Chinese artists have staged performances to highlight the ubiquity of surveillance cameras. Privacy activists have filed lawsuits against the collection of facial recognition data. Ordinary citizens and established intellectuals alike have opposed the misuse of Covid tracking apps by authorities to stem protests. Internet users have shared tips for avoiding digital monitoring.
While China has a huge surveillance and security apparatus, it is encountering growing social unease about the lack of safeguards to prevent the theft or misuse of personal data. The ruling Communist Party is well aware of the cost to its credibility of major security concerns: last week it systematically suppressed news about what is likely the largest known breach of a computer system of the Chinese government, involving the personal information of as many as one billion citizens.
The breach dealt a blow to Beijing, raising the risks of its extensive efforts to suck up vast amounts of digital and biological information about its people’s daily activities and social connections from social media posts, biometrics, phone records, and surveillance videos. The government says these efforts are necessary for public safety: for example, to limit the spread of Covid or to catch criminals. But the failure to protect the data exposes citizens to problems such as fraud and extortion, and threatens to erode people’s willingness to be monitored.
“You never know who is going to sell or leak your information,” said Jewel Liao, a Shanghai resident whose data was among those released in the leak.
“It’s just a little unusual to see even the police being vulnerable,” Ms. Liao said.
China, striving to implement one of the world’s strictest data privacy regimes, often berates companies for mishandling data. But authorities rarely point the finger at the country’s other top collector of personal information: the government itself.
Security researchers say the leaked database, apparently used by the police in Shanghai, had been online and unsecured for months. It was revealed after an anonymous user posted on an online forum offering to sell the massive amount of data for 10 Bitcoin, or about $200,000. The New York Times confirmed parts of a sample of the database released by the anonymous user, who posted under the name ChinaDan.
In addition to basic information such as names, addresses and ID numbers, the sample also contained details that appeared to come from outside databases, such as instructions for couriers on where to drop off deliveries, raising questions about how much information private companies share with authorities. And, of particular interest to many, it also contained highly personal information, such as police reports listing the names of people accused of rape and domestic violence, as well as private information about political dissidents.
The government has tried to wipe out almost all discussion of the leak. At a cabinet meeting chaired last week by Chinese Prime Minister Li Keqiang, officials only casually referred to the issue of privacy, emphasizing the need to “defend information security” so that the public and businesses “can operate with peace of mind,” the official Xinhua News Agency said.
Last year, Chinese authorities passed two new data security and privacy laws, modeled on the European Union’s General Data Protection Regulation. The laws focused mainly on tackling the collection of private information by companies – and the widespread internet fraud and theft of personal information that has emerged as a result.
However, the government’s efforts to put safeguards in place have lagged behind its own push to gather information. In recent years, The Times has published other leaked databases used by police in China that were left online with little to no protection; some contain facial recognition records and ID scans of people in a Muslim ethnic minority region.
Now there are signs that people are also becoming wary of the government and public institutions as they see their own data being used against them. Last month there was a nationwide outcry over the apparent misuse of Covid-19 tracking technology by local authorities.
Protesters fighting to get their savings back from four rural banks in the central Chinese city of Zhengzhou found that the mobile apps used to identify and isolate people who could spread Covid-19 had changed from green – meaning safe – to red, a designation that would prevent them from moving freely.
“There is no privacy in China,” said Silvia Si, 30, a protester whose health code had turned red. Pressured to account for the event, Zhengzhou authorities later punished five officials for changing the codes of more than 1,300 customers.
Even when the Covid-19 tracking technologies are used for the stated purpose, more people seem willing to ask if the monitoring is excessive. On Wednesday, a blogger in Beijing posted on Weibo that he refused to wear an electronic bracelet to track his movements while isolated, saying the device was an “electronic brace” and an invasion of his privacy. The post was liked about 60,000 times and users flooded his post with comments. Many said it reminded them of the treatment of criminals; others called it a trick to covertly collect personal information. The post was later removed by censors, the blogger said.
In recent years, individuals have attempted to draw attention to privacy issues. In 2019, a law professor in Hangzhou, a leading technology center in eastern China, sued a local zoo for forcing him to submit facial recognition data to enter, the first such lawsuit in China. He won the case.
Since late 2020, several Chinese cities have started banning neighborhood committees from forcing residents to undergo biometric monitoring to enter their compounds. Around the same time, facial-recognition toilet paper dispensers were removed from public bathrooms in the southern Chinese city of Dongguan after public outcry.
On online forums such as Zhihu, a Quora-like platform, Chinese users exchange advice on how to evade surveillance (tips include wearing hats and masks and pointing flashlights at security cameras). More than 60 percent of Chinese say facial recognition technology has been misused, according to a survey of more than 20,000 Chinese conducted jointly at the end of 2020 by a Chinese think tank and a government task force. More than 80 percent expressed concern about whether and how facial recognition data would be stored.
“The rise of public awareness of data privacy is an inevitable trend,” said Dragon Zheng, an artist from the southern Guangxi province whose practice explores the interaction between technology and governance.
In 2016, Mr. Zheng installed security cameras in a large exhibition hall, which streamed live images to a surveillance room in the center of the hall. Visitors were invited to enter the room, where they could manipulate the cameras and experience what Mr. Zheng called the feeling of “monitoring and being controlled, checking and being controlled.”
Still, he stressed that the risks and benefits of technology are not unique to China.
“Technology is like Pandora’s box,” said Mr. Zheng. “Once it’s open, its use will depend on whose hands it falls into.”
Few Chinese citizens have publicly questioned the government about collecting personal data. Some of that could be a result of extensive government censorship and the threats to personal safety that come with criticizing the government. But many residents also see the transfer of data as a necessary trade-off for security and convenience.
“There has always been a split identity when it comes to privacy awareness in China,” said Samm Sacks, a researcher on technology policy at Yale Law School and New America. “People in general are much more confident in the way government agencies handle their personal information and are much more suspicious of business.”
Legal analysts said it was unlikely that disciplinary action over the breach of the Shanghai police database would be made public. There are few mechanisms to hold Chinese government agencies accountable for their own data breaches. This lack of redress has led to a feeling of resignation among many citizens.
Every once in a while, though, they pick up small wins, like Xu Peilin did when she took on her local neighborhood committee last year. She had returned to her apartment building in Beijing one day to find that the compound wanted residents to submit to a facial recognition scanner to enter.
“It was insane,” said Ms. Xu, 37, a project manager at a startup company. She said it reminded her of one of her favorite television shows, the British science fiction series Black Mirror.
Ms. Xu pestered her neighborhood committee by phone and text until it gave in. For now, Ms. Xu said, she can still enter her premises with her key card, although she thought it was only a matter of time before facial recognition devices would become mandatory again.
“All I can do now,” she said, “is to continue to resist on a small scale.”
Zixu Wang contributed reporting.