China data leak exposes vast hi-tech surveillance operation in Xinjiang

A security camera is placed in a renovated section of the Old City in Kashgar, Xinjiang Uighur Autonomous Region, China September 6, 2018.
PHOTO: Reuters

A Chinese surveillance firm is tracking the movements of more than 2.5 million people in the far-western Xinjiang region, according to a data leak flagged by a Dutch internet expert.

An online database containing names, ID card numbers, birth dates and location data was left unprotected for months by Shenzhen-based facial-recognition technology firm SenseNets Technology, according to Victor Gevers, co-founder of non-profit organisation GDI.Foundation, who first noted the vulnerability in a series of social media posts last week.

The exposed data also included about 6.7 million location data points linked to those people, gathered within 24 hours and tagged with descriptions such as "mosque", "hotel", "internet cafe" and other places where surveillance cameras were likely to be found.

"It was fully open and anyone without authentication had full administrative rights. You could go in the database and create, read, update and delete anything," Gevers said.

China has faced an outcry from activists, scholars, foreign governments and United Nations rights specialists over what they call mass detentions and strict surveillance of the mostly Muslim Uygur minority and other Muslim groups who call Xinjiang home.

According to its website, SenseNets works with China's police across several cities. Its Shenzhen-listed parent company NetPosa Technologies has offices in most Chinese provinces and regions, including Xinjiang.

SenseNets and NetPosa, as well as the Xinjiang regional government, did not immediately respond to requests for comment on Sunday.

The Chinese government has ramped up personal surveillance in Xinjiang over recent years, including the construction of an extensive video surveillance system and smartphone monitoring technology.

Gevers said the foundation directly alerted SenseNets to the vulnerability, in line with GDI.Foundation protocol. He said SenseNets did not respond, but that it has since taken steps to secure the database.
