During the epidemic, every residential community, grocery store, and office building across the country has become a data collector, ordered to track the information of every person that entered or left to allow for swift ‘close-contact’ tracing, a key measure to contain the spread of COVID-19. With the epidemic appearing to be in its closing stage, questions are being asked: What will become of this data? Who will be responsible if a citizen’s personal information is leaked due to lax data privacy practices? Some citizens are already feeling the implications as phone scams are one on the rise again.

TechNode’s weekly translation column brings members a look at the conversation about tech in Chinese. This week, Dev Lewis looks at concerns about data privacy as the state collects information about people’s movements to control the virus. TechNode has not independently verified the claims in this article.

Store or delete? Who will be responsible for the aftermath of wide-spread data collection during the pandemic?

Journalist: Jianglin

Southern Metropolis Daily, March 20

‘If I had a mind to, I could leak everyone’s ID numbers’

Yingying (pseudonym) recently was the victim of attempted credit card fraud during which the scammer used her name and ID to identify her.

She reckons information she submitted during the epidemic has been leaked.

Yingying left Beijing for her hometown of Suizhou in Hubei before Chinese New Year, and she has been there the whole time since the outbreak. On March 8, she was added into a WeChat group of 100 “Workers unable to return to Beijing,” set up by her Beijing neighborhood committee to facilitate their eventual return.  On joining the group, everyone was asked to change their group alias to include their “name + phone + community name,” as well as regularly monitor and update their body temperature. A few days later, they were asked to submit detailed personal information, including ID numbers, addresses in Beijing, the names of others staying in the current address, and their relationship. “They say they were instructed by their superiors, but didn’t specify who exactly,” she says.

Individuals messages with this information were sent directly within the group visible to all other members. “If I had a mind to, I could leak the names, ID numbers, mobile phone numbers, and family members of everyone in the group,” she said.

Qingdao netizen Xiaofei (pseudonym) experienced even more bewildering demands for information. To return home, he had to fill out a form issued by his property management company, asking for ethnicity, party member status, education, height, blood type, marital status, WeChat ID, and a lot more. “How is the size of your house, your height, your blood type, your marriage, WeChat, etc. related to epidemic prevention?” asks a very puzzled Xiaofei.

What if they never delete the data?

Assume a simple daily itinerary like this: one leaves one’s apartment complex, takes the bus, enters an office building, goes to the supermarket to buy food, and then a pharmacy to buy medicine.  A person may need to register their personal information five times a day to different collectors—with how the data is treated up to each collector. Due to the real-name registration system that continues to be implemented, supermarkets, and pharmacies have also joined the ranks of “big fish” collecting personal information—and thus become potential sources for major data leaks.

Compared with paper registrations, the alternative is QR code-based registration, which is more convenient and makes it easier to secure data. If a government department is backed this system, it is naturally easier for it to gain trust. However, because the data processing rules are not transparent enough, even the Health Code (Jiankang Ma) launched by the National Government Service Platform, which asks for similar information to provide health verification to resume work, has been questioned by netizens.

What will happen to such sensitive personal information after the epidemic?

Southern Metropolis reporters sifted through the publicly available information and found that only Yunnan Province gave a clear answer.

As early as Feb. 12, Liu Yuewen, the leader of the Big Data Expert Group of the Yunnan Provincial Public Security Department, publicly stated that the information collected during the epidemic was to be used only for epidemic prevention and control, adding that at the end of the epidemic the data will be destroyed and not used for any other purpose.

The staff of a restaurant that Xiao Wei often visits, which uses a paper personal information registry, told this journalist that its data is only used for close contract tracing will not be given to any government department, and it may only be stored for a period of time after the epidemic. Staff in the community where Yingying is located said all the collected data will be archived in the computer of the local committee and submitted to the Municipal Prevention and Control Headquarters. There is a possibility it may not be deleted after the epidemic.

In fact, many people do not know who they are really giving their information to and how it will be processed after the epidemic. Several netizens have questioned the need for maximum data collection, the lack of clarity on data processing, as well as the measures in place to ensure personal information is not leaked.

These concerns are not groundless.

In late January, Southern Metropolis reported that the information of more than 7,000 Hubei returnees was circulated among various relatives, friends, and colleagues by Wechat. People received harassing phone calls and text messages as a result. In a case recently cracked by the Changxing police in Huzhou, Zhejiang, the manager of a fast-food chain restaurant took advantage of his position to collect the ID photos of 61 applicants and employees and deceive a pharmacy’s ID card identification system to purchase 30 rationed masks.

The privacy principles are there—but the key lies in implementation

On Feb. 9, the Central Cyberspace Office issued the “Notice on doing a good job in protecting personal information and using big data to support joint prevention and control” (the “Notice”), ordering that any agency or individual, other than agencies authorized by the State Council’s health departments, shall not use the grounds of epidemic prevention and control or disease prevention to collect and use personal information without the consent of the person whose data is being collected; they shall not use data for other purposes.

However, based on information in the public sphere, Southern Metropolis reporters find that almost no document clearly states how data will be processed after the epidemic.

According to a previous survey initiated by Southern Metropolis, 75.8% of netizens say their personal information was collected during the epidemic. Of them, 70% said they knew the purpose of collecting the information, and just 20% knew how their data would be processed after the outbreak.

Some believe that personal information could be turned to commercial ends by merchants, tied to the sale of financial, insurance or medical supplies, or even fraud. This is exactly what the public is worried about.

“The Notice has actually stated general requirements. All the information collection agencies need to do is implement what the document requires,” says Zuo Xiaodong, deputy director of the China Academy of Information Security, argues that local Prevention and Control Command Departments should mandate comprehensive personal information protection protocols when requesting the collection of information. “Data collection is not a trivial matter”

He said that the problem lies in the fact that many Prevention and Control Departments do not have any awareness about protecting personal information. He believes that in addition to biographic information, data through which a person’s location can be determined should in principle be destroyed. In the event of a leak, the local Prevention and Control Command should share responsibility with the collecting agency.

Fu Weigang, Executive Dean of the Shanghai Institute of Finance and Law, also argues that the most secure way to protect personal information privacy during the epidemic is to destroy it, but says that whether it can be done is another issue. “Logically, whoever requests collection is responsible for the processing.” He suggested that notices should be issued to collection agency requesting them to properly store or destroy the data.

In addition, the relevant departments that oversee personal information protection also have regulatory authority. For example, Zuo Xiaodong said that the market supervision department can supervise merchants: if it is collected through apps, it can be handled by the Internet Information Office and the Ministry of Industry and Information Technology; once a crime is suspected, the public security department will definitely strike.

Zuo said that in epidemic prevention and control, personal information collection lacks established protocols and past experience to follow, which inevitably leads to chaos. In the future, a top-level design should be planned in advance for any major public safety incidents and a coordination mechanism should be established, as well as unified command.

Dev Lewis

Dev is a Fellow and Program Lead at Digital Asia Hub, as well as a Yenching Scholar at Peking University. His interests lie at the intersection of technology, politics, and policy, especially in Asia, and...