How an exposed Chinese database gave a glimpse of real-time monitoring in Xinjiang
- Dutch cybersecurity researcher says facial recognition company was clueless about network security
The Chinese database Victor Gevers found online was not just a collection of old personal details.
It was a compilation of real-time data on more than 2.5 million people in western China, updated constantly with GPS coordinates of their precise whereabouts. Alongside their names, birth dates and places of employment, there were notes on the places that they had most recently visited – mosque, hotel, restaurant.
The discovery by Gevers, a Dutch cybersecurity researcher who revealed it on Twitter last week, has given a rare glimpse into China’s extensive surveillance of Xinjiang, a remote region home to an ethnic minority population that is largely Muslim. The area has been blanketed with police checkpoints and security cameras that apparently are doing more than just recording what happens.
The database Gevers found appeared to have been recording people’s movements tracked by facial recognition technology, he said, logging more than 6.7 million coordinates in 24 hours.
It illustrates how far China has taken facial recognition – in ways that would raise alarm about privacy concerns in many other countries – and serves as a reminder of how easily technology companies can leave supposedly private records exposed to global snoopers.
China data leak exposes vast hi-tech surveillance operation in Xinjiang
Gevers found that SenseNets, a Chinese facial recognition company, had left the database unprotected for months, exposing people’s addresses, government ID numbers and more. After Gevers informed SenseNets of the leak, the database became inaccessible, he said.
“This system was open to the entire world, and anyone had full access to the data,” said Gevers, noting that a system designed to maintain control over individuals could have been “corrupted by a 12-year-old”.
He said it included the coordinates of places where the individuals had recently been spotted by “trackers” – likely to be surveillance cameras. The stream indicated that the data was constantly being updated with information on people’s whereabouts, he said.
Gevers posted a graph online showing that 54.9 per cent of the individuals in the database were identified as Han Chinese, the country’s ethnic majority, while 28.3 per cent were Uygur and 8.3 per cent were Kazakh, both Muslim ethnic minority groups.
Within a 24-hour period, more than 6 million locations were saved by SenseNets’ tracking devices, according to Gevers.
“You can clearly see they have absolutely no clue about network security,” he said, describing SenseNets’ IT skills as belonging “to the early 90s”.
“Who in their right mind runs a database which is completely open and gives any visitors full administrative rights so then those database records can be manipulated by anyone with an internet connection?” he said. “It simply does not compute.”
EU team visits China’s Xinjiang region to gather evidence on re-education camps
The database had been exposed since last July but was closed last Thursday, after Gevers reported the leak to SenseNets, he said.
A person who answered the phone at SenseNets declined a request for comment. The Xinjiang regional government did not respond to faxed questions.
Xinjiang, which borders central Asia in China’s far west, has been subject to severe security measures in recent years as part of what the government says has been a successful programme to quash extremist and separatist movements.
The United States and other countries have condemned the crackdown, in which an estimated 1 million Uygurs, Kazakhs and people from other Muslim minorities have been detained in internment camps that the government says are vocational training centres designed to rid the region of latent extremism.
Gulzia, an ethnic Kazakh woman, said cameras were being installed everywhere, even in cemeteries, in late 2017. Now living across the border in Kazakhstan, she said she had been confined to house arrest in China and taken to a police station, where they photographed her face and eyes and collected samples of her voice and fingerprints.
“This can be used instead of your ID card to identify you in the future,” she said they told her. “Even if you get into an accident abroad, we’ll recognise you.”
The security clampdown is far heavier in Xinjiang than in most parts of China, though outside analysts and human rights activists have expressed concern that Xinjiang may be a testing ground for techniques that may be creeping into other parts of the country.
Is nowhere private? Chinese subway users upset by plans to install facial recognition systems
Joseph Atick, a pioneer in facial recognition technology, said facial recognition products could use algorithms to recognise and track people in a crowd, but that privacy regulations in Europe, for example, made it much harder to launch a wide-scale application such as that of SenseNets.
“The technology around the world is becoming uniform and it is just the political climate that is different and leads to different applications,” he said.
According to a company registry, SenseNets was founded in the southern Chinese city of Shenzhen in 2015 and is majority-owned by Beijing-based NetPosa, a technology company specialising in video surveillance. Its website showcases partnerships with police forces in Jiangsu and Sichuan provinces and the city of Shanghai.
A promotional video boasts about SenseNets’ capacity to use facial and body recognition to track individuals’ precise movements and identify them even in a crowded or chaotic setting. Another video on its website shows surveillance cameras zeroing in on the path of a runaway prisoner who ends up in an ailing relative’s hospital room.
NetPosa’s website says it has offices in Boston and Santa Clara, California. The website of NetPosa’s US subsidiary touts its products’ use in urban anti-terrorism.
In recent years, NetPosa has been buying stakes in American surveillance start-ups such as Knightscope, a security robot maker. In 2017, NetPosa tried to buy the now-bankrupt California surveillance camera maker Arecont, but later backed out, court records show.
In 2010 US chip maker Intel announced a strategic partnership with NetPosa and an Intel subsidiary bought a stake in the company, but NetPosa said in 2015 that Intel had notified the Chinese company of its intent to divest its 4.4 per cent stake by 2016.
Gevers said his discovery of the database presented an ethical dilemma. He is the co-founder of GDI Foundation, a Netherlands-based non-profit that finds and tells entities of online security issues. He has become well-known in recent years for helping to uncover similarly exposed information on databases built with the open source MongoDB database programme and left unsecured by their administrators.
GDI generally reports such discoveries to the entity that holds the information. Part of its mission is to remain neutral and not engage in political controversies.
Hours after he revealed his findings on Twitter, Gevers said, he learned that the system might be used to surveil Xinjiang’s Muslim minority groups.
He said that made him “very angry”.
“I could have destroyed that database with one command,” he said. “But I choose not to play judge and executioner because it is not my place to do so.”
Additional reporting by Agence France-Presse
