Showing posts with the label China's surveillance state. Show all posts

Friday, 8 March 2019

China chat log leak shows scope of surveillance

AFP
Chinese law requires internet cafes to record the identities and "relevant" online activity of users, and provide them to the public security bureau on request.

A leak of around 364 million online records in a Chinese database, including private messages and ID numbers, has again highlighted the size and scope of Beijing's mass surveillance system.
The files show a wealth of information linked to online accounts, including GPS locations, file transfers, and chat logs, according to the database discovered by Victor Gevers, a security researcher at Dutch non-profit GDI Foundation.
The data collection appears indiscriminate -- some conversations are simply banter between teenagers, like one commenting on someone's weight and clothing size.
"They know exactly who, when, where and what," Gevers told AFP, explaining that thousands of records were piped daily to different databases for local law enforcement to review.
Government procurement documents and database records shared by Gevers show that the database is linked to an "internet cafe management system" developed by HeadBond.com, a tech firm based in eastern Shandong province.
In 2017, the public security bureau in Yancheng city, eastern Jiangsu province -- where at least one internet cafe named in the database is based -- contracted HeadBond for a system that monitors online activity at internet cafes.
On its website, the company calls its internet cafe management system "the best solution" for identifying online users for police.
HeadBond declined to comment, and the Yancheng city government and public security bureau did not respond to AFP's request for comment.

Internet cafe dragnet 
Over the past decade, the Chinese government has cracked down on internet cafes -- especially underground venues that serve minors -- over concerns of game addiction and crime.
Chinese law requires internet cafes to record the identities and "relevant" online activity of users, and provide them to the public security bureau on request -- which has resulted in an entire market of internet cafe monitoring systems like those offered by HeadBond.
"This also explains why data leaks that involve personal information are more prevalent in China," said Lokman Tsui, an expert on internet policy at the Chinese University of Hong Kong.
"Beijing requires most network services to register their users with real names," he told AFP.
"This means that every single mobile phone operator, internet cafe, social media website, and so on, are legally required to have databases filled with personal information, and all these databases are potentially vulnerable to attacks and leaks."
The capture of extensive user data, such as chat logs, also extends well beyond the stated purpose of catching minors surfing the web or playing games.
A government procurement notice posted last month by Liaoyuan city in northeastern Jilin province, for instance, outlines specifications for another "internet cafe management system" for local police, with explicit requirements for features that support querying and analysis of content on QQ, a popular messaging app in China.
"It's shocking the amount of personal data that is being collected on Chinese people," said Bob Diachenko, a security researcher who has reported on exposed databases in the US and Europe for the past few years, and is now looking at cases in China.
In particular, it is surprising to see the amount of additional data that is linked with a user's login data, Diachenko told AFP, such as their IP address, name, and even information about their family members.
"Sometimes it's just big data and it doesn't even make sense to collect that from a user perspective," he said.

GPS tracker 
Last month, Gevers had found another publicly accessible database containing personal information such as ethnicity and GPS tracking data of 2.6 million people in East Turkestan.
Access to the database has since been closed.
The restive northwestern region is home to most of China's Uighur ethnic minority, which has been under heavy police surveillance in recent years after violent inter-ethnic tensions.
"I would argue that good personal data protection is neither in the interest of the companies who gather the data for profit, nor the government who can (ab)use that data for power and surveillance," Tsui wrote in an email.
"It is the people in China and their basic human rights, in this case privacy, who end up drawing the short stick."

Wednesday, 20 February 2019

Rogue Nation

Exposed database on East Turkestan using facial recognition tech shows depth of China's surveillance state
AP

Residents pass by a security checkpoint and surveillance cameras mounted on a street in Kashgar in western China's East Turkestan colony in 2017. The Chinese database Victor Gevers found online was not just a collection of old personal details. The discovery by Gevers, a Dutch cybersecurity researcher who revealed it on Twitter last week, has given a rare glimpse into China's extensive surveillance of East Turkestan. 

