Why The Massive China Police Database Hack Is Bad News For Surveillance States Everywhere
A couple of weeks ago, Techdirt wrote about how an anonymous user had put up for sale the data of an estimated one billion Chinese citizens, probably obtained from the Shanghai police. Back then, what exactly had happened was a little unclear - not least because the Chinese authorities were shutting down any discussion of the massive and embarrassing leak. The Wall Street Journal has written a follow-up piece on the incident that clarifies the situation and puts things in a wider context (paywall alert):
The Wall Street Journal has since found dozens more Chinese databases offered for sale, and occasionally free, in online cybercrime forums and Telegram communities with thousands of subscribers. Four of the stolen caches contained data likely taken from government sources, according to a Journal review, while several others were advertised as containing government data.
Tens of thousands more databases in China remain exposed on the internet with no security, totaling over 700 terabytes of data, the largest volume of any country, according to LeakIX, a service which tracks such databases.
An accompanying graphic shows that the volume of data exposed in China is not just greater than that in the US, but well beyond the levels of leaks in other countries around the world. The Wall Street Journal's Karen Hao found several people claiming to offer the dataset holding information on a billion Chinese citizens - one wanted around $200,000, another was prepared to sell for $100,000. And the publicity surrounding the hack seems to have encouraged others to join in:
a user claiming to be a police officer from central China's Henan province inspired by the Shanghai theft, offered the personal information of 90 million people for one bitcoin, or roughly $20,000.
A third post promoted an alleged nine million records from China's Center for Disease Control for $2,000. A few days later, a fourth popped up selling 40,000 records of Chinese citizens' names, phone numbers, addresses, and government ID numbers for $500.
Hao points to a key factor that is driving this flourishing trade in highly personal data on a vast scale: state employees in China are poorly paid and thus easy to bribe. But another is the fact that the more data that is held on a database for surveillance purposes, the harder it is to control, and the easier it is to exfiltrate huge quantities in a single hack, which can be sold for large sums on the black market. It is probably no coincidence that the big leak of a couple of weeks ago came from Shanghai, which has had one of the most complete surveillance systems in the world up and running for a while:
Shanghai was among the first cities to unveil a fully integrated data platform with AI capabilities in 2019. The platform pulls in data from various government functions such as public security, public healthcare and transportation, as well as from private companies offering express and food delivery, according to a state-media interview with a Shanghai police department director.
That means there was more and richer data in Shanghai than in other locations. All it took was one misconfigured database, or one dishonest police officer, for the privacy of a billion Chinese citizens to disappear, probably forever.
That's terrible news for the people affected, but it does mean that the bigger and more inclusive a surveillance system becomes, the more vulnerable it will be to precisely the kind of leaks that now seem commonplace in China. As well as harming the people whose lives are revealed in this way, it also undermines the power of central and local government by exposing large stores of sensitive data to anyone willing to pay, including foreign intelligence agencies.
Ethics or international laws are unlikely to constrain governments that spy on their own citizens. But the fact that too much surveillance might threaten the political future of the very people who order it could act as a brake on its constant expansion.