In a new article series, “Cashless Society, Cached Data,” researchers from the Citizen Lab have provided comprehensive overviews of security, privacy, and regulatory issues that have arisen with Alibaba’s payment application Alipay, and with the new social credit scoring system that Alibaba subsidiary Ant Financial manages through the company Sesame Credit. In the first article, Shazeda Ahmed and Adrian Fong present a case study of major Chinese mobile payment application Alipay, tracing the recent history of its previously identified data breaches and security vulnerabilities as well as sources of regulatory tussle with the Chinese government:
In January 2014, the company apologized for an incident in which a former Alipay employee downloaded 20 GB of user data including Alipay usernames, contact information, and purchases, which he and accomplices then sold to competitors. Also in 2014, the industry journal China Information Security [中国信息安全] carried an article explaining in detail the process through which a hacking group made a successful spoofing attempt that inserted malware into what looked like a genuine Alipay security update. This spoofing enabled them to “invade websites and engage in two types of mobile phone phishing to obtain users’ real names, ID numbers, Alipay account passwords, other information, and finally their money.”
[…] In March 2014, the People’s Bank of China (PBoC), China’s central bank, ordered Tencent and Alibaba to suspend the use of QR codes and virtual credit cards for payment due to concerns over their security vulnerabilities and the state’s inability to regulate them. Risks cited included the ease with which virtual credit cards can be duplicated, prior cases of identity and financial theft made through the use of QR code payments, and the ability to link barcodes with phishing websites. At the time the government also expressed the fear that the use of virtual credit cards could undermine the shift toward nationwide real-name registration. [Source]
Bloomberg has noted that the recently-published annual report from the China Internet Network Information Center (CNNIC) ranks Alipay as one of the five most popular mobile phone applications in China, where the estimated number of internet users rose to 731 million in 2016.
The second article in the Citizen Lab series raises concerns about potential security and civil liberties violations that could result from the adoption of a social credit system, which are currently in pilot-testing phases in select regions as local governments deliberate how to regulate such systems. The data inputs that determine an individual’s social credit scores are murky at best, with company representatives offering more concrete, if unverifiable, claims about social factors that can affect one’s score:
[…] The Paper posits that “if your address changes often, your creditworthiness will correspondingly drop. Additionally, your friends’ credit records will also influence your Sesame Points.” The room for misrepresentation as well as discrimination based on such factors is broad, and the behavior-changing incentives that underlie them are also concerning. Ant Financial’s chief credit data scientist Yu Wujie has said that “If you regularly donate to charity, your credit score will be higher, but it won’t tell you how many payments you need to make every month… but [development] in this direction [is undertaken with] the hope that everyone will donate.” Moreover, Ant Financial’s technology director, Li Yingyun, has stated that “Someone who plays video games for 10 hours a day, for example, would be considered an idle person, and someone who frequently buys diapers would be considered as probably a parent, who on balance is more likely to have a sense of responsibility.”
Aside from the data gathered through users’ activity within the Alipay app, Sesame Credit computes individual scores with data collected from Alibaba’s e-commerce websites, ride-sharing apps, and restaurants connected to Alipay, and from government bureaus involving the law, education, and commerce. One of the most clear-cut examples of such a data exchange is Sesame Credit’s tie to the Supreme People’s Court, which has been reported to have shared its blacklist of debtors and others who have violated court verdicts with the company in order to block these people from making so-called luxury purchases in Taobao and Tmall. [Source]