Chinese artists have staged performances to highlight the ubiquity of surveillance cameras. Privacy activists have filed lawsuits against the collection of facial recognition data. Both ordinary citizens and established intellectuals have rejected the abuse of Covid-tracking apps by authorities to curb protests. Internet users have shared tips on how to evade digital monitoring.
As China builds its vast surveillance and security apparatus, it faces growing public anger over the lack of safeguards to prevent the theft or misuse of personal data. The ruling Communist Party is well aware of the cost to its credibility of any major security flaw: Last week, it moved systematically to silence news of what was probably the largest known breach of a Chinese government computer system, which it involved the personal information of as many as one billion citizens.
The leak dealt a blow to Beijing, exposing the risks of its expansive efforts to suck up vast amounts of digital and biological information about the daily activities and social connections of its people from social media posts, biometric data, phone records and videos. of vigilance. The government says these efforts are necessary for public safety: to limit the spread of Covid, for example, or to catch criminals. But its lack of data protection exposes citizens to problems like fraud and extortion, and threatens to erode people’s willingness to comply with surveillance.
“You never know who is going to sell or leak your information,” said Jewel Liao, a Shanghai resident whose details were among those released in the leak.
“It is a bit unusual to see that even the police are also vulnerable,” Ms. Liao said.
China, which has been racing to implement one of the world’s strictest data privacy regimes, frequently criticizes companies for mishandling data. But authorities rarely point fingers at the country’s other main collector of personal information: the government itself.
Security researchers say the leaked database, apparently used by police in Shanghai, had been online and unsecured for months. It was exposed after an anonymous user posted on an online forum offering to sell the large amount of data for 10 Bitcoin, or around $200,000. The New York Times confirmed parts of a database sample posted by the anonymous user, who posted under the name ChinaDan.
In addition to basic information such as names, addresses and identification numbers, the sample also included details that appeared to be pulled from external databases, such as instructions for couriers on where to leave deliveries, raising questions about how much information private companies share with The authorities. . And, of particular concern to many, it also contained intensely personal information, such as police reports that included the names of people accused of rape and domestic violence, as well as private information about political dissidents.
The government has tried to erase almost all discussion of the leak. At a cabinet meeting chaired by Chinese Premier Li Keqiang last week, officials made only a brief reference to the privacy issue, emphasizing the need to “uphold information security” so that the public and companies can “operate with peace of mind,” according to the official Xinhua news agency.
Last year, Chinese authorities passed two new laws on data security and privacy, modeled after the European Union’s General Data Protection Regulation. The laws were primarily intended to address the collection of private data by companies, and the widespread Internet fraud and theft of personal information that has arisen as a result.
The government’s efforts to institute safeguards, however, have lagged behind its own effort to collect information. In recent years, The Times has reviewed other leaked databases used by police in China that went online with little or no protection; some contained facial recognition records and ID scans of people in a Muslim ethnic minority region.
Now, there are signs that people are also distrusting the government and public institutions as they see their own data being used against them. Last month, a nationwide protest erupted over the apparent abuse of Covid-19 tracking technology by local authorities.
The Latest on China: Key Things You Need to Know
Protesters fighting to retrieve their savings from four rural banks in the central Chinese city of Zhengzhou found that mobile apps used to identify and isolate people who might be spreading covid-19 had turned green ( meaning safe) to red, a designation that prevents them from moving freely.
“There is no privacy in China,” said Silvia Si, 30, a protester whose health code turned red. Zhengzhou authorities, pressured to account for the episode, later punished five officials for changing the codes of more than 1,300 customers.
Even when Covid-19 tracking technologies are used for their stated purpose, more people seem willing to ask if the surveillance is excessive. On Thursday, a blogger in Beijing posted on Weibo that he refused to wear an electronic bracelet to track his movements while he was in isolation, saying the device was an “electronic shackle” and a violation of his privacy. The post was liked around 60,000 times, and users flooded his post with replies. Many said it reminded them of the treatment of criminals; others called it a ploy to surreptitiously collect personal information. The post was later removed by censors, the blogger said.
In recent years, people have tried to draw attention to privacy concerns. In 2019, a law professor in Hangzhou, a prominent tech hub in eastern China, sued a local zoo for forcing him to submit facial recognition data to enter, the first such lawsuit in China. He won the case.
Starting in late 2020, several Chinese cities began banning neighborhood committees from forcing residents to undergo biometric screening to enter their compounds. Around the same time, toilet paper dispensers using facial recognition were removed from public toilets in the southern Chinese city of Dongguan following public outrage.
On online forums like Zhihu, a platform similar to Quora, Chinese users exchange tips on how to evade surveillance (tips include wearing hats and masks and pointing flashlights at security cameras). More than 60 percent of Chinese say facial recognition technology has been abused, according to a study of more than 20,000 Chinese conducted jointly in late 2020 by a Chinese think tank and a government task force. More than 80 percent expressed concern about whether and how facial recognition data would be stored.
“Increasing public awareness of data privacy is an inevitable trend,” said Dragon Zheng, an artist based in the southern province of Guangxi whose practice explores the interplay of technology and governance.
In 2016, Mr. Zheng installed security cameras inside a large exhibition hall, which transmitted live images to a monitoring room installed in the center of the hall. Visitors were invited into the room, where they could manipulate the cameras and experience what Mr. Zheng called the feeling of “supervising and being supervised, controlling and being controlled.”
Still, he stressed that the risks and benefits of the technology are not unique to China.
“Technology is like Pandora’s box,” Zheng said. “Once it’s open, how it’s used depends on the hands it falls into.”
Few Chinese citizens have publicly questioned the government about its collection of personal data. Some of that could be the result of outright government censorship and personal safety threats from criticizing the government. But many residents also see data delivery as a necessary trade-off for security and convenience.
“There’s always been this split identity when it comes to privacy awareness in China,” said Samm Sacks, a technology policy researcher at Yale Law School and New America. “People are much more trusting in general of how government entities handle their personal information and much more suspicious of the corporate sector.”
Legal analysts said disciplinary measures resulting from the Shanghai police database breach were unlikely to be made public. Few mechanisms exist to hold Chinese government agencies accountable for their own data breaches. For many citizens, that lack of resources has contributed to a sense of resignation.
From time to time, however, they achieve small victories, as Xu Peilin did when he took on his local neighborhood committee last year. She had returned to her apartment building in Beijing one day to find that the complex wanted residents to submit to a facial recognition scanner to enter.
“It was crazy,” said Ms. Xu, 37, a project manager at a start-up company. She said that she reminded her of one of her favorite television shows, the British sci-fi series Black Mirror.
Ms. Xu harassed her neighborhood committee by phone and text messages until they relented. For now, Ms. Xu said, she can still enter her compound using her access card, though she believed it was only a matter of time until facial recognition devices became mandatory again.
“All I can do for now,” he said, “is continue to resist on a small scale.”
Zixu Wang contributed report.