How to delete "Baidu IME" which sent the input character string to the server without permission

China's largest search site "Baidu (Baidu)"Free Japanese input software provided by"Baidu IMEIt was discovered that almost all information of input contents was being sent to the external server without user's permission. The procedure to uninstall Baidu IME which may cause confidential information leakage etc. is as follows.

Japanese input software made in China Sending input information without permission NHK News

Since Baidu IME secretly sticks when downloading and installing other software such as free software, we recommend that you check whether anyone you do not remember is installed first. The way to check / uninstall Baidu IME on Windows 7 is as follows.

Click "Windows Button" → "Control Panel" → "Programs" → "Programs and Features". If "Baidu IME [version number]" (publisher Baidu Japan Inc.) is displayed, Baidu IME is installed.

I will delete it immediately. Double click "Baidu IME [version number]".

Ignore the appeal of Moe kyara and click "uninstall".

Click "Yes".

Do not be fooled by tears. Please click "uninstall" to heart.

Click "No".

Click "Finish". I have uninstalled it.

After uninstallation, the web browser launched automatically and a questionnaire form appears, but here we gently decided to close the browser.

According to Baidu Japan's official blog, when I adopted the pretty girl on the uninstall screen, I heard that the surprising result that the user keeps using Baidu IME has occurred.

2013 June 03 | Baidu Japan Blog

2013/12/26 13:20 Addendum
Free Japanese input application for Android OS provided by Baidu "SimejiWe are also sending information. The method of uninstalling Simeji is as follows.

First, search "simeji" on Google Play and display "Simeji" application. Simeji is not installed when "Install" is displayed on the application screen (left). If "Open" "Uninstall" is displayed, it is already installed.

Tap "Uninstall"

Tap "OK".

Through the "Uninstalling ..." screen ... ...

Uninstallation is completed if "Install" is displayed.

2013/12/26 14:56 Addendum
From officially "Our view of some reports", the following press release has come.

Baidu (Baidu) News - News on

For unauthorized transmission, the following explanations are made.

In principle, information entered by users is handled according to the "privacy policy" in "Baidu Service Terms of Service". When sending user's input information to our server, we have obtained permission in advance to send log information, and we do not obtain log information for users who can not obtain permission. Also, credit information such as credit card number and password, or personal information such as address and telephone number, is not collected as log information. In addition, server equipment and data related to both products are managed only in Japan.

In addition, we have improved the difficulty of finding the Baidu IME prelicensing setting screen from today.

Also,"About Simeji I confirmed the fact that some log data was transmitted even when the log session was OFFSo, from the version 5.6 released in March this year, we discovered the fact that we were sending data regardless of whether or not it was set up, and said that the latest version that was improved today is scheduled to be released urgently.

In addition, analyzed the communication contents of Baidu IME "NetAgent Official Blog: IME that sends input information"In case of only half-width input such as password, it is not transmitted, it will not be sent unless we convert credit number and phone number" "In Baidu IME, Simeji, information is transmitted only in case of double-byte input It is said.

2013/12/27 18:00 postscript

A press release with the following content was newly issued.

Our view on a series of press coverage - Baidu (Baidu) News - News on

Recently, some media reported that they called on Baidu's Japanese input system and not using the Japanese input system provided by Google ™ and Microsoft®.

Although it is unknown just about which media is coverage, it seems that IIJ has issued the following releases before the news of the other day, which is actually about this case , Despite the fact that it already had attention as of December 17 already, Baidu side had not taken any measures till December 26 where the problem was found to be extensive as it seems now It will be.

IIJ Security Diary: On the attention of using IME's online function

Recommendations for attention / countermeasure such as the following are done around the end of the above URL.

As mentioned above, when the cloud conversion function is effective, even if you edit the sentence file, table, or presentation placed on the local terminal, the input data is transmitted to the outside. Unlike keyword input to search engines etc., it is difficult for a user who does not understand the mechanism to realize that data is transmitted to the outside by conversion by IME.

In many IMEs, cloud related functions must be explicitly activated themselves. There is no problem if you recognize that input data is transmitted and enable it yourself.

However, some free IMEs are automatically activated with the recommended settings during installation. Sometimes this IME is bundled with free software etc. and installed. If you do not understand the options presented at the time of installation and proceed with pressing the OK button as it is, the IME will also be installed and the cloud conversion function will be enabled. Also, it may be included in pre-installed software of PC made by manufacturer. Since it is already installed, it may already be activated depending on the factory setting. In either case the user does not intend, so if you use it as is, information will be sent without knowing it.

Especially when it is judged that an organization such as a company should keep the information handled by the IME within the organization, in compare with the use and management policy of the software in the organization

Ensure not to use the function by setting the user environment
Prohibit communication of the function with a firewall or the like installed at the organization boundary

We recommend you consider measures such as.

