A Chinese technology firm has compiled a range of personal information on 2.6 million people in Xinjiang — from their ethnicity to locations — according to a data leak highlighting the wide extent of surveillance in the restive region.
Xinjiang is home to most of China’s Uighur ethnic minority lives and has been under heavy police surveillance in recent years after violent inter-ethnic tensions.
Nearly one million Uighurs and other Turkic language-speaking minorities in Xinjiang are reportedly held in re-education camps, according to a UN panel of experts.
The leak was discovered last week by security researcher Victor Gevers, who found that Chinese tech company SenseNets had stored the records of individuals in an open database “fully accessible to anyone”.
The records included information such as their Chinese ID number, birthday, address, ethnicity, and employer.
There is this company in China named SenseNets. They make artificial intelligence-based security software systems for face recognition, crowd analysis, and personal verification. And their business IP and millions of records of people tracking data is fully accessible to anyone. pic.twitter.com/Zaf6w5502i
— Victor Gevers (@0xDUDE) February 13, 2019
The exposed data also linked individuals to GPS coordinates — labelled with descriptions such as “mosque” — captured by tracking devices around the region.
Within a 24-hour period, more than six million locations were saved by SenseNets’ tracking devices, according to Gevers, who works at Dutch online security non-profit GDI Foundation and posted his findings on Twitter.
“You can clearly see they have absolutely no clue about network security,” he told AFP, describing SenseNets’ IT skills as belonging “to the early 90s”.
“Who in their right mind runs a database which is completely open and gives any visitors full administrative rights so then those database records can be manipulated by anyone with an internet connection?” he said.
“It simply does not compute.”
The database had been exposed since last July but was closed last Thursday, after Gevers reported the leak to SenseNets, he said.
SenseNets told AFP it was not accepting media interviews. The Xinjiang government did not immediately respond to AFP’s request for comment.
The demand for high-tech surveillance in Xinjiang region has led to the placing of surveillance cameras inside mosques, restaurants and other public places, while police checkpoints have been set up across the region.
It has has also created lucrative business opportunities for artificial intelligence companies like SenseNets, which specialises in facial recognition.
On its website, the Shenzhen-based firm showcases different applications, from detecting “blacklisted” individuals in a crowd to tracing a suspect’s whereabouts.
The technology firm partners with public security bureaus around the country, as well as US tech firms such as Microsoft and semiconductor company AMD.
In 2016, for instance, it helped local police in southern Guangdong province identify individuals involved in organising an “illegal gathering” — a term that often refers to protests in China.
SenseNets is majority-owned by NetPosa, a public company listed on the Shenzhen stock exchange. On its website, the Beijing-based firm calls itself a “leading manufacturer of video surveillance platforms” and boasted coverage of over 1.5 million roads in China at the end of 2017.