in Japan, and the data collected from users are securely managed.

Baidu emphasized that the cloud-input function can be found in the user agreement, but it was difficult-to-find, resulting in the inadvertent use of the Baidu IME cloud-input function. As part of their response, Baidu has made the user agreement easier read and they have also fixed a bug in the Simeji app that was sending information without cloud-input on. The bug fix was released on December 27th for cloud-input function disabled as the default setting.  This setting applies to updated users as well.

Baidu IME App-ID is Forthcoming

We recommend that Baidu IME users check their app settings to ensure that no data is being transmitted without their knowledge. In addition, we are in the process of creating an App-ID for the Baidu IME cloud-input function for both Windows and Simeji applications. When the Baidu App-ID is available, customers will be able to control Baidu IMEs for specific users or groups, or block the use of Baidu IMEs across their entire network.

The Baidu IME App-ID will be delivered in an upcoming content update.

[Source: Palo Alto Networks Research Center]

Leave a Reply