Following recent announcements from the Ministry of State Security and the service suspension of ArcGIS Pro basemaps, many users have suggested switching to QGIS. However, does using QGIS truly ensure security and compliance? After several days of research, this article attempts to explore this issue and welcomes further discussion.

About QGIS

QGIS (Quantum GIS) is one of the world's most renowned open-source GIS software. With the advantages of being free, open-source, and feature-rich, it is increasingly favored by enterprises, institutions, universities, research organizations, and individual developers. QGIS uses the GPL 2.0 license, allowing users to freely download, use, modify, and redistribute the software, provided that derivative software continues to adhere to the GPL protocol. From the perspective of software intellectual property rights, using QGIS in the China region is legal.

Since QGIS is open-source, we downloaded its source code for a preliminary analysis. The source code address is:

https://github.com/qgis/QGIS

After cloning the code locally, a simple global search was conducted. It was found that QGIS automatically connects to the internet upon startup to download a news feed, which is commonly seen in this interface.

This is located at line 101 in the source code file src/app/qgswelcomepage.cpp.

From our analysis, this request fetches a news list from a subscription feed and does not upload any sensitive information. This can be verified through packet capture, with results as follows:

Additionally, there are two other interface calls: one to version.qgis.org, which checks for QGIS version updates.

Capture results are as follows:

Another interface call is to plugin.qgis.org, which is used to acquire plugins and plugin updates.

These three external server interfaces are called when the software is launched. Domain resolution shows the destination is in Germany, indicating overseas service addresses. In simple terms, based on source code analysis and network capture, QGIS does call overseas servers upon startup but only to retrieve software updates; it does not upload user-sensitive data (based on personal testing). Moreover, since QGIS is open-source, any behavior such as uploading user-sensitive information would likely have been exposed. From this perspective, using QGIS itself is relatively safe.

PS: The author is not highly proficient in QT and relied on basic code search and network capture for testing purposes. For professional use, please seek professional code auditing.

Exploring QGIS Compliance

Regarding compliance, it is necessary to refer to the earlier article "ArcGIS Pro Basemap Service Access Issues in China and Solutions - MalaGIS". As mentioned, the basemap services of the international version of software like ArcGIS Pro have issues with the depiction of the China region's boundaries. Consequently, the basemap for the China region was later replaced with Tianditu.

Above: Screenshot of the international version of ArcGIS Pro basemap service.

As for QGIS, it does not provide basemap services itself. These can be added via plugins, one of the most popular being the QuickMapService basemap plugin introduced previously. This plugin offers a vast number of basemaps, but most are non-compliant.

Above: Opening a Bing basemap at random shows incorrect marking of China's boundaries.

Testing revealed that the QuickMapService plugin offers nearly a hundred basemap services, with very few being compliant. Therefore, if you need to use compliant basemaps in QGIS, please follow the method introduced in the earlier article "「GIS Tutorial」Adding Domestic Basemap Sources (Tianditu, Gaode) to QGIS" to use domestic map sources.

Exploring QGIS Legality

Regarding legality, we return to the Ministry of State Security's announcement on September 14, which emphasized that "geographic information data security might be overlooked, but it is truly important." Based on the previous source code analysis and packet capture, no behavior related to uploading user processed data was found in QGIS itself (based on personal testing, not professional auditing). However, the safety of QGIS itself does not guarantee overall security. QGIS's success lies in its open-source nature and ecosystem, but it is precisely this vast ecosystem that makes its data security more uncontrollable. For example, there are currently 2,689 plugins officially published by QGIS, not including those not registered in the official repository but available for download and use.

Even if QGIS itself does not upload user data, users cannot guarantee that the plugins they install do not. For instance, the plugins introduced in earlier articles "QGIS Map Georeferencing Tutorial (With AI Georeferencing)" and "Using AI to Automatically Vectorize in QGIS: A Practical Guide" require uploading user data to the plugin's server and returning results. If the processed data involves state secrets... Hence, it has been emphasized in articles not to use such plugins for processing sensitive data. Remember our motto: No sensitive data online, no online processing of sensitive data.

Suggestions for Legal and Compliant Use of QGIS

After all this, it should be clear that geographic information data security is necessarily a systematic project, involving standards and implementation specifications. Relying entirely on a single software for geographic information data security is unreliable—neither ArcGIS nor QGIS can guarantee it (Can domestic GIS software?). For secure and compliant use of QGIS, here are some suggestions:

  1. Block/Disable External Network Access: Prohibit QGIS from directly accessing the external network at the organizational network boundary (using whitelists or proxies), forcing it to go through a company-controlled proxy.
  2. Build an Offline Resource Library: Mirror commonly used basemaps, plugins, and dictionaries internally and configure QGIS to use internal addresses (mirror plugin repositories, mirror qgisdata).
  3. Disable Automatic Updates/Plugin Repository Access: Disable automatic update checks and the plugin store in deployment packages. Plugins should be distributed only after review by operations staff.
  4. Configure Authentication and Auditing: Enable QGIS authentication configuration (master password, auth configs) and restrict the output of sensitive information in logs.
  5. Code/Dependency Auditing: Perform static code auditing on third-party plugins and custom scripts, prohibiting calls to external networks or dynamic execution of downloaded code within plugins.
  6. Build a Hosted Version/Repackage: Package QGIS as internal software (remove unnecessary providers, disable network modules, or set default "offline" configurations) and include the build products in software asset management and compliance registration.

If there are other measures, everyone is welcome to contribute.

Summary

As seen from comments on previous articles, the user base of QGIS in the China region is gradually growing. On Google Trends, the search volume for the keyword "QGIS" has surpassed that of "ArcGIS". Its open-source, free, easy installation, good ecosystem, and fast update speed are advantages. However, amidst rapid software popularization, corresponding legal and regulatory risks also deserve vigilance from GIS practitioners. The author maintains the view that: GIS data security and compliance rely not only on regulators but also in our hands.

Finally, whenever such incidents occur, there are always voices calling for completely banning xxxx or forcibly shutting down xxx companies. Regarding this, the author believes that, much like Tesla's role in China's new energy vehicle industry or Apple's role in China's mobile phone industry, an industry needs such a "catfish," and even relevant practitioners need the existence of such a "catfish." Since the state has not issued强制 policies, it implies its own considerations. Until then, everyone should use it compliantly and legally. After all, anyone involved in complex system construction knows the cost and workload involved in system architecture-level migration.

To prevent arguments, we certainly need to consider Plan B, just as Cesium users can consider maptalks. Also, can some so-called domestic replacements strive to improve, paying attention to their website security? For example, the website of a certain leading domestic enterprise was found hosting some inappropriate content, which was even cached by Baidu (the fact that it was caught by Baidu's lazy spider indicates it was hosted for not a short time!). For example: "Domestic Top GIS Vendor Suspected of Security Issues?" and this "Well-known GIS Company Website Suspected of Being Infected with Spyware". And also this: "This Wuhan State-owned GIS Enterprise's Website Lifts the Veil on the GIS Industry's Shame".