A man plays a computer game at an internet café in Beijing. Picture: REUTERS/KIM KYUNG-HOON
A man plays a computer game at an internet café in Beijing. Picture: REUTERS/KIM KYUNG-HOON

Beijing — A leak of about 364-million online records in a Chinese database, including private messages and identity numbers, has again highlighted the size and scope of Beijing’s mass surveillance system.

The files show a wealth of information linked to online accounts, including GPS locations, file transfers, and chat logs, according to the database discovered by Victor Gevers, a security researcher at Dutch non-profit GDI Foundation.

The data collection appears indiscriminate — some conversations are simply banter between teenagers, like one commenting on someone’s weight and clothing size. “They know exactly who, when, what and where,” Gevers said, explaining that thousands of records were piped daily to different databases for local law enforcement to review.

Government procurement documents and database records shared by Gevers show that the database is linked to an “internet café management system”, developed by HeadBond.com, a tech firm based in eastern Shandong province.

In 2017, the public security bureau in Yancheng city, eastern Jiangsu province — where at least one internet café named in the database is based — contracted HeadBond for a system that monitors online activity at internet cafés. On its website, the company calls its internet café management system “the best solution” for identifying online users for police on its website.

HeadBond declined to comment, and the Yancheng city government and public security bureau did not respond to AFP’s request for comment.

Internet café drag net

Over the past decade, the Chinese government has cracked down on internet cafés — especially underground venues that serve minors — over concerns of game addiction and crime.

The capture of extensive user data, such as chat logs, also extends well beyond the stated purpose of catching minors surfing the web or playing games

Chinese law requires internet cafés to record the identities and “relevant” online activity of users, and provide them to the public security bureau on request — which has resulted in an entire market of internet café monitoring systems such as those offered by HeadBond.

“This also explains why data leaks that involve personal information are more prevalent in China,” said Lokman Tsui, an expert on internet policy at the Chinese University of Hong Kong. “Beijing requires most network services to register their users with real names. This means that every single mobile phone operator, internet café, social media website, and so on, are legally required to have databases filled with personal information, and all these databases are potentially vulnerable to attacks and leaks.”

The capture of extensive user data, such as chat logs, also extends well beyond the stated purpose of catching minors surfing the web or playing games.

A government procurement notice posted last month by Liaoyuan city in north-eastern Jilin province, for instance, outlines specifications for another internet café management system for local police, with explicit requirements for features that support querying and analysis of content on QQ, a popular messaging app in China.

“It’s shocking the amount of personal data that is being collected on Chinese people,” said Bob Diachenko, a security researcher who has reported on exposed databases in the US and Europe for the past few years, and is now looking at cases in China.

In particular, it is surprising to see the amount of additional data that is linked with a user’s login data, Diachenko told AFP, such as their IP address, name, and even information about their family members. “Sometimes it’s just big data and it doesn’t even make sense to collect that from a user perspective.”

GPS tracker

Last month, Gevers found another publicly accessible database containing personal information, such as ethnicity and GPS tracking data, of 2.6-million people in Xinjiang. Access to the database has since been closed.

The restive north-western region is home to most of China’s Uighur ethnic minority, which has been under heavy police surveillance in recent years after violent inter-ethnic tensions.

“I would argue that good personal data protection is neither in the interest of the companies who gather the data for profit, nor the government who can (ab)use that data for power and surveillance,” Tsui wrote in an e-mail. “It is the people in China and their basic human rights and, in this case, privacy, who end up drawing the short stick.”

AFP