Beijing’s swift move to censor news about one of the largest known data breaches shows keen awareness of how major security lapses can harm its credibility.
Chinese artists have staged performances to highlight the ubiquity of surveillance cameras. Privacy activists have filed lawsuits against the collection of facial recognition data. Ordinary citizens and establishment intellectuals alike have pushed back against the abuse of Covid tracking apps by the authorities to curb protests. Internet users have shared tips on how to evade digital monitoring.
As China builds up its vast surveillance and security apparatus, it is running up against growing public unease about the lack of safeguards to prevent the theft or misuse of personal data. The ruling Communist Party is keenly aware of the cost to its credibility of any major security lapses: Last week, it moved systematically to squelch news about what was probably the largest known breach of a Chinese government computer system, involving the personal information of as many as one billion citizens.
The breach dealt a blow to Beijing, exposing the risks of its expansive efforts to vacuum up enormous amounts of digital and biological information on the daily activities and social connections of its people from social media posts, biometric data, phone records and surveillance videos. The government says these efforts are necessary for public safety: to limit the spread of Covid, for instance, or to catch criminals. But its failure to protect the data exposes citizens to problems like fraud and extortion, and threatens to erode people’s willingness to comply with surveillance.
“You never know who is going to sell or leak your information,” said Jewel Liao, a Shanghai resident whose details were among those released in the leak.
“It’s just a bit unusual to see that even the police are vulnerable too,” Ms. Liao said.
China, which has been racing to implement one of the world’s toughest data privacy regimes, frequently excoriates companies for mishandling data. But the authorities rarely point fingers at the country’s other top collector of personal information: the government itself.
Security researchers say the leaked database, apparently used by the police in Shanghai, had been left online and unsecured for months. It was exposed after an anonymous user posted in an online forum offering to sell the vast trove of data for 10 Bitcoin, or about $200,000. The New York Times confirmed parts of a sample of the database released by the anonymous user, who posted under the name ChinaDan.
In addition to basic information like names, addresses and ID numbers, the sample also featured details that appeared to be drawn from external databases, like instructions for couriers on where to drop off deliveries, raising questions about how much information private companies share with the authorities. And, of particular concern for many, it also contained intensely personal information, such as police reports that included the names of people accused of rape and domestic violence, as well as private information about political dissidents.
The government has sought to erase nearly all discussion of the leak. At a Cabinet meeting chaired by China’s premier, Li Keqiang, last week, officials made only a passing reference to the question of privacy, emphasizing the need to “defend information security” so that the public and businesses could “operate with peace of mind,” according to the official Xinhua News Agency.
Last year, the Chinese authorities passed two new laws on data security and privacy, modeled after the European Union’s General Data Protection Regulation. The laws were aimed mostly at addressing the collection of private data by companies — and the widespread internet fraud and personal information theft that has emerged as a result.
The government’s efforts to institute safeguards, however, have lagged its own push to collect information. In recent years, The Times has reviewed other leaked databases used by the police in China that were left online with little to no protection; some contained facial recognition records and ID scans of people in a Muslim ethnic minority region.
Now, there are signs that people are growing wary of the government and public institutions, too, as they see how their own data is being used against them. Last month, a nationwide outcry erupted over the apparent abuse of Covid-19 tracking technology by local authorities.
Protesters fighting to recover their savings from four rural banks in the central Chinese city of Zhengzhou found that the mobile apps used to identify and isolate people who might be spreading Covid-19 had turned from green — meaning safe — to red, a designation that would prevent them from moving freely.
“There is no privacy in China,” said Silvia Si, 30, a protester whose health code had turned red. The authorities in Zhengzhou, under pressure to account for the episode, later punished five officials for changing the codes of more than 1,300 customers.
Even when the Covid-19 tracking technologies are used for their stated purpose, more people seem willing to ask if the surveillance is excessive. On Thursday, a blogger in Beijing posted on Weibo that he was refusing to wear an electronic bracelet to track his movements while in isolation, saying that the device was an “electronic shackle” and an infringement on his privacy. The post was liked around 60,000 times, and users flooded his post with responses. Many said it reminded them of the treatment of criminals; others called it a ploy to surreptitiously collect personal information. The post was later taken down by censors, the blogger said.
In recent years, individuals have sought to draw attention to privacy concerns. In 2019, a law professor in Hangzhou, a prominent tech hub in eastern China, sued a local zoo for forcing him to submit facial recognition data to enter, the first such lawsuit in China. He won the case.
Starting in late 2020, several Chinese cities began banning neighborhood committees from forcing residents to undergo biometric monitoring to enter their compounds. Around the same time, toilet paper dispensers using facial recognition were removed from public bathrooms in the southern Chinese city of Dongguan following public outrage.
In online forums like Zhihu, a Quora-like platform, Chinese users trade advice on how to evade surveillance (tips include wearing hats and masks, and pointing flashlights at security cameras). Over 60 percent of Chinese people say facial recognition technology has been abused, according to a study of more than 20,000 Chinese jointly conducted in late 2020 by a Chinese think tank and a government task force. More than 80 percent expressed concern about whether and how facial recognition data would be stored.
“The rise of the public’s awareness of data privacy is an inevitable trend,” said Dragon Zheng, an artist based in the southern province of Guangxi whose practice explores the interaction of technology and governance.
In 2016, Mr. Zheng installed security cameras inside a large exhibition hall, which streamed live footage to a monitoring room set up in the center of the hall. Visitors were invited to enter the room, where they could manipulate the cameras and experience what Mr. Zheng called the feeling of “monitoring and being monitored, controlling and being controlled.”
Still, he emphasized that the risks and advantages of technology were not unique to China.
“Technology is like Pandora’s box,” Mr. Zheng said. “Once it’s open, how it is used depends on whose hands it falls into.”
Few Chinese citizens have publicly questioned the government about its collection of personal data. Part of that could be a result of the government’s thorough censorship and the threats to personal safety of criticizing the government. But many residents also see the handover of data as a necessary trade-off for security and convenience.
“There’s always been this split identity when it comes to privacy awareness in China,” said Samm Sacks, a researcher on technology policy at Yale Law School and New America. “People are far more trusting overall in how government entities handle their personal information and far more suspicious about the corporate sector.”
Legal analysts said any disciplinary actions resulting from the Shanghai police database breach were unlikely to be publicized. There are few mechanisms in place to hold Chinese government agencies responsible for their own data leaks. For many citizens, that lack of recourse has contributed to a sense of resignation.
Occasionally, though, they notch small victories, as Xu Peilin did when she took on her local neighborhood committee last year. She had returned home to her apartment building in Beijing one day to find that the compound wanted residents to submit to a facial recognition scanner to enter.
“It was insane,” said Ms. Xu, 37, a project manager at a start-up company. She said it reminded her of one of her favorite television shows, the British science fiction series Black Mirror.
Ms. Xu badgered her neighborhood committee by telephone and text message until they relented. For now, Ms. Xu said, she can still enter her compound using her key card, though she believed it was only a matter of time until the facial recognition devices became mandatory again.
“All I can do for now,” she said, “is continue to resist on a small scale.”
Zixu Wang contributed reporting.