A new data breach in China, reported by TechCrunch, has exposed further examples of real-time facial recognition tracking, including ethnicity codes and links to government databases. The only surprise is that this time it was in Beijing and not Xinjiang.
It’s happened again. TechCrunchreported on Friday that a security researcher had «found a smart city database accessible from a web browser without a password, [the details of which he passed] to TechCrunch in an effort to get the data secured.» The data, which included «facial recognition scans on hundreds of people over several months,» was hosted by Alibaba, a major player in China’s tech sector and a backer of several of the AI unicorns behind the most sophisticated surveillance state capabilities.
The exposed data, discovered by John Wethington, even «uses facial recognition to detect ethnicities and labels them — such as ‘汉族’ for Han Chinese, the main ethnic group of China — and also ‘维族’ — or Uyghur Muslims.» These systems have been honed in Xinjiang, an unconstrained high-tech surveillance laboratory where the industrial-scale oppression of the Muslim Uighur population has created a belated wave of international condemnation in recent months.
The technologies developed by China (oppressively) in Xinjiang and (more sensitively) in cities like Beijing are now being relentlessly exported under a state-subsidized push towards a dominant position in the security sector. It is a program that has fueled the development of advanced surveillance technology by existing players and new entrants with no reins applied.
On Wednesday, Human Rights Watch (HRW) exposed details of a smartphone app that is used by the police in Xinjiang that packaged multiple data sources on monitored citizens. The system «tracked the movement of people by monitoring the ‘trajectory’ and location data of their phones, ID cards, and vehicles; it also monitoring the use of electricity and gas stations of everybody in the region. This is consistent with Xinjiang local government statements that emphasize officials must collect data for the IJOP system in a ‘comprehensive manner’ from ‘everyone in every household’.»
Two days later, and the system in this latest exposed data breach «monitors the residents around at least two small housing communities in eastern Beijing, the largest of which is Liangmaqiao, known as the city’s embassy district. The system is made up of several data collection points, including cameras designed to collect facial recognition data. The exposed data contains enough information to pinpoint where people went, when and for how long, allowing anyone with access to the data — including police — to build up a picture of a person’s day-to-day life.»
This level of sophistication first came to light with the SenseNets data breach earlier this year, which exposed more than 2.5 million records relating to the near real-time movement of Xinjiang Muslims. A database which ethical hacker Victor Gevers of the GDI Foundation explained at the time «contains over 2.565.724 records of people with personal information like ID card number (issue & expire date, sex, nation, address, birthday, pass photo, employer and which locations with trackers they have passed in the last 24 hours which is about 6.680.348 records.»
What SenseNets illustrated perfectly is that if no impediments are applied by technologists, customers, investors or regulators, then we are collectively responsible for what is unleashed. «Under President Xi Jinping,» the New York Times said last week, «the Chinese government has vastly expanded domestic surveillance, fueling a new generation of companies that make sophisticated technology at ever lower prices. A global infrastructure initiative is spreading that technology even further.»
According to TechCrunch, this latest set of exposed data «was hosted by Chinese tech giant Alibaba; the customer, which Alibaba did not name, tapped into the tech giant’s artificial intelligence-powered cloud platform, known as City Brain,» a smart city platform now being exported under China’s national security strategy.
Alibaba defended their position to TechCrunch, saying «this is a database project created by a customer and hosted on the Alibaba Cloud platform.
