Report Reveals Prevalence of Data Black Markets

In a recent article for SupChina, China Media Project’s David Bandurski translated and commented on an investigative exposé in which two Chinese journalists demonstrated the ease with which personal data can be purchased on the black market. With permission from their colleagues, Southern Metropolis Daily reporters Rao Lidong (饶丽冬) and Li Ling (李玲) visited data procurement services and provided false pretenses for requiring access to these colleagues’ data:

For a modest fee of 700 yuan, or about 100 dollars, the reporters were able to obtain an astonishing array of information based on one colleague’s personal ID number, including a full history of hotel rooms checked into, airline flights taken, internet cafes visited, border entries and exits, apartment rentals, real estate holdings — even deposit records from the country’s four major banks.

But that wasn’t all. The reporters were also able to purchase live location data on another colleague’s mobile phone, pinpointing their position with disturbing accuracy.

Hundreds of tracking services are advertised on internet-based platforms in China, offering clients the power to unlock, with as little as a phone number or ID, the personal data of just about any Chinese citizen. You can find them on Tencent’s WeChat and QQ services, on the Taobao online marketplace and on Weibo. And while some of these services are unreliable or outright fraudulent, others are able to deliver accurate information from what must be national police and government databases, as well as from banks and mobile carriers.

[…] Obtaining permission and an ID number from a second colleague, the reporters purchased the so-called “ID super-tracking service,” a comprehensive search across information categories, negotiating the price down to 700 yuan. Twenty-four hours later, they received two Excel files that included ID super-tracking of this colleague across nine categories  —  including hotel stays, visits to internet bars, places of both permanent and temporary residence, bank accounts, driving records (including infractions), motor vehicle registration, airline flights and train journeys. […] [Source]

The Washington Post’s Simon Denyer cited the data-purchasing services as further evidence that “living in China feels like dystopia has already arrived,” pointing to the new social credit system as an additional indication of how little privacy technology users in China have.

Although both Bandurski and Denyer present the Chinese data market issue as a sign that privacy is undervalued in China, the Southern Metropolis Daily followed up their investigative report by interviewing the head of a Chinese firm, reflecting the paper’s interest in informing citizens of risks to their personal data. In the December 24 article “Anheng CEO Fan Yuan: Leaked Personal Data Channels and Espionage Are Comparable to Hackers,” Fan stressed that “insider” (nèi guǐ 内鬼) theft of personal data poses just as severe a risk as hacking. He emphasized that these “insiders” are not merely limited to those working within an organization, but can also include third-party software and maintenance or security staff. While Fan identified recent Chinese data protection regulations and the new national cybersecurity law as steps in a positive direction, his outlook on overall data security in China remains wary at best:

Statistics show that for every hundred people, no fewer than 50% experience data leaks.

[…T]here are still many systems that have issues, and the situation is indeed not an optimistic one. Protection of personal information still has a long way to go.

[…] Construction of a big data center is a future trend. But from a hacker’s perspective, that would make the objective even more clear-cut. “Where there is data, there is a target.” Therefore when designing platforms one needs to consider strengthening protection of security. [Chinese]