Japan’s National Information Security Center (NISC) and Ministry of Education, Culture, Sports, Science and Technology (MEXT) have issued statements warning government employees and the general public against using a free Input Method Editor (IME) provided by Baidu Japan, Inc., the Japanese office of Baidu, Inc., which is China’s largest search engine.
The program is reportedly used by 4 million people, and it assists in the typing of Japanese characters (hiragana, katakana) and converting hiragana into Kanji, based on context and usage frequency. In doing so, according to the NISC, the software automatically transmits all characters entered while the program is running (including, apparently, passwords) to Baidu’s cloud servers in Japan for processing. According to NetAgent Co., a Tokyo-based security firm, all characters entered via the program continued to be sent to Baidu’s cloud servers even when cloud communication is disabled in the settings. After the warning was issued by NISC, Baidu Japan, Inc. issued a new version of the program that they claim disables the cloud transmission and conversion.
Windows includes an IME for Japanese input that's enabled by default when Windows is installed with the Japanese locale. The Windows IME can also be enabled on installations of Windows in other languages with, depending on the version, a free download from Microsoft or activating it in the Control Panel. Many users disable the bundled Windows IME in favor of other IME software that's easier to use, leading to the popularity of third-party IME software such as Baidu IME.
Android affected by spying
The warning issued by NISC extends to the “Simeji” software available for Android, which is also owned by Baidu Japan, Inc. Simeji was developed in San Francisco, CA, and purchased by Baidu Japan, Inc. in December 2011. Adam Rocker, the original lead developer of the software, remains an employee of Baidu Japan, Inc. in Yokohama, Japan. Before the acquisition, Simeji had been downloaded over one million times on Google Play. NetAgent Co. also indicated that Simeji was transmitting all characters typed with the program to Baidu’s cloud servers, even when cloud communication is disabled in program settings.
The software that literally begs you not to uninstall it
The uninstall screen of Baidu IME for Windows features a “cat girl (nekomimi) maid” that begs the user to not uninstall the software and starts crying if the user progresses through the uninstall process. The uninstaller guides the user through a fairly standard information-gathering process to ascertain why the user wishes to uninstall, the questions for which are not altogether dissimilar to the uninstall survey on Google Chrome. The primary difference is that the selectable answers are written in a manner that personifies the software in a moderately creepy way, such as (translated) “Thanks to you, my computer slowed down!” Other available options in this form include “You installed without my knowledge,” which may often be true -- like browser toolbars or anti-virus programs, the Baidu IME can be distributed in the installer of another program.
The uninstaller also highlights features of the program in a similarly disconcerting way, stating “You can enter all kinds of creepy (キモイ) emoticons and smiles with me.”
With the ongoing disclosures about government-sponsored spying, an increased awareness of the myriad of programs installed on personal computers, the information they collect, and to whom that information is being transmitted is an increasing concern for many users. That concern had led, inevitably, to the probing of other software once thought innocuous. Baidu IME may not be as obviously detrimental as Bonzi Buddy of yesteryear, but it does appear to be a problem.
Have you downloaded software you later found to be insecure, or do you have other thoughts on IME software as potential keyloggers? Let us know in the comments section below.