2013/12/27 18:04 Addendum

In addition, Baidu side further makes the following claims in this release.

1. The Japanese input system "Baidu IME" provides a cloud dictionary that is updated to the user in real time by using cloud input technology that is used globally. Information communicated to the secured server will not be related to personal information through user name etc. There is no possibility or risk that the user's personal information will be leaked. All related servers and data are placed in Japan and managed.

2. Japanese input application for Android ™ OS "Simeji" is a product developed by Japanese software developers, and in December 2011 our company acquired the business. This product is popular among Japanese mobile users by providing the goodness of Internet cloud input along with the goodness of conventional input technology.

3. For this matter, some media have reported a misunderstanding about the following points, so "Our products" Baidu IME "" Simeji "sends user's input information without permission to the Chinese server It is incorrectly recognized that it is "that it is." For this reason, I will explain as follows.

(Erroneous) Send to server without notice
(Positive) For "Baidu IME", you can obtain prior permission from the software terms of use, ON / OFF setting of cloud conversion, and we do not send without permission.
(Erroneous) The entered password is sent to the server
(In the news report, a demonstration that the password is transmitted to the cloud server as it inputs the full-width numeric password is reported and misunderstood.)
(Correct) For credit information such as passwords and cards, we do not send it to the outside even when using cloud conversion.

However, in fact it is known that the following information has been sent, and the explanation about "uid", that is, the necessity to acquire the terminal ID for identifying each individual Windows and Android, is currently Baidu There is no announcement from.

NetAgent Official Blog: IME that sends input information

Py = conversion confirmed character string
Uid = The security identifier SID of the Windows computer.
App = The path name of the application you are using. In the case of Chrome etc. Because it is saved in the user area, Windows user name may be sent in some cases.
Version = Biadu version of IME

In case of Simeji it will be sent even when cloud input OFF, log information transmission is OFF.

Py = conversion confirmed character string
Uid = individual terminal identifier by UUID
Mobile = the name of the device you are using
App = Package name of the application you are using
Version = Simeji version

In addition, although Baidu side explained variously in this release, the actual problem is "I did not specify to transmit the character string on the net", "There seems to be a defect in the program (seems to be)" , It is pointed out as follows.

Baidu Baidu IME conversion character string memo about net transmission - writer Mikami Hiroshi Office

I did not specify to send a character string on the net

· Sending character string "Cloud input" was on by default
· The PC version of Baidu IME did not specify usage guidelines and privacy policy at the time of introduction
· Although there is a notation "collecting data", there is no notation saying to send character string (as of 26th)
· It's a function called "cloud input", so it's natural to send it online. Although some people think that there is, in fact, if you turn on the function "predictive conversion", "cloud input" = net transmission was enabled automatically

There seems to be a defect in the program (it seems)

Mr. Kurobaneko, who has been pointed out for Baidu IME's problem for a long time, has been analyzed in detail.
Baidu IME news on the possibility of hoax and serious countermeasures
Analyze NetAgent's Baidu IME analysis from Simeji's bug
For details please read Kurobaneko's article and write it roughly
· There is a problem with the process of sending the character string to the server
· Even if cloud input is turned "on" from on state, the process of sending the character string does not close
· Even if it is "off" on appearance, it will send a character string (it seems)
· If you reboot it will cure, but it will remain on Android because it rarely restarts
It seems to be said that. Even if it looks "cloud input off = not sending character string", it means that there may be cases in fact being sent.

In other words, Baidu side says, "We have not sent it to the server without notice" "The password you entered will never be sent to the server", but "There is no notation saying to send a character string", "The converted character string is transmitted It is not because we are not judging whether it is a password or not ".

2013/12/27 18:07 Addendum

In addition, Baidu has issued the following statements in China.

Baidu software, information External transmission stop ... changed the default setting: News: Net & Digital: YOMIURI ONLINE (Yomiuri Shimbun)

Chinese Baidu headquarters issued a statement claiming that "there are no dangers, illegal data transmission, information leakage problems," through Twitter 's "China Exposition" on the 26th.

Jiagm's BLOG @ Blogger: How far does Simeji's "Continuous transmission of input content" problem affect?

Postscript 1: Baidu announced an emergency statement in China. I will summarize.

"Because it adopts the cloud input method, it is transmitting after encrypting some input data.It is not included personal information, it is used only for the purpose of quality improvement All is accumulated in Japan There is no possibility of illegal sending and leakage.I show regret to some media's intentional report Currently I am in discussion with the Japanese authorities and I am seeking understanding.What Japanese legal norms etc We are in compliance and are based on common practices, emphasizing voices of users' uneasiness due to intentional media coverage of some media and strengthening the information presentation system with subsequent version upgrades. "

It is inevitable to say that it is the content of a statement which ignored the fact at all.

in Note,   Review,   Software,   Pick Up, Posted by darkhorse_log