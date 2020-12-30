Digital health codes have been instrumental in containing the Covid-19 pandemic in China. The codes, which assign users a red, yellow or green health ranking, are the difference between government quarantine, self-isolation and freedom.

Everyone has them. And, while some have raised concerns over privacy and data usage, they might take solace in the fact that privacy issues affect all users equally, from street cleaners to movie stars.

This was highlighted by a recent data leak in Beijing. On Monday, Hongxing News, a digital subsidiary of Chengdu Economic Daily, reported that the city’s health code app was easily hackable.

The outlet reported that users of the app could access other’s Covid-19 testing records – just by entering their full name and government 18-digit ID number.

In China, the sale of ID numbers is a well-known clandestine underground trade and police have cracked numerous syndicates over the years.

According to Hongxing, hackers are doing a brisk trade in the spoils of this simple trick. In one online chat group, a hacker offered to sell more than 1,000 personal government ID numbers – used in China for everything from buying plane tickets to renting homes – for just one yuan (S$0.20).

Hackers were able to acquire users’ photos – used for facial verification – as well as their most recent Covid-19 test, and details of any future test appointments they may have booked.

Thousands of photos of celebrities and artists – generally innocuous and hastily-snapped selfies – started appearing for sale in online chat groups, with one particularly popular post offering to sell the “health code photos” of all seven members of Chinese pop group Teens in Times.

They are sold in group chats to enthusiasts of a phenomenon known as “proxy photography” – an online community in which participants compete for the best celebrity pictures, and the details needed to capture them – including leaked travel plans and plane reservations.

Beijing Youth Daily reported in November last year that proxy photography enthusiasts often bought details of celebrity flight plans so they could photograph them at the airport.

In January this year the flight details of 12 famous Chinese singers, including Jason Zhang and Bibi Zhou, were leaked in a proxy photography group so fans could get their own photographs.

The hacking of Beijing’s health code system is both a means and an end for eager buyers, and has offered up such a trove of information that even usually-prized celebrity photos are sold on the cheap.

One advertisement offered pictures of 70 famous artists for less than the price of a can of Coke.

By some estimates, the programme – which is compulsory for both residents and visitors to the city – has more than 30 million users.

Hongxing said on Monday evening that, despite having contacted the company responsible for the app, proxy photography group chats were still full of members offering to sell health code photos.

The South China Morning Post experimented with the method described by Hongxing News to obtain personal details on Tuesday evening but found the system now requires facial verification for access.

The Post contacted the company responsible for Beijing’s health code programme, Beijing Zhonghaijiyuan Digital Technology Development Co, for comment but has not yet received a response.

This article was first published in South China Morning Post.