China produces huge amounts of online data — and little of it is protected. That has led to a thriving market for stolen personal information, from national identification numbers to home addresses.

Some of it is used for state surveillance, while much of it is used for private extortion and fraud.

But increasing public concerns about privacy and surveillance have spurred a nascent movement to secure people's data. Lone advocates are pushing to hold people accountable for selling stolen personal info. Hackers and bloggers have been posting DIY fixes online to teach others how to encrypt communications or evade surveillance.

"We trade our data privacy for convenience," says Wu Dong, once a hotel reviewer who has become a campaigner for harsher penalties for personal data thieves.

Wu's crusade began last year, when he hid a camera in his hotel room to expose substandard cleaning practices. His video went viral.

In retaliation, hotel staff leaked his information — personal details that Chinese hotels collect for the Public Security Ministry.

"Every place you stay they recognize you. You check into a hotel and when you leave, everyone comes over to circle you and say, 'Oh we know who you are,' " Wu says. He was out of work as a reviewer after the incident.

Wu spent tens of thousands of dollars trying to track down who put his documents online. A hotel employee was eventually fined 500 yuan, or about $80, for passing on the leak. But beyond that, the trail went cold. Wu never found out who initially doxed him.

Now, Wu advocates for more clearly defined legal channels for reporting data theft and seeking compensation for damages.

Wide web of surveillance

China collects more data than ever on its citizens. Cities across the country are wired with 20 million surveillance cameras, some outfitted for facial recognition, amassing vast amounts biometric information daily. In the western region of Xinjiang, residents are forced to install surveillance software on their cellphones that scans their pictures and texts. The popularity of online shopping and mobile payments has also created a trove of consumer information is easily hacked.

That has led to an uptick of data leaks. In the past year, cybersecurity researchers have unearthed unprotected databases operated by Chinese public security departments containing biometric data on thousands of people in China or millions of private chat logs scraped from shared Wi-Fi networks.

"Data leakage is sunk into every corner of your life," Wu says.

The country released guidelines last July demanding greater oversight of personal information collected by tech companies, but legal enforcement is weak. There's a high burden of proof on the victim in order to seek compensation for damages. That has led to the proliferation of an illicit marketplace of personal information. Chinese authorities estimate there are about 1.5 million people illegally reselling personal data in China, often at cut-rate prices — so low that artist Deng Yufeng was able to afford staging an art exhibition in 2018 comprised of nearly 350,000 pieces of personal information he had bought from a data broker.

Privacy becomes a commodity

"If the Internet develops further as it is today, privacy eventually will be the most expensive commodity in a society," says Yang Geng, an entrepreneur working to prevent such leaks. He was once Amazon China's chief security officer but left to start Entropage, a company that provides encryption tools users can add to email and messaging apps.

The Chinese government has contradictory stances on digital privacy. On one hand, it wants porous technology so it can monitor communications between activists, for example, and control access to information. In the last two years, it has arrested or shut down scores of virtual private network providers, the software commonly used to jump China's great firewall.

In January 2019, the state cyberspace regulator announced a stronger stance on data collection. Mobile apps "have played an irreplaceable role in promoting economic and social development and serving people's livelihood," it said, but the excessive collection of personal information was "abundant" and "very prominent."

Because Beijing recognizes that data theft and weak consumer protections are threats to social stability, it has given space to startups like Entropage. "They usually take the approach of: Let something happen and don't make the judgement too early and see how it goes," explains Yang.

Opposition to facial recognition

And there is rising demand for data privacy amid growing awareness of state surveillance. A recent study by a research center affiliated with a prominent Chinese newspaper said 74% of respondents opposed the use of facial recognition identity verification methods, largely because they feared the biometric data collected would not be sufficiently protected.

More enterprising Chinese netizens have also launched a do-it-yourself culture on the far corners of the Web. On Pincong.rocks, a burgeoning Chinese-language Internet forum that often hosts politically sensitive discussions, users frequently share technical solutions for scaling China censorship controls.

One popular tip is to carry two cellphones, one for Chinese apps and another for international ones. Another recommendation is to register a U.S. Apple store account, since the company said it would begin storing encrypted personal information from Chinese accounts within the country in 2017.

"What the people are most afraid of is the endless demands of the state power for personal information of citizens, and the use of this information to combat and control all acts of resistance," one of the founders of Pincong, who declined to give their name because of the political sensitivity of their work, tells NPR. "Only absolute security can guarantee free speech."

But Entropage's Yang admits commercializing data privacy will be a challenge, because the issue has not gone fully mainstream yet in the country. He says he is quickly running out of funding as wary venture capitalists turn to safer, more lucrative investments.

There's a red line he says he would not cross, even for the sake of privacy. He says he would voluntarily stop his work if there were evidence his tools were being used for terrorism: "I certainly value living in a peaceful environment more than [I value] privacy and data rights."

Amy Cheng contributed reporting from Beijing.

Copyright 2020 NPR. To see more, visit https://www.npr.org.

300x250 Ad

300x250 Ad

Support quality journalism, like the story above, with your gift right now.

Donate