Why The Massive China Police Database Hack Is Bad News For Surveillance States Everywhere

from the are-you-sure-you-want-to-spy-on-everyone? dept

A couple of weeks ago, Techdirt wrote about how an anonymous user had put up for sale the data of an estimated one billion Chinese citizens, probably obtained from the Shanghai police.  Back then, what exactly had happened was a little unclear — not least because the Chinese authorities were shutting down any discussion of the massive and embarrassing leak.  The Wall Street Journal has written a follow-up piece on the incident that clarifies the situation and puts things in a wider context (paywall alert):

The Wall Street Journal has since found dozens more Chinese databases offered for sale, and occasionally free, in online cybercrime forums and Telegram communities with thousands of subscribers. Four of the stolen caches contained data likely taken from government sources, according to a Journal review, while several others were advertised as containing government data.

Tens of thousands more databases in China remain exposed on the internet with no security, totaling over 700 terabytes of data, the largest volume of any country, according to LeakIX, a service which tracks such databases.

An accompanying graphic shows that the volume of data exposed in China is not just greater than that in the US, but well beyond the levels of leaks in other countries around the world.  The Wall Street Journal’s Karen Hao found several people claiming to offer the dataset holding information on a billion Chinese citizens — one wanted around $200,000, another was prepared to sell for $100,000.  And the publicity surrounding the hack seems to have encouraged others to join in:

a user claiming to be a police officer from central China’s Henan province, inspired by the Shanghai theft, offered the personal information of 90 million people for one bitcoin, or roughly $20,000.

A third post promoted an alleged nine million records from China’s Center for Disease Control for $2,000. A few days later, a fourth popped up selling 40,000 records of Chinese citizens’ names, phone numbers, addresses, and government ID numbers for $500.

Hao points to a key factor that is driving this flourishing trade in highly personal data on a vast scale: state employees in China are poorly paid and thus easy to bribe.  But another is the fact that the more data that is held on a database for surveillance purposes, the harder it is to control, and the easier it is to exfiltrate huge quantities in a single hack, which can be sold for large sums on the black market. It is probably no coincidence that the big leak of a couple of weeks ago came from Shanghai, which has had one of the most complete surveillance systems in the world up and running for a while:

Shanghai was among the first cities to unveil a fully integrated data platform with AI capabilities in 2019. The platform pulls in data from various government functions such as public security, public healthcare and transportation, as well as from private companies offering express and food delivery, according to a state-media interview with a Shanghai police department director.

That means there was more and richer data in Shanghai than in other locations.  All it took was one misconfigured database, or one dishonest police officer, for the privacy of a billion Chinese citizens to disappear, probably forever.

That’s terrible news for the people affected, but it does mean that the bigger and more inclusive a surveillance system becomes, the more vulnerable it will be to precisely the kind of leaks that now seem commonplace in China.  As well as harming the people whose lives are revealed in this way, it also undermines the power of central and local government by exposing large stores of sensitive data to anyone willing to pay, including foreign intelligence agencies.

Ethics or international laws are unlikely to constrain governments that spy on their own citizens.  But the fact that too much surveillance might threaten the political future of the very people who order it could act as a brake on its constant expansion.

Follow me @glynmoody on Twitter or Mastodon.



Comments on “Why The Massive China Police Database Hack Is Bad News For Surveillance States Everywhere”

17 Comments
Naughty Autie says:

As bad as this is for the people whose details are in the wind, it is good for encouraging the Chinese government to not only secure its data better, but maybe also step down its surveillance and pay its employees better. Hell, if they stop paying individuals like DBA Phillip Cross to spread shit on sites like this, that would likely free up thousands of yuan that would be better invested in the pay packets of more valuable employees.

Anonymous Coward says:

Re: First, they have to care...

it is good for encouraging the Chinese government to not only secure its data better, but maybe also step down its surveillance and pay its employees better.

Assumes…
1) they don’t believe in security through obscurity: they’re only a comparative handful, among a billion people. “We’ll catch them before they get to us.”
2) they don’t believe the leopards will eat their faces: “you mess with us, we bring the state down on your ass. You wouldn’t like that, now would you?”
3) they’re not collecting the information specifically so they can sell it. (insert Steve Miller band, Take The Money and Run)

Anonymous Coward says:

Re: Re:

Assumes…
1) they don’t believe in security through obscurity: they’re only a comparative handful, among a billion people. “We’ll catch them before they get to us.”

Really? I didn’t read that. Everyone knows that security through obscurity is non-existent, which is why the unpatched holes in Apple’s security are common knowledge.

Anonymous Coward says:

Pay state employees better, but it only takes one bad or greedy employee to sell a database. This data is probably being bought by various foreign intelligence agencies, but it includes the personal data of police and military personnel and even local politicians, which could be used for blackmail or other purposes in the future.
This should be a warning to countries like India which are building giant databases using camera surveillance with face recognition: the more data you collect, the more likely it will be hacked or released on forums in the future to be bought by anyone.
And of course if you are going to build databases online, at least try and make them more secure.

That One Guy (profile) says:

Yeah, the problem with thinking leaks like this will cause authoritarian governments to scale back on data collection is that assumes they care that the public is having their data sold to the highest bidder.

Sure it’s a pain if one of theirs has their data scooped up but between ‘grab everything to maintain power, face occasional black eye’ and ‘don’t grab everything just in case, seriously curb their ability to spy on the public’ they’re likely to choose the former every time.

Anonymous Coward says:

Re:

Also consider that the public is getting trained to accept that none of their information is going to be private anyway, what with the national social score system to be rolled out.

Well-off individuals appreciate being able to directly sift through networks of potential spouses with similar educational qualifications and family background – while folks unfortunate enough to speak out against the system by investigating corruption find they can’t even leave town because the system has decided they can’t be trusted to get on a train. All this against a backdrop of a government and society who fervently believe in a philosophy that if something good or shitty happens to you, you must have deserved it, so why believe otherwise? Only filthy, uncultured, individualistic Westerners would dare to worry about personal privacy and liberty anyway.

Any ordinary citizenry would cry foul about a police database hack. The problem is that the Chinese government knows this, and is molding its citizenry to be the perfect obedient, unquestioning tools.

Anonymous Coward says:

Re: Re:

Bit late for that.

They swallowed the tripe about Hong Kong being a red-headed stepchild who needed to be spanked back into the fold.

Like the 73 million who continually vote for Trump and the Republicans regardless of what they’ve done, they WON’T listen to anyone.

And we don’t have any more time left for the right way to work.

Arijirija says:

Seriously

I would’ve thought the PRC government would’ve been more intelligent and worked harder to secure the data.

Just consider the likelihood of breaching the perimeter of national defence, and the cost of doing it successfully. How many ordinary Chinese are now potential targets for subversion by foreign powers of whatever location? I thought they would’ve taken the lessons of the Opium Wars more to heart. Instead, it’s security theater.

And security theater’s generally nothing thicker than greasepaint or the people who think it up. Though of course, the people who think up security theater can indeed be very, very thick.
