Is your Chinese smartphone spying on you?

What if you could get a top-of-the-line Android phone equipped with the latest processor and loaded with slick new features at a steep discount? There's only one catch: It's a Chinese smartphone and the Chinese government could use it to spy on you.

These security concerns have led America's intelligence agencies to warn against using Chinese smartphone-makers Huawei and ZTE. "[A Chinese smartphone] provides the capacity to maliciously modify or steal information," FBI Director Christopher Wray told Congress last week. "And it provides the capacity to conduct undetected espionage."

So: How legitimate are these concerns? They're certainly not unfounded, but they're also more complicated than Wray's testimony alone lets on.

Subscribe to The Week

Escape your echo chamber. Get the facts behind the news, plus analysis from multiple perspectives.

SUBSCRIBE & SAVE

Sign up for The Week's Free Newsletters

From our morning news briefing to a weekly Good News Newsletter, get the best of The Week delivered directly to your inbox.

From our morning news briefing to a weekly Good News Newsletter, get the best of The Week delivered directly to your inbox.

Sign up

It's true that China has long been the most aggressive nation-state hacking U.S. businesses and the government. From stealing plans for the advanced F-35 stealth fighter to State Department files, Chinese hackers have made off with invaluable trade secrets, sensitive government data, and personnel records.

But it's also highly unlikely that the Chinese government has taken a sudden interest in hacking into the devices of ordinary Americans. That's not China's style. The country's hackers have demonstrated that their primary focus is on stealing military and trade secrets so it can rapidly develop its armed forces and key industrial sectors.

Chinese smartphones have also come under a lot of criticism for spyware. Over the last several years, there have been multiple discoveries of malware loaded on Xiaomi, Lenovo, Huawei, and other Chinese smartphones.

In 2016, for instance, the mobile security firm Krytpowire uncovered Chinese malware on as many as 700 million budget Android devices. Hidden in a benign support app, the pre-installed, third-party software would secretly send full text messages, contact lists, call history, location data, and other sensitive information to a server in Shanghai every 72 hours. The offending company, Shanghai Adups Technology Co., was reportedly using the data to tailor advertising to users; it claimed the app was only intended for the Chinese market and that a small number of America-bound phones were loaded with it due to a glitch.

Chinese malware hidden in smartphones certainly sounds suspicious, but it's hardly a smoking gun. After all, the greatest threats that computers and mobile devices around the world faced in the past year, Spectre and Meltdown, stemmed from security flaws in American-made chips.

But in the Adups example lies the real problem with Chinese smartphones: data.

For phones to function properly, many core processes require access to your location data, calls, and messages. This is as true of the humble Huawei Honor 7 as the elite Apple iPhone X. So while many Chinese smartphones don't actively use any Chinese apps, as the Adups case reveals, they still have firmware and other relatively innocuous pre-loaded background software that communicate with servers in China.

And unlike America, China lacks data protections.

"The line between private companies and state institutions is often quite blurred," said Maya Wang, a researcher from Human Rights Watch. "In theory, there are protections on citizens' data, but in practice there are no controls about how this data may be used."

Chinese tech companies play a central role in the government's far-reaching surveillance apparatus that closely monitors what its citizens are doing and saying online. Under China's sweeping cybersecurity law, companies are required to give authorities full access to its data upon request.

So when it comes to Chinese-made smartphones, the worry is less about nefarious hackers hiding malware on phones, and more about where data from mundane apps is going.

When a person sets up their new phone and taps "I agree" on the confidentiality agreement, they are essentially handing over their personal data to whoever made their phone. And when in comes to Chinese companies, that might be a mistake.