BEIJING - The Chinese database Victor Gevers found online was not just a collection of old personal details.
It was a compilation of real-time data on more than 2.5 million people in western China, updated constantly with GPS coordinates of their precise whereabouts.
Alongside their names, birth dates and places of employment, there were notes on the places that they had most recently visited — mosque, hotel, restaurant.
The discovery by Gevers, a Dutch cybersecurity researcher who revealed it on Twitter last week, has given a rare glimpse into China’s extensive surveillance of East Turkestan, a remote region home to an ethnic minority population that is largely Muslim. 
The area has been blanketed with police checkpoints and security cameras that are doing more than just recording what happens.
The database Gevers found appears to have been recording people’s movements tracked by facial recognition technology, logging more than 6.7 million coordinates in a span of 24 hours.
It illustrates how far China has taken facial recognition — in ways that would raise alarms about privacy concerns in many other countries — and serves as a reminder of how easily technology companies can leave supposedly private records exposed to global snoopers.
Gevers found that SenseNets, a Chinese facial recognition company, had left the database unprotected for months, exposing people’s addresses, government ID numbers and more.
After Gevers informed SenseNets of the leak, he said, the database became inaccessible.
“This system was open to the entire world, and anyone had full access to the data,” said Gevers, noting that a system designed to maintain control over individuals could have been “corrupted by a 12-year-old.”
He said it included the coordinates of places where the individuals had recently been spotted by “trackers” — likely to be surveillance cameras. 
The stream indicated that the data is constantly being updated with information on people’s whereabouts, he said in an interview over a messaging app.
Gevers posted a graph online showing that 54.9 percent of the individuals in the database were identified as Han Chinese, the country’s ethnic majority, while 28.3 percent were Uighur and 8.3 percent were Kazakh, both Muslim ethnic minority groups.
A person who answered the phone at SenseNets declined a request for comment. 
The East Turkestan regional government did not respond to faxed questions.
East Turkestan, which borders Central Asia in China’s far west, has been subject to severe security measures in recent years.
The U.S. and other countries have condemned the crackdown, in which 1 million Uighurs, Kazakhs and other Muslim minorities have been detained in Chinese concentration camps.

Gulzia, an ethnic Kazakh woman who didn’t want her last name used out of fear of retribution, said that cameras were being installed everywhere, even in cemeteries, in late 2017. 
Now living across the border in Kazakhstan, she told The Associated Press by phone on Monday that she had been confined to house arrest in China and taken to a police station, where they photographed her face and eyes and collected samples of her voice and fingerprints.
“This can be used instead of your ID card to identify you in the future,” she said they told her. 
“Even if you get into an accident abroad, we’ll recognize you.”
The security clampdown is far heavier in East Turkestan than in most parts of China, though outside analysts and human rights activists have expressed concern that East Turkestan may be a testing ground for techniques that may be creeping into other parts of the country.
Joseph Atick, a pioneer in facial recognition technology, said that facial recognition products can use algorithms to recognize and track people in a crowd, but that privacy regulations in Europe, for example, make it much harder to launch a wide-scale application such as that of SenseNets.
“The technology around the world is becoming uniform and it is just the political climate that is different and leads to different applications,” he said.
According to a company registry, SenseNets was founded in the southern China city of Shenzhen in 2015 and is majority-owned by Beijing-based NetPosa, a technology company specializing in video surveillance. 
SenseNets’ website showcases partnerships with police forces in Jiangsu and Sichuan provinces and the city of Shanghai.
A promotional video boasts about SenseNets’ capacity to use facial and body recognition to track individuals’ precise movements and identify them even in a crowded or chaotic setting. 
Another video on its website shows surveillance cameras zeroing in on the path of a runaway prisoner who ends up in an ailing relative’s hospital room.
NetPosa’s website says it has offices in Boston and Santa Clara, California. 
The website of NetPosa’s U.S. subsidiary touts its products’ use in urban "anti-terrorism".
In recent years, NetPosa has been buying stakes in American surveillance startups such as Knightscope, a security robot maker. 
In 2017, NetPosa tried to buy the now-bankrupt California surveillance camera maker Arecont, but later backed out, court records show.
In 2010 U.S. chip maker Intel announced a strategic partnership with NetPosa and an Intel subsidiary bought a stake in the company, but NetPosa said in 2015 that Intel had notified the Chinese company of its intent to divest its 4.4 percent stake by 2016.
Gevers said his discovery of the database presented an ethical dilemma. 
He is the co-founder of GDI Foundation, a Netherlands-based nonprofit that finds and informs entities of online security issues. 
He has become well-known in recent years for helping to uncover similarly exposed information on databases built with the open source MongoDB database program and left unsecured by their administrators.
GDI generally reports such discoveries to the entity that holds the information. 
Part of its mission is to remain neutral and not engage in political controversies.
Hours after he revealed his findings on Twitter, Gevers said, he learned that the system is used to surveil East Turkestan’s Muslim minority groups.
He said that made him “very angry.”
“I could have destroyed that database with one command,” he said. 
“But I choose not to play judge and executioner because it is not my place to do so.”

