In a collaboration with the state news agency Xinhua, the R&D team at the ride-hailing platform Didi published a review in 2015 of bookings made by people working for different departments of China’s central government in Beijing.
The research revealed that staff at the Ministry of Land and Resources were working some of the longest hours, with more than 100 Didi pick-ups after midnight. The Ministry of Public Security was the busiest branch of government, with 1,327 rides booked in and out of its offices in a single day, and the National Development Reform Commission (NDRC) was getting the most drop-offs between 6-8am, suggesting early starters at the office. Conversely, employees at the Ministry of Science and Technology were going home closest to the contracted hours of the working day, the report also noted.
The findings were passed around social media and viewed at the time as a bit of fun. Yet the report was being recirculated this week as onlookers looked afresh at Didi’s Big Data capabilities. Was it a good idea to be sharing information on this kind of activity, some asked. What if the platform was in a position to warn an insider group of stock market moguls about a surge in midnight traffic at the central bank’s offices on a Sunday night, for instance?
And what if the conversations of Didi passengers were recorded and used for purposes other than protecting their personal safety?
Questions like these have taken on a more tangible quality this week after China’s cyberspace watchdog shocked investors by ordering app stores to drop Didi’s smartphone app on concerns over data security.
Coming just days after the firm’s high-profile listing in New York, it was a hammer blow for Didi’s shares, which plunged violently.
But analysts are also scrambling to decipher what the move might signal more broadly for China’s data privacy regime; while investors are wondering whether it will stem the flow of Chinese firms going public on US bourses, curtailing the financial prospects of some of the best-known internet and tech unicorns.
What actually happened?
Didi raised about $4 billion at the end of last month in the largest IPO on the New York Stock Exchange (NYSE) since Chinese e-commerce giant Alibaba went public in 2014.
It started out reasonably well. After initially climbing as much as 29% on their trading debut on June 30, Didi’s shares closed nearly flat from their $14 offer price, although that still gave the nine year-old firm a market value of about $68 billion (compared with Uber’s $95 billion as of this week).
But for co-founders Cheng Wei and Jean Liu – as well as several dozen private equity investors that had pumped at least $20 billion into the unicorn since 2012 – there was little time to celebrate.
On July 2, or less than 48 hours after Didi’s trading debut, news came through that the Cyberspace Administration of China (CAC) had started an investigation into Didi on data security concerns.
It was also announced that Didi would be prevented from registering new users on its app, pending the results of the review, which would take “at least 45 days” according to state media.
The CAC’s statement (released only in Chinese) was a brief one. But it was not difficult to read between the lines as to the severity of the situation. The ‘risk’ referred to – a potential leak of sensitive data that might harm China’s national interests – was not a future threat at Didi but a current one, made all the more glaring by its decision to IPO in New York at a time of heightened Sino-American tensions.
The watchdog’s statement made plain it was working on ways to contain this potentially dangerous data leakage. However, discussion on Chinese social media quickly linked the crackdown with rumours that the Chinese internet firm could be required to hand over user data to the US government as a consequence of its New York listing plan.
A senior Didi executive denied this, clarifying on WeChat that the company’s data is stored in domestic servers and there was “no possibility to hand them to the US side” and adding that Didi would take legal action against rumour-mongers. But by then the CAC had already notified app stores that they should remove Didi’s ride-hailing service, as its initial review had found “serious violations of laws and regulations regarding the collection and use of personal information”.
As a result of this fresh announcement Didi’s shares plunged nearly 20% on Tuesday, and they were trading at $11.21 yesterday. Chastened by the impact of the crackdown, investors have already started class action lawsuits accusing Didi of failing to disclose the full range of policy risks.
In the meantime, the CAC was said it was broadening its focus, announcing similar reviews “to prevent national data security risks” at job recruiting platform Boss Zhipin and a pair of truck-booking apps under Full Truck Alliance. Coincidentally (or more likely not), Kanzhun, which operates services Boss Zhipin, and Full Truck listed their shares in the United States – like Didi – last month (see WiC545).
Is Didi’s data sensitive?
When we reported in WiC540 that Didi was racing to become the first ride-hailing app from China to go public, we pointed out that the company’s most prized asset was the huge pool of data it generates from the billions of trips booked on its platform. In a bid to bolster passenger safety after the murders in 2018 of two passengers that had booked trips with the app (see WiC422), Didi has also created new functions that stream video and audio data from user smartphones back to its servers while the ride is en route (other road safety uses of the tech guard against drivers nodding off at the wheel, for example).
