China chat log leak shows scope of surveillance

AFP
Chinese law requires internet cafes to record the identities and "relevant" online activity of users, and provide them to the public security bureau on request.

A leak of around 364 million online records in a Chinese database, including private messages and ID numbers, has again highlighted the size and scope of Beijing's mass surveillance system.
The files show a wealth of information linked to online accounts, including GPS locations, file transfers, and chat logs, according to the database discovered by Victor Gevers, a security researcher at Dutch non-profit GDI Foundation.
The data collection appears indiscriminate -- some conversations are simply banter between teenagers, like one commenting on someone's weight and clothing size.
"They know exactly who, when, where and what," Gevers told AFP, explaining that thousands of records were piped daily to different databases for local law enforcement to review.
Government procurement documents and database records shared by Gevers show that the database is linked to an "internet cafe management system" developed by HeadBond.com, a tech firm based in eastern Shandong province.
In 2017, the public security bureau in Yancheng city, eastern Jiangsu province -- where at least one internet cafe named in the database is based -- contracted HeadBond for a system that monitors online activity at internet cafes.
On its website, the company calls its internet cafe management system "the best solution" for identifying online users for police on its website.
HeadBond declined to comment, and the Yancheng city government and public security bureau did not respond to AFP's request for comment.

Internet cafe dragnet 
Over the past decade, the Chinese government has cracked down on internet cafes -- especially underground venues that serve minors -- over concerns of game addiction and crime.
Chinese law requires internet cafes to record the identities and "relevant" online activity of users, and provide them to the public security bureau on request -- which has resulted in an entire market of internet cafe monitoring systems like those offered by HeadBond.
"This also explains why data leaks that involve personal information are more prevalent in China," said Lokman Tsui, an expert on internet policy at the Chinese University of Hong Kong.
"Beijing requires most network services to register their users with real names," he told AFP.
"This means that every single mobile phone operator, internet cafe, social media website, and so on, are legally required to have databases filled with personal information, and all these databases are potentially vulnerable to attacks and leaks."
The capture of extensive user data, such as chat logs, also extends well beyond the stated purpose of catching minors surfing the web or playing games.
A government procurement notice posted last month by Liaoyuan city in northeastern Jilin province, for instance, outlines specifications for another "internet cafe management system" for local police, with explicit requirements for features that support querying and analysis of content on QQ, a popular messaging app in China.
"It's shocking the amount of personal data that is being collected on Chinese people," said Bob Diachenko, a security researcher who has reported on exposed databases in the US and Europe for the past few years, and is now looking at cases in China.
In particular, it is surprising to see the amount of additional data that is linked with a user's login data, Diachenko told AFP, such as their IP address, name, and even information about their family members.
"Sometimes it's just big data and it doesn't even make sense to collect that from a user perspective," he said.

GPS tracker 
Last month, Gevers had found another publicly accessible database containing personal information such as ethnicity and GPS tracking data of 2.6 million people in East Turkestan.
Access to the database has since been closed.
The restive northwestern region is home to most of China's Uighur ethnic minority, which has been under heavy police surveillance in recent years after violent inter-ethnic tensions.
"I would argue that good personal data protection is neither in the interest of the companies who gather the data for profit, nor the government who can (ab)use that data for power and surveillance," Tsui wrote in an email.
"It is the people in China and their basic human rights, in this case privacy, who end up drawing the short stick."

China has turned East Turkestan into a zone of repression — and a frightening window into the future

The Washington Post

The Chinese database that Victor Gevers, a Dutch cybersecurity researcher, found online has given a rare glimpse into China’s extensive surveillance of East Turkestan, a remote colony home to an ethnic minority population that is largely Muslim. 

AT A minimum, the minority Muslim Uighur population of East Turkestan colony in China is about 11 million people, and probably significantly higher. 

So consider the scope of surveillance over Uighurs in light of a recent database leak that indicated about 2.5 million people in East Turkestan are being tracked by cameras and other devices, generating more than 6.6 million GPS coordinates in one 24-hour period, much of it tagged with locations such as “mosque” and “hotel.”
Victor Gevers, a security researcher for the GDI Foundation, a nonprofit that seeks to defend Internet freedom, found the database, belonging to SenseNets, a Chinese company that provides facial recognition and other monitoring systems to the police. 

The company had left the database unguarded but closed it off when Mr. Gevers inquired. 

It included records such as identification numbers, gender, nationality, address, birth dates, photographs, employers and which cameras or trackers they had passed. 

Mr. Gevers suggests that more than a quarter of those in the database appear to be ethnic Uighurs, although it also included Han Chinese and others.
The data provides another glimpse into the darkening world of East Turkestan, which China’s authorities have turned into a zone of repression. 

In addition to ubiquitous electronic and physical surveillance, an estimated 1 million Uighurs and other Turkic Muslims have been incarcerated in concentration camps where they are being brainwashed to wipe out their traditional culture and language.
According to Xiao Qiang, director of the Counter-Power Lab at the University of California at Berkeley’s School of Information, East Turkestan is a window on the future of China, a “frontline” test-bed for data-driven surveillance that could then be spread well beyond. 

Mr. Xiao wrote in the Journal of Democracy last month that China under Xi Jinping is attempting to marshal the powers of artificial intelligence to process all kinds of surveillance data, including facial recognition, and systems that can monitor gender, clothing, gait and height of passersby, as well as voice recognition, and creating a DNA database.
After being asked by the New York Times about the use of its technology to build the DNA database, a Massachusetts company, Thermo Fisher, said it would no longer sell its equipment in East Turkestan. 

Congress is considering important legislation that would help expose and pressure others who enable China’s abuses.
China’s goal is to use these technologies to suppress dissent, and to predict and snuff out any challenge to the ruling Communist Party’s grip on power. 

In East Turkestan, surveillance is part of a policy of cultural genocide. 

In addition to the camps and cameras, Mr. Xiao says the government has issued guidelines to collect DNA samples from all East Turkestan residents between ages 12 and 65.
When George Orwell’s “1984” was published seven decades ago, it seemed a dire warning of a future dystopia ruled by thought police and authoritarian control. 

Today, such a world is becoming a reality in East Turkestan. 

We agree with human rights groups who have urged the United Nations Human Rights Council, when it meets starting Monday, to launch an international fact-finding mission to East Turkestan to expose this unsettling experiment in state control of human behavior.