On May 27, 2026, Taiwan's Ministry of Digital Affairs (MODA), through its Administration for Cyber Security (ACS), published the results of security testing on four China-developed apps — the navigation app Amap, video platforms bilibili and iQIYI, and the messaging app BIMOBIMO. The ACS press release reports that the apps were assessed against 15 indicators grouped into four categories — reading user behavior, reading data from other apps, reading device information, and collecting and sharing user data. Amap drew the most scrutiny, with 11 flagged behaviors on Android and eight on iOS, including continuous location collection, contacts access, microphone permissions, and — most strikingly — data transmission that continued even when the app was closed.
The legal core of MODA's concern is not that these apps are buggy, but that they answer to Beijing. The release explicitly invokes China's Cybersecurity Law and National Intelligence Law, under which firms can be compelled to hand user data to security and intelligence agencies. That is a real, structural risk, not a hypothetical one. A Taiwanese commuter's daily movement patterns, residence and workplace are exactly the kind of data an adversarial state values — and Taiwan faces a more acute version of this threat than any other democracy.
The strongest case for going further
It is worth steelmanning the hawkish position before arguing against it. Taiwan is the target of sustained cognitive and cyber operations from the People's Republic of China; the threat model is not paranoia. If an app structurally cannot refuse a lawful Chinese data demand, then user 'consent' to its permissions is partly fictional, because the user cannot consent on behalf of a government that can override the vendor. On that logic, a ban — not a warning — is the cleaner protection, and waiting for measurable harm before acting can mean acting too late. Taiwan's own National Security Bureau and interior officials have floated exactly that escalation for Amap.
And Taiwan has shown it will pull the trigger. In December 2025 it invoked Article 42 of its anti-fraud law to impose DNS blocking on the Chinese platform Xiaohongshu, citing fraud losses exceeding NT$132.9 million against a Taiwanese user base of roughly three million, as documented in an I-CONnect analysis of the case. So the May advisory is notable precisely for what it did not do.
Why the advisory is the better instrument
MODA's choice splits the difference correctly. Government agencies are barred from installing the apps under the Cyber Security Management Act — a defensible, narrowly scoped rule for public-sector devices that handle state data. But for the public, MODA issued guidance, not prohibition: check whether permissions are reasonable, and use cybersecurity tools. That is the proportionate move, for three reasons.
First, it respects the citizen as a decision-maker. Disclosure treats adults as capable of weighing a navigation app's convenience against its permission footprint — the same judgment they should apply to any app, Chinese or otherwise. MODA's own advice that these precautions apply to all apps is the tell: the underlying problem is over-permissioned software and weak platform accountability, not nationality alone.
Second, bans are leaky and set bad precedents. The Xiaohongshu block was promptly circumvented by VPNs, underscoring that 'technical walls cannot solve political problems.' A government that normalizes DNS-level blocking of disfavored apps builds infrastructure that a future, less scrupulous administration can repurpose against domestic speech. Taiwan, with its authoritarian past, knows this instinctively — which is why its 2022 Digital Intermediary Services Act, a DSA-style content-control bill, collapsed under civil-society backlash before it ever reached a vote.
Third, transparency scales where prohibition does not. There are thousands of apps with questionable data practices; MODA cannot ban its way through all of them, but it can publish rigorous, indicator-based test results and let market pressure and user choice do the rest. A published 11-of-15 risk profile is a more durable deterrent than a block that invites a censorship fight.
The real test is restraint
The pro-innovation case is not that Taiwan should ignore Chinese data risk — it plainly should not. It is that the form of the response matters. Taiwan already has a working model for proportionate platform regulation: the Fraud Crime Hazard Prevention Act, enacted in 2024, imposes obligations on major advertising platforms to remove demonstrably fraudulent content within a notified period, with per-ad fines — including a reported NT$1 million penalty on Meta in 2025. That is regulation tied to a specific, verifiable harm (fraud), aimed at conduct rather than origin, and applied to global and Chinese platforms alike. It is a far better template than nationality-based bans.
The danger now is escalation by reflex. If officials convert the Amap advisory into a consumer ban without a concrete, evidenced trigger and judicial oversight, Taiwan will have traded a defensible disclosure regime for the very speech-control machinery its civil society rejected in 2022. The May 27 advisory was the right instinct. Whether Taiwan holds that line — informing users rather than deciding for them — is the policy question that actually matters.