State media has been sounding the alarm at the hidden power of China’s largest tech and internet firms for a while, with inadequate data protections joining the list of complaints. “The standards must be in the hands of the state to ensure that the internet giants exercise caution in collecting personal information,” the Global Times argued last weekend, adding that the government “must never let any internet giant become a super database of Chinese people’s personal information that contains even more details than the state, let alone giving them the right to use those data at will.”
Didi’s application of Big Data is not only about predicting traffic patterns and generating actionable insights from customer behaviour. As part of the push to expand into predictive algorithms and driverless cars, Didi also won approvals in 2017 to engage in high-precision mapping. The idea is that a combination of real-time footage from in-car cameras utilised by the app alongside satellite data from China’s positioning system Beidou (see WiC502) will deliver the new levels of detail needed for the safe navigation of the autonomous vehicles of the future.
Yet the same plan has opened up Didi to allegations that its database of journey details is a potential target for overseas intelligence agencies wanting a fuller view of urban life in China, as well as some of the country’s more sensitive locations. The fact that Didi has the largest of its Didi Labs (the term it uses for its artificial intelligence research centres) in the Californian city of Mountain View has done little to alleviate the national security concerns. The mood is even suspicious enough for Chinese netizens to be speculating about the role of Adrian Perica, Apple’s VP of corporate development, on Didi’s board too. The West Point graduate and former US army officer has been an independent director at Didi since 2016, when Apple invested $1 billion in the company. But in today’s more fractious environment Perica’s miltary background has been coming in for wider comment from hawkish observers in China, who have been questioning the influence of his former career.
National feeling is running strong?
The simmering tensions of the trade and tech wars between Beijing and Washington are adding a wider dimension to the political pressures on Didi. As the Global Times has noted, the CAC’s directive seems to have won widespread public support. Didi controls at least 80% of China’s ride-hailing market but its leading shareholders Softbank (also the largest single shareholder of Alibaba) and Uber own a combined 30% stake of the Chinese firm. “For companies like Didi, which have been listed in the US market and whose largest and second-largest shareholders are foreign, China should more strictly supervise their information security to protect personal data and national security,” the newspaper urged in an editorial.
Nationalist critics of Didi have even thrown dirt in the direction of co-founder Jean Liu because of her family background. Her father Liu Chuanzhi is the founder of Lenovo. Once arguably the nation’s most iconic tech brand, it was castigated as “China’s tech Judas” a few years ago after allegations emerged that its role in influencing future 5G standards had been detrimental to national champion Huawei (see WiC410; Lenovo has staunchly denied the allegations). Similar Judas-style labels were being deployed about Jean Liu this week on social media, comparing Didi’s listing in the US with Lenovo’s acquisition of IBM’s personal computer business back in 2005 (a deal blamed for many things, including the derailing of the development of a Chinese computer OS). Indeed, both Didi’s and Lenovo’s forays into the US market – though 16 years apart – have been cast as betraying broader Chinese interests.
Was Didi in a rush to go public?
Much of the online criticism looks far-fetched, especially as we await more detail from the CAC on Didi’s potential transgressions in data security terms. Yet for its cheerleaders – whose ranks have included management theorists and business school professors – Didi’s defenestration so soon after its IPO will seem especially galling, after it emerged as the main winner in a bitter battle of the Chinese car-hailing apps in 2015.
That brutal period saw Didi come out on top after it first merged with domestic archrival Kuaidi and later took over Uber’s China operation. Didi management won out in this high risk Darwinian situation through a combination of steely nerves, workaholic customer service and superior strategic thinking.
However, one of the longer term results of this corporate victory was a fragmented shareholding structure that has created a few problems of its own. For instance, both Alibaba and Tencent own large stakes in Didi and both have representatives on its board. That’s an odd situation for two tech giants at competitive loggerheads in a range of sectors. Both have separate and rival ambitions to Didi in autonomous driving too in what they term ‘mobility solutions’ (i.e. Didi’s core business).
Meanwhile some of Didi’s private equity investors have long been keen to divest, and this was the main pacesetter in the timetable for driving one of the world’s oldest unicorns to go public. Indeed, after filing its prospectus with the US Securities and Exchange Commission on June 11, Didi wrapped up an accelerated roadshow over a few days.
