A Dutch cybersecurity analyst claimed on Monday to have discovered a database created by Chinese police that contains private information about 364 million social media users, revealing a government surveillance network of breathtaking scale and uncertain purpose.
Victor Gevers of the GDI Foundation described the Chinese surveillance program as a “jerry-rigged PRISM clone of the NSA,” referring to the U.S. National Security Agency system exposed by Edward Snowden in 2013.
“Around 364 million online profiles, and their chats and file transfers, get processed daily,” he elaborated.
“Then these accounts get linked to a real ID/person. The data is then distributed over police stations per city/province to separate operators databases with the same surveillance network name,” he explained.
Gevers clarified to the Verge that he could not determine what, if anything, Chinese law enforcement agencies are actually doing with all this data after the main system farms it out to 17 regional servers.
“There is no evidence that law enforcement is doing something active with this spoon-fed data. But the infrastructure and well-planned data distribution are there,” he said.
The Verge pointed out that a large number of the database records could be traced back to Internet cafes frequented by Chinese computer game enthusiasts, who have frequently been targeted with surveillance and censorship. The information contained in the database Gevers uncovered resembles the expected output of the monitoring software Chinese officials have asked Internet cafes to install.
“There were chats from teenagers. Direct messages that were supposed to be private,” Gevers said of the information he found.
Gevers was disturbed not only by the vast size of the Chinese surveillance database, and the amount of personal information it contained, but by how poorly protected it was. He was able to discover and penetrate it thanks to an apparent error in configuration on a single firewall, which was corrected after he helpfully reported it to a Chinese internet provider.
“There is no security. It looks like they have NO CLUE what they are doing,” he told Bleeping Computer.
The lack of adequate security on the immense surveillance database not only exposes Chinese users to identity theft and blackmail, but could also cause problems for the entire world: Gevers warned that the system could be infected with malware that would quickly spread from those 364 million Chinese to users in other countries.
Conversely, the authoritarian Chinese regime has presumably collected a great deal of information about foreign users who communicate with the Chinese citizens it is monitoring. Those foreign users could be vulnerable to mischief from hackers who penetrate the surveillance network… or hackers who are provided with the data by Chinese agents.
This is not the first time cybersecurity researchers, including Gevers himself, have caught China irresponsibly collecting vast amounts of surveillance data and leaving it exposed online.
In February, Gevers discovered that a Chinese company called SenseNets had accumulated a database of 2.5 million people using its facial recognition software and left it wide open to intruders, without even rudimentary password protection. The database included ID card numbers, home addresses, birthdates, and the precise location of the individual every time a SenseNets camera noticed them.
Gevers spent a day quietly monitoring the database and watched 6.8 million location hits pile up, fed into the system by cameras at police stations, hotels, public parks, Internet cafes, and mosques. Most of this surveillance data came from Xinjiang province, where China is oppressively controlling the Uighur Muslims.
“Knowing when someone is not in the office or at home can be useful for simple burglar crimes, but also social engineering attacks to get into buildings,” he noted.
Within a few days of finding the exposed facial recognition system, Gevers discovered another wide-open database filled with tracking information on millions of vehicles and pedestrians, accumulated by a vast network of cameras installed at intersections.
The system was sensitive enough to automatically snap photos and catch people who were jaywalking. It was also sophisticated enough to plug into social media databases and automatically identify the people and vehicles captured in the photos.