Shits like this is what makes me wary about Chinese made video games proliferating in the west. You never know if your kid's genshing impact or black myth wukong is listening to you and siphoning all data on your local network to China.
A competent Western administration would have banned it all years ago. But instead of securing the future of Western civilization, they want detente and cheap plastic goods instead. Shrug.
It's even worse now with cheating creating the world of Kernel Level Anticheat (KLAC) who knows what they are doing! A dream for someone who wants to move laterally through a network, probe, etc.
It's the least convincing excuse used to circle around GDPR and similar laws. "I swear, it's for security! (please ignore the part in our ToS that says we can resell your HW configuration profile and installed software stats to our commercial partners)".
I'm sick of corporations and bootlickers who claim you cannot do games without anticheats. Even if I am not personally running that software, all the users are still normalizing spying on our devices and networks.
If your business model relies on violating the privacy of others, your business deserves to die.
There's a massive difference between having a country spying on it's own citizen versus having an adversarial country doing it. The three-letter agencies would likely not be trying to sabotage or destroy their own country's economy and global standing for one.
It's concerning that someone from the EU is still asking this question. How is there any doubt left in you? Yes, of course both are adversarial countries, and shouldn't be treated all too differently. In the short-term, the US is the bigger threat, as they've shown they're much more willing to use the power they have to cut off access than China.
As someone from the US I would suggest viewing both as adversarial. I don't really trust my own government, but if I was born abroad I would trust them even less.
You absolutely can. We see a huge uproar in European enterprises against US software/vendors/etc. Many companies are halting their cloud migration because they are now worried that the current US government could decide to just pull the plug or something otherwise inane.
Wouldn't having an adversarial country to be spying on you be the better option for you personally? At least privacy wise, not using your machine as some infiltration point, as the country you reside in has many more opportunities to abuse the data
I hear this theory being claimed so much, but I don't see any real evidence for it; we have routers that you can monitor traffic on, we have microphone use indicators on mobile, and I would imagine it would be pretty clear if an app was uploading audio with even very basic monitoring tools. Correct me if I'm wrong, however.
I'm not denying that a lot of data is likely surreptitiously collected, but I'm talking microphone/camera in particular.
Most traffic is encrypted with HTTPS unless you can root every single device you own
we have microphone use indicators on mobile, and I would imagine it would be pretty clear if an app was uploading audio with even very basic monitoring tools.
Complicated smartphone OS, firmware, drivers might have bugs allow overrides of visual indicators.
How confident or certain are you of what CSME or PSP or some code in TrustZone is doing? How certain are you that not a single piece of software on your machine, be it in the kernel, userland, drivers, is performing some type of surreptitious communication with CSME or PSP or program running in TrustZone?
Do you know for sure whether PSP or CSME has ever done DMA, or fingerprinted stack/heap allocation patterns and timing, or inspected the contents of your disk (after FDE was done being decrypted, of course), to evaluate whether common packet capture software is installed, or even whether it's currently running?
Detecting spyware is one thing. Detecting surreptitious nation-state spyware that behaves differently when it's being observed is a different challenge entirely.
I recall there were quite a few experiments where people use certain keywords heavily just to get closely related ads later on. I can totally relate my experience with it as well. Of course it is inconclusive - but if there is an incentive, management of big companies will venture into it. And chinese management is no different from western ones to that matter.
They don't pick the keywords uniformly randomly from a list of all keywords though. They think they randomly picked something that popped up in their mind, but those keywords are either
- stuff they saw online recently — ads or otherwise, which put the keywords in their mind
- or stuff they were already interested in recently
Not hard to imagine targeting algorithms picking up on either of these
You dont see those "coincidental" ads because your phone is listening to you, you see them because your freind showed interest in the product and theirs enough information to infer they talked to you about it. The good news is, your phone isn't listening to you without your consent. The bad news is, because it doesnt need to.
The difference is that the Chinese intelligence agencies abide by Chinese law and don't really pose any kind of threat to American citizens, while the American intelligence agencies engage in unconstitutional schemes (as ruled by a federal judge) to illegally spy on Americans and lie about it to both congress and the American people, murder American citizens, and can, at any moment they want, fabricate evidence to procure no-knock search warrants where a team of armed gunmen will throw flashbang grenades into the homes of journalists and political dissidents in the middle of the night before barging in with assault rifles.
And yet, for reasons that remain beyond me, many Americans remain more fearful of the former than that latter.
Perhaps because foreign governments with a known antagonistic stance would happily sell or hand over your data in order to cause large-scale economic instability via account attacks, political instability via fostering the prosecution of minority groups (as identified by said data)... get creative. Large-scale data on your enemy's citizenry is a new weapon in the modern arsenal, and we haven't seen anyone really try to use it yet, but I suspect the results when they do will be ugly.
