Earlier this month, Dutch cybersecurity researcher Victor Gevers happened upon a trove of Chinese social media records—364 million of them, to be precise.
The data had been siphoned off popular messaging platforms WeChat and QQ, as well as e-commerce giant Taobao’s merchant-customer communications system Wangwang, among others.
The records, which came mainly from internet cafe users from within China, included chat logs, locations, ID numbers, locations, and file transfers. Once collected, the information was sent to multiple servers around the country for processing and investigation by police, according to Gevers. It is unclear whether the databases were set up by law enforcement.
The incident highlights a fundamental weakness in cybersecurity in China and throws light on the relationship between government bodies and tech companies, the nature of which is haphazard and weak and puts the data of Chinese internet users at risk. In the wrong hands, data can be used for a whole host of nefarious activities.
“If you have a lot of people’s data leaked there is an increased probability of there being identity theft, financial fraud, and if it becomes large enough, it could even become a financial stability issue,” explained Martin Chorzempa, a research fellow at the Peterson Institute for International Economics, based in Washington, D.C.
As part of China’s mass surveillance program, the Chinese government outsources supervision of online services and monitoring mechanisms to private companies, many of which pay scant attention to netizens’ data privacy.
Private companies are eagerly selling surveillance tech to the Chinese state, with few qualms about the effect they have on society, Maya Wang, senior research fellow on China at Human Rights Watch, told TechNode in an email.
The result is that, contrary to popular descriptions of China’s highly effective all-seeing state, in some cases, the data-gathering systems are pieced together like a patchwork made up of ill-fitting and poorly matching pieces of cloth. It is a surveillance system that is easily tampered with and in which data is mismanaged.
Gevers refers to the social media surveillance program as a “jerry-rigged PRISM,” referencing the US’s once-clandestine data collection program that former National Security Agency contractor Edward Snowden exposed in 2013.
The discovery by Gevers came a month after the researcher found a database containing the ID and location data of more than 2.5 million people in the northwestern province of Xinjiang. The database belonged to Sensenets Technology, a Shenzhen-based facial recognition company that works with Chinese police in cities around China. The company previously claimed to have a partnership with Microsoft (see cached site here). The US tech giant has subsequently denied the affiliation and Sensenets has removed reference to it on its website. As with the social media trove, Sensenets’ database was left exposed for anyone to access. It has since been secured.
To grasp how the internet cafe leaks happened, it’s important to understand the rules under which the cafes operated. These internet cafes are required to register their customers, while keeping track of their online activities. Regulations demand that internet cafes retain records for at least 60 days. Authorities also compel internet cafes to install monitoring software on computers. Should the police come knocking, businesses are required to provide this data to the government.
“It’s mandatory,” Li Peng, an employee at an internet cafe in northern Shanghai, told TechNode. “If you want to come to an internet cafe, you have to bring your ID or driver’s license.” Unsurprisingly, a number of companies have used these rules to generate profit.
China’s private sector is increasingly seeking to benefit from the country’s domestic security apparatus. And no wonder—it’s an increasingly lucrative business. Government spending in the sector amounted to 6.1% of the country’s total budget in 2017, totaling RMB 1.24 trillion ($185 billion)—more than the RMB 1.02 trillion spent on the military.
Headbond.com is one such company. Headquartered in the eastern Chinese province of Shandong, it provides a management system for internet cafes that handles everything from payments to real-name registration services to monitoring.
The company’s system was one of those that was linked to the open social media database.
Headbond has received at least one contract from the government. In 2017, police in the eastern Chinese city of Yancheng paid it nearly RMB 100,000 to provide its monitoring systems in the city (in Chinese). Headbond did not respond to TechNode’s request for comment.
A slew of other companies also offers similar services. While not involved in the latest breach, Sicent, based in the southwestern city of Chengdu, claims it “frees internet cafe owners from complicated management work,” according to the company’s website. TechNode found dozens of similar applications, though it is unclear how widely some are used.
The Sensenets and social media databases were all of a type called MongoDB, an open-source platform for storing data, which is unsecured by default. Newer versions of the software address this issue, but owners are required to change settings to make them secure.
Yu Xinyu, a Shanghai-based security expert at Huawei, told TechNode that some of the leaks were due to lack of ability among those maintaining the databases and that information security in China is weak overall. He said many companies “do not know the concept of a security baseline.”
“People have no idea what they are doing; it’s incompetence,” Gevers said.
This extends to local governments. For city and provincial authorities, there is a strong incentive to appear technologically advanced and spend enormous amounts on surveillance systems, many of which end up not working, Chorzempa said.
Shortly before Gevers, who works at Dutch cybersecurity nonprofit GDI Foundation, discovered the open social media databases, China’s National Computer Network Emergency Response Technical Team, a cybersecurity center affiliated with the government, highlighted issues with MongoDB databases. The organization said it had found nearly 500 open instances of this sort and was working with authorities to secure them, while also drawing attention to the role that the unsecured default mode played in the database being left open.
It’s unclear what the repercussions will be for the authorities that started the surveillance program and for companies like Sensenets and Headbond. According to Leon Liu, a partner at Shanghai-based MWE China Law Offices, the government requires major data breaches to be reported.
“More than just caring about the data privacy leakage, the Chinese government also cares about the possible damage to national security or social stability,” Liu told TechNode.