from are-you-sure-you-want-to-spy-on-everyone? department
A few weeks ago, Techdirt wrote about how an anonymous user had put up for sale the data of around one billion Chinese citizens, possibly obtained from Shanghai police. It was unclear at the time exactly what happened, not least because Chinese authorities were shutting down any discussion of the massive and embarrassing leak. The Wall Street Journal wrote a follow-up article on the incident which clarifies the situation and puts things into a larger context (paywall alert):
The Wall Street Journal has since found dozens of other Chinese databases offered for sale, and sometimes free, in online cybercrime forums and Telegram communities with thousands of subscribers. According to a Journal review, four of the stolen caches likely contained data from government sources, while several others were advertised as containing government data.
Tens of thousands more databases in China remain exposed on the internet without any security, totaling more than 700 terabytes of data, the largest volume of any country, according to LeakIX, a service that tracks such databases.
An attached graph shows that the volume of data exposed in China is not only greater than that of the United States, but far beyond the levels of leaks in other countries around the world. The Wall Street Journal’s Karen Hao found several people claiming to offer the dataset containing information on one billion Chinese citizens – one wanted around $200,000, another was willing to sell for $100,000. And the publicity surrounding the hack seems to have encouraged others to join us:
a user claiming to be a policeman from central China’s Henan province, inspired by the Shanghai robbery, offered the personal information of 90 million people for one bitcoin, or about $20,000.
A third post promoted nine million alleged records from the Chinese Center for Disease Control for $2,000. A few days later, a fourth popped up selling 40,000 records of Chinese citizens’ names, phone numbers, addresses and ID numbers for $500.
Hao points to a key factor behind this flourishing trade in large-scale highly personal data: state employees in China are poorly paid and therefore easy to corrupt. But another is the fact that the more data a database contains for surveillance purposes, the harder it is to control it and the easier it is to exfiltrate huge amounts in a single hack, which can be sold for large sums on black. market. It’s probably no coincidence that the big leak a few weeks ago came from Shanghai, which has had one of the most comprehensive surveillance systems in the world for some time:
Shanghai was among the first cities to unveil a fully integrated data platform with AI capabilities in 2019. The platform pulls data from various government functions such as public security, public health and transportation, as well as private companies offering express and food delivery, according to a state media interview with a director of the Shanghai Police Department.
This means that there was more and richer data in Shanghai than in other places. All it took was one misconfigured database or one dishonest policeman to wipe out the privacy of a billion Chinese citizens, probably forever.
This is terrible news for those affected, but it means that the larger and more inclusive a surveillance system becomes, the more vulnerable it will be to the precise type of leaks that now seem to be commonplace in China. In addition to harming those whose lives are revealed in this way, it also undermines the power of central and local government by exposing large amounts of sensitive data to anyone willing to pay, including foreign intelligence agencies.
It is unlikely that ethics or international law will constrain governments that spy on their own citizens. But the fact that too much surveillance can threaten the political future of those who order it could constitute a brake on its constant expansion.
Filed Under: bribes, China, corruption, leak, privacy, shanghai, surveillance