Care to elaborate on "known antagonistic stance"? Is there any evidence that China has ever actually performed any of these types of attacks you're discussing?
"Get creative" might work well for fictional writing exercises, but is it such a sound strategy for assigning guilt? Surely you wouldn't like being prosecuted for crimes that someone "got creative" with in accusing you of, no?
The consensus is usually "well the government only targets you when you probably deserve it" whereas china is spying on everyone regardless of your opinion of the actions of the current administration.
To address your last paragraph - it’s not unlikely the latter use all powers to divert attention to the former as it conceals shenanigans of the latter
China and Chinese companies flaunt every single law that at all hinders them, IP law being the typical example. The EU has the Privacy Shield agreement with the USA. Such an agreement with China would be effectively impossible, since even if it existed, they'd simply ignore it. People criticise Five Eyes, and for good reason, but it's existence at least means that intelligence agencies are willing to follow domestic law.
Not to mention the use of the word "Western", which is the kind of bullshit I could write a smaller book about.
I only run software from Chinese companies inside a sandbox, either on my Android/iOS phone or inside a VM for desktop apps and only enable necessary permissions. Unfortunately Mainland tech giants have no sense of user privacy and would like to maximize their profit by collecting every single bit of your data because they don't profit on selling you the software, they profit on selling your data.
I’m not in a position, nor do I have the skills, to fully validate exactly what I’m agreeing to. Let us assume that what I’m sharing is merely my app usage data: what I listen to, my likes, follows, comments, usage patterns, etc.
They share this data with 954 “partners” - what exactly does this mean? What other data do those organisations have? Who do they share it with?
I don’t think the average user has any chance of fully understanding what they’re agreeing to.
There is a difference when you simply lazy, or don’t care enough to understand the information in front of you, or when they don’t provide those information. You’re right, most people don’t care enough, but this is a huge difference. And west is magnitudes better with this.
Also I’m living in the EU. If I want I can get all of the information which you asked for.
But on the other hand, companies purposefully make those information as obscure as possible. Also, I’m not sure that people would care even if it had been clear. People love free stuffs.
I quite like Shelter [1]. Shelter apps are installed in a separate work profile, which essentially sandboxes it from the rest of your data. It also has a neat feature to automatically disable (freeze) specific apps and seamlessly re-enable them when you launch them through Shelter.
This is what I do too. If i need to use or test something i don't trust then I use an old phone. All of the phones use crDroid(1) and I have scripts to quickly wipe and reinstall the OS whenever I need a full nuke.
You really have to put everything in a box nowadays. Companies are indiscriminate. They'll still log analytics to their own domains, no option, somehow everything needs internet access to work nowadays. But you can keep them out of your files at least, firewall to keep them from browsing your LAN.
>You really have to put everything in a box nowadays.
What if that was always a good idea.
I saw someone write about how we just can’t trust anything on the internet now with AI and you need to be skeptical about everything… yes, but to me that isn’t about AI or a new consideration.
The context is somebody asking "Mainland US or Mainland China?" The comment you're responding to brought up Taiwan because that's the natural "not-mainland" when you're talking about China.
Sort of, except not really, except yes really. It's complicated.
The China that was a founding member of the United Nations was the Republic of China (ROC), and it controlled both mainland China and what we call Taiwan. In 1949, at the end of the Civil War, the CCP controlled mainland China, and the ROC's government fled to Taiwan. Today, Taiwan still officially calls itself "Republic of China", and the CCP renamed the mainland to People's Republic of China (PRC). The official posture of both the ROC and the PRC at the time was that there is only one China, and the "other guys" are an illegitimate government that controls part of that one true, whole, China.
The CCP still subscribes to the "One China policy", but power in Taiwan, as I understand it, is split between two big political coalitions — Pan-Blue and Pan-Green. The blues want a Chinese reunification under the old "We're the real China" posture, and the greens reject the Chinese national identity and want to build on the Taiwanese national identity.
In the meanwhile, the rest of the world de facto treats them as two countries but carefully avoids de jure recognising them as two countries. Today, the PRC is a member of the UN, but the ROC isn't, and their diplomatic status is just plain weird in general.
Sounds like 5D chess, since Taiwan applied to be the "sole legal government of China" in the UN back in the 50s. (which was rejected) then they rejected the 70s resolution of "two Chinas". So it comes through as ambitious. But I will let the Taiwanese correct me on that.
> Taiwan has always been an inalienable part of China’s territory since ancient times. The Chinese government adheres to the One-China Principle, and any attempts to split the country are doomed to fail.
