Home / Companies / News /  In the new China, Didi’s data becomes a problem

Bolstered by its wide swath of data on users, mapping and traffic, Didi Global Inc. became the dominant ride-hailing company in China. Now, that data is turning into a liability.

On Friday, China sent state-security and police officials and other regulators into the company’s offices, as the government zeroes in on its cybersecurity practices and collection of personal information. The visit was a part of a review ordered just days after shares sold in Didi’s $4.4 billion initial public offering started trading publicly in New York.

Their target is a company with 377 million annual active users and 13 million annual active drivers in China. Users turn over their cellphone numbers, which in China are linked to their real names and identifications. They also often voluntarily share photos, frequent destinations such as home and office, their gender, age, occupation and companies. To use other Didi services such as carpooling or bike sharing, customers might also have to share other personal information including facial-recognition data.

Drivers must give Didi their real names, vehicle information, criminal records, and credit- and bank-card information.

The company in securities filings touts its repository of real-world traffic data as the world’s largest. The 25 million daily rides on its platform in China feed a database of pickup points, destinations, routes, distance and duration. In-car cameras and voice recorders capture conversations.

Adding to the sensitivity, the company in 2017 won a government license to produce high-precision maps, a sector shut to foreign companies for national-security reasons. It is a rare privilege—only 29 Chinese entities are licensed to do detailed surveying and mapping, according to data compiled by researcher IDC and government statements. That, combined with Didi’s real-time location data, could raise national-security concerns, analysts and lawyers said.

“Mapping points to potentially sensitive areas such as Chinese defense zones, and this can be a treasure trove of information for hostile actors," said Carly Ramsey, a Shanghai-based director at consulting firm Control Risks Group.

Didi didn’t respond to requests for comment.

The company has said it stores all its domestic user data in China. In addition to ride hailing and bike sharing, the company operates financial services, a group-buying grocery business, and a van-hailing service for moving or carrying large items.

A 2015 collaboration between Didi and a unit of China’s state-run Xinhua News Agency provided startling visibility into what this data could reveal about the government. The project analyzed rides to or from various government departments, including 1,327 trips in 24 hours to or from the Ministry of Public Security, China’s police. The article gave a detailed hourly breakdown of the arrivals and departures, then cross-referenced them to investigations in the news to speculate about what cases might have been keeping officers busy.

Xinhua and Didi also compared rides to and from about 20 other ministries and government departments. The data showed 298 rides left the now-dissolved Ministry of Land and Resources between the hours of 6 p.m. and 2 a.m. in the two days the study was conducted, leading the authors to conclude the ministry had the “most ruthless" overtime hours.

All this information puts Didi on the radar of a government that is wary of private control of massive databases and the risk that such information could fall into the wrong hands.

“The Chinese government is really concerned about foreign adversaries getting access to data on Didi’s platform," said Samm Sacks, a senior fellow at Yale Law School’s Paul Tsai China Center and an expert on Chinese cybersecurity policies. Those concerns grew as the company prepared to list its shares in the U.S., where China worried Didi could face scrutiny, she said.

The Wall Street Journal reported earlier that Didi pushed ahead with its IPO despite being urged by China’s internet regulator to submit itself to a cybersecurity review. After the IPO, the Cyberspace Administration of China blocked the company from accepting new users and ordered mobile app stores to pull Didi from circulation. The government hasn’t specified what data held by the company has sparked its concerns.

Didi didn’t respond to requests for comment.

Beijing is clamping down on technology giants such as Alibaba Group Holding Ltd. and Ant Group Co. over monopolistic practices and other issues. China was also concerned that Didi and other Chinese companies listing in the U.S. would be required to hand over to U.S. regulators audit documents that could contain sensitive information, the Journal has reported.

Didi’s case is unfolding as China tightens its grip on the data collected by its powerful internet companies. The country passed a new Data Security Law in June that governs data-processing activities within the country, defines core state and important data, and limits such data flows out of China. Beijing has proposed a Personal Information Protection Law aimed at protecting consumers from companies that might exploit their data without their authorization. Draft rules on managing automotive data were released in May. Priorities for protection include information about the flow of people and traffic in military zones, areas related to the Communist Party and certain government sites, as well as precise mapping data.

Driving the moves is the belief that data accumulated in the private sector should be considered a national asset.

In 2017, state-run CCTV ran an exposé showing how a consumer’s Didi user records, including pickup and drop-off locations and timings, could be purchased on the black market for the equivalent of around $8.50 for a page of data.

Didi didn’t respond to requests for comment.

Didi at times has offered to use its data to help the state.

In March, a Didi executive speaking at a “smart transportation" conference in Nanjing, in eastern China, said the company could be a valuable partner to the Transport Ministry, according to material posted on the event organizer’s website. Didi cars travel Beijing streets hundreds of times every day, if not more, and the data gathered gives an accurate picture of the city’s traffic conditions, said Ding Neng, a vice president at the company. The in-car cameras Didi has installed in more than 300 Chinese cities also constantly record video from inside and outside the vehicle, Mr. Ding told attendees.

In Shenzhen, Didi built a big data transportation management platform with the local transportation regulator. The company also helped install hundreds of smart traffic signals in Wuhan, Jinan and other cities to ease congestion by crunching data from its ride-hailing operations, including routes and speeds.

However, the company has resisted sharing certain data with regulators. In 2018, after two incidents of female passengers killed by Didi drivers, a Guangdong province transportation official said the company hadn’t fully complied with regulations that required it to send real-time data on vehicle routes and driver information to a supervising platform run by authorities.

Didi didn’t respond to requests for comment.

This story has been published from a wire agency feed without modifications to the text

Subscribe to Mint Newsletters
* Enter a valid email
* Thank you for subscribing to our newsletter.

Never miss a story! Stay connected and informed with Mint. Download our App Now!!

Edit Profile
Get alerts on WhatsApp
My ReadsRedeem a Gift CardLogout