Third-party data tracking within applications in Myanmar

As a big and powerful neighbour, China has been an unescapable influence on Myanmar. Its presence can be felt in both the political and economic sectors. While China’s infrastructural investments are the most visible aspect of this influence, its increasing involvement in the digital development of the country has received less attention. For example, two of the nation’s largest telecoms, ATOM and Ooredoo, bought hardware primarily from Huawei and ZTE. Huawei’s technology has arguably enabled the development of Myanmar’s now largest mobile wallet application, KBZPay, while the Alibaba Group’s acquisition of Myanmar’s growing online shop Shop.com.mm has facilitated a boost to the nation’s e-commerce.

After the 2021 coup, while Western nations sanctioned the activities of the military regime and its associated businesses, China’s continuing support of the regime has opened opportunities for greater engagement of Chinese businesses in the country. The military regime, among many human rights violations, is severely violating the privacy of its citizens through various means, e.g. by tracking data through KBZPay to find people who made transactions to support the revolution (Frontier, 2022). This kind of third-party data tracking remains an enduring issue in various domains, including web tracking and email tracking, and without a framework like the EU’s General Data Protection Regulation (GPDR), large Chinese and internal corporations have more leeway to collect people’s data and disregard their privacy. But can we see more of the Chinese digital presence in the backend of Myanmar’s most used digital apps? And what can that tell us about third-party data tracking?

In my research, I have investigated the involvement of the Alibaba Group and the military regime in facilitating third-party data tracking within popular mobile applications utilized in Myanmar (van Tongeren, 2023). My goal was to gain insights into the extent and impact of third-party data tracking in this specific context.

To accomplish this, I collected APK files of a number of apps sourced from the Way Way Nay (2023) website, an organization that lists products, companies and applications with military connections, such as those owned by generals' family members. I extracted data by using decompiling tools, and I analyzed them using four machine-learning classifiers, namely decision tree, random forest, k-neighbors, and k-means. I found a perceptible pattern in applications that are potentially related to the military, suggesting a potential connection to third-party data tracking. This pattern indicates similar data-storing methods within the applications. Furthermore, these methods successfully identified data tracking in applications acquired by Alibaba, but they were unable to detect data tracking by Alibaba in applications they have invested in. Based on my findings, it is likely that Alibaba does not track data directly through APK files in the apps it invests in. These results have highlighted some interesting sides of the APK data, which can be explored in future research, alongside a further exploration of the elements in the APK data that are associated with the patterns found by the AI algorithms.

The image above provides a prediction example by the AI classifier regarding the association probability of an application with Alibaba. I used LIME (Ribeiro, Singh, & Guestrin, 2016) for tabular data, similar to these, to help me identify the key elements of the data that are responsible for the associations.

It is important to note that the full capabilities of the methods that I used in this experiment have not been fully demonstrated. The limited sample size of the data used, particularly in the military dataset, led to overfitting by the classifiers. This occurs when the model learns the training data too well, capturing noise and irrelevant patterns that do not generalize to new, unseen data. This leads to reduced performance on unseen examples. Therefore, confirming the presence of third-party data tracking by the military remains inconclusive at this stage. Nevertheless, by refining the methods and expanding the training data, there is potential for compelling future research in this domain.

Link to full research: https://scripties.uba.uva.nl/search?id=record_53369

References

1. European Union. (2016). General Data Protection Regulation. Official Journal of the European Union, L 119/1. Retrieved June 7, 2023, from https://eur-lex.europa.eu/eli/reg/2016/679/oj

2. Frontier. (2022, October 7). Junta weaponises digital banking transition to starve resistance funding. Frontier Myanmar. https://www.frontiermyanmar.net/en/junta-weaponises-digital-banking-transition-to-starve-resistance-funding%ef%bf%bc/

3. van Tongeren, M. (2023). Third-party data tracking within applications in Myanmar. Retrieved from https://scripties.uba.uva.nl/search?id=record_53369.

4. Ribeiro, M. T., Singh, S., & Guestrin, C. (2016). "Why Should I Trust You?": Explaining the Predictions of Any Classifier. In Proceedings of the 22nd ACM SIGKDD International Conference on Knowledge Discovery and Data Mining (pp. 1135-1144). San Francisco, CA, USA.

5. WayWayNay. (2023). Will you pay for the ammunition? Retrieved from https://waywaynay.com/ (Accessed: June 20, 2023)

Max van Tongeren collaborated with the DIGISILK researchers during his thesis project for the BA in Artificial Intelligence at the University of Amsterdam in Spring 2023. In September, he will begin his Master’s degree in Information Studies, specialising in Data Science, at the same institution. His research focused on employing AI techniques to identify third-party data tracking within the APK files of widely-used mobile applications in Myanmar.