It's happened again - China's unconstrained approach to automating dystopia has been exposed by the lack of basic data security. TechCrunch reported on Friday that a security researcher had "found a smart city database accessible from a web browser without a password, [the details of which he passed] to TechCrunch in an effort to get the data secured." The data, which included "facial recognition scans on hundreds of people over several months," was hosted by Alibaba, a major player in China's tech sector and a backer of several of the AI unicorns behind the most sophisticated surveillance state capabilities.
The issue for China is that this latest set of exposed data, discovered by John Wethington, "uses facial recognition to detect ethnicities and labels them — such as '汉族' for Han Chinese, the main ethnic group of China — and also '维族' — or Uyghur Muslims." These systems have been honed in Xinjiang, an unconstrained high-tech surveillance laboratory where the industrial-scale oppression of the Muslim Uighur population has created a belated wave of international condemnation in recent months. In remote Xinjiang, the strained and dismissed defense has been one of terrorism and security. Harder to make that stick in the capital.
The technologies developed by China (oppressively) in Xinjiang and (more sensitively) in cities like Beijing are now being relentlessly exported under a state-subsidized push towards a dominant position in the security sector. It is a program that has fueled the development of advanced surveillance technology by existing players and new entrants with no reins applied.
On Wednesday, Human Rights Watch (HRW) exposed details of a smartphone app that is used by the police in Xinjiang that packaged multiple data sources on monitored citizens. The system "tracked the movement of people by monitoring the 'trajectory' and location data of their phones, ID cards, and vehicles; it also monitoring the use of electricity and gas stations of everybody in the region. This is consistent with Xinjiang local government statements that emphasize officials must collect data for the IJOP system in a 'comprehensive manner' from 'everyone in every household'."
Two days later, and the system in this latest exposed data breach "monitors the residents around at least two small housing communities in eastern Beijing, the largest of which is Liangmaqiao, known as the city’s embassy district. The system is made up of several data collection points, including cameras designed to collect facial recognition data. The exposed data contains enough information to pinpoint where people went, when and for how long, allowing anyone with access to the data — including police — to build up a picture of a person’s day-to-day life."
This level of sophistication first came to light with the SenseNets data breach earlier this year, which exposed more than 2.5 million records relating to the near real-time movement of Xinjiang Muslims. A database which ethical hacker Victor Gevers of the GDI Foundation explained at the time "contains over 2.565.724 records of people with personal information like ID card number (issue & expire date, sex, nation, address, birthday, pass photo, employer and which locations with trackers they have passed in the last 24 hours which is about 6.680.348 records."
What SenseNets illustrated perfectly is that if no impediments are applied by technologists, customers, investors or regulators, then we are collectively responsible for what is unleashed. "Under President Xi Jinping," the New York Times said last week, "the Chinese government has vastly expanded domestic surveillance, fueling a new generation of companies that make sophisticated technology at ever lower prices. A global infrastructure initiative is spreading that technology even further."
According to TechCrunch, this latest set of exposed data "was hosted by Chinese tech giant Alibaba; the customer, which Alibaba did not name, tapped into the tech giant’s artificial intelligence-powered cloud platform, known as City Brain," a smart city platform now being exported under China's national security strategy.
An Alibaba Cloud spokesperson told me that the system did not, in fact, access the City Brain's AI platform. "This is a database created by a customer and hosted on Alibaba Cloud," the spokesperson told me. "Alibaba Cloud is not involved with the customer on any City Brain related project and does not provide any AI-related technologies for this customer. For customers who host their database on our cloud platform, they are always advised to protect their data by setting a secure password. We have already informed the customer about this incident, so they can immediately address the issue. As a public cloud provider, we do not have the right to access the content in the customer database.”
China's surveillance machine is an interwoven mix of networking equipment manufacturers, video surveillance technology companies, smartphone app developers and glitzy AI 'unicorns' that have been part-funded by the West. Alibaba is a major backer of SenseTime. SenseTime owned a major stake in SenseNets before selling out. Alibaba is also a major backer of Megvii, the facial recognition technology in the smartphone app exposed by HRW. You get the point.
Techcrunch also reported that they "found that the customer’s system also pulls in data from the police and uses that information to detect people of interest or criminal suspects, suggesting it may be a government customer." Unconstrained facial recognition tracking. Ethnic detection. Multiple data source links. All driven by tech players part-funded by the west, engaging with universities in the U.S. and Europe, collaborating with major U.S. and European tech giants. It might be time for a rethink.
According to Gevers, China is second only to the U.S. in the number of open databases of this kind that can be found by trawling online. And, judging by what we have seen so far this year, the data being harvested confirms the dystopian fears about the state's thirst for data- and surveillance-driven population control.
How this might further impact on the broader debate raging between the U.S. and Beijing about China's technology sector and any prohibitions on export sales, remains to be seen. As I wrote last week, even as the world debates Huawei's 5G security credentials, they are actively exporting smart city surveillance systems - similar to this - to countries around the world. Huawei, Alibaba, China Electronics Technology Group Corp and its HikVision subsidiary. The approach is the same.
There is a cultural and political divide that is now being regularly exposed. The question is whether the world will wean itself off cheap Chinese electronics or carry on regardless. Meanwhile, the Chinese are not helping themselves at all in the PR stakes. One might think that if you were going to track your population through facial recognition then you might focus on the security of such information. But apparently not.
[Updated later on 4 May with Alibaba Cloud's statement.]
--
Disclosure: I am the CEO of Digital Barriers, which operates in the security and defense sectors and which sometimes competes against Chinese state-sponsored security and surveillance equipment manufacturers. One of the technologies provided by Digital Barriers is facial recognition, although this is not sold in China.
