Revisiting BAT Browsers: Protecting At-Risk Populations from Surveillance, Censorship, and Targeted Attacks
Authors: Esther Rodriguez (Arizona State University), Lobsang Gyatso (Tibet Action Institute), Tenzin Thayai (Tibet Action Institute), Jedidiah R. Crandall (Arizona State University)
Year: 2025
Issue: 1
Pages: 16–23
Abstract: A major use case for the use of VPNs by at-risk users is to put their web browsing activity outside the purview of potential attackers. State-sponsored attackers, specifically, can carry out various attacks against at-risk users who do not use a VPN within their country’s borders. This can include censoring websites, performing surveillance of a user’s web browsing activities, using this surveillance to build up censorship apparatus, or injecting malicious code into web traffic. The BAT Browsers study presented at FOCI 2016 demonstrated that common web browsers send web activity along with personally identifiable information (PII) to servers in China, often using poor or missing cryptography. Has this situation changed in the past 8 years? What does it mean for today’s circumvention tools? How does it affect diaspora populations that are not in China? Do new incognito modes added by these browsers ameliorate the situation? In this paper we examine security and privacy concerns associated with six prominent Chinese web browsers: Baidu Searchbox, UC Browser, QQ Browser, OPPO Browser, Redmi Browser, and VIVO Browser. Our analysis focuses on sensitive data collection, weak or missing encryption of information during transmission, and third party SDKs that are granted privileges that put users at risk. We found that these browser applications consistently expose sensitive data, including PII, geolocation, device information, and browser activity, often with poor transport-layer security, e.g., purely symmetric cryptography. Some of the browsers transmit this private information even when using incognito mode. We make recommendations for at-risk users and circumvention/privacy tool developers in light of these findings.
Copyright in FOCI articles are held by their authors. This article is published under a Creative Commons Attribution 4.0 license.
