Qihoo 360 Technology Co. Ltd. (Nasdaq:QIHU), whose free antivirus software has captured more than 80 percent of the market -- estimated at about 1.5 billion people -- is being accused of stealing confidential information from hundreds of millions of users. But the Chinese company rebuts the accusations and says they come from competitors.
Early last month, National Business Daily, a Chinese economic news outlet, published a story titled “The Mystery of 360 Black Box,” accusing Beijing-based Qihoo of inserting illegal software into its antivirus software and Internet browser and stealing users' private information and business secrets to gain more market share and serve its own interests. The report described the conduct as "cancerous cells of the Chinese Internet."
The National Business Daily article cited a third-party programmer who goes by the name "Independent Investigator" as saying that Qihoo 360 used the backdoor of its software in conjunction with its cloud service to steal user information and uninstall competitors' software from users' computers. The article said Qihoo has for years been using its products to gather personal information such as email addresses, medical records, financial information and passwords.
In response to the National Business Daily article, Alex Xu, Qihoo's chief financial officer, said Friday the sources of the story are Qihoo competitors.
"Here's one way the NBD article misleads," Xu said. "We are run a cloud-based security system so you need to have constant communication with the central server so you can provide sufficient, current protection for whatever new threats emerge. This functionality is basic to other mainstream security companies globally. In fact, one of our main global competitors has a much higher refresh rate than we do. The NBD article says we communicate with central servers to steal private, confidential information from our customers and send it to our server. That's not the case. The reason we constantly communicate with the central server is so we can keep up with new types of viruses or malwaare. This is the standard, typical way security software operates."
The discussion and public attention that followed the National Business Daily article saw users abandon Qihoo's antivirus software in droves. In the city of Nanjing, one user even took Qihoo to court, alleging that its 360 Internet browser uploads users' surfing history to the company's server.
The National Business Daily story reflected concerns that date back several years and have in at least one case resulted in a lawsuit. The plaintiff in that suit said consumers' suspicion and anger at Qihoo are well justified.
Concerns about Qihoo increased last fall when Wan Tao, a well-known former hacker who now leads a nonprofit called IDF Lab that monitors Internet threats, investigated Qihoo. Specifically, IDF spent about two weeks studying the 360 security browser's v220.127.116.11 version, and on Nov. 26, 2012, Wan and his team published a report on 360, documenting a hidden backdoor of the software. The IDF report alleged that "through its application, 360 security Internet browser has downloaded DLL files from 360 servers and applied them without user knowledge, providing no clear file application and usage explanation."
Aware of the highly sensitive nature of the overall issue as well as its own investigation, Wan explained some of the precautions IDF took in conducting its research.
"We had the test results quite some time ago, but we took some time, and we made the wording more neutral," said Wan. He said the purpose of the tests was to raise awareness, not to make a profit. Before publishing, IDF contacted Qihoo, asking its tech team to provide answers to some questions. But the only response came from Qihoo's public relations team, consistently denying IDF’s requests for answer, said Wan. In fact, he added, they not only denied requests for information but also suggested IDF was engaging in attempted extortion.
However, Qihoo's Xu responded to questions from the International Business Times about the charges.
"We don't steal private or confidential information," he said. “Further, we are the only internet security product that has been certified by all four major international testing labs that specifically test security software. In China we are the only internet security software company that has been certified by all four major international labs. We follow a very strict standard in developing our products."
Concerns about privacy with Qihoo products led Apple Inc. (Nasdaq:AAPL) earlier this year to remove Qihoo apps from its App Store, including core products such as 360 Mobile Phone Guard and its Internet browser, according to Qihoo critics.
Xu says concerns about data theft had nothing to do with Qihoo's app getting dropped by Apple.
"Apple dropped us from their app store because we were distributing outside their distribution channel," he said. "At the end of last year or early this year we were testing a product and distributing it outside Apple's distribution channel. That's why they removed us from their app store. The accusations that they dropped us because they believed we were stealing private or confidential information 'are just made-up stories.'”
Qihoo's chairman, Zhou Hongyi, has long maintained his company's innocence, saying the criticisms stem from rivals' resentment at his company's competitive successes.