Friday, 8 February 2019

Rogue Country, Rogue Company

Huawei's access to 5G expands China's surveillance state
By Joseph Marks

A surveillance camera is seen next to a Huawei sign outside a shopping mall in Beijing on Jan. 29. 

The United States’ top cyber diplomat just offered an unusually blunt warning to other nations: Allowing Huawei and other Chinese companies into their next-generation telecommunications networks would allow Beijing to expand its surveillance state around much of the globe.
The argument from Rob Strayer, the State Department’s top cyber official, was the most elaborate public case a U.S. official has made against Huawei’s inclusion in 5G networks.
It follows a months-long pressure campaign by U.S. officials to ban the Chinese telecom giant from 5G in Canada, Britain, Europe and elsewhere.
“A country that uses data in the way China has — to surveil its citizens, to set up credit scores and to imprison more than 1 million people for their ethnic and religious background — should give us pause about the way that country might use data in the future,” Strayer said Wednesday at the Center for Strategic and International Studies think tank.
“It would be naive to think that country, [given] the influence it has over its companies, would act in ways that would treat our citizens better than it treats its own citizens.”
The Trump administration is considering an executive order that would effectively allow it to ban Huawei and other Chinese companies from U.S. telecom systems, but even that wouldn't fully protect U.S. information because data moves so easily across national borders.
Even sensitive U.S. government information would remain vulnerable if officials were communicating with allies who allowed Huawei on their 5G networks, Strayer said.
“There’s so much data flowing around the world, it’s impossible to just isolate one country’s networks and think: ‘That’s okay, I’m fine,’” he said.
The transition to 5G, which is in its earliest stages, will mark a massive development in mobile technology.
It will offer far faster download speeds and the ability to run billions more devices on mobile networks, including smart devices such as autonomous vehicles and powerful artificial intelligence systems.
While it will be five or more years before the system is fully operational, a lot of the contracts to create its basic building blocks will be negotiated this year.
That exponential increase in connectivity, however, will also “dramatically increase the networks’ threat vectors and attack surfaces,” Michael Wessel, a member of the U.S.-China Economic and Security Review Commission, told me — especially if a U.S. adversary controls large portions of it.
China could leverage Huawei’s position in 5G networks to steal trillions of dollars of intellectual property and to implant malware on adversaries’ networks. 
It could even shut down parts of those networks amid geopolitical conflicts. 
Strayer’s concerns would apply to any Chinese company, though Huawei is, by far, the most prominent example.
The move against Huawei isn’t limited to 5G developments.
Congress banned the company from U.S. government networks last year amid fears it would be used as a Chinese government spying tool and the Federal Communications Commission has proposed a rule that would allow it to ban the company from smaller networks that accept federal grants, where the company has its strongest foothold.
The Justice Department also indicted Huawei’s chief financial officer and two affiliates in January, alleging a host of crimes, including stealing robotics technology from T-Mobile and violating sanctions against Iran.
But the United States’ international lobbying campaign against Huawei goes a step further, seeking to restrict China from playing a key role in an entire generation of digital development.
Its success or failure could determine the fate of Internet security for years, Strayer said.
“We’re talking to partners around the world about this as they upgrade to 5G. We’re raising it at the highest diplomatic levels,” Strayer said.
“The generational nature of 5G, the transformational nature of it means there will be a whole generation of lock-in.”

