China's JD denies illegally collecting private WiFi data through smart-appliance application

Wifi Symbol

By Xu Yuan. 15 August 2017.

Chinese e-commerce company JD.com has denied reports that it violated the country's Cybersecurity Law by collecting customer WiFi information without authorization.

Local media reported that Smart Cloud, JD's Internet of Things, or IoT, platform designed for home appliances that connect to the Internet, uploads and stores customer WiFi information on its server without prior notification.

In response, Smart Cloud said the uploading of WiFi information from connected smart appliances only occurred in the first half of 2016 and was the result of procedural issues related to network distribution-compatibility issues. "Not only was the data encrypted, but no information related to the WiFi was saved on the server," Smart Cloud said in a statement issued by JD.

The company said no WiFi information was uploaded from the second half of 2016 thanks to the application of new technology.

An experiment conducted by an anonymous user on Chinese social media site Zhihu first discovered that Smart Cloud would upload users' WiFi names and passwords to its server without any notification.

JD said this is only possible by "hijacking" a user's cellphone using special techniques. "If the phone is not hijacked, a third party is not able to acquire the information," the company said.

The company, in its response to the media reports, also included statements from six of its connected-appliance partners, including Midea and Honeywell, to support the legitimacy of its uploading of WiFi details.

"Different appliance makers use different algorithms for network distribution, but they all require the conversion of WiFi information," Ma Jianliang, a senior manager at Midea, said. "I personally think Smart Cloud uploads WiFi information to offer flexible compatibility among chips used by different manufacturers and to improve user experience."

The appliance companies also endorsed JD's protection of users' WiFi information. "[JD] encrypts the information so it can guarantee the security of users' privacy," a director from Chinese television maker Changhong said.

The swift response by JD reflects the increasing awareness of both the public and businesses of the importance of privacy protection in China since the implementation of the Cybersecurity Law, which came into effect on June 1. Since then, there have been a series of high-profile advocacy activities and enforcement actions.

The law requires prior consent for personal information collection and asks network operators to take protective measures.

Together with Alibaba and Tencent, JD is among 10 Chinese Internet companies that are under a recently launched campaign by the government to make sure the companies' privacy policies are in compliance with the Cybersecurity Law.

Privacy report