Didi is everywhere in China. In the country’s major cities, you’re unlikely to find someone that hasn’t hailed a ride through its platform. The company’s popularity led the Uber-like taxi app to a much anticipated New York IPO on June 30. Didi raised a whopping $4.4 billion—the largest amount of any Chinese company going public in the US since 2014.

Then, Didi caught the attention of Chinese regulators.

China Voices

In TechNode’s subscriber-only translation column, we bring you discussions about tech on the Chinese internet. TechNode has not independently verified the claims made below.

For the first two days after going public, Didi’s stock performed well, rising more than 17% from its offering price. Then, the ride-hailer’s US debut took a jarring turn: China’s top internet regulator announced a cybersecurity investigation into the company.

Didi’s share plunged more than 20% on the news. Investors say that the move blindsided them. Apart from scrutiny at home, the company now also faces lawsuits from US investors for failing to disclose its regulatory risks. 

According to the government’s official announcement, Didi faces regulatory backlash over data security. The regulator did not provide any further details.

What kinds of data does the company hold that led to regulators souring on the company? This week, we combed Chinese media reports on the investigation into Didi, hoping to provide a clearer picture of what led the company to fall out of favor. All quotes have been edited for clarity.  

Didi’s big data analytics 

On July 2, the third day after Didi’s IPO, China’s internet watchdog launched a “cybersecurity review” of the ride-hailing company, citing national security concerns.

Then two days later, on a Sunday night, the same regulator—the Cyberspace Administration of China (CAC)—ordered app stores in China to remove Didi’s app. The CAC said the app “seriously violated Chinese laws and regulations on personal information collection and usage.”

Of all tech majors in China, Didi collects the most comprehensive data on personal travel. Its ability to do big data analysis on users’ activities and habits can carry security risks, said China’s nationalistic tabloid Global Times on July 4. 

The news of the investigation into Didi began trending on popular microblogging site Weibo over the weekend. The government’s inquiry won cheers from many Chinese internet users, who see the move as a means of protecting China’s national security and the data privacy of its citizens. 

Why China’s ban on Didi’s app is winning applause
Global Times, July 4

Didi Chuxing is a high-tech internet company that has greatly popularized online ride-hailing services in China. But the company undoubtedly collects the most detailed personal travel data out of all the major internet companies. It’s very worrying that, according to the Cyberspace Administration of China’s announcement, Didi may have violated laws in the way it collects and uses personal information. Didi appears to have the ability to perform big data analysis on users’ activities and habits, which could become a potential security risk to people. 

As a matter of principle, we hope that internet giants can minimize collection of users’ data instead of capturing as much information as possible.

Internet behemoths are used to calling the shots in their sectors, but the government cannot allow them to make the rules governing personal information. The government has to control the rules and standards, making sure that internet giants minimize their user data collection. Internet companies shouldn’t be allowed to have a super database of user information that is more detailed than that controlled by the Chinese government, let alone use the database however they please.

The government needs to be vigilant with a firm like Didi, which went public in the US and consists of top foreign stakeholders. This is not only a matter of protecting personal information but also a matter of national security. Regulating Didi doesn’t mean the country is stunting the growth of the company. It serves to eliminate risks so that the users will feel more comfortable, thus giving the company a bigger market. 

Maps and road traffic data

Experts told the Chinese business magazine 21st Century Business Review that Didi’s collection of road traffic data is at odds with China’s national security.

Didi’s investigation gives a stern signal
Cao Yanjun, Yang Song
21st Century Business Review, July 5

Cybersecurity investigations into internet companies will become the norm. 

Di Wei, an assistant professor of economic law at East China University of Political Science and Law, told 21st Century Business Review that Didi holds road traffic data including that which deals with surveying and mapping, traffic flow, and charging stations. This data is vital data, according to the third article in the “Provisions on the Management of Automobile Data Security (Draft for Comment Solicitation)” that was released on May 12. The provision defines vital data (to national security) collected by auto companies.

Data collected by automobile companies is closely connected to individual privacy and national security issues. For example, when a user follows a given route, companies can collect data on home addresses, work addresses, and surrounding geographic data.

“The potential risk lies in exposing personal information, and even data vital to the national interest, which in turn affects military safety,” Di Wei said.

Driving record data

Didi’s record of driving data and driver and passenger security information pose major security risks to China if leaked, according to Classification Evaluating Reviews, a WeChat account that promotes China’s multi-level protection scheme, a tiered system of national cybersecurity levels. 

China launches its first cybersecurity investigation! Didi gets investigated
Classification Evaluating Reviews, July 2

Cybersecurity investigations aren’t administrative interviews but preventative safety precautions. Didi has already become an essential part of China’s internet traffic infrastructure. Didi’s datasets of driving records, and driver and passenger security information pose a massive security risk. 

According to China’s multi-level protection scheme, we can infer that Didi’s network has been classified as vital information infrastructure, thus prompting the cybersecurity investigation.

It might take a few months for Chinese regulators to elaborate on what the Didi data in question includes. In the meantime, Chinese media reports show that Didi’s massive collection of mapping and traffic data, and its ability to provide big data analysis using its data, may have alerted the country’s regulators.

Qin is the managing editor at TechNode. Previously, she was a reporter at the South China Morning Post's Inkstone. Before that, she worked in the United States for five years. She was a senior video producer...

Louis Hinnant is an intern at TechNode. He's currently covering cleantech and mobility.