In early 2018, Chinese artist Deng Yufeng purchased and publically displayed the personal information of over 340,000 individuals. Entitled “Secrets,” the exhibit intended to highlight the ease with which personal information could be bought and sold. Two days after opening, the exhibition was shut down by local police, and Deng was placed under investigation.

Deng’s exhibit reveals how China’s illegal data market is flourishing despite increasingly strict regulation. The types of information illicit data brokers can collect is alarming. And, in China, despite the intrinsic value of data, it’s dirt cheap.

Malicious actors can buy mobile phone location and movement data, credit information, academic records, and phone records for as little as $0.01. Numerous high profile, low-cost data theft cases have made headlines in the past year. From Apple employees stealing iPhone user data and restaurant owners siphoning off customer information from food delivery apps to hackers taking advantage of mobile network vulnerabilities, personal data is chronically being targeted.

While reported data breaches in China are less frequent than in other countries, the median number of records involved is over 8000 times higher. In 2017, the average US data breach contained 1,458 records. That number exceeded 11 million in China.  Furthermore, data leaks affected over 80% of netizens in 2017, according to the Internet Society of China.

The number of data theft cases come as no surprise. China is home to the world’s largest population of internet users. Over 770 million people in the country use the web, more than the entire population of Europe, and twice that of the United States.

“This is a market failure if you ask me. The market is not likely going to solve this,” Lokman Tsui, assistant professor of journalism at the Chinese University of Hong (CUHK), told TechNode.

“Companies collect data because it’s profitable, governments collect it because it gives them power,” he said. Nascent data protection laws are yet to have a significant effect.

Improved cognizance

The ease of access to illegally-obtained information comes with an increase in awareness, in part, due to high profile data breaches and influential figures engaging on the topic. In January 2018, Li Shufu, chairperson of Geely Holdings said that Tencent CEO Pony Ma “is watching us through WeChat every day.” The company quickly denied the accusations, saying it doesn’t keep users’ chat records. However, the Chinese government has demonstrated otherwise. Just one month later, Baidu CEO Robin Li postulated that Chinese internet users don’t care much for privacy. “If they can trade privacy for convenience, for security, for efficiency; in a lot of cases, they are willing to do that,” he said, causing outrage on social media.

Two months earlier, the company had been taken to court by the Jiangsu Consumer Protection Committee for illegally collecting user data. According to the group, two of Baidu’s apps gathered personal information without a user’s consent. Authorities also censured Ant Financial’s Alipay for privacy violations: automatically enrolling users in its Sesame Credit program. The company apologized after being summoned by Chinese regulators.

Despite Robin Li’s comments, Chinese internet users are aware of the value of their data. Sina Finance conducted a poll of over 10,000 Weibo users to gauge whether they value their online data. 86% responded by saying their privacy should not be violated, and over 50% see data breaches as a severe problem. In its 2017 China Social Media Impact report, market research firm Kantar found that 43% of respondents were concerned about their privacy and the integrity of their information online.

Even older generations are more conscious of the value of their data, mainly because of the persistence of telephone marketers. According to a 2017 study, Chinese citizens view phone numbers as the second most important piece of private data after ID numbers. IP addresses, internet records, friendship dynamics, ages, and real names are also included in the list.

“They say people don’t care about privacy. They say, ‘look at all the data they give away,’” said Tsui. “But I don’t think that’s fair. Companies and governments are so inclined to make people give up their data. They have become victims in that sense, I would say.”

As awareness grows, internet users look to big tech companies to protect the integrity of their online personas. But some of these companies are falling short.

Chinese tech giants Baidu and Tencent rank far below their Western counterparts concerning privacy. The companies scored 17% and 23% respectively in a recent study documenting the governance and privacy practices of major telecommunication and internet companies around the world. The survey found that both companies do not make use of adequate encryption, do not disclose how they handle data breaches and are opaque on how they collect from and and provide data to third parties.

In early 2016, The Citizen Lab at the University of Toronto found that desktop and mobile browsers made by both companies transmitted personally identifiable information without encryption, or in a form that is readily decryptable. According to researchers, both QQ Browser and Baidu Browser were easy to exploit. A later investigation found the problems to be partially resolved.

A Baidu spokesperson said the company had recently conducted a security screening process of its entire product line, adding that it equates guarding users’ data to guarding their trust.

Legislative frameworks

On June 1, 2017, the Network Security Law, known more commonly as the Cybersecurity Law, came into effect. The oft-discussed legislation serves as a roadmap for the rules that will govern China’s internet in the years to come.

“Its main focus is on personal information and privacy of citizens in China,” Jared T. Nelson, data protection lawyer at MWE China Law Offices, a Chinese law firm in a strategic alliance with global law firm McDermott Will & Emery, told TechNode.

The law functions as a table of contents, which makes it general, or viewed more negatively, vague enough to cover any nascent technologies, including artificial intelligence.

The law states that companies wishing to collect data must do so inline with a set of general principles. Collection needs to be legal, justified, and necessary.

“Justification and necessity mean that if you are a company that sells eyeglasses and you have a customer relationship management system and rewards program, you can collect personal information about the customers to understand what they need and what they like,” said Nelson. “But you couldn’t, for example, collect how fast they drive their car or other things that are not necessary for the services that are being provided.”

A new set of standards for the handling of personal data came into effect on May 1. The new regulations specify that data collection needs to be minimal, retention needs to be short, and usage needs to be kept to a minimum, but do not require compliance.

Despite this, an under-reported law also aims to protect user privacy. Legislators amended China’s Criminal Law in 2015 to expand privacy protections. It now has a much more profound effect on data protection than its recently-passed counterpart. The bill initially only applied to the collection of data by government entities, but currently concerns anyone buying and selling data illegally.

In a high profile data privacy-related case, corporate investigators Peter Humphrey and his wife Yu Yingzeng were prosecuted under China’s Criminal Law. The couple allegedly obtained 256 pieces of information on Chinese citizens while employed by pharmaceutical giant GSK to scrutinize how someone had managed to film explicit videos of the company’s head of China operations and his Chinese girlfriend.

“That specific law has been enforced more frequently and in a more severe way than any of the other privacy rules that are on the books,” Nelson said.

Theory vs reality

Despite the existence of these protections, Tsui says the law on paper is different to the law in practice. And more importantly, users of online services have no say in what sorts of information are deemed personal.

“You have the fox guarding the chicken coop. You recognize that that is problematic, so you have a law protecting chickens. But the problem is the fox gets to decide which are chickens and which are not,” he said.

Nelson also believes that the classification of personally identifiable information is becoming increasingly more important.

“There is a lot of different information that you would never think that would be able to identify a person. But if you combine it, and especially if you have a computer combine it, the computer can see connections in ways that you or I couldn’t. [The connected data] could become personal information,” he said.

Robin Li highlighted this point just before making his controversial comments about China’s relationship with privacy: “When you are able to join different sets of data, the power becomes much more, it’s exponential growth.” The concept is known as the mosaic theory, and privacy laws in the country are yet to address it fully.

But it’s not only legal frameworks that can improve privacy. Technology and awareness can be enhanced. Tsui believes there should be fewer technological barriers to taking back privacy. “It is possible to have privacy. But it does require you to have enough knowledge. It’s not a reasonable expectation to have of everybody, just to secure something basic as privacy,” he said.

“Privacy is not a luxury item; it’s a human right or a basic right.”