More than 300 million private chat logs and profiles of Chinese social-media users were left exposed online, and gathered by a government surveillance network, according to a Dutch security researcher.
Victor Gevers, a security researcher at the cyber-security non-profit GDI Foundation, wrote on Twitter on March 2 that he found a database containing information generated by Chinese social-media accounts, including private messages, names, identity card numbers, photos, and GPS location data.
The information was accessible to anyone who searched for the database’s IP address, Gevers told The Financial Times. He added that the database has since been made secure after he notified the internet service provider.
The database also fed the data to 17 other remote servers, which, according to Gevers, belong to local police stations around China.
“Around 364 million online profiles and their chats & file transfers get processed daily. Then these accounts get linked to a real ID/person. The data is then distributed over police stations per city/province to separate operators databases with the same surveillance network name,” Gevers wrote in his tweet.
The researcher wrote that police review thousands of chat logs every day.
“With these ‘operator databases’ the local law enforcement investigate 2,600 to 2,900 messages and profiles. The name new table per day to keep track of the progress. So they manually review the social media communication (public/private messages),” Gevers posted in another tweet.
The records in the database were tagged with six labels referring to messaging apps, according to Gevers, who sought help from Twitter users to identify the messaging services. Two of those were identified by users as QQ and WeChat, both operated by Chinese internet giant Tencent.
Other Twitter users suggested that one label represented the messaging service run by Chinese live-streaming social network platform YY.com. Another may be communications software that allows buyers to communicate with sellers on Taobao, an e-commerce platform run by Chinese tech giant Alibaba.
Beijing monitors internet discussion as part of its sprawling online censorship apparatus, collectively known as the “Great Firewall.” The regime enforces tight censorship over its cyberspace to snuff out facts, ideas, and opinions that contradict the Chinese Communist Party’s rule and propaganda.
Chinese social media companies are not only required by the regime to censor users’ content, but have also been under scrutiny over the security of the data they collect from their users.
In March 2018, PEN America, a New York-based non-profit advocating for free expression for artists and writers, issued a report warning that the regime was ramping up efforts to censor information and online speech on Chinese social media.
An unidentified Chinese netizen told Radio Free Asia that images of Gevers’ tweets he posted on Chinese social media have attracted the attention of Chinese authorities. The netizen said he has since removed his posts out of fear of being caught.
This isn’t the only unsecured Chinese database that Gevers has uncovered.
Last month, Gevers found a massive database containing location data for more than 2.5 million people in China’s Xinjiang province. The database was operated by private Chinese company SenseNet, a facial-recognition company based in the southern city of Shenzhen.
During one 24-hour span, SenseNet collected about 6.7 million individual GPS coordinates. These location data points were linked to names, identification card numbers, birth dates, addresses, photos, and employers.
In recent years, the communist regime has drastically ramped up surveillance in Xinjiang, a region home to more than 12 million Uyghur and other Muslim minorities, under the narrative of combating “extremist threats.”
Also last month, Gevers revealed in a tweet an open database that tracks the movement of millions of cars and pedestrians, at an unknown location in China. Cameras would be activated to take a photo when violations occurred, such as jaywalking or going through a red light.
On Feb. 22, China’s National Computer Network Emergency Response Technical Team, a non-profit cybersecurity technical center, reported on its website that of the roughly 25,000 databases in China running MongoDB, a type of database management system, 468 had been exposed to the public. The exposed databases originated from 28 different provinces, including Beijing and Shanghai.