> Unfortunately Mainland tech giants have no sense of user privacy and would like to maximize their profit by collecting every single bit of your data because they don't profit on selling you the software, they profit on selling your data
Every time a Chinese company does something like this, the comment section is always "but the US companies..." or slightly soften version "but all tech companies..." It's so predictable.
This is why I run educational software (and VMware’s edusoft remote VM client) in native Mac VMs. Not surprised to see someone trying to abuse data harvesting from another country, too. Perhaps a report to Apple Security might be in order, to let them evaluate whether it’s an RCE/CNC scenario (we only have the telemetry detected so far!) and whether it deserves a malware kill worldwide. Though I’m surprised it’s allowed to access all those properties without a Permissions dialog. Maybe this will inspire Apple to finally let us deny Discord its system-wide data collection activity!
ps. UTM.app is a nice way to sandbox Discord, since it’s using the OS-level sandbox already in a way that prevents us from limiting it further with a .sb file. Takes some extra space, I suppose.
(3) In order to ensure account security, identify and prevent malicious programs, and create a fair, healthy and safe environment, we will collect your device identifier information, product identification information, hardware and operating system information, installed application list, application process and product crash record information during your use of the service, including during the background operation of the application, so as to combat acts that damage the product environment or interfere with the normal operation of the product service.(Used to detect piracy, scan cheating programs or software, prevent cheating).
This is why im always feeling bad when putting mobile versions of games i love made by netease on my phone.
Where i felt especially bad was Dead by Daylight mobile.
Persona 5X is not made by NetEase but i still dont have a good feeling about them.
I would think they would be more restricted in what they can collect on a Phone OS (android in my case) but i still wonder if there is some way to fully isolate shady apps.
It still surprises me that such behavior is still allowed on modern macOS, which is supposed to be privacy focused. What’s the point of having an app sandbox when it is opt-in?
I see a lot of discussions about government level spying, this is a legitimate debate, but it mustn't obscure the "boring" security threat storing the results of ps aux poses!
This is security 101 to never store this kind of information. I mean a bad actor now just has to (gain) access to these files!
I mean besides the theorical high level threat, there is a very practical one maybe sufficient for suing the company if it was a western one (I don't work in legal, I don't know what I'm saying)
I would always refer to Hanlon's razor on things like this: Never attribute to malice that which is adequately explained by stupidity. I'm not trying to finding excuses for them, just saying that most likely there's no deep conspiracy theory involving government level surveillance here, they are just stupid. On average, Chinese software engineers are less educated and have no sense about privacy or how to implement privacy related features properly.
While logging serial number and some of the basic analytics stats might be attributed to stupidity, I tend to think that using a pretty advanced set of system commands and logging output consistently to log files is very sketchy.
One possible stupid-but-not-malicious explanation is that some anti-cheat company made a sketchy anti-cheat that includes server-side "is CheatEngine.exe running" code, and they're doing that via ps aux... and then this game player app was bullied by some game company into including this anti-cheat library to allow their game to run.
I'm a little wary of believing this without confirmation. It certainly sounds like something an app from a big Chinese company might do, but the LLM writing style with em-dashes replaced by double hyphens looked like someone trying to hide that they use an LLM. And I noticed that the account for the Gist submission is only 3 hours old. And then looking here the account on HN is also only 3 hours old. Seems a little sketchy to me.
A competent Western administration would have banned it all years ago. But instead of securing the future of Western civilization, they want detente and cheap plastic goods instead. Shrug.
If your business model relies on violating the privacy of others, your business deserves to die.
How is it any different from western apps listening to you and siphoning all data on your local network to 3 letter agencies?
I'm not denying that a lot of data is likely surreptitiously collected, but I'm talking microphone/camera in particular.
Most traffic is encrypted with HTTPS unless you can root every single device you own
we have microphone use indicators on mobile, and I would imagine it would be pretty clear if an app was uploading audio with even very basic monitoring tools.
Complicated smartphone OS, firmware, drivers might have bugs allow overrides of visual indicators.
Companies have also been known to secretly eavesdrop and not tell users before (Apple + Siri https://www.courthousenews.com/judge-approves-95-million-app...)
Do you know for sure whether PSP or CSME has ever done DMA, or fingerprinted stack/heap allocation patterns and timing, or inspected the contents of your disk (after FDE was done being decrypted, of course), to evaluate whether common packet capture software is installed, or even whether it's currently running?
Detecting spyware is one thing. Detecting surreptitious nation-state spyware that behaves differently when it's being observed is a different challenge entirely.
