Scan headlines from the last few months and you’d be forgiven for thinking that China’s Big Brother project is almost complete: cameras everywhere, facial recognition databases, and a punitive social credit system. Not only is reality far from this depiction, but China suffers from an even more insidious problem common throughout the world: idiots with a database.
For years, cybersecurity experts have been warning of unsecured devices connected to the internet (printers, cameras, and pretty much any smart device in your home). That problem hasn’t even been solved effectively and, starting from last year, we’ve been seeing more and more databases in China left completely open to those who know how to find them. And if “white hats” are making their discoveries public, who knows what the “black hats” have been getting up to.
Bottom line: China is getting serious about data privacy, but that won’t stop incompetent sysadmins. Since the Cybersecurity Law came into effect in 2017, enforcement agencies have become stricter in their monitoring and enforcement over data privacy. Take a look at our headlines over the last week or so and you’ll quickly see this trend. However, Chinese law, and its historically patchy enforcement, isn’t enough to prevent undertrained and overworked IT professionals from overlooking basic security procedures. As with so many areas—business plans, working conditions, or externalized costs—it’s time for Chinese companies to grow up and slow down a little, trading off some of China’s speed for a little safety.
A brief timeline
- June 1, 2017: China’s Cybersecurity Law comes into effect. It includes requirements that companies take technical measures to prevent data leaks and theft.
- June 9, 2017: Police in Zhejiang Province arrest 22 people with access to Apple user databases for selling user data. According to police estimates, the thieves made up to RMB 50 million (about $7.3 million).
- April 23, 2018: The Beijing News publishes the results of an investigation into data theft from delivery platforms. The data was being sold to telemarketers and included information such as users’ names, phone numbers, and addresses. Most of the data was scraped from unsecured databases, but a surprising amount came directly from merchants and delivery drivers themselves.
- May 2018: The Personal Information Security Specification comes into effect. Designed to better define what information can be collected and how, it also defines a data protection framework for third parties connecting to platforms.
- Jan 2019: Beijing police disclose the theft of up to 5 million people’s personal information from China’s official train ticketing platform, 12306.
- May 28, 2019: Cyberspace Administration of China releases a draft of Measures for Data Security Management. It also stipulates data protection measures, including setting out who should be responsible for data management.
- July 2019: Two disgruntled former employees of recruitment platform Zhaopin assist in the theft and sale of up to 160,000 resumes.
Note: The data theft and leak cases above are only a small portion of reported cases.
If you have an entire world map with red pins in it, and every red pin is an indication that something is wrong, then the most we see are in China.
—Victor Gevers, founder of GDI Foundation, a non-profit organization that addresses security issues through responsible disclosure.
The law heard around the world: Much ink has been spilled about China’s Cybersecurity Law. It came into force in 2017, but, as we can see above, there are still loopholes and ambiguities the government is trying to address with new laws and regulations. Cogent arguments have been made as to why the CSL is intrusive and, from a Western perspective, goes too far. However, it is also trying to solve a real problem: making companies responsible for protecting user data. Like many areas of public interest, companies won’t make significant changes unless someone makes it more expensive not to.
Unsecured databases: Over the last year or so, security researchers and white hats (hackers for good, if you will) have been reporting discoveries of more and more unsecured databases, especially in China. According to Victor Gevers, founder of the GDI Foundation, in 2018, they saw a huge uptick in the number of unsecured databases in China.
Popular for its ease-of-use and scalability, MongoDB, a document-based database system, has become the de facto standard across tech industries. However, it wasn’t until version 2.6, released in April 2014, that MongoDB came with default authentication and security features. Even now, we’re still seeing attacks that are only possible when systems administrators don’t enable basic security protocols. With search engines like ZoomEye, Shodan, BinaryEdge.io, and Censys.io, anyone with a bit of technical ability can identify and exploit user data at will.
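As an added illustration (not code from the article or from the MongoDB project), here is a small Python audit of the two mongod.conf settings the paragraph is about, access control and listening interfaces, run over two constructed configs: one left open the way the exposed instances were, and one hardened.

```python
"""Audit a parsed mongod.conf for the settings that leave a database open to
the internet: access control switched off, and listening on all interfaces.
Added example; both sample configs are constructed, not from any real site.
A real config is YAML: pass yaml.safe_load(open("/etc/mongod.conf"))."""

from typing import Any

# Constructed: the kind of config that becomes a red pin on the map.
WEAK_CONFIG: dict[str, Any] = {
    "net": {"port": 27017, "bindIp": "0.0.0.0"},
    "storage": {"dbPath": "/var/lib/mongodb"},
    # no "security" section at all: authorization stays disabled
}

# Constructed: the same server with access control on and reachable only
# from localhost plus one private application-server address.
HARDENED_CONFIG: dict[str, Any] = {
    "net": {"port": 27017, "bindIp": "127.0.0.1,10.0.0.5"},
    "storage": {"dbPath": "/var/lib/mongodb"},
    "security": {"authorization": "enabled"},
}


def _get(cfg: dict[str, Any], *path: str) -> Any:
    """Walk a key path such as ("security", "authorization"); None if absent."""
    node: Any = cfg
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def audit_mongod_config(cfg: dict[str, Any]) -> list[str]:
    """Return human-readable findings; an empty list means nothing flagged."""
    findings: list[str] = []
    if _get(cfg, "security", "authorization") != "enabled":
        findings.append("security.authorization is not 'enabled': anyone who "
                        "can reach the port can read and write every database")
    if _get(cfg, "net", "bindIpAll") is True:
        findings.append("net.bindIpAll is true: listening on every interface")
    bind_ip = _get(cfg, "net", "bindIp")
    addrs = [a.strip() for a in str(bind_ip).split(",")] if bind_ip else []
    if any(a in ("0.0.0.0", "::") for a in addrs):
        findings.append(f"net.bindIp={bind_ip!r} exposes the server on all "
                        "interfaces; bind to localhost or private addresses")
    elif not addrs and _get(cfg, "net", "bindIpAll") is not True:
        findings.append("net.bindIp is unset: mongod before 3.6 listened on all "
                        "interfaces by default; set it explicitly")
    return findings
```

Run it against the live file on each host before the instance is reachable from anything but the application tier.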
The danger: In China, the potential damage an unsecured database can cause goes far beyond the financial and social harm of a ransomed or leaked database. So far in 2019, there have been at least two documented cases of unsecured government databases exposing more than 90 million people’s personal information, including name, gender, location coordinates, ID number, birthday, address, ethnicity and employer. Imagine how easy it would be to “human flesh search” (人肉搜索, China’s version of doxing) someone or steal their identity with this information and ruin their lives.
The problem with open source: Limits on customizing MongoDB will encourage companies to fork, making it likely that they will fail to implement regular security updates.
In October 2018, in an effort to curb abuse of open source licenses by cloud service providers like Tencent, Alibaba, and Yandex, MongoDB introduced a new license (Server Side Public License) for anyone using the community (i.e., free) version of the software. Section 13 of the SSPL stipulates that if a provider uses the community version of MongoDB source code to provide a service, then they must make available the source code and modifications and the source code of applications used to run the service. If Alibaba or Tencent is using MongoDB, then they must make available any changes they’ve made to the source code as well as the source code of any applications they are running with MongoDB.
It’s hard for me to imagine any tech company in China’s cutthroat market making potentially proprietary software available to the open-source community and therefore to their competitors. If Chinese service providers continue to use MongoDB without making their application source code available, then they are either using it in contravention of the SSPL or they’ve forked MongoDB. If they’ve forked it (i.e., made a copy and modified it), they would need to re-fork it every time MongoDB releases a new version to stay up to date, spending more time and money.
Putting the brakes on China speed: In the 996 world, it’s easy to forget the basics, whether that’s equitable and fair HR policies, translation and localization of documents and products for overseas markets, or just security basics. Without effective enforcement, about which I’m not optimistic, it’s up to the companies and government agencies themselves to take basic security precautions seriously. Until that time, we can only hope that white hats continue to expose, and publicly report, issues before the black hats do.
With contributions from Chris Udemans and Wang Boyuan