Digital safety platform “SMEX” highlighted the UAE’s promotion of insecure communication apps that violate data privacy, such as “Tiktok,” “Bazz,” and “Botim,” as part of Abu Dhabi’s heavy surveillance and spying practices.
The platform noted that since October 7, 2023, several social media apps began deleting content related to Palestine. This ongoing digital blackout has led to the emergence of “digital protests” demanding the development of an Arab social media app that guarantees freedom of content related to Palestine.
While this demand is legitimate, it overlooks attempts by regional countries to promote “local” social media apps that have been proven to follow less stringent privacy policies compared to companies like “X” and “Meta.” The UAE and Saudi Arabia have promoted most of these apps.
“SMEX” examined a number of apps launched by Gulf-based companies or promoted by Gulf media and conducted a forensic analysis of each app to understand their security levels. This analysis included how these apps collect, store, and share user data and the potential privacy violations involved in these practices.
“Kwai”: The Chinese company “Kuaishou” developed the “Kwai” app, a platform that allows users to share short videos, making it a competitor to “TikTok.” It has gained over 100 million downloads on the “Google Play” store.
Saudi and Emirati media have promoted the “Kwai” app, presenting it as an app “focused on Arab culture,” as described by the Saudi “Arab News” website.
The Emirati “Zawaya” website also promoted the app at the end of last year as a “promising Arab social media platform,” claiming that it “reflects culturally sound Arab content and provides an environment that respects Arab traditions and norms.”
In March 2024, Joyo Technology Pte. Ltd, the current owner and operator of the “Kwai” app, announced its expansion strategy into Saudi Arabia. This strategy includes “localizing the app and customizing it to suit the local community in the Kingdom,” according to “Al Riyadh Daily.”
According to the forensic analysis conducted by the “SMEX” team, privacy concerns in the “Kwai” app include the sharing of user data with third parties. The app’s privacy policy states that “your data will be used to exercise our rights where necessary,” without clarifying this process, its scope, or the rights mentioned.
Although the app collects large amounts of data, its policy is unclear about the types of data and the purposes of its collection. The app collects sensitive information such as personal data and bank account details for in-app purchases.
Additionally, the data is not encrypted before being stored in the database, which increases the risk of privacy breaches. Best privacy practices require encrypting data “at rest” to minimize the risk of any breaches.
Connor Mitihean Dormaz, a policy analyst at SMEX, explains that “Kwai’s policy is problematic due to its intensive, unjustified, and insufficiently clear data collection practices.”
Dormaz adds that “the app collects a wide range of data, such as battery status and wireless network information, without offering clear justifications for the significance of this data or its legal basis for collection.”
“TOTOK”: The second app that SMEX analyzed is the Emirati messaging app “TOTOK,” developed by “G42,” a UAE-based company specializing in AI research, and launched in 2019.
However, it later became apparent that the app was a spying tool, according to a report published by “The New York Times,” leading to its removal from the “Google Play” store, although it was never available on the “Apple Store.”
According to SMEX’s forensic analysis, “TOTOK” collects device data that can be used to track and identify individual devices. If this information is linked to user accounts or any other personal data, it can be used to track individuals and monitor their activities across apps and services, raising concerns about privacy and surveillance.
The app also requires the permission to disable the keyguard (DISABLE_KEYGUARD) on Android devices, the lock-screen system that prevents unauthorized access; this permission allows temporary screen lock deactivation.
Modifying system settings can significantly affect device performance, security, and user experience. Therefore, system settings on Android devices are typically restricted and tightly controlled.
Any app that requires access to or modification of system settings must request specific permissions and comply with strict security guidelines to ensure user privacy and device safety.
When the app obtains this permission, it can programmatically disable the screen lock, granting access to the device without needing to input a PIN, pattern, password, or use biometric authentication (such as fingerprints or face recognition).
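A defender-side check for the permission described above, as an added example that is not part of the SMEX analysis: it reads a decoded AndroidManifest.xml (for instance, one extracted with a tool such as apktool) and lists the declared permissions that match the concerns raised in this article. The sample manifest and its package name are constructed, and the set of flagged permissions beyond DISABLE_KEYGUARD is an assumption made for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace Android uses for attributes such as android:name.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed watch list: permissions tied to the concerns in the article.
FLAGGED = {
    "android.permission.DISABLE_KEYGUARD": "lets the app disable the keyguard (lock screen)",
    "android.permission.WRITE_SETTINGS": "lets the app modify system settings",
    "android.permission.READ_PHONE_STATE": "exposes phone state that can help identify a device",
    "android.permission.ACCESS_WIFI_STATE": "exposes wireless network information",
}

# Constructed sample manifest (not taken from any real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.messenger">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.DISABLE_KEYGUARD"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"
                     android:maxSdkVersion="28"/>
    <uses-permission-sdk-23 android:name="android.permission.WRITE_SETTINGS"/>
    <application android:label="Example"/>
</manifest>
"""


def audit_manifest(manifest_xml):
    """Return (permission, reason, maxSdkVersion or None) for each flagged permission."""
    root = ET.fromstring(manifest_xml)
    findings, seen = [], set()
    # Permissions can be declared with either element name.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for elem in root.iter(tag):
            name = elem.get(ANDROID_NS + "name", "")
            if name in FLAGGED and name not in seen:
                seen.add(name)
                max_sdk = elem.get(ANDROID_NS + "maxSdkVersion")
                findings.append((name, FLAGGED[name], max_sdk))
    return findings


if __name__ == "__main__":
    for name, reason, max_sdk in audit_manifest(SAMPLE_MANIFEST):
        scope = f" (up to API {max_sdk})" if max_sdk else ""
        print(f"{name}{scope}: {reason}")
```

A declared permission only shows what the app may ask for; whether and how it is used still has to be confirmed by inspecting the app's behaviour.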
“BAZ”: The third app analyzed is “BAZ,” developed by “Baz.Inc,” and marketed as an Arabic version of the social audio app “Clubhouse.” It allows users to join groups and have live conversations. The company is based in San Francisco, but the app was launched in the UAE.
Some users have raised concerns that “BAZ” is a spying tool. However, its availability on both the “Google Play” and “Apple” stores contradicts this claim, as apps are security-verified before being made available for download.
However, since the developer company of “BAZ” has offices in the UAE, it is subject to the UAE Federal Personal Data Protection Law, which came into effect on January 2, 2022.
One of the main issues with this law is that its governance scope limits the amount of protection it provides. Among its exceptions is the exclusion of government data, as the law does not apply to government entities controlling or processing personal data.
This means that a large portion of personal data processing is not subject to privacy requirements. By excluding the public sector from the law’s provisions, it paves the way for surveillance activities.
“BOTIM”: SMEX also analyzed the “BOTIM” app, the most widely used online communication app in the UAE, developed by the U.S.-based company “Algento,” specializing in mobile product and service design, development, and sales.
“BOTIM” is considered an alternative to the banned “WhatsApp” for making video and voice calls. While “WhatsApp” employs end-to-end encryption, preventing third parties from accessing user data, “BOTIM” only encrypts data during transmission across the internet, though it also provides users with the option to request data deletion.
In this context, Dormaz explained that “governments can request apps to provide access to user data or cooperate with authorities under the pretext of protecting national security or public safety. If the app refuses to comply, it risks being banned, making it difficult for citizens to freely access and use the platform.”