- stuff they saw online recently — ads or otherwise, which put the keywords in their mind
- or stuff they were already interested in recently
Not hard to imagine targeting algorithms picking up on either of these
You dont see those "coincidental" ads because your phone is listening to you, you see them because your freind showed interest in the product and theirs enough information to infer they talked to you about it. The good news is, your phone isn't listening to you without your consent. The bad news is, because it doesnt need to.
Do you still get ads for the exact thing you just bought for a week after buying it? :)
And yet, for reasons that remain beyond me, many Americans remain more fearful of the former than that latter.
"Get creative" might work well for fictional writing exercises, but is it such a sound strategy for assigning guilt? Surely you wouldn't like being prosecuted for crimes that someone "got creative" with in accusing you of, no?
Not sure where you got that consensus from, it sounds made up to me or at least outdated as of Feb 2026, especially on HN.
Please stop with the hyperbole. Shit is bad enough; more fake news from any direction doesn’t help.
Do chinese apps make use of all data they can access? Absolutely. Do western apps make use of all data they can access? Absolutely.
Both concepts are evil. Talking one is evil while dropping off the other is skew of discussion towards vilifying one side and omitting the subject.
Not to mention the use of the word "Western", which is the kind of bullshit I could write a smaller book about.
Oh they break it alright whenever they please. And they have been caught handsomely.
By continuing you agree to us sharing your data with our 954 partners…
It's very different from:
> ps aux # Every running process with full arguments
If you think these two cases are even remotely comparable, I don't know what to tell you.
I’m not in a position, nor do I have the skills, to fully validate exactly what I’m agreeing to. Let us assume that what I’m sharing is merely my app usage data: what I listen to, my likes, follows, comments, usage patterns, etc.
They share this data with 954 “partners” - what exactly does this mean? What other data do those organisations have? Who do they share it with?
I don’t think the average user has any chance of fully understanding what they’re agreeing to.
Also I’m living in the EU. If I want I can get all of the information which you asked for.
But on the other hand, companies purposefully make those information as obscure as possible. Also, I’m not sure that people would care even if it had been clear. People love free stuffs.
[1] https://github.com/achalmgucker/Shelter
(1) https://crdroid.net/
What if that was always a good idea.
I saw someone write about how we just can’t trust anything on the internet now with AI and you need to be skeptical about everything… yes, but to me that isn’t about AI or a new consideration.
Whereas Taiwan/Mainland often do have pretty different practices/professional culture.
The China that was a founding member of the United Nations was the Republic of China (ROC), and it controlled both mainland China and what we call Taiwan. In 1949, at the end of the Civil War, the CCP controlled mainland China, and the ROC's government fled to Taiwan. Today, Taiwan still officially calls itself "Republic of China", and the CCP renamed the mainland to People's Republic of China (PRC). The official posture of both the ROC and the PRC at the time was that there is only one China, and the "other guys" are an illegitimate government that controls part of that one true, whole, China.
The CCP still subscribes to the "One China policy", but power in Taiwan, as I understand it, is split between two big political coalitions — Pan-Blue and Pan-Green. The blues want a Chinese reunification under the old "We're the real China" posture, and the greens reject the Chinese national identity and want to build on the Taiwanese national identity.
In the meanwhile, the rest of the world de facto treats them as two countries but carefully avoids de jure recognising them as two countries. Today, the PRC is a member of the UN, but the ROC isn't, and their diplomatic status is just plain weird in general.
> Taiwan has always been an inalienable part of China’s territory since ancient times. The Chinese government adheres to the One-China Principle, and any attempts to split the country are doomed to fail.
/s/Mainland//
FTFY.
ps. UTM.app is a nice way to sandbox Discord, since it’s using the OS-level sandbox already in a way that prevents us from limiting it further with a .sb file. Takes some extra space, I suppose.
Meanwhile they do tell you they collect everything
https://www.mumuplayer.com/privacy-policy.html
Not to defend them, but just feel sad about the world.
(3) In order to ensure account security, identify and prevent malicious programs, and create a fair, healthy and safe environment, we will collect your device identifier information, product identification information, hardware and operating system information, installed application list, application process and product crash record information during your use of the service, including during the background operation of the application, so as to combat acts that damage the product environment or interfere with the normal operation of the product service.(Used to detect piracy, scan cheating programs or software, prevent cheating).
I would think they would be more restricted in what they can collect on a Phone OS (android in my case) but i still wonder if there is some way to fully isolate shady apps.
Specifically: can we market this [feature/change/refusal/etc...]?
iOS maybe. macOS no.
I mean besides the theorical high level threat, there is a very practical one maybe sufficient for suing the company if it was a western one (I don't work in legal, I don't know what I'm saying)
All you need is the ability to edit any byte on your hard drive. ;-)