Whose fault is a major data leak from Beijing’s “health code” digital quarantine system? Is it leaky digital platforms, or crazy fans? Commentators have blamed both.

With COVID-19 measures driving the collection of ever more personal data, privacy leaks seem to be becoming more frequent and more worrying. Multiple leaks of coronavirus patients’ names, home addresses, jobs, phone numbers, and other personal information happened throughout 2020, triggering heated debate on the Chinese internet.

In late December, Hongxing News, a digital subsidiary of Chengdu Economic Daily, reported that celebrities’ photos for Beijing’s health code, called Jiankangbao—usually casually snapped selfies used for facial verification—and the methods to access the photos were being widely traded in WeChat groups. According to the article (in Chinese) and attached screenshots, the price of a bundle including more than 70 celebrities’ headshots is RMB 2 ($0.30). TechNode has not been able to independently verify the screenshots.

Celebrities’ photos were traded at extremely low prices. (Image credit: Hongxing News)

The photos were reportedly obtained through a technical loophole in the health code system. Beijing’s health code includes a feature called “Check other’s health code,” intended to help those without smartphones, like children and the elderly, move easily in and out of public places. The feature required only a person’s name and ID number to access their health code, nucleic acid test results, and registered face photo. Inevitably, people took advantage of the system, with photos uploaded by celebrities to the health code system winding up in online marketplaces.

The ID numbers of celebrities are not difficult to acquire: In the same WeChat group, a package of more than 1,000 celebrities’ ID numbers is sold for RMB 1 ($0.15).

On Dec. 29, Beijing authorities (in Chinese) said that the issue had been resolved. The app now requires a face scan of the person being checked to display health code information.

Hongxing Review blamed poorly designed systems for failing to secure user data:

Photos from celebrities’ health code leaked, but it’s not only them who are in danger

Hongxing Review
Dec. 29, 2020

Programs such as health code are designed to control the epidemic. Citizens cooperate with government measures and turn in personal information out of social responsibility and trust. This trust should be treated with kindness. Before every large scale collection of citizens’ personal information, a question should be seriously answered: Can we protect this information?

Doing a good job of adequate protection should be a prerequisite for data collection. In fact, it is not technically difficult—the problem can be solved by just adding a verification step when checking others’ codes. The key is to have this awareness.

In an online poll of 45,000 readers on Hongxing News’ Weibo, around 21,000 said it was the platforms’ responsibility to protect users, while 11,000 blamed the people who took the photos. Only 1,108 picked fan culture as the chief culprit.

Superfans gone wild

However, some WeChat comments argued that the leaks are not the platform’s fault, but that of those who exploited the loopholes:

The original thought behind the design of the software is to care for people; in this case it is normal not to take into account malicious users. We should not excessively blame the government and developer companies. We already have a cybersecurity law, and I hope that its judicial interpretations will be expanded, so that companies and individuals who use other people’s information for illegal purposes can be held accountable.

The leaked photos wound up in groups where celebrities’ photos and ID numbers are traded. They are called daipai—literally, “helping take photos for others.” The health code leak is only the tip of the iceberg.

According to Shenran, a business news outlet, daipai groups trade vast swathes of personal information: ID numbers, passport files, phone numbers, household registration information known as hukou, as well as various social media and gaming accounts.

Reports also claim that some people use ID numbers to find celebrities’ flight itineraries, which they then sell on to fans eager to meet and take photos of their idols at the airport.

ID numbers are the source of enormous privacy leaks. Once you have this number, it is easy to check someone else’s health code information, flight and train schedules, or even their exam results, according to Shenran.

Fans with a keen interest in their idols’ personal information are called sasaeng fans (or sisheng fans in Chinese), a term from South Korea for obsessive fans who stalk celebrities or otherwise invade their privacy.

In the Shenran piece, a psychological counselor gave an academic explanation of the sasaeng fan phenomenon and voiced his own opinion:

Our undercover investigation reveals the industry behind the sale of celebrities’ health code photos

Jan. 3, 2021

Psychological counselor Zhu Xiaohui told Shenran that being a fan is a kind of psychological phenomenon called “para-social interaction.” “For the public, although being a fan is not really a social interaction, it can be a similar experience. However, for some fans, in order to really feel like a social experience, extreme behaviors have developed.”

Today, when the cost of human connection is high and the pace of life is fast, he admits that “para-social interaction” gives fans some powerful support and comfort. “These fans are not all bad people, but once the boundaries are broken, their desires are endless. After their behavior crosses the line, it is like an addiction; people fall deeper and deeper into it.”

To this day, they haven’t grasped the price of their curiosity.

A legal analysis

Who, if anyone, broke the law? Yang Wenzhan, a partner at Beijing Zhongdun Law Firm, told the 21st Century Business Herald that photo-brokers were most likely to be prosecuted, while ordinary fans have probably not broken any laws:

More than 50 celebrities’ Jiankangbao photos leaked—here comes an official response

21st Century Business Herald
Dec. 29, 2020

If an individual legally obtains the ID number and name of another person but does not have permission to check the health status on the other’s behalf, the individual is already suspected of infringing on the other’s privacy, but this does not constitute a crime. Generally speaking, there is no impact and this case will not be investigated. However, if they circulate or even package and resell the information without permission, they will be held accountable for privacy infringements, or even the crime of infringing on citizens’ personal information, which means criminal charges.

Yang Wenzhan said that the government is obliged to urge related companies to improve their systems and resolve potential safety hazards in response to the leaked health code photos. If someone’s rights are infringed upon, possibly leading to harm, due to a system’s problems, according to the letter of the law, in addition to the infringing party, the system developer may also be held accountable.

Jason Xue is a student in Journalism at The University of Hong Kong focusing on technology and financial coverage. He has had internship experiences at Reuters and Caixin.