The app is not yet available for iPhone users in Hong Kong. Photo: Dickson Lee

Two billion numbers, including those of Hong Kong officials, leaked by Chinese phone app

Among those affected are security minister Lai Tung-kwok and privacy commissioner Stephen Wong, according to news agency FactWire

A Chinese smartphone application which filters unwanted phone calls has been found to be secretly uploading personal data of users – including those of the city’s officials – to a public directory.

The app, DU Caller, developed by DU Group, a subsidiary of Baidu, was initially for users to blacklist nuisance callers and filter them out.

But a “reverse look-up” function allowed access to two billion phone numbers stored in Baidu’s Beijing server, including that of Secretary for Security Lai Tung-kwok, police chief Stephen Lo Wai-chung and officials from the central government’s liaison office.

The Security Bureau has referred the case to the Office of the Privacy Commissioner for Personal Data for investigation.

Independent news agency FactWire reported on Saturday that once downloaded and installed, the app would automatically gather sensitive information such as the address book and phone numbers even before users agreed to the privacy policy.

The app has been downloaded between one and five million times on the Google Play store. It is not yet available for iPhone users in Hong Kong.

A search function on the app – available three times daily – allowed users to find contacts by simply entering a name or organisation. FactWire also found that more than three searches could be made in a day by reinstalling the app.

One of the numbers leaked belonged to Privacy Commissioner for Personal Data Stephen Wong Kai-yi. Wong confirmed the number was his, although it had been out of use 10 years ago.

In the FactWire report, Wong also said that the developer of DU Caller might have breached the third data protection principle of the Personal Data (Privacy) Ordinance.

However, section 33 of the ordinance, which prohibits the transfer of personal data to a place outside Hong Kong, has not come into force, while cross-border transmissions were exempted altogether.

In December 2013, the privacy watchdog submitted a research report to the Constitutional and Mainland Affairs Bureau calling for legislation of section 33.

The bureau said it was evaluating the business effect of the proposed law, adding that a consultancy report would be ready in the first half of this year.