China’s Leaky Surveillance State
There are obvious human rights implications to the Chinese government’s mass collection of personal data. But cybersecurity is also a major worry.
In mid-February, Victor Gevers, a Dutch security researcher who co-founded the GDI Foundation, broke the news on Twitter that Chinese surveillance company SenseNets had inadvertently left its records freely accessible online. The data, Gevers revealed, included not only the identifying personal information of over 2.5 million people – “ID card number… sex, nation[ality], address, birthday, employer” – but also the frequently updated GPS location of those individuals, according to facial recognition trackers in public spaces.
It won’t surprise Diplomat readers that this mountain of data was being collected in China’s far western Xinjiang region. In recent years, a number of media reports have noted the transformation of the Xinjiang Uyghur Autonomous Region into a police state, deploying both old-fashioned security tools like frequent checkpoints and guard posts and cutting-edge technology, such as ubiquitous facial recognition cameras and mandatory surveillance apps on smartphones.
The intensive level of government surveillance goes hand-in-hand with a vast detention program. Members of the largely Muslim Uyghur minority group (along with other ethnic minorities) have been forced into re-education centers indefinitely for perceived offenses such as being overly religious or seeking contact with friends or family members abroad.
Criticism of China’s surveillance state has generally centered on the human rights violations these actions entail – and rightfully so. Even setting aside the detention centers, which the Chinese government insists are “vocational training” centers, the widespread use of video surveillance and facial recognition technology means that, in theory, any person in China can have their location tracked and logged constantly by the state (in practice, such cameras are not deployed so widely in other regions in China). This is occurring in an environment where the average citizen has virtually no channel to influence government policy, and the government has no oversight from civil society or the domestic media to check abuses (whether those oversteps are codified into policy or the result of lone unscrupulous officials).
Yet underneath this important discussion on China’s widespread use of surveillance technology, there’s another issue that Gevers’ bombshell brought to light. Many of the companies handling this surveillance are relatively new start-ups, without a proven track record. Just how careful are they being with the massive amounts of personal data now being placed into their hands?
Gevers’ research suggests shocking carelessness, at least in this instance. After his initial tweets outlining the database he had discovered, Gevers later tweeted out a takedown of SenseNets’ online security:
Dear operators of SenseNets. It's a good thing you starting [sic] update that crappy Windows Server 2012 (which is pirated btw). But you switched off the firewall exposing your MongoDB and MySQL server AGAIN.
If Gevers’ charge is accurate, SenseNets would not be alone among Chinese firms in using pirated – and vulnerable – software to run its programs. A study by software trade association BSA estimated that 66 percent of software installed in China was unlicensed in 2017. Remarkably, that actually represents progress – in 2011, according to the same report, 77 percent of Chinese software was pirated.
As Gevers’ tweet hinted, pirated software is far more vulnerable to cyberattacks and hacking attempts. Users of licensed software have access to regular updates from the developer, patching known weaknesses that could be used for unauthorized access. Users of pirated software don’t get those regular updates, and in some cases the new updates might not even be compatible with the pirated version.
In 2017, a global ransomware attack – dubbed WannaCry – caused major damage in China, largely because systems running pirated software had not had access to a longstanding update that fixed the vulnerability exploited in the attack. As the New York Times reported at the time, “Prestigious research institutions like Tsinghua University were affected, as were major companies like China Telecom and Hainan Airlines… Over all, according to the official state television broadcaster, about 40,000 institutions were hit.” Worldwide, WannaCry was estimated to have cost businesses over $4 billion.
China is well aware of the risks of lax cybersecurity; indeed, the government often repeats that the country is a victim of cyberattacks (rhetoric usually trotted out as a defense against accusations that China has hacked someone else). The 2016 Cybersecurity Law was designed to bolster China’s cyber defenses as well as to increase government control over internet management. For the first time, Chinese technology companies were required to keep user data confidential and had the responsibility to perform technical oversight to prevent, report, and respond to cybersecurity breaches. (A more controversial provision, given the Chinese Communist Party’s track record of punishing online dissent, required all companies to store data related to Chinese users on servers within China.)
Still, the government didn’t lay out specific standards for protecting users’ personal data until 2018, with the Personal Information Security Specification. This nonbinding standard should be considered another interim step, with further legislation expected over the next two years as the government learns from its ongoing experiences.
At the same time, the Chinese government continues to be conflicted over how far to regulate the use of data, versus allowing companies a free hand as they experiment in national priority areas like artificial intelligence and big data. Some Chinese thinkers see the country’s vast online population – and the resulting mound of data – as a national resource that should be tapped without limitations. More privacy-minded advocates demand that China take stronger steps to protect personal data.
Robin Li, the chief executive of Chinese internet giant Baidu, claimed last year that “in a lot of cases” Chinese internet users were willing to “trade privacy for convenience, for safety, for efficiency.” His comments caused immediate blowback in China – not least because Baidu is seen as one of the worst offenders in terms of gathering and using data without user consent.
According to the Financial Times, a 2018 survey from the China Consumers Association revealed that a whopping 85 percent of Chinese people had suffered the direct effects of a data leak. When personal data is being gathered involuntarily by the state as part of its surveillance efforts, the potential for a disastrous leak is magnified. Yet China’s legal efforts to address the problem leave a gaping loophole: There are no restrictions on what data the government can collect in the name of national security and how that data can be used.
“China’s concept of privacy is more like Europe, trusting the government to protect people and manage society, but mistrusting companies that only care about profit,” Martin Chorzempa, a fellow at the Peterson Institute for International Economics, told Financial Times. “The government can manage this distinction so long as the impact of surveillance does not become too onerous or intrusive.”
Or so long as government-backed surveillance data doesn’t wind up openly accessible to anyone with a computer and internet connection.