Why I am not using REDNote

REDNote, also known as Xiaohongshu (Little Red Book), is a Chinese social media platform. It was launched in 2013. It has hundreds of millions of users. REDNote is a bit like Instagram and focuses on lifestyle topics such as travel, fashion, and beauty. Well used and well liked by young women in China, apparently.

When the US looked like it was about to ban TikTok, American users signed up for REDNote in huge numbers. Interestingly, for a brief moment before TikTok was reinstated in the US, there were some cross-cultural revelations as many Americans encountered and interacted with people from China online, perhaps for the first time. Indeed, given that, unlike TikTok, REDNote prioritizes content tailored to user interests over follower-based algorithms, it has fostered those cultural exchanges as Chinese users welcome American newcomers, helping them adapt to the platform.

I was curious about the app’s safety credentials and asked a security expert friend of the blog, Adam Stewart, whether I should sign up for REDNote and see what all the fuss is about, and he simply said “Avoid!”

Now, despite my usual eagerness to try any new social media outlet (I was on Plurk even before Twittr [sic]), I have taken Adam’s advice and not downloaded the REDNote app and not signed up for an account; the T&Cs are in Mandarin so that was something of a barrier anyway as my Mandarin is not as good as my Cantonese, and that’s non-existent. Meanwhile, Adam, being a security expert, did install the app, but on a burner phone, and ran some network and security tests to see exactly what this app is doing.

“REDnote connects out to various China servers,” Adam told me. “Also, some streams are not encrypted and some don’t do proper certification checks.”

This sounds worrying, to say the least. All those new American users perhaps unwittingly sharing data from their phones with servers unknown in China. Given the political landscape of that country, I’d also want to know whether the Chinese government or other agents have hooks in those third-party servers. Indeed, given that all technology there is potentially monitored and subject to governmental oversight under China’s cybersecurity laws, it is reasonable to assume that the government could indeed have access to any of your harvested data via those third-party servers if it needed to get hold of it. At the very least, there is the potential for any data on any app in China to be accessible to the government.

Perhaps the warning signs were already there. In December 2022, the government of Taiwan banned public sector employees from using Xiaohongshu on official devices due to national security concerns. But, REDNote is yet to face the same scrutiny as TikTok from privacy advocates and security experts. It has to be said that its data policies and transparency may not align with what those outside China would consider acceptable. If you must use the app, I’d advise reviewing all the permissions and avoiding sharing sensitive information on the platform.

Of course, it’s worth adding that TikTok and REDNote are not particularly special in collecting data; hundreds of the apps we all use every day collect data, sometimes without us really knowing. Moreover, if that data is not end-to-end encrypted and you’re based in a rogue state or even the land of the free, governments can easily compel companies to hand over their users’ data. Your privacy could be compromised in an instant by almost any app.

You might think that using a Virtual Private Network on your phone would offer some protection. VPNs are useful in many contexts such as connecting to public Wi-Fi hotspots. But, as Adam points out, apps like REDNote and others tend to link to your phone number and use it for registration so having a VPN won’t help with where that data ends up and how it is linked to you individually.

If you feel you can’t live without REDNote at least consider the following security advice when installing:

Review the permissions it requests – Block or disable any with which you’re not comfortable, such as microphone, contacts, location.

Use a burner phone – Because the app hooks into your phone number, perhaps use a secondary non-mission-critical phone or a secondary SIM.

Use a disposable or non-critical email account – Don’t link the app to your other social media or main email account(s), especially not mission-critical ones or work accounts.

Consider carefully the things you share on the app – If you don’t want it on the internet, don’t put it on the internet. Something us ancient net users have been saying for decades, long before the web, social media, and apps.

Stay up to date with developments – Keep up with the tech news and especially any stories about data breaches or hacks. It might be too late once an app is breached or there is an issue, but you might be able to salvage some privacy or security if you’re aware of what’s happening.

Oh, and one more thing. People often ask “why are you worried about privacy, if you’ve got nothing to hide?” A good response is to ask them why they have frosted glass for their bathroom windows!

This article is intended for informational purposes only and does not constitute legal or formal cybersecurity advice. Readers are encouraged to consult with experts for specific guidance.