Massive Leak Shows Big Data Is Central to CCP’s Ambitions, but It Does Not Protect Chinese Citizens

The leak of a Shanghai police database containing personal details of a billion people has again highlighted the Chinese Communist Party’s (CCP’s) reckless attitude toward its citizens’ privacy.

The CCP has frequently introduced data security-related laws in recent years, but instead of focusing on protecting the personal information of Chinese citizens, it has used them as a tool to suppress Chinese companies and advance its international ambitions.

In early July, an anonymous hacker or group under the name of “ChinaDan” listed for sale a database of personal information of 1 billion Chinese national residents on Breach Forums, a popular hacker community. The database originated from the Shanghai police.

The dashboard used to manage the data had been set up on the public web and kept open without a password, according to cyber security experts. After being open for more than a year, the database was suddenly wiped clean by the hacker or group in mid-June and replaced with a ransom note, demanding that Shanghai police redeem the database for 10 bitcoins, or roughly $200,000.

The Shanghai police did not hand over the money. One month later, the hacker listed the database for sale for $200,000.

The hacker or group also posted a sample of the more than 23-terabyte database, which they claimed contains records of 250,000 Chinese residents in three separate assets.

The first data set is “personal information,” including name, age, sex, year of birth, place of birth, and ID card number. Some were even labeled with detailed designations, such as “key members of the Ministry of Public Security,” “have not served in the military,” and “primary school education level.”

The second set is “address and mobile phone combined data,” which contains names, addresses, and mobile phone numbers.

The third data set contains case records that appear to have been reported to the police, with information such as the name and phone number of the person who reported the crime, when and why the report was filed, and how it was handled.

The Epoch Times made more than a dozen phone calls using the information in the document. Of the four calls that were successful, three confirmed the authenticity of the information in the files, while the fourth person did not deny when asked to confirm their name.

Shortly after the Shanghai police database was put up for sale, another anonymous user sold a police database in China’s Henan Province on an online forum, claiming to have information on 90 million citizens.

On July 21, 2020, a list of all CCP members in Shanghai was published online, containing the names, phone numbers, provinces, current employers, party branches, ethnic groups, and education levels of 1.95 million party members. The list was obtained by Chinese dissidents from a server in Shanghai and handed over to the Inter-Parliamentary Alliance on China.

There have also been leaks from companies with close ties to the authorities.

In 2019, Victor Gevers, a Dutch security researcher, revealed on Twitter that SenseNet, a Chinese facial recognition company, had a data breach involving 2.56 million people and 6.8 million records, including personal ID card information, facial recognition images, and where they were captured. SenseNet real-time facial recognition allows anyone to view these records and track individuals.

SenseNet’s partners include Lianyungang Municipal Public Security Bureau, Guangdong Provincial Public Security Bureau, Hanyang Public Security Bureau in Wuhan city, and Duyun Public Security Bureau in Guizhou Province. The company emphasizes that its facial recognition technology can help local police analyze, issue warnings, and maintain public order.

In November 2016, the CCP introduced the Cyber Security Law, which it said would establish and improve the cybersecurity guarantee system and improve cybersecurity protection capacity.

On Aug. 20, 2021, the CCP introduced the Personal Information Protection Law, which states that personal information handlers should develop internal management systems and operating procedures, implement classified management of personal information, and take corresponding security technical measures such as encryption, de-labeling, and operation rights control.

On Sept. 1, 2021, the CCP launched the Data Security Law, which states that data processing activities should comply with laws and regulations, respect social morality, abide by business and professional ethics, be honest and trustworthy, and fulfill data security protection obligations.

Yet for over a year, from April 2021 until June 2022, the Shanghai police’s database of a billion people remained open without passwords, allowing anyone to access the information.

So far, the CCP authorities have made no comment on the matter and have not dealt with any of the people involved. Instead, they have blocked reports and discussions on the matter.

Without an explicit order to halt its IPO, Didi went public as planned on June 30. A few days later, the CCP regulator issued a notice saying it would conduct a “cybersecurity review” of Didi, require mobile app stores to remove the app, and ban new users from registering “to prevent national data security risks, safeguard national security, and protect the public interest.”

Didi’s share price plummeted after that. In December 2021, Didi announced plans to delist from the United States. On June 10, Didi’s last trading day on the New York Stock Exchange, its shares fell 84 percent from their IPO price.

Three months later, the CCP formally implemented the Data Security Law, requiring organizations and individuals in China to not provide any data stored in China to any foreign judicial or law enforcement authorities.

In January 2021, the Cyberspace Administration of China (CAC) issued Cybersecurity Review Measures, requiring operators of online platforms with more than 1 million users’ personal information to report for security review before foreign listings. Relevant government departments will assess “the risk that critical information infrastructure, core data, important data, or large amounts of personal information could be influenced, controlled, or maliciously used by foreign governments.”

While data is strictly prohibited from leaving China, the CCP authorities have tried to gain access to foreign data in a variety of ways, including hacking into multinational corporate databases, running “talent plans” at foreign universities and companies, and buying foreign companies.

On June 29, Brendan Carr of the U.S. Federal Communications Commission said that TikTok posed an “unacceptable national security risk due to its extensive data harvesting being combined with Beijing’s apparently unchecked access to that sensitive data.”

“TikTok is not just another video app, That’s the sheep’s clothing,” Carr wrote in a Twitter post. “It harvests swaths of sensitive data that new reports show are being accessed in Beijing.”

TikTok is owned by ByteDance, a Chinese company, whose Chief Executive, Shouzi Chew, acknowledged recently that its employees outside the United States, including in China, have access to TikTok’s U.S. user data.

A recording of TikTok’s internal meeting was leaked in June, showing that employees at Bytedance were continuously accessing non-public, private data of American users.

Jake Sullivan, the U.S. national security adviser, said in 2021 that Beijing “sees big data as a strategic asset.” Matt Pottinger, the former U.S. deputy national security adviser, has also written that big data is central to Beijing’s ambitions.

In June 2021, Ning Xuanfeng, senior partner of King & Wood Mallesons, a law firm in China, coauthored an article saying that countries around the world are experiencing a new round of “digital ownership” around data control and jurisdiction, and that confrontation and defense are becoming increasingly fierce in the field of data competition. The real intention of the Data Security Law is “to enhance the competitive advantage of data sovereignty, to change and reshape the international rules of data,” he wrote.