Chinese authorities are obtaining personal data from the phones of tourists entering China’s far western region of Xinjiang, using a secretly installed mobile app, according to a joint investigation by Western media outlets.
At the border crossing from Kyrgyzstan to the Xinjiang region, tourists are asked to unlock and hand over their phones and computers to border agents, who then take the devices into a separate room to scan them, according to the investigation by The Guardian, the German newspaper Süddeutsche Zeitung, the German-based radio network NDR, The New York Times, and Motherboard (part of Vice).
A traveler who entered Xinjiang this year with an Android device told The Guardian that he waited for an hour before getting his phone back. The police, he said, didn’t tell him what they had done to his phone, although he had been warned by the travel agent that the police would do something to it. He thought the app was a GPS tracker.
“If they were doing it in my home country, I would be aghast, but when you are traveling to China, you know it might be like this,” the traveler said, The Guardian reported.
China saw more than 150 million visitors in the Xinjiang region in 2018, according to state-run news agency Xinhua.
According to The Guardian, the surveillance app, called BXAQ or Feng Cai (meaning bees gathering honey), both extracts personal information from the device and scans it for suspicious files. The app is supposed to be deleted by border officials before the phone is returned to its owner, the outlet reported.
Through reverse engineering, the outlets found that the app could extract an extensive amount of information, including emails, text messages, social media accounts, and the unique identifiers of the devices. It would then compile the collected information into a report and send it to the border office’s local server.
A technical report commissioned by the media outlets found that the app scans the phone for more than 73,000 different files. Among these are Quran verses, photos or writings of the Dalai Lama, Ramadan fasting, and music of a Japanese heavy metal band.
The app’s source code, according to The New York Times, suggests that it was developed by Nanjing FiberHome StarrySky Communication Development Company, a unit of partially state-owned telecom equipment maker FiberHome.
A number of anti-virus software providers, including Avast, McAfee, and CheckPoint, have flagged the software BXAQ as malware, according to Vice, citing results from VirusTotal, a malware scanner owned by Google.
Edin Omanovic, director of the state surveillance program at advocacy group Privacy International, told The Guardian that the revelation of the app was “another example of why the surveillance regime in Xinjiang is one of the most unlawful, pervasive and draconian in the world.”
Maya Wang, China senior researcher at Human Rights Watch, told The Guardian: “We already know that Xinjiang residents—particularly Turkic Muslims—are subjected to round-the-clock and multidimensional surveillance in the region.
“What you have found goes beyond that. It suggests that even foreigners are subjected to such mass and unlawful surveillance.”
The app forms but a small part of a vast surveillance system targeting the 11 million Uyghurs and other Muslim minorities living in the region.
Xinjiang residents are monitored by a dense network of surveillance cameras, many equipped with facial-recognition and night-vision technology, as well as through frequent security checkpoints. Chinese authorities have also collected DNA, including fingerprints and blood samples, from residents for storage in state databases, Uyghurs and rights groups say.
In 2017, authorities forced residents to download a surveillance app called Jingwang Weishi, which means “defender of a clean internet” in Chinese. Researchers from the Open Technology Fund, a U.S. government-funded program, found that the app transfers all files on the smartphone for government monitoring.
The U.S. State Department and experts estimate that more than 1 million Uyghurs and other Muslim minorities are currently detained in internment camps in the region, where they are subject to political indoctrination and forced to renounce their faith.
According to a May report by Human Rights Watch, police in Xinjiang use another surveillance app to collect personal information from Uyghur Muslims and other Muslim minorities, then file reports on activities they find suspicious, and carry out investigations on people the system flags as problematic.
The police app, the report said, is linked to a massive database that aggregates information harvested by the region’s CCTV cameras, checkpoints, and “Wi-Fi sniffers,” which collect unique identifying addresses of computers and smartphones.
Omanovic said the surveillance app targeting visitors to Xinjiang was an alarming development.
“Modern extraction systems take advantage of this to build a detailed but flawed picture into people’s lives. Modern apps, platforms, and devices generate huge amounts of data which people likely aren’t even aware of or believe they have deleted, but which can still be found on the device,” he told The Guardian.
“This is highly alarming in a country where downloading the wrong app or news article could land you in a detention camp.”