Saturday, 28 July 2018

U.S. Tech Executioners

How U.S. tech powers China's surveillance state
By Erica Pandey

American companies eager to enter China’s massive market brace themselves for potential intellectual property theft or forced technology transfers. 
But there’s another threat at play: their technology is being used for surveillance.
The big picture: China has sophisticated systems of state surveillance, and these systems have long been powered by technologies developed by American companies. 
Beijing has used U.S. tech to surveil its citizens, violate human rights and modernize its military.

The entanglement
Companies doing business in China often get caught in a web: Beijing uses its economic leverage to draw them in and then uses their technology for police-state tactics. 
As a result, "American companies are enabling and complicit in major human rights abuses," says Elsa Kania, a technology and national security expert at the Center for a New American Security.
Another concern is American universities and research institutions partnering with Chinese companies that work with state security, she says.
Thermo Fisher Scientific, a Massachusetts company, has supplied the Chinese government with DNA sequencers that it is now using to collect the DNA of ethnic minorities in East Turkestan, Human Rights Watch reports.
At a Thursday hearing, Sen. Marco Rubio called Thermo Fisher's operations in East Turkestan "sick."
iFlyTek is a Chinese company that recently launched a 5-year partnership with the Massachusetts Institute of Technology.
Beijing has used iFlytek’s voice recognition technology "to develop a pilot surveillance system that can automatically identify targeted voices in phone conversations," according to Human Rights Watch.
Cisco, in 2011, participated in a Chinese public safety project that set up 500,000 cameras in Chongqing, according to the Wall Street Journal.
Yahoo, in 2005, gave the personal information of a Chinese journalist to China's government. 
That information was used to put the man in jail.
Tech giants, like Facebook, Apple and LinkedIn, have faced scrutiny in the past for censoring or offering to censor content in China.
"Not all of these companies realize the extent to which their activities could be exploited," Kania says.
Companies often take on projects for the Chinese government in the name of curbing "crime", according to Scott Kennedy of the Center for Strategic and International Studies, but "the boundary between promoting public safety and protecting the state is increasingly blurred with these types of technologies."

The other side: Axios reached out to all of the companies listed above. 
The responses we received by deadline:
Thermo Fisher Scientific: "We work with governments to contribute to good global policy."
Cisco said it "has never custom-tailored our products for any market, and the products that we sell in China are the same products we sell everywhere else."
Oath, which now owns Yahoo: “We’re deeply committed to protecting and advocating for the rights to free expression and privacy of our users around the world."
LinkedIn: "In order to create value for our members in China and around the world, we need to implement the Chinese government’s restrictions on content, when and to the extent required."

The stakes
"A lot of people wanted very much to believe that once China had exposure to the outside world, political liberalization would come with economic liberalization," Sophie Richardson, China director at Human Rights Watch, tells Axios. 
"They're getting a lot richer and a lot more powerful and no more politically liberal."

What's next:
Some companies have pulled out of China of their own accord in the past. 
Google refused to censor its search engine in China in 2010, leading to its ouster from the country. Other companies may follow suit if they realize their technology is being misused, says Kania.
If companies cannot be held accountable by internal ethics guidelines, shareholders or users, the government may need to step in through export controls or limits on funding to researchers that collaborate with China, she says.
Worth noting: There's already a U.S. law that prohibits the export of crime-control products to China, but the sale of cameras and other dual-use technologies that could be used for surveillance is not banned, reports the Wall Street Journal.