HONG KONG—China’s top three Web browsers collected and transmitted data in insecure ways, making hundreds of millions of users’ personal information vulnerable to unauthorized access, according to a human-rights research group.
In a report published Tuesday, the University of Toronto’s Citizen Lab said Tencent Holdings Ltd.’s QQ Browser had been transmitting users’ data to its servers either with weak encryption (a method of encoding information to protect it) or with no encryption at all. Vulnerabilities in the application’s updating process could have enabled attackers to insert hidden spyware or malicious software known as malware, according to the research group.
There have been no reports of actual cyberattacks.
Tuesday’s report follows two previous reports by Citizen Lab that highlighted similar alleged flaws in Alibaba Group Holding Ltd.’s UC Browser and Baidu Inc.’s Baidu Browser. The reports by Citizen Lab reflect studies on the companies’ Web and mobile browsers.
All three browsers collect users’ search queries, data related to users’ precise locations and device numbers unique to specific smartphones and PCs, Citizen Lab said.
Taken together, these reports raise questions about whether security vulnerabilities in Chinese apps could be used for greater surveillance by governments or other third parties, said the human-rights research group, which is known for its studies of Internet censorship and surveillance.
“Most troubling is the fact that users would generally be unaware of these risks, unaware that such data is being collected and transmitted and potentially unaware that a properly crafted malicious software update attack could lead to malicious code being installed on their devices,” Citizen Lab said in Tuesday’s report on Tencent’s QQ Browser.
While Tencent has fixed some of the problems, some data is still being transmitted with weak or no encryption, said Citizen Lab.
QQ Browser is one of the many apps developed by Tencent, which is best known for its larger messaging platforms like QQ and WeChat.
In reports released last month and May 2015, Citizen Lab said Baidu’s browser and Alibaba’s UC Browser were transmitting data with weak or no encryption.
Alibaba said on Monday that it takes user privacy seriously and there was no evidence that data was compromised. In response to last month’s Citizen Lab report, Baidu said it would work to strengthen information security.
UC Browser, QQ Browser and Baidu Browser are the three most popular mobile browsers in China, with penetration rates of 70%, 48% and 29%, respectively, in the third quarter 2015, according to research firm Big Data Research. The browsers are also common on desktop computers.
China’s government requires Internet companies to assist in censorship and the tracking of political dissidents, but the browsers’ vulnerabilities could be exploited by nongovernmental hackers, Citizen Lab said.
According to a document leaked last year by former U.S. contractor Edward Snowden, Western intelligence agencies had identified UC Browser’s security vulnerabilities as a spying opportunity.
In the U.S., personal-data privacy and governments’ right to access information collected by companies have been hotly debated recently due to the clash between Apple Inc. and the Federal Bureau of Investigation over the government’s request to Apple to unlock an iPhone seized in the investigation of the San Bernardino, Calif., shootings in December.
In China, where such clashes are unlikely because the country tightly controls Internet activities, there are questions about whether technology firms’ access to user data could help the government monitor human-rights activists and others who oppose Beijing’s policies.
“These findings also raise bigger questions about why so much data is being collected and transmitted in the first place…this is bad practice especially in China, where the government can access such data,” Ronald Deibert, director of Citizen Lab, said in an interview.
China’s Ministry of Industry and Information Technology didn’t immediately respond to a request for comment.
To be sure, many Internet businesses that rely on advertising revenue collect personal information. Access to data makes it possible for ads to target specific types of users.
Even so, Chinese browsers tend to collect more information than the top browsers outside China, said a spokesman for security firm FireEye. “This information typically makes it easier to link activity to a specific individual,” he said.
Google’s Chrome browser, for example, allows users to control the information they share as part of their personal settings.
At the start of 2016, China adopted a new counterterrorism law that explicitly requires technology firms to help authorities decrypt data in terrorism cases. Aside from the law, Chinese authorities have wide-ranging powers to demand data from companies.
China has different data-privacy rules for different industries. In telecommunications and Internet services, companies are required to notify users of their data-collection policies and obtain their consent, said Manuel Maisog, chief China representative for law firm Hunton & Williams and an expert in data-privacy issues.
Tencent said users of QQ Browser can review the policy terms and conditions when they agree to install the app.
Di Jiang, who works in the aviation sector in Guangzhou and regularly uses more than 20 apps on his two smartphones, said he is concerned about Chinese apps collecting more data than they need.
“I want companies to tell me what kinds of data they collect, and why they collect,” said Mr. Di.
—Lilian Lin in Beijing contributed to this article.