Hong Kong’s leader Leung Chun-ying and the city’s No 2 official Carrie Lam Cheng Yuet-ngor are among billions who had their mobile phone numbers leaked by smartphone security apps.
The pair were revealed to be victims of leaks by apps CM Security, Truecaller and Sync.ME, which offer users protection against unwanted incoming calls.
The free apps, which can be downloaded for both Android and iOS devices, have been collating users’ phone address books into a publicly available online database, an investigation by Hong Kong-based news agency Factwire has found.
Other victims included Legislative Council president Andrew Leung Kwan-yuen, former police commissioner Tang King-shing, film director Alfred Cheung Kin-ting, actress Liza Wang Ming-chun and television host Natalis Chan Pak-cheung.
Contact details for more than 60 out of 70 sitting lawmakers were available across CM Security and Truecaller, Factwire found.
Users of the apps can trace the names of billions of number holders by inputting their digits into a “reverse look-up feature”. But searching for a contact simply by inputting their name does not tend to produce the relevant contact number. Users agree to share their phone address book with the app companies when they download their products.
They can upgrade their accounts for a fee in order to access more information, but it is not apparent what specific extra details this entitles them to.
Stuart Hargreaves, assistant professor at Chinese University’s faculty of law, said he thought the apps violated two privacy protection laws included in Hong Kong’s Personal Data Privacy Ordinance.
He said it was unlikely users would seek permission from every individual in their phone book before agreeing to share their contact details.
“Not only is this problematic because these privacy policies are the kind of ‘click-wrap’ agreements that people tend to simply click ‘accept’ to rather than actually reading and understanding, given that users often have hundreds or even thousands of contacts in their mobile phone contact lists, it is improbable they would take the time to obtain such consent,” he said.
“The apps don’t even seem to contemplate this individualised seeking of consent actually happening, since a user cannot selectively upload parts of their contact list – it’s all or nothing,” Hargreaves said.
Ki Choy, spokesman for campaigners the Progressive Lawyers Group, said those seeking legal compensation over the leaks might face problems.
“It would be difficult to make a civil complaint against a friend, as you don’t know who has shared your details, and it would be difficult to assess the damage caused by that breach of trust,” he said.
The CM Security app is advertised online as “the most trusted and top-rated free anti-virus, mobile security and anti-theft app”.
Sync.ME chief executive and co-founder Ken Vinner told Factwire that all the app’s data was “publicly available”.
Privacy Commissioner Stephen Wong Kai-yi said he was very concerned and asked the public to delete the concerned data.