Meitu's selfie app is sharing your phone's location and data with China

Privacy and security experts have warned about installing the Meitu application

Meitu lets you transform your selfies into an anime character, but beneath the layers of artificial makeup is a potential privacy nightmare.

Meitu launched MeituPic in 2013 and it soared to the top of the Chinese app charts. The app re-branded as Meitu last year and, following a recent update, has seen a surge in press coverage over the past 48 hours. The application works by taking a selfie, smoothing a person's skin, adding virtual makeup and a number of other effects.

To do this, Meitu needs access to your camera and photo library, but it also asks for your phone's location, Wi-Fi connection information, time zone, local IP address, SIM card number, whether a phone is jailbroken, and, on Android devices, the unique identity number (IMEI). This data is seemingly being sent back to China.

"This information can be used to track the individual’s physical location, day-to-day behaviours, as well as starting the process of performing a cell clone," Greg Linares, from AI security company Vectra, told WIRED.

"Meitu is a throw-together of multiple analytics and marketing/ad tracking packages, with something cute to get people to use it," forensic scientist and security expert Jonathan Zdziarski added on Twitter.

Launched in 2008, Meitu raised $360 million (£291m) in four funding rounds and was valued at $5.2bn (£4.21bn) after a public offering at the end of 2016. The company claims its app has been installed on more than one billion devices, is used in 26 countries, and generates six billion enhanced photos per month, collecting colossal amounts of data.

"Meitu’s sole purpose for collecting the data is to optimise app performance, its effects and features and to better understand our consumer engagement with in-app advertisements," a statement from the company says. "Meitu DOES NOT sell user data in any form."

"As Meitu is headquartered in China, many of the services provided by app stores for tracking are blocked. To get around this, Meitu employs a combination of third-party and in-house data tracking systems to make sure the user data tracked is consistent."

Meitu also says permissions on Android and iOS are within both app stores' guidelines and are similar to other camera apps. The firm checks if phones are jailbroken as it is a requirement from the WeChat SDK, and because "jailbroken devices can manipulate and modify the app source code".

Addressing concerns about hackers being able to get access to this data, Meitu added that analytics and advertising units in the app "are limited" and consist of umeng, AppsFlyer and its own ad trackers, meaning data is transmitted through encrypted layers to protect it from cybercriminals.

"There is a fine line between ‘marketing data’ and ‘target data’," Linares continued. "If I was an individual interested in cloning phones, and had the equipment and knowledge to achieve it, this information would make a great first step in matching people to their unique ID numbers."

He advises users "delete [the app] or put it on a burner device" if they're worried about the implications. "The sad fact is that this data has probably already been stolen by the last four viral applications that you used and since uninstalled."

This is the latest in a line of high-profile data collection concerns. WhatsApp was recently criticised for sharing personal information with parent company Facebook in 2016; privacy campaigners heavily criticised the UK's Investigatory Powers Act that allows for the collection of web history; and some of tech's largest companies have been trying to change how they are seen. Apple has a privacy site, for example, and Google regularly updates its privacy tools.

However, many web services and applications are involved in selling user data to advertisers and other firms. A study in 2013 found 20 of the top health apps were selling anonymised user data to around 70 companies.

This article was originally published by WIRED UK