The authorities in China may not have shared the enthusiasm for such a speedy sale, it seems. The Wall Street Journal reported this week that in the month before Didi went public on June 30, China’s cybersecurity watchdog had suggested that the ride-hailing app delay its IPO. The Journal says the company was also urged to conduct a fuller review of its network security. “But for Didi, waiting would be problematic. In the absence of an outright order to halt the IPO, it went ahead,” the newspaper noted.
These background issues might also point to why Didi conducted such a major IPO in such a low-key manner. Perhaps it also wasn’t politically expedient to compete for publicity with the celebrations at home for the centenary of the Communist Party of China (see WiC547), an event which took place near simultaneously with its trading debut. No press conference was arranged to celebrate Didi’s achievement and none of its executives turned up to ring the NYSE’s opening bell on debut day. “We did not ring the bell or celebrate [the listing] conspicuously, because the listing is not the end, but the beginning of a new journey,” a letter sent by the company leadership to staff explained on Wednesday.
Didi’s problems point to bigger challenges for Chinese firms wanting to sell shares in the US?
All Chinese firms need to get the China Securities Regulatory Commission’s (CSRC) approval before they can go public overseas. That means that Didi must have received some kind of blessing, although the CSRC decision won’t have been shaped by scrutiny of data security concerns, which are not part of its regulatory jurisdiction.
However, it now seems likely that data security is going to become a bigger factor in a wider range of government approval processes – including for IPOs – following the passing a new Data Security Law last month. The scope of the legislation still needs to be fleshed out before it comes into effect on September 1, although cross-border transfers of data are expected to be a focus, as well as tougher regulations for how companies should collect and store data.
In the meantime the government has already been inspecting some of the country’s most popular apps. The CAC has published two lists naming the probed: in May it warned 138 apps against the collection of information that was inappropriate to their current services.
Ironically Didi was not included in the group, even when the CAC published a set of draft rules in the same month to tighten oversight of data collection in the car industry. Tesla was one of the companies to voice immediate support for the new policy amid reports that its cars had been banned from Chinese military locations. The carmaker was quick to reassure that the data collected from its cars in China is stored entirely on local servers too.
A notice from the central authorities including the State Council on Wednesday also pledged to speed up the revision of regulations on data security for Chinese firms listed overseas (namely in New York). The timing of these moves may seem delicate, given the recent flurry of US listings by Chinese internet platforms, the Global Times noted, but the latest developments are best seen in the context of Beijing’s efforts to tighten oversight of its sprawling internet giants. However, others are wondering if the debacle of Didi’s IPO heralds a more hostile approach from Beijing towards the queue of Chinese firms trying to list on US bourses. Last year Chinese companies raised $12 billion fromNew York IPOs more than triple the amount in 2019, according to data from Refinitiv. The flow has quickened again this year: as many as 36 firms, including Didi, raised $12.6 billion in US markets over the first half of 2021, the most on record, according to Dealogic. There are now nearly 250 Chinese companies listed in New York, with a combined market capitalisation of more than $2 trillion.
All of this has been happening despite warnings from Washington that the companies concerned will soon have to meet US auditing standards or face expulsion. Beijing is adamantly opposed to this new level of scrutiny – which arose during the Trump administration as a means to shutter US capital markets to Chinese firm. However, Beijing’s own response to the Didi IPO seems to signal that it too wants to discourage Chinese tech firms from raising money via Wall Street.
Yesterday medical data specialist LinkDoc called a halt on plans for an IPO in New York that was supposed to price this week. Keep, a popular fitness app backed by SoftBank and Tencent, also held back on its public filing for a listing and its IPO bankers cancelled roadshow meetings with potential investors, the Financial Times reported.
“A freeze of the Chinese IPO pipeline seems to be the current state of play: bankers say any Chinese company that was planning a US-listed IPO in the coming months is likely being shelved for now,” was the Wall Street Journal’s verdict.
© ChinTell Ltd. All rights reserved.
Sponsored by HSBC.
The Week in China website and the weekly magazine publications are owned and maintained by ChinTell Limited, Hong Kong. Neither HSBC nor any member of the HSBC group of companies ("HSBC") endorses the contents and/or is involved in selecting, creating or editing the contents of the Week in China website or the Week in China magazine. The views expressed in these publications are solely the views of ChinTell Limited and do not necessarily reflect the views or investment ideas of HSBC. No responsibility will therefore be assumed by HSBC for the contents of these publications or for the errors or omissions therein.