Author : Trisha Ray

Expert Speak Digital Frontiers
Published on Jan 06, 2020
The Surveillance State v. China Inc: The dilemma of India’s App Users

An oft-invoked adage of the digital age is that if something is free, you are the product. Global technology giants like Facebook and Google have been under public scrutiny for their privacy and advertising policies; however, they are by no means the only purveyors of free online services that engage in these practices. Beijing has reportedly leveraged free-to-use apps like WeChat for intelligence gathering and has instituted cybersecurity and data laws that facilitate surveillance. India’s Personal Data Protection Bill, a revised draft of which was circulated on December 11, presents a deeply flawed solution, leaving Indian users in the lurch.

China’s Domination of the App Economy

Chinese apps are dominating the app economy in India. In 2017, only 18 of the top 100 apps listed on Google Play were Chinese. By 2018, this number had grown to 44. Most of these apps are free: from usual suspects such as Tik Tok, to games like PUBG and Clash of Kings, as well as e-commerce platforms like Club Factory.

App Parent Company Category Number of Downloads (as on December 5, 2019)
Tik Tok (+TikTok Lite) ByteDance Short videos 13.6 million (+245,874)
PUBG Mobile Tencent Game 22.9 million
Club Factory Club Factory E-commerce 1.3 million
Clash of Clans


Tencent (majority stake)

Game 50.6 million
Likee YY Inc Short video 4.1 million
SHAREit SHAREit Technologies Co.Ltd File sharing 12.7 million
Camera360 PinGuo Inc Photo editing 4.9 million
Helo Bytedance Social 1.1 million
UC Browser Alibaba Group Browser 20.6 million
Xender Beijing Anqi Zhilian Technology Co. Ltd. File sharing 2.2 million
BeautyPlus Meitu Inc. Photo editing 4.2 million
Hago Alibaba Games 3.8 million
WeChat Tencent Messaging 5.7 million
CamScanner INTSIG Information Co. Ltd Scanner 2.2 million
Turbo VPN Innovative Connecting VPN 3.3 million

Table 1: Abridged List of Popular Chinese Apps in India with 1 million+ Downloads

India is thus a major market for Chinese apps and allied services. In addition to marketing apps, Chinese technology companies have invested heavily in Indian technology startups as well: in 2018 alone, Chinese VCs invested $5.6 billion in Indian startups.

Chinese apps have come under the Indian government’s radar a number of times, most notably in the wake of the Doklam incident in 2017 and the 2019 General Elections. In December 2017, the Indian Ministry of Defence directed the armed forces to uninstall 42 Chinese apps that “reliable reports” stated are likely riddled with spyware and/or malware. In April 2019, Bytedance came under fire for hosting falsified information and for their inaction on the rampant use of their platforms by child predators.

From Beijing, With Love 

While Chinese social media and video sharing apps have been repeatedly criticised for their weak moderation and resultant misuse, the broader Chinese app ecosystem suffers from a host of accountability and privacy issues.

In November 2019, there were two major, unprecedented leaks from Beijing detailing the internment and “re-education” of Uyghurs. The documents show that the CCP allegedly used two popular apps -- Zapya and WeChat (Weixin in China) -- to identify and target Uyghurs.

Chinese unicorn Megvii made headlines earlier the same year when the US Commerce Department blacklisted the company alleging that their facial recognition technology Face++ was being used by the Chinese government to persecute Uyghurs. Face++ customers include popular photo editing apps like Camera 360 and Meitu’s Beauty Plus.

Chinese technology giants also score poorly on corporate accountability and transparency. While Tencent (the company behind WeChat) and Baidu have made some improvements on these parameters in response to the Personal Information Security Specification (2018), the Specification itself gives the Chinese government considerable leeway through exemptions under the categories of “national security and national defense” as well as “public safety, public health, and significant public interests”. Weixin and Zapya both include provisos on these grounds that facilitate disclosure of personal information to government agencies.

Personal Data: Unpeeling the Onion

China’s Specification, in conjunction with Multi-Level Protection Scheme (MLPS 2.0), mirrors India’s Personal Data Protection (PDP) Bill in many ways: both identify obligations of data fiduciaries/personal information controllers, both institute data auditing bodies and restrict certain cross-border data flows.

What do these guidelines and regulations mean for the plethora of Chinese apps in the Indian market? The newest draft of the PDP Bill has relaxed data localisation requirements <1> Chinese tech giants, such as Alibaba and Tencent, have already opened data centers in India, with other players like Bytedance announcing plans to do the same as well.

Localisation provisions under Chapter VII therefore help bring the data of Indian users under the aegis of Indian laws. However, this is where Indian law has substantial ground to cover. While the PDP Bill is robust in terms of the obligations of privately-owned data fiduciaries and has even incorporated the concept of the right to be forgotten, it has been widely criticised for the creation of broad exemptions based on national security and law enforcement, granting government agencies virtual immunity to this legislation. In sum, all personal and critical data can be accessed by government agencies under a wide gamut of reasons, including the omnipresent yet vague categories “sovereignty and integrity of India, the security of the State, friendly relations with foreign States, and public order”.

Indian users are caught between a rock and a hard place: wherever their data goes, it is afforded little protection from the overbearing state.

In Search of Alternatives

China’s domination of India’s app economy rides on the aversion of users to pay for online services. This problem is by no means unique to India: surveys in the aftermath of the Cambridge Analytica scandal found that a majority of users would continue to use these apps free, rather than pay a modest fee. Furthermore, the privacy paradox points to the skewed perception of the actual tradeoff between convenience and privacy: users seem to place very little value in the protection of their data.

It is therefore crucial that users be aware of exactly where their data is going, and consider whether the allure of a “free” service is worth the long-term costs of the erosion of privacy and eventual loss of autonomy.

<1> Sensitive personal data (Sections 5-20) is all data constituting of and relating to financial data, health data, official identifiers, sexual orientation and habits, biometrics, genetic data, caste, tribe, religious and political identity.

The Central Government will notify on the definition of critical personal data.

NOTE: The US Department of Commerce based its decision on the 2019 Human Rights Watch (HRW) report titled ‘China’s Algorithms of Repression.’ HRW later issued a clarification, brought to the author‘s attention on 16 January 2020 by the Brunswick Group — which represents Megvii — that the “Face++ code used in the IJOP app was inoperable.” Megvii has denied any connection with the IJOP apps used in Xinjiang. The author thanks the Brunswick Group for the clarification.

The views expressed above belong to the author(s). ORF research and analyses now available on Telegram! Click here to access our curated content — blogs, longforms and interviews.


Trisha Ray

Trisha Ray

Trisha Ray is an associate director and resident fellow at the Atlantic Council’s GeoTech Center. Her research interests lie in geopolitical and security trends in ...

Read More +